How to protect from ransomware?

mattyg said:
I've been virus free for a long time now. Although my modem had the DNS changed a few years ago.

But all this has made me think about security. I've always run AVG free. But I'm currently running Kaspersky total security. Free 30 day trial. (bank with barclays so could also get a big discount) on a scale of 1-100 how paranoid am I being that its run by a Russian...
Click to expand...

Things like Kaspersky are under huge scrutiny by independent security researchers who'd love nothing better than to find some problem with it - that said something that has the ability to execute code on your PC and update at will could always be used for malicious ends in the future if the company went bad or was playing a long game or something, etc.
 
Rroff said:
That is nothing compared to some sites these day :( I've seen over 100 entries in noscript for a single simple site before. Its not surprising people run ad blockers heh. Very bad for security - its how the Guru3D ad compromise worked a few years back which got a lot of people probably many who didn't even realise.
Click to expand...
yes you are right.
Overclocker's has a few too, but the forum runs fine/faster with
google-analytics, twitter, facebook, ajax.googleapis all blocked.

Incidentally, just thought - maybe facebook should be categorised as the biggest virus distribution mechanism, it's platform is responsible for killing people (ISIS hate) and maybe saving some lifes too (revolutions),
but as yet no deaths (reported anyway) as a result of WannaCry ransomware (need to get a T shirt with an appropriate FB logo)
 
Rroff said:
Almost pointless on Windows even 10, though still a sound strategy in Linux - despite what some claim there are vulnerabilities that allow malware to go straight through UAC on Windows i.e. vulnerabilities in some signed device drivers - it'll stop less sophisticated malware but little against more serious stuff.
Click to expand...

Far from pointless. UAC on max/a standard user account will protect against most of the UAC bypasses, including the one posted above. Removal of admin rights has been proven to mitigate well over 90% of all Microsoft vulnerabilities.

You're describing something in the realm of APT, not the average malware attack.

Linux users don't ditch their non-root account every time someone discovers a new way to elevate privileges.
 
KIA said:
Far from pointless. UAC on max/a standard user account will protect against most of the UAC bypasses, including the one posted above. Removal of admin rights has been proven to mitigate well over 90% of all Microsoft vulnerabilities.

You're describing something in the realm of APT, not the average malware attack.

Linux users don't ditch their non-root account every time someone discovers a new way to elevate privileges.
Click to expand...

Pointless might not be quite the right way to put it but a lot of people will still be juggling older software that doesn't play well with UAC, etc. making the hassle debatable for the effective security - I would debate the effectiveness though - its often banded about as 90%, etc. but the reality isn't quite as ideal - as events of the last few days demonstrate.
 
Cloning an OS drive right after you have everything setup how you like it makes sense and speeds up recovery.
Click to expand...
I have done this for years. I used to use "Ghost" but now use "Acronis True Image". I am aware that there are free (Linux) options but I have no experience with them.
 
Rroff said:
Norton in my experience has generally severely slowed down a system and/or had other limitations - one thing if you are mostly doing a bit of web browsing and watching videos but for someone that is closer to that of a power user it will have significant trade offs for the security it provides.
Click to expand...

Nope never experienced slowdown with Norton Security when gaming, browsing and watching videos with Norton Security installed on 4 PCs, desktop PC with Ivy Bridge 3770K CPU, Dell laptop with Haswell CPU, Linx 10 inch tablet with Bay Trail Atom CPU and MeeGoPad compute stick with Bay Trail Atom CPU.
 
Rroff said:
Pointless might not be quite the right way to put it but a lot of people will still be juggling older software that doesn't play well with UAC, etc. making the hassle debatable for the effective security - I would debate the effectiveness though - its often banded about as 90%, etc. but the reality isn't quite as ideal - as events of the last few days demonstrate.
Click to expand...

Search for a better solution instead of disabling UAC. Here's one example, others exist.

90% is better than 0%. Effective security requires a layered approach, and this includes includes regular patching, reducing privileges, white listing, etc. The NHS, and many other organisations probably failed to do the basics, which may explain why the malware has been so successful.
 
AthlonXP1800 said:
Nope never experienced slowdown with Norton Security when gaming, browsing and watching videos with Norton Security installed on 4 PCs, desktop PC with Ivy Bridge 3770K CPU, Dell laptop with Haswell CPU, Linx 10 inch tablet with Bay Trail Atom CPU and MeeGoPad compute stick with Bay Trail Atom CPU.
Click to expand...

Its possible its some compatibility issue with the other ****ware bundled on new PCs but I've had to remove it from several systems people have purchased and replace with other software due to the extreme poor performance (even after giving it time to do its initial scan, etc.) they were seeing out the box. It has been quite awhile since I've tried it alone on an existing installation.

KIA said:
Search for a better solution instead of disabling UAC. Here's one example, others exist.

90% is better than 0%. Effective security requires a layered approach, and this includes includes regular patching, reducing privileges, white listing, etc. The NHS, and many other organisations probably failed to do the basics, which may explain why the malware has been so successful.
Click to expand...

