Webroot Ransomware Prevention Guide

Malware Prevention Guide

Use a reputable, proven, multi-layered endpoint security solution.

This is a question we are frequently asked: “Which endpoint security solution will provide 100% protection against malware?” Even the most advanced endpoint security, which we pride ourselves on innovating and striving for, will not be 100% effective all the time.

Look for real-time anti-phishing to stop links to phishing websites in email, web browser protection to block browser-based threats, and web reputation to block potentially dangerous sites. You can also make changes to your computers and your environment to further secure things.

Cybercriminals are always looking for ways to bypass endpoint security protection. Their methods of attack will continue to evolve. Every day, new malware campaigns are created. The malware is then packaged or delivered in such a way that it remains undetectable by antivirus.

Back up your data.

Ransomware is a very dangerous threat to your data, and if it succeeds, backups are your best protection. Protecting an environment with backups that have been tested and proven to work is vitally important.

Keep in mind when you plan your backup strategy that ransomware can also encrypt files on mapped drives, and that some modern variants also look for unmapped drives, USB drives and network file stores.

Carbonite Endpoint 360 is an automated backup solution that protects all endpoint devices and data. This includes data in Microsoft O365.

A backup routine that backs up data to external drives or to a backup service that is disconnected when it isn’t performing a backup is essential.

It is a good idea to have at least three backups of your data and systems.

  • Your primary storage area (fileserver)
  • Local disk backup
  • Mirrors in a cloud service for business continuity

This setup will allow you to quickly restore the functionality of your IT systems and mitigate any ransomware attack.

User Education

Your users, the “human firewall” between your computers and the rest of the internet, are often the weakest security link. User security education is often neglected. With the availability of self-paced online courses, there is no reason not to use those tools to educate your users about the risks they face at work and at home.

Webroot offers Security Awareness Training. This training helps users recognize emails intended to harm them or steal information.

A user may receive an invoice, receipt, or other attachment from someone they don’t know. It is a good idea to warn users not to click “Enable Content” in Word documents received by email.

Webroot and Ransomware Payloads

We have written many articles and blogs on how to protect yourself against modern-day extortionists as the severity and impact of crypto-ransomware attacks and threats have increased. We don’t believe our customers or any business should have to choose between losing valuable, irreplaceable data and paying extortion.

There are many options when it comes to endpoint protection. Although published detection tests can help when choosing a solution for crypto-ransomware detection, many of these tests are flawed: many products achieve 100% detection results in testing that cannot be replicated in real life.

Webroot is well known for its ability to stop crypto-ransomware, and our primary goal is to be 100% effective. Webroot was the first antimalware and antivirus vendor to abandon signature-based file detection, harnessing the power of cloud computing to replace traditional reactive antivirus. It provides proactive endpoint monitoring and threat information, protecting each endpoint individually while analyzing and sharing threat data collectively. Webroot solutions can accurately categorize executable files and processes at the time of execution to determine their status.

Webroot uses this method to quickly identify and block many more infections than signature-based methods can, and it is highly effective at stopping crypto-ransomware.

Webroot’s approach to infection prevention has consistently proven its effectiveness in stopping crypto-malware in real time. It addresses threats as soon as they attempt to infect devices, stopping them from starting and preventing any further encryption.

No matter what endpoint security system you choose, ensure that it offers multi-tenant and multilayered protection against malware. This will help to quickly identify external threats and suspicious behavior. It is crucial to have a next-generation endpoint security system that protects against more than just file-based threats.

Secure remote desktop access and prevent weak passwords.

Cybercriminals constantly scan the internet for common remote desktop ports. They then brute-force these systems with combinations of common usernames and weak passwords to gain access. Once access is gained, the intruder may disable security software, install ransomware variants, create user accounts and download other malicious software.

To help protect RDP and avoid this type of attack, we recommend following the steps below:

To prevent scanning of an open port:

  • Restrict RDP to whitelisted IPs
  • Require two-factor authentication, e.g. smartcards
  • Protect your computer with software that stops RDP brute-force attempts
  • Create a GPO to enforce strong password requirements: https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
  • Change the default RDP port 3389 to another unused port

You can change the default port by running the following command in an elevated prompt.

The parameter “XXXXX” indicates the port number to which you wish to move RDP. It is recommended that you choose a random port number that isn’t in use and is outside the 33XX port range.

  • Block RDP completely (port 3389) via firewall
  • Restrict RDP to whitelisted IP ranges
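The port change and IP whitelisting described above, written out as an added PowerShell example (not the guide’s own command); run it from an elevated PowerShell on the host being hardened. The port number and the allowed address ranges are placeholder values you must replace.

```powershell
# Added example (not from the Webroot guide): move the RDP listener off TCP 3389 and
# restrict inbound access to an allow-list of management ranges.
# $NewPort and $AllowedFrom are placeholders; choose values that fit your environment.

$NewPort     = 49751                              # placeholder: an unused port outside 33XX
$AllowedFrom = @('10.0.0.0/8', '192.0.2.0/24')    # placeholder management ranges
$RdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpListenerPort {
    param([int]$Port)
    if ($Port -lt 1024 -or $Port -gt 65535) { throw "Port $Port is out of range" }
    # Refuse a port that something else is already listening on.
    if (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue) {
        throw "Port $Port is already in use"
    }
    # PortNumber is the registry value the Remote Desktop service reads at start-up.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

function Set-RdpFirewallRules {
    param([int]$Port, [string[]]$RemoteAddress)
    # Replace any earlier rule of ours, allowing the new port only from the listed ranges.
    Get-NetFirewallRule -DisplayName 'RDP (restricted)' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP (restricted)' -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow | Out-Null
    # Explicitly block the well-known port; block rules win over the built-in allow rules.
    Get-NetFirewallRule -DisplayName 'RDP (block 3389)' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP (block 3389)' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block | Out-Null
}

Set-RdpListenerPort  -Port $NewPort
Set-RdpFirewallRules -Port $NewPort -RemoteAddress $AllowedFrom
# The listener only moves after the Remote Desktop Services service restarts (this drops
# active sessions) or after a reboot.
Restart-Service TermService -Force
```

Set the firewall rules before restarting the service so there is no window in which the new port is reachable from everywhere.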

Windows Event Viewer can also be used to detect possible intrusions. This lets you see what cybercriminals are doing in their attempts to get into your environment and helps you adjust or add security precautions. Here is an example of how to filter event logs for event ID 4625 (An account failed to log on).
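The same 4625 filter done from PowerShell, as an added example that is not part of the guide: it reads the Security log, extracts the source address and account from each failed logon, and groups them so a single address hammering many accounts stands out. The threshold, the function names and the sample records are assumptions; the sample records are constructed so the grouping logic can be run without a Security log.

```powershell
# Added example (not from the Webroot guide): summarise Security event 4625
# (An account failed to log on) so repeated RDP password guessing stands out.

function Get-FailedLogons {
    param([int]$Hours = 24)
    # Reads real 4625 events from the local Security log (needs administrative rights).
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()                    # EventData fields live in the event XML
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            Source    = $d['IpAddress']
            LogonType = $d['LogonType']         # 10 = RemoteInteractive (RDP), 3 = network
        }
    }
}

function Find-BruteForceSources {
    param([Parameter(ValueFromPipeline)]$Event, [int]$Threshold = 10)
    begin   { $all = @() }
    process { $all += $Event }
    end {
        # Many failures across several accounts from one address is the pattern to act on.
        $all | Group-Object Source | Where-Object Count -ge $Threshold | ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Failures = $_.Count
                Accounts = ($_.Group.User | Sort-Object -Unique) -join ','
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
    }
}

# Constructed sample records standing in for Get-FailedLogons output (offline demo):
# twelve failures from one address against four accounts, plus one stray failure.
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = (Get-Date).AddMinutes(-$_); User = "user$($_ % 4)"
                       Source = '192.0.2.10'; LogonType = '10' }
}
$sample += [pscustomobject]@{ Time = Get-Date; User = 'alice'; Source = '198.51.100.7'; LogonType = '10' }

$sample | Find-BruteForceSources -Threshold 10 | Format-Table -AutoSize
# On a live system: Get-FailedLogons -Hours 24 | Find-BruteForceSources
```

Only 192.0.2.10 is reported, since 198.51.100.7 has a single failure and stays under the threshold.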

Keep your software current and patch it.

Another common vulnerability is unpatched software. Exploit kits were used to distribute older ransomware such as Locky and CryptXXX. Exploit kits target vulnerabilities in Adobe Flash Player, Oracle Java, and Internet Explorer.

Unpatched software can be exploited by an exploit kit landing page, which can execute arbitrary code and start a silent download. Exploits for vulnerabilities that have not yet been patched are known as “zero-day” exploits; zero-day threats are new and completely undetected by antivirus systems until further investigation is done, so system administrators must keep software up to date. To mitigate attacks where outdated software is present in your environment, download and install Microsoft’s EMET. (EMET has since reached end of support; on Windows 10 and later its mitigations are provided by the built-in Exploit Protection feature.)

Disable script file execution

Webroot has also seen ransomware variants that are sent as email attachments. These malicious attachments are often a zip archive containing a script whose purpose is to download and execute a ransomware or malware payload.

To prevent this type of attack, Webroot recommends that script file types are not allowed to execute.

Example of Spam Email

We recommend that you choose the best solution for your environment to stop these scripts and documents from running.

Block WSF, VBS, WSH, HTA, and JS files

You have three options to stop script files from running on a computer.

Option 1: REDIRECT SCRIPT FILE EXTENSIONS VIA GPO

This policy setting can be enabled by opening the Group Policy management console and navigating to the following settings:

User Configuration – Preferences – Control Panel Settings – Folder Options

Right-click Folder Options and navigate to New > Open With.

Enter the unwanted extension (e.g. wsf) in the File extension box, then enter the path to the program that you wish to use as the default to open the file (a harmless program such as a text editor, rather than the script host).

Tick “Set as default” and press OK.

A system administrator may still need to run a WSF, VBS, JS or other script file. This can be done by running the WScript program with the script file as its argument.

Option 2: REDIRECT SCRIPT FILE EXTENSIONS VIA THE WEBROOT CONSOLE

You can also redirect file extensions with the utility below if Group Policy is not available. By downloading the utility, you acknowledge that you agree to the terms at https://download.webroot.com/UtilityEula.html.

In the event of conflicting terms, any existing agreement between Webroot and you regarding the use of the utility software will prevail.

  1. Log in to the Webroot Enterprise console and click Group Management.
  2. Select the hostnames you wish to apply it to, then choose Agent Commands > Advanced > Customer Service Diagnostics.
  3. Enter the following link in the URL field.

Command-Line Options: the following commands are available for the field:
-disable: This command changes the default action for the file types .hta, .jse, .js, .vbs, .vbe, .wsf and .wsh to show a message box similar to the one below:

Refer to the below screenshot to see how you can do this from the Webroot Endpoint console.

-disable “Custom Message”: This command also changes the default action for the file types, but additionally lets you specify the message that you want the user to see. The “Custom Message” parameter is the message displayed to any user who opens a script file; the text must be enclosed in quotes. You can optionally include %1 in the custom message, which is replaced with the name of the file that was blocked, like this:

Refer to the below screenshot to see how you can do this from the Webroot Endpoint console.

-enable: This command restores default execution for the file types described above.

Refer to the below screenshot to see how you can do this from the Webroot Endpoint console.

4. To send the command to your system, click “Download and Execute”.

Notice: The “View commands for selected endpoints” option under the “Agent Commands” menu allows you to view the status of all sent commands. It may take up to 24 hours for this command to reach the appropriate endpoints, depending on their poll interval. To force a poll or configuration update, locate the Webroot icon in the system tray, right-click it, then select “Refresh Configuration”.

5. You can check that script files are blocked by opening a file of a blocked type.

Option 3: DISABLE WINDOWS SCRIPT HOST

Windows Script Host (C:\Windows\System32\wscript.exe) is an application within Windows that interprets .vbs, .vbe, .js, .jse, .wsf and other types of script files; it executes a script when it is run. You may wish to disable Windows Script Host completely, which you can do by following the steps below. By downloading the utility, you acknowledge that you agree to the terms at https://download.webroot.com/UtilityEula.html. If there is a conflict between those terms and any existing agreement you have with Webroot regarding your use of the utility software, the existing agreement will prevail.

The Webroot Console

1. Log in to the Webroot Enterprise Console and click Group Management.
2. Select the hostnames you wish to apply it to, then choose Agent Commands > Advanced > Customer Service Diagnostics.
3. In the URL field, enter the following link:
https://download.webroot.com/DisableWSCRYPT.exe
4. Command-Line Options: the following commands are available for the field:

This command activates WScript and allows the execution of script files.

5. To send the command to your system, click “Download and Execute”.

Notice: The “View commands for selected endpoints” option under the “Agent Commands” menu allows you to view the status of all sent commands. It may take up to 24 hours for this command to reach the appropriate endpoints, depending on their poll interval. To force a poll or configuration update, locate the Webroot icon in the system tray, right-click it, then select “Refresh Configuration”.

6. To ensure WScript is blocked, open a command prompt, type “wscript” and press Enter. The following message should appear:

Manually – 64-bit

You can disable Windows Script Host by running the following commands in an elevated command prompt:

The following steps can be used to re-enable Windows Script Host:

Manually – 32-bit

You can disable Windows Script Host by running the following commands in an elevated command prompt:
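The manual disable and re-enable steps for both 64-bit and 32-bit Windows use the same documented Windows Script Host registry switch; here it is as an added PowerShell example (not the guide’s own commands, and not the Webroot utility), with a constructed harmless probe script to verify the result. Function names are assumptions. Run it from an elevated PowerShell.

```powershell
# Added example (not from the Webroot guide): disable or re-enable Windows Script Host
# through its registry switch. The HKLM key applies to every user on the machine; the same
# 'Settings' key under HKCU overrides it for a single user.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-WindowsScriptHost {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    # Enabled = 0 makes wscript.exe and cscript.exe refuse every .vbs/.vbe/.js/.jse/.wsf script.
    Set-ItemProperty -Path $WshKey -Name Enabled -Value ([int]$Enabled) -Type DWord
}

function Test-WindowsScriptHost {
    # Returns $true when WSH is allowed (value missing or non-zero), $false when disabled.
    $v = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($null -eq $v) -or ($v -ne 0)
}

Set-WindowsScriptHost -Enabled $false
Test-WindowsScriptHost          # expected: False

# Verify end to end with a constructed, harmless probe script: once WSH is disabled the
# script host reports that access is disabled instead of echoing the text.
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'
Set-Content -Path $probe -Value 'WScript.Echo "WSH is still enabled"'
cscript //nologo $probe
Remove-Item $probe

# To restore the default behaviour: Set-WindowsScriptHost -Enabled $true
```

Because the check is read each time a script host starts, no reboot is needed for the change to take effect.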

Disable macro execution.

Although Office macros may be useful in some environments, in most they aren’t necessary and they pose a security risk. Ransomware might attempt to use macro scripts in documents as a way to deliver malicious payloads.

Macro example:

To enable this policy setting, run gpedit.msc and navigate to the following setting:

Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center

Notice: You can disable macros manually in the application’s Trust Center settings if Group Policy is not available.

Stop users from running PowerShell via GPO

Run gpedit.msc to enable this policy setting. Navigate to the following setting:

Configuration > Administrative Templates > System

  1. Double-click “Don’t run specified Windows applications”.
  2. Select the Enabled radio button to enable the policy.
  3. Click Show, add powershell.exe to the list of disallowed applications, and click OK.
  4. Try to run PowerShell to verify that it is blocked.
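The same restriction applied for the current user through the registry values that this policy sets, as an added example (not from the guide). Function names are assumptions; the one executable listed is the one the guide names.

```powershell
# Added example (not from the Webroot guide): apply "Don't run specified Windows
# applications" for the current user via the registry values the GPO writes.
# Scope caveat: this policy is enforced by Explorer, so it stops launches from the Start
# menu, Run dialog and double-click; pair it with the script-host and macro controls above.

$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DisallowKey = Join-Path $PolicyKey 'DisallowRun'

function Set-DisallowedApps {
    param([string[]]$Executables)
    # The policy is a DWORD switch plus a subkey whose values "1","2",... name each blocked exe.
    foreach ($k in $PolicyKey, $DisallowKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -Path $PolicyKey -Name DisallowRun -Value 1 -Type DWord
    # Clear earlier entries so the list matches exactly what was requested.
    (Get-Item $DisallowKey).Property | ForEach-Object { Remove-ItemProperty -Path $DisallowKey -Name $_ }
    $i = 1
    foreach ($exe in $Executables) {
        Set-ItemProperty -Path $DisallowKey -Name ([string]$i) -Value $exe -Type String
        $i++
    }
}

function Get-DisallowedApps {
    # Returns the executable names currently listed, for verification or audit.
    if (-not (Test-Path $DisallowKey)) { return @() }
    $item = Get-Item $DisallowKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

Set-DisallowedApps -Executables @('powershell.exe')
Get-DisallowedApps              # expected: powershell.exe
# Explorer reads the list at next logon; a blocked launch shows "This operation has been
# cancelled due to restrictions in effect on this computer."
```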