Preventive Measure


Description
Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.
Owning organization
Validating JSON schema
Recommendations (provided by MONARC)
Creator
License
Creative Commons Zero v1.0 Universal

Definition of the object
{
    "authors": [
        "Various"
    ],
    "label": "Preventive Measure",
    "uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
    "values": [
        {
            "code": "Backup and Restore Process",
            "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.(Schrödinger's backup - it is both existent and non-existent until you've tried a restore",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "High",
                "impact": "Low",
                "refs": [
                    "http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7."
                ],
                "type": [
                    "Recovery"
                ]
            },
            "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
        },
        {
            "code": "Block Macros",
            "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:A.) Open downloaded documents in 'Protected View'B.) Open downloaded documents and block all macros",
            "meta": {
                "complexity": "Low",
                "effectiveness": "High",
                "impact": "Low",
                "refs": [
                    "https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US",
                    "https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "79563662-8d92-4fd1-929a-9b8926a62685"
        },
        {
            "code": "Disable WSH",
            "description": "Disable Windows Script Host",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Medium",
                "possible_issues": "Administrative VBS scripts on Workstations",
                "refs": [
                    "http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
        },
        {
            "code": "Filter Attachments Level 1",
            "description": "Filter the following attachments on your mail gateway:.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Low",
                "type": [
                    "Mail Gateway"
                ]
            },
            "uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92"
        },
        {
            "code": "Filter Attachments Level 2",
            "description": "Filter the following attachments on your mail gateway:(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
            "meta": {
                "complexity": "Low",
                "effectiveness": "High",
                "impact": "High",
                "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) ",
                "type": [
                    "Mail Gateway"
                ]
            },
            "uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687"
        },
        {
            "code": "Restrict program execution",
            "description": "Block all program executions from the %LocalAppData% and %AppData% folder",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "impact": "Medium",
                "possible_issues": "Web embedded software installers",
                "refs": [
                    "http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/",
                    "http://www.thirdtier.net/ransomware-prevention-kit/"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74"
        },
        {
            "code": "Show File Extensions",
            "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Low",
                "impact": "Low",
                "refs": [
                    "http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm"
                ],
                "type": [
                    "User Assistence"
                ]
            },
            "uuid": "5b911d46-66c8-4180-ab97-663a0868264e"
        },
        {
            "code": "Enforce UAC Prompt",
            "description": "Enforce administrative users to confirm an action that requires elevated rights",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Low",
                "possible_issues": "administrator resentment",
                "refs": [
                    "https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11"
        },
        {
            "code": "Remove Admin Privileges",
            "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "impact": "Medium",
                "possible_issues": "Higher administrative costs",
                "type": [
                    "Best Practice"
                ]
            },
            "uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6"
        },
        {
            "code": "Restrict Workstation Communication",
            "description": "Activate the Windows Firewall to restrict workstation to workstation communication",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Low",
                "impact": "Low",
                "type": [
                    "Best Practice"
                ]
            },
            "uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2"
        },
        {
            "code": "Sandboxing Email Input",
            "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "High",
                "type": [
                    "Advanced Malware Protection"
                ]
            },
            "uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349"
        },
        {
            "code": "Execution Prevention",
            "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus softwareFree: AntiHook, ProcessGuard, System Safety Monitor",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "type": [
                    "3rd Party Tools"
                ]
            },
            "uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c"
        },
        {
            "code": "Change Default \"Open With\" to Notepad",
            "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Medium",
                "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts.",
                "refs": [
                    "https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b"
        },
        {
            "code": "File Screening",
            "description": "Server-side file screening with the help of File Server Resource Manager",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Low",
                "refs": [
                    "http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm"
                ],
                "type": [
                    "Monitoring"
                ]
            },
            "uuid": "79769940-7cd2-4aaa-80da-b90c0372b898"
        },
        {
            "code": "Restrict program execution #2",
            "description": "Block program executions (AppLocker)",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "impact": "Medium",
                "possible_issues": "Configure & test extensively",
                "refs": [
                    "https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx",
                    "http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098"
        },
        {
            "code": "EMET",
            "description": "Detect and block exploitation techniques",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "impact": "Low",
                "refs": [
                    "www.microsoft.com/emet",
                    "http://windowsitpro.com/security/control-emet-group-policy"
                ],
                "type": [
                    "GPO"
                ]
            },
            "uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6"
        },
        {
            "code": "Sysmon",
            "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Low",
                "impact": "Low",
                "refs": [
                    "https://twitter.com/JohnLaTwC/status/799792296883388416"
                ],
                "type": [
                    "3rd Party Tools"
                ]
            },
            "uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e"
        },
        {
            "code": "Blacklist-phone-numbers",
            "description": "Filter the numbers at phone routing level including PABX",
            "meta": {
                "complexity": "Low",
                "effectiveness": "Medium",
                "impact": "Medium",
                "refs": [
                    "https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat"
                ]
            },
            "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
        },
        {
            "code": "ACL",
            "description": "Restrict access to shares users should not be allowed to write to",
            "meta": {
                "complexity": "Medium",
                "effectiveness": "Medium",
                "impact": "Medium",
                "refs": [
                    "https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-lists"
                ]
            },
            "uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765"
        }
    ],
    "version": 3
}