Agreed but I've generally found running a non-admin account for daily stuff on Windows to cause significant hassle if you even remotely use older software and I think there is a bit of romanticising comparing it to the level that it works in Linux - I've seen some fairly common malware go straight through it like it wasn't even there just from someone clicking ok on a prompt to run something as a non-admin user. (While an older one stuff like the clone CD driver vulnerability make a mockery of the claims about UAC, etc. - if you look around some of the darker resources of the internet there are no shortage of proof of concepts for privilege escalation).
 
KIA said:
90% is better than 0%. Effective security requires a layered approach, and this includes includes regular patching, reducing privileges, white listing, etc. The NHS, and many other organisations probably failed to do the basics, which may explain why the malware has been so successful.
Click to expand...

I'm surprised because I thought it was standard practice to set it up this way. I do the same on OS X. I'd rather be safe than sorry. "If only I hadn't done that."
 
just heard first sensible media interview on the topic - guy from IBM ~7:45 on r4 today
- they do not undertand how phishing/patient-zero was achieved, and no big trail of emails in sample they take
- absence of private individuals attacked
- low ransom demand - corp customers usually attract >$10k$ and 50% pay
- quick deployment in organisations too

read another article on jpg ransomware attacks via facebook I had not heard of,
since I still think, via image sharing sites, tha could be easiest vector for OC user infection, say.
(edit: I do not mean using jpg for ransomware, that is not new - the fact it got through any pre-filtering that I thought FB or other image sites employed)
 
V F said:
:eek::o
Click to expand...
Why does this surprise anyone?

It's not some anarchic attack by people who wanna watch the world burn, it's a ransom (hence the name) by people who want money, if they didn't give out the keys in exchange for the money then people would stop giving them the money.
 
ubersonic said:
Why does this surprise anyone?

It's not some anarchic attack by people who wanna watch the world burn, it's a ransom (hence the name) by people who want money, if they didn't give out the keys in exchange for the money then people would stop giving them the money.
Click to expand...

Still, it is daft to be so careless.
 
jpaul said:
just heard first sensible media interview on the topic - guy from IBM ~7:45 on r4 today
- they do not undertand how phishing/patient-zero was achieved, and no big trail of emails in sample they take
- absence of private individuals attacked
- low ransom demand - corp customers usually attract >$10k$ and 50% pay
- quick deployment in organisations too

read another article on jpg ransomware attacks via facebook I had not heard of,
since I still think, via image sharing sites, tha could be easiest vector for OC user infection, say.
(edit: I do not mean using jpg for ransomware, that is not new - the fact it got through any pre-filtering that I thought FB or other image sites employed)
Click to expand...

Yeah was saying about that in the thread in GD - some of it just doesn't make much sense when you look beyond the ransomware itself and still lots of unanswered questions that people should really be asking but everyone (media, etc.) is falling over themselves over the wannacry ransomeware bit itself rather than looking at the delivery and deployment mechanism.

I'm fairly sure the recent Microsoft Malware Protection Engine vulnerability (which for some reason MS is trying to downplay in connection) is partially to blame but I don't think it entirely explains it.

I was wondering if someone had somehow found a way to exploit server grade CPUs with vPro even from behind NAT/Firewall but they seem to largely be unaffected unless they were merely used to redeploy the malware onto desktop systems and just have something nasty lurking on the servers not actively attacking the server itself - but that seems somewhat far fetched and unlikely but I can't shake the feeling there is something in the initial attack vector that people are overlooking.

EDIT: https://twitter.com/calebbarlow/status/864232713863213056 same guy - also backs up that it wasn't just phishing.
 
Last edited:
V F said:
I'm surprised because I thought it was standard practice to set it up this way. I do the same on OS X. I'd rather be safe than sorry. "If only I hadn't done that."
Click to expand...

NHS Digital says it issued an update that immunised Windows (including Windows XP) against Wanna Decryptor/WCry to a central NHS security portal on April 25, but seemingly the IT managers of at least 48 NHS trusts didn't follow that guidance. Given the scale of the Wanna Decryptor attack, it's clear that there are lots of businesses and institutions with not-regularly-patched Windows networks.
Click to expand...

https://arstechnica.co.uk/information-technology/2017/05/windows-update-keep-it-on/
 
mysticsniper said:
I purposely downloaded WanaCry to my VM running an unpatched Win 7, and tried to execute it. Cylance wouldn't event let me access it as it deleted as soon as I downloaded it.
Click to expand...

the patch is only relevant for the WanaCry spreading to other machines I thought ? (but if you are testing on a dedicated vm, I guess i am wrong)
would expect all on demand a/v's to have its signature now ? and that the zero-day detection would only have deployed if it started to encrypt ?
 
jpaul said:
the patch is only relevant for the WanaCry spreading to other machines I thought ? (but if you are testing on a dedicated vm, I guess i am wrong)
would expect all on demand a/v's to have its signature now ? and that the zero-day detection would only have deployed if it started to encrypt ?
Click to expand...

Cylance detects and blocks malware before it can affect your computer. Cylance uses a mathematical approach to malware identification, using machine learning techniques instead of reactive signatures, trust-based systems or sandboxes.

The Cylance Agent doesn’t require continuous cloud connectivity or continual signature updates, and works in both open and isolated networks

Gartner have this product listed as visionary :)

But expect to pay around £50 per licence
 
Last edited:
You must log in or register to reply here.
Back
Top Bottom