
I'm looking for ways to defend against ransomware.
As part of this strategy I've come up with the idea to block myself from writing to as many locations (and files) as possible.

It may be assumed that the active user is always logged in as a standard local user (not as an administrator) on Windows 10 and that write access is specifically denied to that user, using NTFS' security features.

Does NTFS' "disallow write" feature effectively stop ransomware from encrypting and deleting the protected folders and files?

Or better formulated:

Is it worth it to bother and change NTFS file and folder access permissions to defend (in-depth) against ransomware?

Bonus question:

What changes if you're usually logged in as an administrator?

SEJPM
  • Not sure, but it probably effectively stops you from doing quite a lot of things! Would you even be able to open Word files, for example? – Matthew Mar 03 '16 at 11:15
  • @Matthew, I would be able to read them, not save them if denied write access. However I implicitly assumed that I don't block "write" on *every* folder but only those that contain data that I'm only going to read anyways (i.e. not my active work document folder(s), but picture albums, completed work items and such stuff) – SEJPM Mar 03 '16 at 11:17
  • I was more thinking of how Word creates temporary files upon open - from some digging around in MS knowledge base, you'd need write enabled on some directories, although the specific ones appear to be version specific. – Matthew Mar 03 '16 at 11:30
  • This can be used as a mitigation strategy. Another option is to create backups frequently, on a daily basis for example, and use an updated OS and antivirus. – isoman Mar 03 '16 at 12:17
  • If privilege escalation is used and they're running as admin then this won't really stop them from making everything writable. – RoraΖ Mar 03 '16 at 12:23
  • @RoraΖ, while this is certainly true for targeted attacks, I wonder if "standard" ransomware usually tries to privilege escalate *and* alter NTFS access restrictions. – SEJPM Mar 03 '16 at 13:04
  • @isoman, the measures in question are additional to "fully patched OS, fully patched AV, high frequency offline backups and high frequency off-site backups". The question could also be rephrased to "is it worth it?". – SEJPM Mar 03 '16 at 13:06
  • This is basically how the Bitdefender anti-ransomware works (the paid one): certain drives are flagged read-only and when a program tries to access them a warning pops up. If you allow it, the program gets write access. Otherwise it is banished to purgatory. I think of it like a firewall for files. Note: I am not affiliated with Bitdefender, I just use their anti-ransomware. – AstroDan Mar 03 '16 at 13:28

3 Answers


Can it be done? Yes, it can.

Is it worth it? I doubt it.

Is it effective? Probably, probably not.

If you set the folder as read-only using your normal user account, ransomware can revert it to read-write and encrypt your files. The read-only folders will be in your way every time you want to save anything.

If you use the admin account to do that, you must start an elevated Windows Explorer every time you want to save anything on the protected folders. And it's easy to forget to return it to read-only after writing.

If you intend to put yourself on a restricted system to prevent ransomware, implement Windows Application Whitelisting to only allow the execution of approved programs. Any ransomware you do not add to the list will not be executed.

ThoriumBR

"As part of this strategy I've come up with the idea to block myself from writing to as many locations (and files) as possible."

It is worth it, I believe, if you change your strategy, considering your need for write access to many locations.

It may be more practical not to block yourself from writing to as many locations as possible, as this would hinder your usage of those locations. Instead, you may block yourself from writing to your backup location only.

You can apply this by doing the following:

  1. Schedule your backup software to run as administrator in the background, regularly and automatically.
  2. Set up your backup software to make incremental backups, as a precaution against malicious overwrite.
  3. Give write access to your local backup location only to your administrator; restrict all other users, including yourself.
  4. Never use your computer with the administrator account for things other than administrative jobs, and be offline during such times, if possible.

Of course, it is always better to adapt this strategy in addition to "fully patched OS, fully patched AV, high frequency offline backups and high frequency off-site backups" as mentioned in the comments to other answers.

Luke

There is an infinite number of places where ransomware may install itself in Windows.

For example:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: one may launch ransomware and then disable task manager (CTRL+ALT+DEL) with policy (set 1 in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr) and display itself in full screen mode.

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: one may fake userinit here and winlogon will launch it.

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\: it may add a ransomware DLL for userinit, winlogon or explorer to be loaded with the process. This hive was created for debuggers, but may be used by ransomware.

Even if you clean your registry, malware can:

  • Use group policy (physically stored in %SYSTEMROOT%\System32\GroupPolicy) to update the registry and add itself there again
  • Add itself right after autochk (or even patch it!) in the BootExecute key in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (it may update other control sets as well), so it will be launched at an early boot stage and install itself somewhere.

So, answering your question: NTFS permissions have nothing to do with ransomware. It may be installed anywhere (including %TEMP%) and then add a link in your registry.

In theory, you may try to stop it by denying your user write access to the registry hives I mentioned here, but the list is not complete. I am sure there are lots of places in the registry I do not know about.

To protect yourself, do the following:

user996142
  • But a finite set of files that it wants to change. I think that those are what the OP is talking about protecting. – AstroDan Mar 03 '16 at 14:01
  • It wants to change the registry. The registry is stored in several files in `%SYSTEMROOT%\System32\config` and updated by the system (the so-called "configuration manager") and not the user. – user996142 Mar 03 '16 at 14:06
  • I indeed don't want to prevent the malware from implanting itself (for this I do use a regular account, UAC, latest antivirus, latest OS, ...) but I rather want to limit the impact ransomware can have once it (tried to) start encrypting stuff. – SEJPM Mar 03 '16 at 14:11
  • I think the best way to protect against ransomware is the way you protect against viruses and other malware. Stop them before they get on your computer, because once they are on your computer, it's essentially like Swiss cheese. There are so many holes for it to use, it's impossible to block every hole at the same time and still be able to use your computer. Edit: I guess the only other thing I could mention, the only other option, is to keep regular backups. So you can restore the computer back to a previous state, and lose X amount of work. – dakre18 Mar 03 '16 at 14:37