How to Deal with Ransomware


What is Ransomware?

Ransomware is a type of malware or virus that prevents user access to devices, files or applications, requiring the victim to pay a ransom (money or information) to regain access. The ransomware that we most often see encrypts the user’s files (for example: Crowti, Tescrypt and Locky) and then asks the user to pay a ransom in bitcoins (or similar payment method). If you would like to learn more about ransomware in general, you should take a look at the articles and blog posts listed under the references section at the end of this post.

How can I protect my users from ransomware?

Office 365 has several integrated protections against malware that are enabled by default; however, we still see customers being affected by ransomware threats. There are several reasons why this could happen, for example when users visit a website infected with ransomware or open an email attachment infected with ransomware from their personal or corporate email accounts. Some possible attachments could be:

  • Executables (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
  • Office files that support macros (doc, xls, docm, xlsm, pptm, etc.)

Below are some recommendations to protect your users against this threat.

Provide security awareness and education

Providing security awareness and education to your users is a good practice and can be used as an effective prevention mechanism. If users are able to identify security threats such as ransomware, they will be less susceptible to the threat. Also, educating users on how to react in a security incident or if their device has been infected with ransomware will make the recovery process less painful and minimize the risk of the infection spreading further.

Keep antivirus/antimalware solutions running and up to date

Installing an antivirus solution like Windows Defender and keeping it up to date will prevent many instances of ransomware and malware from affecting your organization. Windows Defender and Microsoft Security Essentials will help protect your users and proactively remove many of the known ransomware attacks such as Crowti, Tescrypt, Nymaim, Troldesh, Reveton, etc…

Enable Microsoft Active Protection Service (MAPS) cloud-based protection

Microsoft Active Protection Service (MAPS) is a cloud-based service that will provide greater malware protection through cloud-delivered malware-blocking decisions and leverage the latest ecosystem-wide detection techniques offered through the cloud. To learn more about MAPS and how to enable it, see the “MAPS in the cloud: How can it help your enterprise?” blog post.

Regularly backup your files

As recommended by the Microsoft Malware Protection Center (MMPC) in their “Backup the best defense against (Cri)locked files” blog post, you should back up your files on a regular basis by enabling System Restore, using manual syncing methods, or even by manually moving your files to a separate drive. We recommend that your backups are kept in an external, non-mapped or not synced storage.

Use OneDrive for Business

OneDrive for Business can be used as a protection mechanism against ransomware. If your organization utilizes OneDrive for Business, OneDrive will allow you to recover files stored in it. More on this in the “Recover your files in your OneDrive for Business” section below.

Beware of Phishing emails and Malicious attachments

Be careful when opening emails and look for phishing indicators, especially if the email contains an attachment that can be used to deliver ransomware (such as exe, js, vbs and ps, or Office document types that support macros such as .doc, .xls or .xlm). For more details about phishing emails and how to mitigate them, please take a look at our previous blog post, “How to review and mitigate the impact of phishing attacks in Office 365”.

Keep Windows and installed software up-to-date

You should use the latest versions of your operating system and installed software (internet browser, mail client, etc.). The latest versions of Windows and other software running on your computer support new functionalities and features that help you prevent security threats. For example, Windows 10 already includes protections against ransomware by default, such as Windows Defender with MAPS (cloud-based protection). Another example is that the latest versions of Microsoft web browsers have SmartScreen enabled to prevent your users from visiting known malicious websites or downloading known malicious files. It is essential that the software your users are using (browsers, Java, Flash, etc.) is kept up to date. Updates and patches fix known security vulnerabilities and add new security functionality.

Enable file history or system protection

If you are infected by ransomware, you should make sure that you are able to recover the files by using File History as described in Step 4 below. To be able to recover previous versions of your files on your Windows 10 or Windows 8.1 devices, you must have File History enabled and you have to set up a drive for File History. If you are using Windows 7 or Windows Vista, the feature is named System Protection. Please note that some ransomware will also encrypt or delete the backup versions, in which case this is not a viable solution.

Use Exchange transport rules to protect users against emails with attachments vulnerable to Ransomware

A common ransomware attack leverages macros or executables in email attachments to infect their victims’ devices. Exchange transport rules can be used to protect your users by:

  1. Warning users about the risk of macros if they receive any attachments with file extensions that support macros.
  2. Tracking users who have received an attachment with a file extension that supports macros.
  3. Blocking mail with attachments that allow users to run macros (especially legacy file extensions like .doc) or that are executables.

In addition, you can disable macros in Office documents to help prevent infections in your devices. To learn how to implement the mitigations mentioned above please take a look at the how-to section at the end of this post.

How can I remediate a ransomware attack?

Many ransomware attacks are quite sophisticated and users can still fall victim to them regardless of protective measures. If you or somebody in your organization falls victim to a ransomware attack, please keep in mind that there is no guarantee that handing over the ransom will give you access to your files and paying the ransom can also make you a target of more malware. When dealing with ransomware, reacting in a timely manner is key. You must act as soon as possible and should not wait to deal with the problem. If you wait for more than two weeks, your ability to effectively remediate the problem is dramatically reduced. The steps below include instructions that assume you are using Office 365 and OneDrive for Business. If you are not a subscriber, the local file restoration steps can be of use.

Step 1: Make sure you have a backup of your files

We cannot guarantee that you will be able to recover your data. Make sure that you have a backup as we previously discussed under the “Regularly backup your files” section of this blog post.

Step 2: Disable ActiveSync & OneDrive Sync

Disable ActiveSync and pause OneDrive for Business Sync. If you have them enabled, it is possible that they will overwrite your files.

ActiveSync is the service that allows your Email in Exchange Online to sync to Office 365. If you suspect your email data may be targeted by the Ransomware, you should disable ActiveSync temporarily to protect the data in the cloud from being targeted. To disable ActiveSync, you can run the following script in PowerShell:

# Connect to Office 365 (Exchange Online) using your admin credentials
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
# Enter the target user whose ActiveSync access should be disabled
$userEmail = Read-Host -Prompt "Please enter the user's email to disable ActiveSync"
# Disable ActiveSync for that mailbox. Optionally, add the following parameters to disable other
# client connections as well: -OWAEnabled $False -MAPIEnabled $False -IMAPEnabled $False -PopEnabled $False
Set-CASMailbox $userEmail -ActiveSyncEnabled $False
# Confirm the change took effect
Get-CASMailbox $userEmail | Format-List ActiveSyncEnabled


OneDrive Sync is the service that syncs document data to OneDrive for Business. Disabling sync on the service will protect your cloud data from being updated from other potentially infected devices. If you know there is only one affected device, you can use the “Pause Syncing” feature built into the local client.

Step 3: Remove the malware from the affected devices

Run a full scan with your antivirus and remove the ransomware (malware) from all devices you suspect could be affected. This can include any devices you are syncing content with or have mapped drives to. If you do not have an antivirus solution installed or your solution is not able to detect it, use Windows Defender or Microsoft Security Essentials. Another alternative that will help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT). In the case that none of these solutions are enough, you can run Windows Defender offline or follow the advanced troubleshooting instructions.

Step 4: Recover the files in your device

After completing the previous step, try to recover your files to avoid the ransomware encrypting or removing your files. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files to a different location than the original, press and hold or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

    Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

Step 5: Recover your files in your OneDrive for Business

OneDrive for Business will allow you to recover any files you have stored in it. Below are the two options that you can use to do this.

Restoring the files using the Portal

Users can restore previous versions of a file through the user interface. To do this:


  1. Go to OneDrive for Business in the office.com portal

  2. Right click the file you want to recover, and select Version History.

  3. Click the dropdown list of the version you want to recover and select Restore.


If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at the Restore Option in SharePoint Online blog post.


Step 6: Recover deleted items from server

In the rare case that the ransomware deleted all your emails, you can recover them from the server using the ‘Recover Deleted Items from Server’ functionality in Outlook:

  1. Go to the Deleted Items folder.

  2. Click the Recover Deleted Items from Server button.

  3. Select the items you want to recover. If you want to recover all of them, click the “Select All” button. Make sure the Restore Selected Items radio button is selected, and then click OK.

If you would like to learn more about this functionality, please take a look at the “Recover deleted items in Outlook for Windows” support article.

Step 7: Re-enable active sync and OneDrive for Business Sync

Now that you have cleaned your devices and recovered your files, you can re-enable ActiveSync (in the same PowerShell session used in Step 2):

Set-CASMailbox $userEmail -ActiveSyncEnabled $True


And you can re-enable your OneDrive for Business sync by reversing the process identified here: Video: Stop or pause syncing libraries with OneDrive for Business.

Step 8 (Optional): Block Sync for Malware File Extensions in the Future

Now that you have fully recovered, you can prevent your local OneDrive for Business client from syncing files affected by this malware in the future by blocking the ransomware filetype from being allowed to sync to your cloud service.

Set-SPOTenantSyncClientRestriction [-BlockMacSync <SwitchParameter>] [-DomainGuids <String>] [-Enable <SwitchParameter>] <COMMON PARAMETERS> 
Set-SPOTenantSyncClientRestriction [-ExcludedFileExtensions <String>] <COMMON PARAMETERS>

Please see “Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list” to learn more about the OneDrive cmdlets and parameters.
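The following is an added example (not code from the original post) showing the Step 8 exclusion applied end to end with the SharePoint Online Management Shell. It assumes that module is installed, that `<tenant>` in the admin URL is replaced with your tenant name, and that the extension list is replaced with the extension the ransomware actually appended to files on the infected device (the values below are constructed samples).

```powershell
# Added example, not part of the original post.
# Requires the SharePoint Online Management Shell (Connect-SPOService, Set-/Get-SPOTenantSyncClientRestriction).
# Placeholder: replace <tenant> with your tenant's admin site name.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com' -Credential (Get-Credential)

# Constructed sample values. Replace them with the extension(s) the ransomware appended to
# the encrypted files on the affected device; extensions are given without a leading dot.
$ransomwareExtensions = @('encrypted', 'locked')

# The cmdlet takes a single semicolon-separated string, e.g. "encrypted;locked".
$excluded = $ransomwareExtensions -join ';'

# Stop the OneDrive sync client from uploading files with these extensions.
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $excluded

# Read the tenant setting back to confirm it was applied before relying on it.
Get-SPOTenantSyncClientRestriction | Format-List ExcludedFileExtensions
```

Note that this only stops newly encrypted files from syncing upward; files already in OneDrive still need the Step 5 version restore.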

What if I’ve already paid?

If you already paid, and you were able to successfully recover your files without having to use the attacker’s resolution, you should call your bank to see if they can block the transaction. We also recommend that you report the ransomware attack to Law Enforcement, Scam Reporting websites and Microsoft.

Reporting the attack

Contact law enforcement

You should contact your local or federal law enforcement agencies. For example, if you are in the United States you can contact the FBI local field office, IC3 or Secret Service.

Submit a report to your country’s scam reporting website

Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were the victim of a scam. Below are some of them:

Submit a report to Microsoft

You can help Microsoft by reporting any phishing email that contains ransomware: send it to ‘phish@office365.microsoft.com’ or follow the “Submit spam, non-spam, and phishing scam messages to Microsoft for analysis” article.

References

How to use Exchange Transport Rules to track or block emails with file extensions used by ransomware

  • Go to the admin portal.

  • Go to Admin | Exchange.

  • Click Mail Flow | Rules.

  • Create a new rule by clicking the “+”, Create new rule…

  • Enter the rule Name (e.g. “Anti-Ransomware rule”) and click more options.

  • Modify Apply this rule if… Any Attachment… file extension includes these words…

  • Enter the file extensions you want to track by clicking the “+” icon and then click Ok. You should consider:
    • Executables (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
    • Office files that support macros (doc, xls, docm, xlsm, pptm, etc.)


  • Do the Following:
    • Track emails: Generate incident report and send it to… Your account… Custom Content: Select all of them.

    • Warn the Users: Add Action, Append the disclaimer (for example: “Do not open these types of documents from people you do not know, since they might contain macros that allow malicious code to be executed on your machine. Thanks.”) and select a fallback action (for example, Wrap).


    • Block Messages: Add Action, Block the message… Use this option only if you are certain your organization does not use these types of files.


  • Keep in mind that you can create multiple rules. For example, you can create a block rule for executables and a separate rule to track and warn users about Office documents that support macros.
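The same two-rule setup, built with Exchange Online PowerShell instead of the admin center, as an added example that is not from the original post. It assumes an Exchange Online session is already open (as in the Step 2 script) and that `security-reports@example.com` is a placeholder for a mailbox you monitor; the extension lists are the ones given above, and a block (reject) action is kept in its own rule because Exchange requires it to be the only action in a rule.

```powershell
# Added example, not part of the original post. Requires an open Exchange Online session.
# Extension lists come from the post; trim them to what your organization really needs.
$executableExtensions = @('ade','adp','ani','bas','bat','chm','cmd','com','cpl','crt','hlp','ht',
    'hta','inf','ins','isp','job','js','jse','lnk','mda','mdb','mde','mdz','msc','msi','msp',
    'mst','pcd','reg','scr','sct','shs','url','vb','vbe','vbs','wsc','wsf','wsh','exe','pif')
$macroExtensions = @('doc','xls','docm','xlsm','pptm')

# Rule 1: reject messages carrying executable attachments. A reject action must be the only
# action in its rule (the error reported in the comments below), so nothing else goes here.
New-TransportRule -Name 'Anti-Ransomware - block executables' `
    -AttachmentExtensionMatchesWords $executableExtensions `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organization.'

# Rule 2: track and warn on macro-capable Office documents, but still deliver them.
# The incident report goes to the monitored mailbox; the disclaimer is appended to the body,
# with Wrap as the fallback if the original body cannot be modified in place.
$reportMailbox = 'security-reports@example.com'   # placeholder: replace with your own mailbox
New-TransportRule -Name 'Anti-Ransomware - warn on macro documents' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -GenerateIncidentReport $reportMailbox `
    -IncidentReportContent Sender,Recipients,Subject,RuleDetection,AttachOriginalMail `
    -ApplyHtmlDisclaimerText 'Do not open these types of documents from people you do not know; they may contain macros that run malicious code on your machine.' `
    -ApplyHtmlDisclaimerLocation Append `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Confirm both rules exist and are enabled before relying on them.
Get-TransportRule | Where-Object { $_.Name -like 'Anti-Ransomware*' } |
    Format-Table Name, State, Priority
```

Send yourself a test message with a harmless .docm attachment and one with a renamed .txt as .exe to confirm the report arrives and the reject NDR is returned.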


How to disable macros in your PCs

To learn how to disable macros in your devices please take a look at “New feature in Office 2016 can block macros and help prevent infection” or “Enable or disable macros in Office documents“.

Comments (6)

  1. deijmaster says:

    I’m a bit mystified by the first series of recommendation, “Provide security awareness and education”, then things like “keep and updated virus software”? My 2 cents, but by the time an average user starts looking at this blog and ransomware information, it’s usually a bit late… First step should always be: “talk to an expert”… then go into the awareness scenarios if nothing is observed…

    1. Dave Cradle says:

      Deijmaster: you are only quoting the start of the sentence and ignoring the end. “Providing security awareness and education to your users is a good practice and can be used as an effective PREVENTION MECHANISM.” This is not something to be done after they are hit with ransomware. It is a prevention mechanism to be done ahead of time (i.e. now) to lessen the chance that they become infected in the first place. An average user shouldn’t need to go looking for information, they should have already had this education forced on them, with a bat if necessary, ahead of time. 🙂

  2. Alexs Pena says:

    @deijmaster – You have a good point, users should talk to an expert, especially if they have the means and resources to do so. Even when I agree with your statement “by the time an average user starts looking at this blog and ransomware information, it’s usually a bit late…”, I wanted the blog post to be useful for users looking for protection and remediation guidance. Thank you for your feedback, I’ll take it in consideration in the next update.

  3. David LeRoy says:

    I receive an error when trying to set up this policy as you have it. Here is what it says: An action to reject the message was specified, but there is more than one action. When this action is used, it must be the only action in the rule.
    From this I gather that because it’s rejecting the message, it cannot run the previous rules.

  4. Sarah says:

    Great Article, one question…
    “Now that you have fully recovered, you can prevent your local OneDrive for Business client from syncing files affected by this malware in the future by blocking the ransomware filetype from being allowed to sync to your cloud service.”

    What are the Ransomware filetypes that should be blocked? Thanks!

  5. Kiersten says:

    Howdy! This blog post couldn’t be written any better! Going through this article reminds me of my previous roommate! He constantly kept preaching about this. I will forward this post to him. Fairly certain he’s going to have a good read. Thanks for sharing!
