StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Ransomware: 14 Key Methods of Protection

  • January 9, 2017
  • 11 min read
Online Marketing Manager at StarWind. In touch with virtualization world, may know stuff you are interested in.
Online Marketing Manager at StarWind. In touch with virtualization world, may know stuff you are interested in.

After 2016 everyone can come to a certain conclusion that ransomware is a persistent phenomenon to reckon with from now on, with more sophisticated and innovative techniques to come. That is why it is crucial for every user and administrator to learn how to improve and protect their computer from ransomware. Here are some important steps to remember:

ransomware key

1. ALWAYS backup

First priority thing for everyone and everything. If you have up-to-date backups, ransomware loses its sense, as you can just remove the infection, format the media, and restore your data from backups. What has to be pointed out is that your backup storage should be an external or remote one as ransomware will target and encrypt all the drives on a computer, including mapped network drives, and sometimes even target unmapped network shares. A good cloud backup strategy with versioning and a significant restore window will be a decent solution. The long restore window is needed in case recent cloud backups contain the encrypted files and you need to restore from older versions. Since most cloud backups do not map to a computer as a drive letter, the backups are safe from being encrypted and can be used to restore files.

2. Install an antivirus or antimalware solution that detects ransomware behavior

Make sure you have a reliable anti-virus or anti-malware solution installed on the computer that contains good behavioral detection in order to detect when ransomware infection, even brand new ones, are trying to encrypt your data and then stop it.

3. Always install operating system updates

Many ransomware infections are installed via so-called exploit kits, which mostly target vulnerabilities in operating systems. That is why if your OS prompts that new updates are ready to install, then you should immediately do that. Many of these updates are security updates that protect your computer from vulnerabilities that could literally allow an attacker to execute whatever command they want on your computer.

4. Keep , updated

Similar to operating system vulnerabilities, exploit kits also target vulnerabilities in commonly installed programs on your computer such as Java, Flash Player, PDF readers, and others. Therefore, it is imperative that you keep these programs up-to-date too.

5. Keep SPAM filters enabled

Ransomware is hugely distributed through SPAM messages ‘disguised’ as shipping notices, resumes, bills, or tickets from government agencies. Web-mail vendors like Gmail, Outlook, or Yahoo will be filtered out many of these types of SPAM emails for you automatically. But, if you are not using a service that has good SPAM filtering, then these types of emails may get a chance to crawl in.

6. Enable the viewing of Extensions

By default, Windows and macOS do not show the extensions of a file when you are viewing a folder. That is why malware distributors try to trick a user into believing that an executable file is actually a Word, Excel, or a PDF document. They will open this file expecting it to contain data, but in fact, the malware will be installed.

7. Do not open attachments without confirming that someone actually sent it to you

When ransomware is distributed via SPAM, in many cases the downloader or actual infection is attached as an attachment so do not open it without first confirming with the person that they actually sent it or by scanning it with antivirus tool. If you still open it by mistake and get a prompt to enable macros or enable content, never do it as this will just download and install the ransomware.

8. Be careful of what you download from the Internet

Free downloads from the Internet may also arrive with a hidden ransomware ‘bonus’.  Only download from sites that you trust and always read the license agreements.

9. Rename vssadmin in Windows

Shadow Volume Copies are used by Windows to automatically store backups of files on a computer. These backups can then be used to restore data that was changed or deleted. Ransomware developers make sure that their infections will execute the vssadmin.exe command in order to delete all shadow volume copies on a computer so that they cannot be used to restore encrypted files.

10. Disable Windows Script Host

Many ransomware infections are installed via attachments that are script files coded in Jscript or VBS. Unless you execute Jscript or VBS files a lot, it is strongly suggested that you disable the ability to launch these types of scripts in Windows. Once the scripting host is disabled, if a script is launched you will see a message like the following.

Windows Script Host

11. Disable Windows PowerShell

Windows PowerShell is also used to install ransomware or encrypt files. If you are not using PowerShell, you can disable the execution of PowerShell (ps1) scripts from running by entering this command in a Windows Elevated Command Prompt:

12. Use strong passwords

Make sure you use strong passwords to protect your computer from unauthorized access. This is because there are some ransomware infections that are installed by attackers logging into Remote Desktop connections that are secured with weak passwords.

13. If you do not need Remote Desktop, disable it, otherwise change the port

If you are not using Remote Desktop, there is no reason to keep it enabled. If you are using it, change the port to something different from 3389, so your computer will become invisible to scripts and scanners looking for the default TCP port.

14. Setup Software Restriction Policies in Windows

Software Restriction Policies is a method that allows you to create various policies that restrict what folders an executable can be started from.

15. Create an Application White List Policy in Windows

A Software White List Policy is when you configure Windows to only allow programs to execute that you specify. This prevents any unknown programs from running and essentially locks your computer down completely from allowing an unauthorized program to run.

This is the review of an article.


Found Oksana’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!