Simple ways to prevent Ransomware, Part 1

Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on facebook
Facebook

Ransomware is on the rise!

Here is Part 1 of a series of articles on how you can prevent your organisation from having your data locked up.  These guides can, and should, be done now!

The Ransomware ‘process’ usually comes in email via attachments that are executed (opened by the user).  However, we usually find that the attacker has already gained access to the system before the Ransomware attack is performed.

Once the attacker has gained access they will:

  • Collect data for a few days first, determine who are the best targets to attack (typically finance users)
  • Copy/download company files
  • Run password capture tools on the network such as Minikatz.
  • Remove Windows Server backups and Shadow copies.

Once the above is done, the ransomware is invoked.  We find that it is usually run on weekends and afterhours, when you have least chance of recovery.

In Part 1, we will disable the Windows Script Host and PowerShell.  Users do not typically require these tools.

Restrict PowerShell

  1. Create a new Group Policy (Group Policy Management)
  2. On the Policy head over to User Configuration > Windows Settings > Security Settings
  3. Create a new Software Restriction Policyreduce ransomware via software restriction policy
  4.  Create a new Path Rulesoftware restriction policy2
  5. The typical path for PowerShell is c:\windows\system32\WindowsPowerShellsoftware restriction policy
  6. Hit OK when done

Restrict Windows Scripting Host WScript

  1. On the same Group Policy from above, expand Computer Configuration > Preferences > Windows Settings
  2. Create a new Registry Itemblock WSH
  3. Create a Registry entry as per below:  block WSHThe Key path is Software\Microsoft\Windows Script Host\Settings\    You need to create two Keys, HKCU and HKLM

Want to stay up to date with useful tech-tips?  

Follow us on LinkedIn, Facebook or Twitter to be notified when we post new content. Or, even better, scroll down to the very bottom of this page to sign up for our Newsletter. We only send them once a month and you can always unsubscribe.