Part 4: A Security Expert’s Guide to Ransomware on Windows

If you missed last week’s blog post on iOS and OS X exploits and remediations, take a look here. This week on Rethink: Security, we take a deeper look at ransomware on Windows devices.

Windows Exploits

The Windows desktop has had a long history of ransomware that have afflicted the platform throughout the years. The first recorded ransomware was called PC Cyborg or the AIDS Trojan horse discovered in 1989. The malware replaced the autoexec.bat file. The basic premise was the malware would hide all directories and encrypt the data within the C: drive and root directory. The victim would be presented with an end user license agreement (EULA) demanding payment of $189 U.S. dollars to a post office box in Panama.

Instead of the two main types of ransomware that attack mobile devices like iOS and Android, there are four types for Windows desktops:

  • Locker ransomware or Winlocker as it is known
  • Crypto ransomware
  • MBR ransomware
  • RAR compression ransomware

The MBR ransomware infects the master boot record of the operating system. The demand-for-payment is to remove the infected MBR and restore it with the original, and return their Windows desktop to normal operation.

The RAR file compression ransomware employs a technique to compress and also encrypt the personal data. The archive is then password protected. The demand-for-payment is to provide the password to decompress and decrypt the personal data.

The most common delivery mechanisms for these types of ransomware have been spam email attachments, running fake applications, and downloading drive-by malware from infected web sites.

The latest advanced ransomware is delivered to victims using a malicious Microsoft Office Word document with an email attachment. It arrives as an official looking invoice document and when opened, the text is unreadable. It tricks the victim into enabling all macros in order to make the text readable again. Once all Word macros was enabled, the payload is delivered and remotely executed by a command and control (C2) server within the darknet. The payload is a 32-bit Windows executable that runs an infected copy of the svhost.exe file, and stored in the TEMP directory. The svhost.exe file is a generic Windows host process name that executes from dynamic-link libraries (DLL) files. The name of this ransomware is Locky, and it uses the Advanced Encryption Standard (AES) cryptographic algorithm with strong entropy to encrypt the victim’s personal data.

Windows Remediation

The ransomware attacks for Windows have been only on desktop platforms and sparing Windows Phone platforms, for the time being. The biggest reason is Windows Desktop platforms run Win32 applications. Throughout the years, numerous vulnerabilities have been found in these applications. Windows 32 application programming interfaces (API) require access to the underlying Windows operating system in order to run, and in some unfortunate cases, malicious applications like viruses and other malware can modify the operating system.

Windows 10 Desktops can run Win32 applications along with the new modern Universal Windows Platform (UWP) apps that are sandboxed and isolated from other installed apps. Windows Phone 8.1 and Windows 10 Mobile devices run only UWP apps.

How does a network administrator stop ransomware in its tracks on all Windows platforms? The tasks are again similar to those already itemized for Android, iOS, and Mac OS X platforms, mentioned previously.

Here are the additional configuration tasks.

  1. Employ Microsoft’s AppLocker. For BYOD deployments, create a blacklist of disallowed apps on the device. For company-owned devices, create a whitelist of allowed apps on the device. All other apps will be disallowed.

    Download UWP apps from the Microsoft Apps Store. For legacy Win32 applications as well as UWP apps, create an Enterprise App Store using an EMM to push line-of-business apps to the Windows devices.

  2. Enable Windows desktop’s built-in anti-malware protection agent called Defender. It is already enabled by default. Other anti-malware agents can also be used including Bitdefender, Kaspersky or Malwarebytes.

    For Windows 8.1 desktops, the antivirus and firewall settings will be checked to make sure they are enabled. If these settings are disabled on the desktop, it would fail compliance checking and can be blocked from accessing the corporate network.

  3. When supported, enable Enterprise Data Protection (EDP) on the device to containerize, encrypt, and isolate the work data from personal data.
  4. With a Microsoft Account, personal data backups are automatically uploaded to OneDrive. Within OneDrive, the user can choose to sync only those folders and files they want backed up to the personal cloud storage. Users can also choose to set up their own backup to a network share. This is configured from Control Panel and Backup and Restore.
  5. For company-owned devices, disable Cortana. It is Microsoft’s version of iOS’ Siri digital personal assistant that helps the user find information using voice or text prompts.

Additional Windows application tasks include:

  • Create spam filters in Microsoft Outlook or email application that automatically forwards them into the Junk Email folder. Empty out the folder regularly.
  • Ensure that Disable Macros is set for all Office 365 applications like Word, Excel and PowerPoint. This is the default within the Trust Center Settings of the respective application.
  • Also ensure that all the Protected View settings within all Office 365 applications remain enabled. These are the default settings.
  • Opt out of the Microsoft’s Internet-based advertising. To opt out, visit Microsoft's website.

Come back next week as we wrap up our Rethink: Security series on ransomware exploits and remediation on networks.

James Saturnio

Senior Solutions Architect at MobileIron

About the author

James Saturnio is a Senior Solutions Architect for the Technical Marketing Engineering team at MobileIron. He immerses himself in all things cybersecurity with equal parts mobility and IoT technologies. He has been with MobileIron for 5 years. Previously, he worked at Cisco Systems for 19 years where he started out as a Technical Assistance Center (TAC) engineer, then a software engineer, and as a Technical Leader in the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.