21 May 2016

Nearly every day one can read horror stories about new ransomware variants in the media. The new variations encrypt not only the victim’s files. In addition, they change the computer’s configuration to make recovery with windows tools harder, thus to add weight to their ransom demand.

The PETYA ransomware overwrites the master boot record of the computer’s hard disk. The 7ev3n ransomware e.g. disables the Windows default recovery options by executing some bcdedit commands. In addition, this variant allows components to run with elevated rights without displaying a UAC (User Account Control) prompt.

With this, recovery from a ransomware attack becomes much more difficult and elaborate. But this is also a clear indicator for the lack of basic cyber hygiene.

When signed in as standard user one will just get the error message ‘Access is denied’ when a bcdedit command is run from shell program. The same is true for the PETYA ransomware that overwrites the master boot record of the computer’s hard disk.

Without administrative privileges and with UAC set to ‘Always notify me’ it is just not possible to destroy the master boot record, or to get elevated rights by using the auto-elevation capabilities of Windows. Period.

Basic cyber hygiene will not avoid the risks of ransomware, but it is a good preventive means for reducing this and lots of other risks.

The FBI published some really remarkable Tips for Dealing with the Ransomware Threat. Here is an excerpt from the list:

• Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
• Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
• Disable macro scripts from office files transmitted over e-mail.

Great tips, easy to implement, even for SME and end users.

Have a good weekend.