How To Not Get Extorted By Ransomware

(Following is some material that Slingshot recently wrote up to help guide our customers through securing their IT systems against Ransomware.  It’s too good to not share with the world, though, so here ya go.  BTW, we pair this with a personalized recommendation — just holler if your organization would like a Slingshot consultation!)

 

Introduction

CryptoWall, CryptoLocker, and a variety of other names – they’re all Ransomware, one of the newer and most dangerous types of malicious software (Malware) threatening anyone who uses computers.  Once a computer is infected, these threats can lock your users out of their computers or encrypt your data irreversibly, including data on your servers.

Once the computers and/or data are compromised, users are told they can pay a “ransom” to recover their system and data access, often for thousands of dollars.  Since the culprits are often overseas, they reach over and hide behind the Internet in ways that regular law enforcement can’t help you.  This is extortion, and you just don’t want to be there!

Instead, we want to help you stay safe, so we’ve written this document to do two things:

  • Outline your options to Avoid, Block, Catch, Limit and Recover From Ransomware.
  • Recommend your best options to quickly and thoroughly secure your organization.

Options

Fortunately, there are plenty of ways to avoid paying your way out of Ransomware!

1) Avoid It with User Training:

Some technologies can reduce your risks, but the most important part of the puzzle is training users.  Besides Ransomware, training can help you avoid other threats, such as:

  • Phishing: Masquerading as a trustworthy entity to acquire sensitive information such as usernames, passwords, and credit card details, and sometimes money.
  • Whaling: Phishing that specifically targets organizations’ empowered decision makers.  Targeting details are harvested through Internet searches and/or social engineering attempts.  Hackers will sometimes register a very similar-looking domain, and then email decision makers from what appears to be their bosses, directing them to transfer money to offshore accounts.
  • Pharming: Malware is secretly planted in your computer to hijack your web browser.  When you type in the address of a legitimate Web site, you’re redirected to a fake copy of the site without realizing it, where the attackers can harvest your sensitive information.
  • Vishing: Phishing via telephone, this relies on social engineering techniques to trick you into providing sensitive information.

Informed users are the first line of defense against Internet security threats!  Slingshot can train your staff by several means: easy-to-read advisory documents, “lunch and learn” sessions with a hands-on visual component and Q&A, one-on-one training, or any combination of these.

2) Block It with Perimeter Defense:

The next defense is to block threats at a network level before they reach users (or vice versa).  Here are options and recommendations for each network threat:

  • Malicious File Filtering – Blocks access to Malware and other known dangerous files.
    → We recommend Cyberoam firewalls paired with an Antivirus Filtering subscription for this.
  • Malicious Traffic Filtering – Blocks malicious traffic, like encryption keys used by Ransomware.
    → We recommend Cyberoam firewalls paired with an IPS subscription for this.
  • Geo Blocking – Blocks all traffic from countries known for their criminal Internet reputation.
    → We recommend Cyberoam firewalls with Geo Blocking configured.
  • Web Filtering – Blocks access to websites classified as dangerous. Many firewalls can do this as a blanket solution, but most folks want something more sophisticated.
    → We recommend WebFilter (a Slingshot Managed Service), which we can also set up with per-user policies to shield you from productivity and legal risks.
  • Email Filtering – Blocks spam, dangerous email content, and fraudulent emails. Some email servers can be set up to do some of this, but not very effectively.
    → We recommend MailControl (another Slingshot Managed Service), which we set up and keep tuned up, but which gives users easy self-management over their own filtering.

3) Catch It with Endpoint Protection

Should Ransomware or other malware still get past the user and firewall (e.g. by infected flash drive or using a work laptop outside the office network), additional protections are available:

  • Antivirus software – Installed software to detect and block malware. Windows 8+ has Defender built-in, which is free, but basic and unmanageable. → We recommend Slingshot’s Managed Antivirus (a Slingshot Managed Service) which uses the top-ranked BitDefender scanning engine, and which we set up, manage and monitor.
  • CryptoPrevent – A third party software application that installs on each computer and blocks many Ransomware infections. The commercial version costs around $100 for 50 licenses.
  • Malwarebytes Anti-Ransomware – New program (still in beta) that detects ransomware behavior and blocks the threads that are trying to encrypt files. Currently available for free.

4) Limit It with Secure Settings

Even with a comprehensive protection plan in place, malware is constantly morphing to get around those measures.  If malware gets past the user, firewall, and malware detection, we want to limit its impact as much as possible.  There are two good ways to do this:

  • Software Restriction Policy (SRP) – A built-in Microsoft utility which can be configured to prevent executable files from running from directories that malware commonly tries to use. Basically, this keeps malware from having a foundation to work off.
  • Least User Privilege (LUA) – This is just a matter of using Standard User accounts for everyday work (rather than Administrator accounts). If a user account can only make changes to its own areas, Ransomware running as that user has the same limitations.  (A best practice anyway, LUA also protects against staff accidentally taking down systems, as well as from snooping or malicious users tampering with things they shouldn’t.)
  • Network Share Security – Similar to LUA and “need to know” thinking, server network shares should have their access set to only allow the level of access that’s needed by each user or user group. This requires some thinking about an organization’s groups and who needs what.  (Also a best practice for the same reasons as LUA above).
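Here’s a PowerShell script, added to this write-up as an example (it is not part of Slingshot’s tooling), that checks all three of the settings above on one Windows machine without changing anything: whether a Software Restriction Policy is applied and what its rules are, who is in the local Administrators group, and which shares hand catch-all groups more than Read. It assumes PowerShell 5.1 or later and the SmbShare module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example (not Slingshot's own tooling): read-only audit of the three "Limit It"
# settings on one Windows machine. Assumes PowerShell 5.1+ (Get-LocalGroupMember) and the
# built-in SmbShare module (Windows 8 / Server 2012 and later). Run from an elevated prompt.

function Get-SrpStatus {
    # Software Restriction Policy lives here. DefaultLevel 0 = Disallowed (only listed paths
    # may run); 262144 (0x40000) = Unrestricted (everything runs except listed paths).
    # No key at all means no SRP has been applied.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'None'; PathRules = @() }
    }
    $level = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $levelName = switch ($level) { 0 { 'Disallowed' } 262144 { 'Unrestricted' } default { "$level" } }
    # Each path rule is a GUID key under <level>\Paths with the pattern in ItemData.
    # Rules under 0\Paths block; rules under 262144\Paths allow.
    $rules = Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSParentPath -like '*\Paths' } |
        ForEach-Object {
            $effect = if ($_.PSPath -match '\\0\\Paths\\[^\\]+$') { 'Block' } else { 'Allow' }
            [pscustomobject]@{
                Effect = $effect
                Path   = (Get-ItemProperty -Path $_.PSPath).ItemData
            }
        }
    [pscustomobject]@{ Configured = $true; DefaultLevel = $levelName; PathRules = @($rules) }
}

function Get-LocalAdminReport {
    # LUA check: everyday accounts should not be local Administrators. The built-in
    # Administrator and Domain Admins are expected; anything else deserves a question.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Type     = $_.ObjectClass
            Source   = $_.PrincipalSource
            Expected = ($_.Name -like '*\Administrator' -or $_.Name -like '*\Domain Admins')
        }
    }
}

function Get-OverbroadShareAccess {
    # "Need to know" check: flag non-admin shares that give a catch-all group more than Read.
    # Share permissions are only the outer gate; NTFS permissions on the folder still apply.
    $catchAll = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
    Get-SmbShare | Where-Object { $_.Name -notlike '*$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $catchAll -contains $_.AccountName -and
            "$($_.AccessRight)" -ne 'Read'
        } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Account = $_.AccountName; Right = "$($_.AccessRight)" }
        }
    }
}

# Report everything in one pass.
$srp = Get-SrpStatus
if (-not $srp.Configured) { Write-Warning 'No Software Restriction Policy is applied to this machine.' }
else {
    "SRP default level: $($srp.DefaultLevel)"
    $srp.PathRules | Format-Table -AutoSize
}
'Local Administrators:'
Get-LocalAdminReport | Format-Table -AutoSize
'Shares granting catch-all groups more than Read:'
Get-OverbroadShareAccess | Format-Table -AutoSize
```

An SRP that reports DefaultLevel = Disallowed is the strong form (nothing runs unless a rule allows it); Unrestricted with Block rules on the usual temp and profile folders is the lighter form the bullet above describes. Anything in the Administrators list that isn’t marked Expected is a LUA conversation to have with that user.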

5) Recover From It with Backups

Finally, no matter what you do, bad things can still happen.  If worse comes to worst, there are options for data recovery without paying ransom.
→ Any properly configured server should follow the “3-2-1” Backup Rule:  3 backups, on 2 different media, and 1 offsite.

  • Volume Shadow Copy / Restore Previous Versions / System Restore – Properly configured Windows servers and workstations “snapshot” a backup of their files several times per day. In most cases, these previous versions can be easily restored over the encrypted versions.  Unfortunately, some malware knows how to also corrupt the previous file versions – LUA (above) helps prevent that.
  • Nightly Backups – This is the second layer, usually a full-system (“bare metal”) Windows Backup to an external drive or NAS. Should Volume Shadow Copy have trouble, we can still restore files from this.
  • Offsite Backups – Finally, in the event of any catastrophe, you want a copy of your data offsite. We recommend CrashPlan or JungleDisk for this.
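Since “several times per day” only helps if the snapshots are actually there, here is an added PowerShell check (our example for this post, not a Slingshot product) that lists the shadow copies per drive, flags any drive whose newest snapshot is older than a threshold, and reads Windows Server Backup’s own record of the last nightly run. The 12-hour threshold is an assumption you can adjust; the nightly check assumes the WindowsServerBackup module and is skipped when it isn’t installed.

```powershell
# Added example (not from the post): check that the local snapshot and backup layers exist.
# Assumes a Windows client or server with VSS; the Windows Server Backup check is skipped when
# the WindowsServerBackup module is absent. Run from an elevated prompt.

function Get-ShadowCopyReport {
    # "Several times per day" means a volume whose newest snapshot is older than
    # $MaxAgeHours (an assumed threshold) has lost its cheapest recovery option.
    param([int]$MaxAgeHours = 12)
    $volumes = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter }
    $shadows = @(Get-CimInstance Win32_ShadowCopy)
    foreach ($v in $volumes) {
        # Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form, same as Win32_Volume.DeviceID.
        $mine   = @($shadows | Where-Object { $_.VolumeName -eq $v.DeviceID })
        $newest = ($mine | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
        [pscustomobject]@{
            Drive     = $v.DriveLetter
            Snapshots = $mine.Count
            Newest    = $newest
            Stale     = (-not $newest) -or ($newest -lt (Get-Date).AddHours(-$MaxAgeHours))
        }
    }
}

function Get-NightlyBackupStatus {
    # Second layer: Windows Server Backup's own record of the last run.
    if (-not (Get-Command Get-WBSummary -ErrorAction SilentlyContinue)) { return $null }
    $s = Get-WBSummary
    [pscustomobject]@{
        LastSuccess = $s.LastSuccessfulBackupTime
        Target      = $s.LastSuccessfulBackupTargetPath
        LastResult  = $s.LastBackupResultHR   # 0 means the last run succeeded
        NextRun     = $s.NextBackupTime
    }
}

Get-ShadowCopyReport | Format-Table -AutoSize
$backup = Get-NightlyBackupStatus
if ($null -eq $backup) { 'Windows Server Backup module not present; nightly check skipped.' }
else { $backup | Format-List }
```

A drive with zero snapshots usually means System Protection is off for that volume, which is worth catching before you need a previous version rather than after.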

 

GPO To Set Firewall Exception For Windows 10 RDP

Slingshot recently rolled out several Windows 10 Pro systems for a customer, and discovered their existing GPO’s firewall rules weren’t enough to allow RDP from within the LAN.

Susan’s post Windows 10 and SBS/Essentials Platforms showed how to do it as a one-off.  But I wanted a GPO!  Google let me down, returning a lot of confusion and complicated workarounds.  (I shared this with Susan and she blogged it, which reminded me of my own blog, duh, so here it is!)

I went exploring GPO, and found the right setting under the Advanced Firewall section:  Computer Configuration->Windows Settings->Security Settings->Windows Firewall with Advanced Security->Inbound Rules->New Rule->Predefined->Remote Desktop – RemoteFX:
[Screenshot: GPO for W10 RDP]

That’s it!  Tested and confirmed working in production.

(Note: this is in addition to the usual rules at Computer Configuration->Administrative Templates->Network Connections->Windows Firewall->Domain Profile)
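To confirm on a Windows 10 box that the GPO delivered what you expect, here’s a PowerShell check I’m adding as an example (not part of the post or the GPO itself). It lists the predefined Remote Desktop inbound rules with their source and profile, so you can see that they came from Group Policy and are scoped to the Domain profile rather than Any, and it reads the listener’s own settings, since the firewall exception is only useful if RDP is enabled and Network Level Authentication is required. It assumes the NetSecurity module that ships with Windows 8 / Server 2012 and later; the last function is the local equivalent for a machine that isn’t in the GPO’s scope.

```powershell
# Added example (not from the post): on a Windows 10 PC, confirm what the GPO actually
# delivered. Assumes the NetSecurity module (Windows 8 / Server 2012 and later). Read-only
# except for Enable-RdpDomainOnly, which is the local equivalent for a machine outside the GPO.

function Get-RdpFirewallReport {
    # Each predefined "Remote Desktop" inbound rule, where it came from, and which profile it
    # applies to. For LAN-only RDP you want Domain (or Domain+Private), not Any.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Enabled   = ($rule.Enabled -eq 'True')
                Profile   = "$($rule.Profile)"
                Source    = "$($rule.PolicyStoreSourceType)"   # GroupPolicy when the GPO delivered it
                Protocol  = $port.Protocol
                LocalPort = "$($port.LocalPort)"
            }
        }
}

function Get-RdpListenerStatus {
    # The firewall hole is useless (or risky) without the matching listener settings.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)   # Network Level Authentication
        Port        = $tcp.PortNumber
    }
}

function Enable-RdpDomainOnly {
    # Local equivalent of the predefined rule: turned on, and restricted to the Domain profile.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain
}

Get-RdpFirewallReport | Format-Table -AutoSize
Get-RdpListenerStatus
```

If Source shows Local instead of GroupPolicy on a domain member, the GPO hasn’t applied yet (gpupdate /force and re-run); if Profile shows Any, the rule will follow a laptop onto whatever network it joins next, which is not what “from within the LAN” intends.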

 

Upgrade HP Stream to Windows 10

 

Last December I grabbed a deal on a cheap HP Stream laptop for my family.  It’s been a nice little convenience screen, but with gotchas:
1) Tiny hard drive – 30GB total, with 10 gone to Windows (as expected).  Then HP took another 10 for their partition.
→ So just 10GB for you!  A few apps later and even OneDrive cannot save you.
2) Tiny RAM – 2GB, but only 0.7GB available idling.  HP complicated the 2GB also by bizarrely installing 64-bit Windows (against Microsoft’s recommendation) and wasting its limited RAM.
→ Multiple users?  “Please log out instead of switch user, honey”.
3)…and none of it is upgrade-able.
→ Well, you can do like I did and add a big fast SD card for more storage, but that’s about it.

[Screenshot: Windows 10 on a Stream]
Then Windows 10 came out, and it’s generally great.  It extended Win8’s unified Microsoft logins, and rolled in what was formerly Live’s Family Safety features, making it great for families.  And with the Start Menu back, I now have no worries about moving cheese for business users.  So to me, the Windows 10 upgrade is an automatic yes for any Windows 8 systems or new PCs.

Add 10 to the above challenges, and of course I wanted to kill seven in one blow!   Specifically, 1) move to Windows 10, 2) reclaim drive space from HP’s extra partition, and 3) reclaim RAM from HP’s dumb 64-bit choice.  (Alright, 3 in one blow, whatever).

That brings us to a month ago, when I started this blog post….
TL;DR: 2/3 ain’t bad.  Success on #1 for drive space.  No-go on RAM.  

Problem: HP provides NO 32-bit drivers for the Stream.  Result: non-working touchpad.
Many hours of reinstalling various editions of Windows, and every other trick I’ve learned over 20+ years, and I got Device Manager looking happy, but with no valid chipset drivers (I believe Intel’s Trusted Execution Engine Interface is the main culprit) to expose the touchpad device to Windows.  Actually, I saw a dramatic difference on RAM usage (about 25% more available), but no working touchpad (which is critical for a convenience device like the Stream).  I’ll leave that sad story there — if you want more, lemme know.

But there’s still the upgrade and the drive!

Problem #2: Not enough free-space to do the upgrade.
I ran into several snafus with this, but we can get around that!  Here’s how:

  1. Get an empty 16GB flash drive.
  2. Backup all your data to OneDrive.  Just do it now.  It’s built-in!  And now your stuff is backed up and can just self-load into any future Windows installs.
  3. Use Windows built-in “Reset this PC” feature to return your Stream to factory defaults.  This will wipe everything and free up a ton of space.
  4. Download and run MediaCreationTool64.exe, and let it download and check away.  (FYI, the 32-bit MediaCreationTool.exe will NOT work, and will just pop up an empty or useless error message…)
    When the tool still(!)  complains about not having enough space…
  5. Plug in an empty 16GB USB flash drive and point it at that for temporary storage.  This should let it run.  Be patient, it’s downloading an entire DVD and replacing your OS.  Maybe let it run overnight, but it should work.
  6. You now have Windows 10!
    Login with your Microsoft account and turn on OneDrive.  Your stuff will appear.
  7. …And HP’s partition disappeared!  This is a nice surprise, as I otherwise would have given about 20 more steps to capture product key, capture drivers, repartition the drive, and scratch-install Windows.
    I suspect it means “undoing” the upgrade probably won’t really put it back the way it was, but that way stunk, and this saves you tons of trouble.

Unfortunately, it’s still high RAM usage (I’m currently at 72% with a single Chrome tab open and nothing else running), but it’s significantly more free drive space and Windows 10.   Heck of an ordeal, but a worthwhile improvement.

Decrapify NCH VideoPad

NCH VideoPad is an excellent “free” video editor.

I would recommend VideoPad heartily if NCH didn’t crap on their own work.

But unfortunately “free” needs those scare quotes, because its installer just behaves badly.  Here’s how, and my answer to each:

  1. The installer tries to sneak on several irrelevant crapware apps.
    → This is unfortunately common.  Always click “custom” and uncheck the extras.
  2. Without notice or permission, it pollutes your start menu with web links to other products.
    → Less common, but easy to just delete.
  3. It gets worse: it adds context menu links which prompt you to download and install their Express Zip tool.
    → Download ShellMenuView to remove the menu entries.
  4. The topper: It associates a raft of file extensions to their “Install On Demand Component”.  So when you click on a .DOC or PDF file, you don’t get Word/Wordpad or Adobe Reader, you get railroaded into downloading and installing their Doxillion app.
    → Nobody else had an answer, so I tracked down the registry entries to remove.  Here’s what it looks like as a .reg file:

    Windows Registry Editor Version 5.00
    
    [-HKEY_CLASSES_ROOT\docfile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\docxfile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\htmlfile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\NitroPDFReader.Document.3\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\odtfile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\rtffile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\wpdfile\Shell\NCHconvertdoc]
    [-HKEY_CLASSES_ROOT\wpfile\Shell\NCHconvertdoc]

    (Save as a reg file and run it, or manually delete those paths yourself.)
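The .reg file above only covers the file types I found on my machine. As an added example (mine, not NCH’s and not the .reg file itself), here’s a PowerShell script that searches every file-type key under HKEY_CLASSES_ROOT for a Shell\NCHconvertdoc verb, shows the command each one would launch, and only deletes them when you ask it to, so you can review the list first with -WhatIf. The verb name NCHconvertdoc is taken from the .reg file; run it from an elevated prompt.

```powershell
# Added example (not from the post): find every HKCR file-type key that carries an
# NCHconvertdoc shell verb, show what it launches, and remove it on request.
# Assumes the verb name used in the .reg file above. Run from an elevated prompt.

function Get-NchShellVerb {
    param([string]$VerbName = 'NCHconvertdoc')
    # PowerShell has no HKCR: drive by default; map one for the registry provider.
    if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HEY_CLASSES_ROOT -ErrorAction Stop | Out-Null
    }
    Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue | ForEach-Object {
        $verbKey = "HKCR:\$($_.PSChildName)\Shell\$VerbName"
        if (Test-Path $verbKey) {
            # The verb's command sits in the (default) value of its "command" subkey.
            $cmd = (Get-ItemProperty -Path "$verbKey\command" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ ProgId = $_.PSChildName; Key = $verbKey; Command = $cmd }
        }
    }
}

function Remove-NchShellVerb {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$VerbName = 'NCHconvertdoc')
    Get-NchShellVerb -VerbName $VerbName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Key, 'Remove shell verb')) {
            Remove-Item -Path $_.Key -Recurse
        }
    }
}

# Usage: review first, then dry-run, then remove.
Get-NchShellVerb | Format-Table -AutoSize
Remove-NchShellVerb -WhatIf
# Remove-NchShellVerb
```

Wait, that New-PSDrive line has a typo in the root name; it must read HKEY_CLASSES_ROOT. Corrected block:

```powershell
# Added example (not from the post): find every HKCR file-type key that carries an
# NCHconvertdoc shell verb, show what it launches, and remove it on request.
# Assumes the verb name used in the .reg file above. Run from an elevated prompt.

function Get-NchShellVerb {
    param([string]$VerbName = 'NCHconvertdoc')
    # PowerShell has no HKCR: drive by default; map one for the registry provider.
    if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction Stop | Out-Null
    }
    Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue | ForEach-Object {
        $verbKey = "HKCR:\$($_.PSChildName)\Shell\$VerbName"
        if (Test-Path $verbKey) {
            # The verb's command sits in the (default) value of its "command" subkey.
            $cmd = (Get-ItemProperty -Path "$verbKey\command" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ ProgId = $_.PSChildName; Key = $verbKey; Command = $cmd }
        }
    }
}

function Remove-NchShellVerb {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$VerbName = 'NCHconvertdoc')
    Get-NchShellVerb -VerbName $VerbName | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Key, 'Remove shell verb')) {
            Remove-Item -Path $_.Key -Recurse
        }
    }
}

# Usage: review first, then dry-run, then remove.
Get-NchShellVerb | Format-Table -AutoSize
Remove-NchShellVerb -WhatIf
# Remove-NchShellVerb
```

The Command column is the useful part: it shows you exactly what a “convert” click would have run before you delete the verb, and the same walk finds any file types the fixed list above missed.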

It’s a shame — VideoPad has a paid premium version with more features, and I would recommend it heartily if NCH didn’t crap on their own work.

Possible alternative: it looks like you can make VideoPad Portable (http://portableapps.com/node/19682).  That certainly keeps it clean.

 

Fool me 8 times, shame on me.

  1. Reader
  2. Postini
  3. Calendar sync
  4. iGoogle
  5. Gears
  6. Code Search
  7. Pack
  8. and now Voice XMPP integration

These are a few of my favorite things,
…that Google has yanked out from under my feet.

And let’s not forget Gmail’s Activesync. (That’s why I switched to Outlook.com, and happily).

Why are geeks still trusting Google? We should know better by now.

You can remember dozens of other loved ones in The Google Graveyard

Dear Acer: It’s your own fault

So Microsoft is about to sell its own hardware running Windows.    And Acer is unhappy, because Microsoft is effectively competing with its own partners.

Now, working for a Microsoft Partner, I can understand the feeling.  I have my beefs with Microsoft, like how they’ve just disenfranchised Small Business Specialists and cut down Small Business Server at the knees.
(The 30-day discontinuation of SBS on SA is really throwing us for a loop now, since we relied on TechSoup to provide affordable solutions to non-profits, and TechSoup only has SA software, not OEM.)

But consider this:

Acer and their ilk have been making Windows suck.

How so?   What do you think you should get to do after first powering up your brand-new computer?   Hours manually uninstalling paid Norton or McAfee trials, a dozen manufacturer addons, and a dozen more partner promotions?   Me neither.    Here’s our experience:

  • Once upon a time, we manually removed the junk, as a labor of love. 
  • A few years ago we started using PC-Decrapifier to help automate the process, followed by CCleaner for the remnants.  Down to an hour or so…
  • Last year, we started wiping the (brand new) systems, and scratch installing from Microsoft’s own media.   It’s some upfront work, but actually faster, and the result is so much better.  (The only downside is tracking down weird laptop drivers).

 

Last week we bought an Acer netbook, and (for some crazy reason) gave their install a shot.   After powering up and doing some standard Windows configuration, Acer started their first-run customization process.   Now I’ve done this a LOT, and know this process should take about a minute or two.

Instead, it took 45 minutes, and crashed with a BSOD.

Then, after finally getting past “buy me” promos, it was sluggish.   Task Manager showed 35% CPU gone to a McAfee trial, and 67% RAM used overall, when I HAD RUN NO PROGRAMS YET.   Did we buy a pet to run for our amusement, and do nothing useful?

 

Dear Acer, I don’t like the idea of Microsoft taking their ball back either, but you dropped it, and someone’s gotta run the bases.  

 

P.S.  Also noteworthy about the Microsoft shift is that’s how Apple sells:  unified software AND hardware.  Other criticisms aside, Apple delivers a pretty tight package. 

How to redirect OWA HTTP to HTTPS (the actually easy way that works)

 

With SBS 2008, if you try to open Outlook Web Access at http://remote.example.com/owa, you’ll get “Error 403 – Forbidden: Access is denied…”, because SSL is required in IIS.   The proper URL is https://remote.example.com/owa, but most users don’t remember that little “s”.

As a note, SBS 2011 already redirects this for you.  But if you’re stuck with SBS 2008, there are tons of articles that show how to automatically redirect users:

Microsoft has 4 different articles on the topic, but the forums are still covered with it.  The solutions vary on a few themes:

  • Redirect in IIS on the Default website (doesn’t work since that site doesn’t actually answer those HTTP requests in SBS).
  • Disable Require SSL, and edit OWA’s default.aspx to Response.Redirect (doesn’t work because it’s precompiled and handled by a DLL).
  • Set a redirect or custom 403 page on the actual OWA directory to a custom SSLRedirect.html with a Meta redirect (might work, but clunky & straight outta 1998!)

Other solutions either forget you can’t get past “Require SSL” to reach the redirect, or they don’t know you’ve already been redirected (creating an infinite redirect loop and a “Too many Redirects” error).

I think I have a much simpler solution — Just set the OWA directory’s 403 error to redirect to the right URL.  Here’s how:

  1. Start the Internet Information Services (IIS) Manager snap-in.
  2. Expand the local computer, expand Sites, and then click SBS Web Applications.
  3. At the bottom of the SBS Web Applications Home pane, click Features View if this option is not already selected.
  4. In the IIS section, double-click Error Pages, and double-click 403 in the list.
  5. In the Edit Custom Error Page dialog, select Respond with a 302 redirect.
  6. Type the Absolute URL of the /owa virtual directory. For example, type https://mail.contoso.com/owa.
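For anyone who would rather script it than click through IIS Manager, here is the same change made with appcmd.exe, plus a check that an HTTP request really comes back as a single 302 to the HTTPS URL (and not the redirect loop some of the other approaches produce). This is an added example of mine, not from the articles above or from Microsoft; it assumes the OWA application is at “SBS Web Applications/owa” as on SBS 2008, and mail.contoso.com is a placeholder for your own name.

```powershell
# Added example (not from the post): set OWA's 403 error page to a 302 redirect with
# appcmd.exe, then verify the redirect from the outside. Assumptions: the OWA application is
# "SBS Web Applications/owa" (SBS 2008 layout); mail.contoso.com is a placeholder host name.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$owaApp = 'SBS Web Applications/owa'
$owaUrl = 'https://mail.contoso.com/owa'

function Set-OwaForbiddenRedirect {
    # Drop any 403 entry already defined (or inherited) for this path, then add one that
    # answers with a 302 to the absolute HTTPS URL. That is what "Respond with a 302 redirect"
    # in the GUI writes: responseMode="Redirect" with path set to the URL.
    & $appcmd set config $owaApp /section:httpErrors "/-[statusCode='403']" 2>$null | Out-Null
    & $appcmd set config $owaApp /section:httpErrors "/+[statusCode='403',path='$owaUrl',responseMode='Redirect']"
}

function Test-OwaRedirect {
    # Ask for the plain-HTTP URL without following redirects, so we see the 302 itself.
    param([string]$HttpUrl = 'http://mail.contoso.com/owa')
    $req = [System.Net.HttpWebRequest]::Create($HttpUrl)
    $req.AllowAutoRedirect = $false
    $req.Method = 'GET'
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }   # no response at all: DNS/connection problem
        $resp = $_.Exception.Response                # 4xx/5xx responses land here
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    [pscustomobject]@{
        Status   = $status
        Location = $location
        Ok       = ($status -eq 302 -and $location -like 'https://*/owa*')
    }
}

Set-OwaForbiddenRedirect
Test-OwaRedirect
```

A Status of 403 with no Location means the setting didn’t land at the /owa level (check that the httpErrors section isn’t locked higher up); a 302 whose Location is still http:// is the loop the other methods fall into.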

 

OWA’s Error Pages list should look like this when you’re done:

[Screenshot: OWA Error Pages list with the 403 entry set to a 302 redirect]

Hope it helps someone.

Vista/Win7 Solution: Skip the Switch User screen

So I’ve been happily using Windows 7 for a couple years (since the beta), but just finally moved my family into it, and discovered a new issue in the process:

Like XP, the “Win+L” key combination locks your profile so the next person won’t “be you.” But instead of the main Welcome screen with the list of accounts, you get the Switch User screen, with a button to take you to the real Welcome screen. This is a confusing extra step when you’re the next guy just looking to log in.

I did some research, and it looks like a LOT of folks have wondered how to skip the Switch User screen, but without luck.

Not sure, but I may be the first with a decent solution. The ingredients are tsdiscon.exe (which does the “Switch User”), and Task Scheduler (which hooks it up to the Win+L combination), both of which are built into Windows. Here’s how:

  1. Click Start, type taskschd.msc, enter. Confirm any UAC prompts you get, and Task Scheduler will open.
  2. In the Action menu, click Create Task.
  3. In the Create Task dialog > General tab, type a meaningful Name like “Lock » Switch User”
  4. In the Security options section, click the “Change User or Group” button, type _Users_ in the dialog and click OK.
  5. On the Triggers tab, click the “New…” button. In the New Trigger dialog > “Begin the task” list, choose “On workstation lock” and click OK. This takes you back to the Create Task dialog.
  6. In the Actions tab, click the “New…” button. In the New Action dialog > “Program/script” field, type tsdiscon.exe and click OK. This takes you back to the Create Task dialog.
  7. Click OK again and enter the password for the administrative account it offers.
  8. Test it! Press Win+L and you should see the Switch User screen for a moment, then the main Welcome screen.
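If you want to roll this out to more than one machine, here is a scripted version of the same task, added as an example of mine rather than something from the post. Windows 7 has no ScheduledTasks PowerShell module, but schtasks.exe can register a task from its XML definition, and the XML can express the “On workstation lock” trigger and the Users group principal that steps 4 and 5 set in the GUI. The task name matches the post; BUILTIN\Users is assumed to be S-1-5-32-545 (its well-known SID), and the script refuses to register if tsdiscon.exe isn’t in System32.

```powershell
# Added example (not the post's): create the "On workstation lock -> tsdiscon.exe" task by
# registering a task-definition XML with schtasks.exe. Run from an elevated prompt.
# Assumptions: task name as in the post; BUILTIN\Users = S-1-5-32-545.
$taskName = 'Lock » Switch User'
$taskXml = @'
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>After Win+L, disconnect the session so the Welcome screen shows instead of Switch User.</Description>
  </RegistrationInfo>
  <Triggers>
    <SessionStateChangeTrigger>
      <Enabled>true</Enabled>
      <StateChange>SessionLock</StateChange>
    </SessionStateChangeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT1M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>tsdiscon.exe</Command>
    </Exec>
  </Actions>
</Task>
'@

function Register-LockToWelcomeTask {
    if (-not (Test-Path "$env:windir\System32\tsdiscon.exe")) {
        throw 'tsdiscon.exe is not present on this edition of Windows; copy it into System32 first.'
    }
    $xmlPath = Join-Path $env:TEMP 'lock-switch-user.xml'
    # The XML declares UTF-16, so write it as Unicode (UTF-16LE with BOM).
    $taskXml | Out-File -FilePath $xmlPath -Encoding Unicode
    & schtasks.exe /Create /TN $taskName /XML $xmlPath /F
    Remove-Item $xmlPath
}

function Test-LockToWelcomeTask {
    # Dumps the task back out as Task Scheduler parsed it: trigger, principal and action.
    & schtasks.exe /Query /TN $taskName /XML ONE
}

Register-LockToWelcomeTask
Test-LockToWelcomeTask
```

Two settings in the XML matter on laptops: DisallowStartIfOnBatteries and StopIfGoingOnBatteries are both false, because the GUI defaults would quietly skip the task whenever the machine is unplugged. Running as the Users group with LeastPrivilege keeps the task in the locking user’s own session and needs no stored password.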

2011-01-17 UPDATE:  As I was setting up this tweak on a new system, I noticed Windows 7 HOME doesn’t include tsdiscon.exe. It’s easy enough to copy from a Win7 Pro machine (from/to %windir%\System32), and then works as I described.

2011-02-10 UPDATE:  It looks like I was on the same track as Duncan Smart.  He didn’t automate it with Task Scheduler, but he did write a downloadable substitute for tsdiscon.exe (handy if you have no access to a Windows PRO machine).