Description
Preventive measures based on the ransomware overview document published at https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and its existing security measures.
License
Creative Commons Zero v1.0 Universal
Definition of the object
{
"authors": [
"Various"
],
"label": "Preventive Measure",
"uuid": "1a8e55eb-a0ff-425b-80e0-30df866f8f65",
"values": [
{
"code": "Backup and Restore Process",
"description": "Make sure to have adequate backup processes in place and frequently test a restore of these backups. (Schrödinger's backup - it is both existent and non-existent until you've tried a restore.)",
"importance": 0,
"uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4"
},
{
"code": "Block Macros",
"description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: A.) Open downloaded documents in 'Protected View'; B.) Open downloaded documents and block all macros",
"importance": 0,
"uuid": "79563662-8d92-4fd1-929a-9b8926a62685"
},
{
"code": "Disable WSH",
"description": "Disable Windows Script Host",
"importance": 0,
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
},
{
"code": "Filter Attachments Level 1",
"description": "Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub",
"importance": 0,
"uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92"
},
{
"code": "Filter Attachments Level 2",
"description": "Filter the following attachments on your mail gateway: (the Level 1 filter expression plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm",
"importance": 0,
"uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687"
},
{
"code": "Restrict program execution",
"description": "Block all program executions from the %LocalAppData% and %AppData% folders",
"importance": 0,
"uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74"
},
{
"code": "Show File Extensions",
"description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")",
"importance": 0,
"uuid": "5b911d46-66c8-4180-ab97-663a0868264e"
},
{
"code": "Enforce UAC Prompt",
"description": "Require administrative users to confirm any action that requires elevated rights",
"importance": 0,
"uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11"
},
{
"code": "Remove Admin Privileges",
"description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.",
"importance": 0,
"uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6"
},
{
"code": "Restrict Workstation Communication",
"description": "Activate the Windows Firewall to restrict workstation to workstation communication",
"importance": 0,
"uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2"
},
{
"code": "Sandboxing Email Input",
"description": "Use a sandbox that opens email attachments and removes them based on behavior analysis",
"importance": 0,
"uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349"
},
{
"code": "Execution Prevention",
"description": "Software that allows control over the execution of processes - sometimes integrated in Antivirus software. Free: AntiHook, ProcessGuard, System Safety Monitor",
"importance": 0,
"uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c"
},
{
"code": "Change Default \"Open With\" to Notepad",
"description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer",
"importance": 0,
"uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b"
},
{
"code": "File Screening",
"description": "Server-side file screening with the help of File Server Resource Manager",
"importance": 0,
"uuid": "79769940-7cd2-4aaa-80da-b90c0372b898"
},
{
"code": "Restrict program execution #2",
"description": "Block program executions (AppLocker)",
"importance": 0,
"uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098"
},
{
"code": "EMET",
"description": "Detect and block exploitation techniques",
"importance": 0,
"uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6"
},
{
"code": "Sysmon",
"description": "Detect ransomware at an early stage with the new Sysmon 5 file/registry monitoring",
"importance": 0,
"uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e"
},
{
"code": "Blacklist-phone-numbers",
"description": "Filter the numbers at phone routing level including PABX",
"importance": 0,
"uuid": "123e20c5-8f44-4de5-a183-6890788e5a81"
},
{
"code": "ACL",
"description": "Restrict access to shares users should not be allowed to write to",
"importance": 0,
"uuid": "3e7a7fb5-8db2-4033-8f4f-d76721819765"
}
],
"version": 3
}