Defending Against Ransomware On Windows Domains

Ransomware is increasingly becoming a serious issue for many companies. It’s a type of malware that encrypts all data on, and accessible by, a computer and holds the recovery key hostage until payment is made by a certain deadline. If the deadline passes without payment, the recovery key is destroyed and access to the encrypted data is permanently lost. With criminals making large sums of money using this method, ransomware will only become more commonplace in the future.

Plan For Recovery

A good first step is planning for recovery in case of infection despite the protections put in place. Having timely, reliable backups is absolutely necessary and should be a focus regardless. Make sure there are regular backups running that cover all important data, and verify backup integrity by performing test restores often. Ransomware will also encrypt backups if it can reach them, so it’s important to have off-site backups as well.

If there are solid backups in place, then the worst-case scenario of ransomware getting on the network is a (hopefully) short amount of downtime while all encrypted data is restored from backups. Although not a substitute for proper backups, restoring from shadow copies can help reduce downtime as well. Typically ransomware will attempt to delete shadow copies, but limiting user privileges can prevent this.
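The following PowerShell script is an added example, not part of the original post, that puts the two checks above into practice: it reports whether every volume has a recent shadow copy, then performs a small test restore by hashing a random sample of backed-up files against the live source. The backup share and source paths are assumed values.

```powershell
# Added example (not from the original post): check shadow-copy coverage on every
# volume and spot-check a backup set by comparing file hashes with the live source.
# $BackupRoot and $SourceRoot are assumed paths; adjust them to your environment.
param(
    [string]$BackupRoot = '\\backupserver\backups\fileserver',
    [string]$SourceRoot = 'D:\Shares',
    [int]$SampleSize = 20,
    [int]$MaxShadowAgeHours = 24
)

# 1. Shadow copies: Win32_ShadowCopy.VolumeName matches Win32_Volume.DeviceID, so
#    map each copy back to a drive letter and keep the newest copy per volume.
$letterByDevice = @{}
Get-CimInstance -ClassName Win32_Volume | Where-Object DriveLetter | ForEach-Object {
    $letterByDevice[$_.DeviceID] = $_.DriveLetter
}
$newest = @{}
Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $letter = $letterByDevice[$_.VolumeName]
    if ($letter -and ($null -eq $newest[$letter] -or $_.InstallDate -gt $newest[$letter])) {
        $newest[$letter] = $_.InstallDate
    }
}
foreach ($letter in ($letterByDevice.Values | Sort-Object)) {
    if (-not $newest.ContainsKey($letter)) {
        Write-Warning "$letter has no shadow copies"
    } elseif ($newest[$letter] -lt (Get-Date).AddHours(-$MaxShadowAgeHours)) {
        Write-Warning "$letter newest shadow copy is stale: $($newest[$letter])"
    } else {
        Write-Output "$letter newest shadow copy: $($newest[$letter])"
    }
}

# 2. Test restore: hash a random sample of backed-up files and compare each with
#    its source. Mismatches on files unchanged since the backup indicate a bad backup.
$backupFiles = @(Get-ChildItem -LiteralPath $BackupRoot -File -Recurse -ErrorAction Stop)
if (-not $backupFiles) { throw "No files found under $BackupRoot" }
$sample = $backupFiles | Get-Random -Count ([Math]::Min($SampleSize, $backupFiles.Count))
$mismatches = 0
foreach ($f in $sample) {
    $relative = $f.FullName.Substring($BackupRoot.TrimEnd('\').Length + 1)
    $source   = Join-Path $SourceRoot $relative
    if (-not (Test-Path -LiteralPath $source)) { Write-Warning "no source file for $relative"; continue }
    $backupHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $sourceHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
    if ($backupHash -ne $sourceHash) { $mismatches++; Write-Warning "hash mismatch: $relative" }
}
Write-Output "Checked $($sample.Count) sampled files, $mismatches mismatches"
```

Run it from an elevated prompt, since enumerating shadow copies requires administrator rights; a mismatch on a file that has legitimately changed since the last backup is expected, so investigate the ones that have not.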

Lock-Down Applications

Limit Privileges

The Principle Of Least Privilege is the idea that any process, program, or user must only be allowed access to the resources that are necessary for the tasks they need to carry out. For non-technical users this means using a normal, non-admin account with access only to the resources needed for the user’s job. For technical users this means using a non-admin account by default and elevating privileges as needed with a separate local admin account.

This is often enough to protect against malware infection; however, some ransomware variants are able to run even when using an account with limited privileges. Despite this, using a non-admin account by default is critical because it’s necessary for properly implementing application whitelisting.

Application Whitelisting

One of the most effective defenses against malware infection is application whitelisting. The basic idea is that all applications are blocked from running by default except for specific applications.

Many attempt to defend their network by blacklisting executables running from certain locations (such as the AppData directory) but the job of maintaining the blacklist is never-ending. It also means that you are vulnerable when encountering a new ransomware variant that uses a non-blacklisted location. A whitelist can potentially cause extra work if users need a wide range of applications but it guarantees safety compared to the blacklist approach. Typically once a whitelist is properly set up there is little work needed to maintain it.

A common way to implement application whitelisting is by using AppLocker though it requires an enterprise edition of Windows. Those not using an enterprise edition of Windows can implement it with Software Restriction Policies (SRP) in Group Policy.

Whitelisting via SRP is accomplished by blacklisting all locations with the exception of those requiring admin privileges to write to and other needed locations. There is also the option of whitelisting the hash of an executable instead of the location. This is preferable because it guarantees only the specific executable you’d like to run is allowed, avoiding the possibility of malware overwriting a whitelisted file path that doesn’t require admin privileges to write to. It also allows executables matching a whitelisted hash to run from any location. This is a good guide for setting up whitelisting with SRP.
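Once SRP is in place, the policy is only as strong as its exceptions: an Unrestricted path rule that standard users can write to undoes the whitelist. The script below is an added example (not from the original post) that reads the SRP policy applied to the machine, confirms the default level is Disallowed, and checks the folder of each Unrestricted path rule for write access by ordinary users. It assumes the documented Safer\CodeIdentifiers registry layout, with Unrestricted rules under the level subkey 262144 (0x40000).

```powershell
# Added example (not from the original post): audit the Software Restriction
# Policy applied to this machine. Assumes the documented registry layout of
# Safer\CodeIdentifiers, with Unrestricted path rules under the level subkey 262144.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) { Write-Warning 'No SRP policy found in the registry'; return }

# DefaultLevel 0 = Disallowed (whitelist mode), 0x40000 = Unrestricted (blacklist mode).
$level = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
switch ($level) {
    0       { Write-Output  'Default level: Disallowed (whitelist mode)' }
    0x40000 { Write-Warning 'Default level: Unrestricted, so only blacklisted paths are blocked' }
    default { Write-Warning "Default level is not Disallowed (value: $level)" }
}

# Users, Authenticated Users and Everyone: write access for any of these means a
# standard user could place an executable inside the whitelisted folder.
$userSids  = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Test-UserWritable([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($userSids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

# Walk the Unrestricted path rules. Wildcard rules and single-file rules are listed but not tested.
$pathRules = Join-Path $base '262144\Paths'
if (Test-Path $pathRules) {
    foreach ($rule in Get-ChildItem -Path $pathRules) {
        $data = (Get-ItemProperty -Path $rule.PSPath).ItemData
        if (-not $data) { continue }
        $target = [Environment]::ExpandEnvironmentVariables($data)
        if ($target -match '[\*\?]' -or -not (Test-Path -LiteralPath $target -PathType Container)) {
            Write-Output "Unrestricted rule (not checked): $target"
        } elseif (Test-UserWritable $target) {
            Write-Warning "Unrestricted rule points at a user-writable folder: $target"
        } else {
            Write-Output "Unrestricted rule OK: $target"
        }
    }
}
```

The ACL check only looks at the top-level folder of each rule, so subfolders with looser permissions still need a separate review; hash rules are unaffected by folder permissions, which is one reason the post prefers them.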

Decrease Attack Surface

Install Security Updates

This is pretty self-explanatory. Install security updates for your operating system and applications as soon as possible. In particular, updates for Windows, Adobe products (Flash, Reader, Acrobat), and Java should be top priorities.

Improve Microsoft Office Security

A common attack vector is Microsoft Office documents containing macros. By default macros won’t run, but the user is notified and given the option to enable them, so it’s a good idea to lock down macro execution through Group Policy. There’s an option to disable all macros without notification, or to disable all macros except for those that are digitally signed.

There are other Office security improvements worth considering as well. For those using Office 2016, Microsoft is adding further management options to block macros in documents originating from the Internet.
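Both settings described above map to documented Office policy registry values, which makes them easy to audit. The script below is an added example (not from the original post) that reports the macro policy for Word, Excel and PowerPoint in the Office 2016 (16.0) and Office 2013 (15.0) registry trees and, with -Enforce, sets VBAWarnings to 3 (signed macros only) or 4 (all macros disabled, no notification) plus the Office 2016 "block macros from the Internet" value for the current user.

```powershell
# Added example (not from the original post): audit, and optionally enforce, the
# Office macro policy for the current user. Policy values used are the documented
# ones: VBAWarnings 3 = disable all except digitally signed, 4 = disable all
# without notification; blockcontentexecutionfrominternet 1 blocks macros in
# files marked as downloaded from the Internet (Office 2016, registry tree 16.0).
param(
    [ValidateSet(3, 4)][int]$DesiredLevel = 3,
    [switch]$Enforce        # without this switch the script only reports
)
$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '16.0', '15.0'                      # Office 2016 and Office 2013 trees
$meaning  = @{ 1 = 'enable all macros'; 2 = 'disable with notification (default)'
               3 = 'disable except digitally signed'; 4 = 'disable all, no notification' }

function Get-MacroState([string]$Version, [string]$App) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $blockOk = ($Version -ne '16.0') -or ($p.blockcontentexecutionfrominternet -eq 1)
    [pscustomobject]@{
        App      = "$App $Version"
        Level    = $p.VBAWarnings
        BlockNet = $p.blockcontentexecutionfrominternet
        Hardened = ($p.VBAWarnings -ge 3) -and $blockOk
    }
}

function Set-MacroPolicy([string]$Version, [string]$App, [int]$Level) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
    New-Item -Path $key -Force | Out-Null      # creates the key chain if missing
    Set-ItemProperty -Path $key -Name VBAWarnings -Value $Level -Type DWord
    if ($Version -eq '16.0') {
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

foreach ($v in $versions) {
    foreach ($a in $apps) {
        if ($Enforce) { Set-MacroPolicy -Version $v -App $a -Level $DesiredLevel }
        $s    = Get-MacroState -Version $v -App $a
        $text = if ($null -eq $s.Level) { 'not set: user can enable macros' } else { $meaning[[int]$s.Level] }
        $flag = if ($s.Hardened) { 'OK  ' } else { 'WEAK' }
        Write-Output ('{0} {1,-15} VBAWarnings={2} ({3}); blockFromInternet={4}' -f $flag, $s.App, $s.Level, $text, $s.BlockNet)
    }
}
```

These are the same values Group Policy writes under the user's Policies hive, so -Enforce is useful for testing on one account; for the domain, deploy the equivalent settings through Group Policy rather than per machine.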

Block Website Ads

Lately there has been a large controversy about whether people should block website advertisements or not. The fact of the matter is that ads are a popular attack vector, especially as of late. Because of this, blocking ads is an important self-defense measure.

One approach is to block ads at the perimeter of the network using a capable router/firewall or UTM device. Something to keep in mind is that most traffic nowadays occurs over HTTPS, which means that it’s encrypted and cannot be inspected. The only way to inspect this traffic for ad-blocking purposes is to deploy digital certificates on all clients, essentially acting as a man-in-the-middle. There may be legal or privacy concerns to consider before implementing this.

Another approach is to block ads at each endpoint using a browser extension or similar solution. Group Policy can be used to deploy the browser extension and its settings. There’s less centralized control using this approach, but blocking ads at each endpoint obviates the need to act as a man-in-the-middle to inspect HTTPS traffic.

Final Thoughts

Keep in mind there is no such thing as 100% security. Security should be approached with a defense in depth mindset, using as many defense measures as possible. The suggestions mentioned above are just a subset of possible defenses to implement but, despite being very basic, they are some of the most effective.
