Antimalware Tips, prevention measures


November 7, 2019

As many of you may know, during the last few days the media have reported a series of attacks on organizations such as La Ser or Everis caused by ransomware that encrypted most of the files stored on their workstations and even on their infrastructure.

This type of situation has occurred on a massive scale over the last few months, due in large part to the resurgence of an old acquaintance, Emotet, which started a specific infection campaign in Europe during the second half of September and has wreaked havoc in many national companies during this period.

Over the past month, Midway has helped many companies manage these crisis situations and ensure the successful removal of such ransomware, not only through automated threat cleanup, but also by establishing specific action plans to prevent, as far as possible, future infections using the same attack vectors.

What we would like to share with you in this blog post are a series of measures that we strongly urge you to take, as they could reduce a high percentage of future infections and lateral movements within your company.

Before starting, it is important to be clear about the phases followed to infect a computer in a company and then spread laterally to infect more computers:


Our recommendations focus on mitigating the first part of the infection process since, by doing so, we largely prevent the "trigger" of the whole sequence:

1. Disable PowerShell. This can be done by means of a GPO through Software Restriction Policies (SRP), applying the policy to the OU/OUs where all the computers of our organization are located:

  • Navigate to Computer Configuration ➜ Windows Settings ➜ Security Settings
  • Right-click on Software Restriction Policies ➜ New Software Restriction Policies
  • On the Additional Rules node, right-click and select New Path Rule and enter the path where the PowerShell executable is stored (C:\Windows\System32).
Figure 1: Add path where powershell is stored
  • On the Software Restriction Policies node, click on Enforcement ➜ Properties and select the options shown in the image below.
  • If you have applications or software installations that rely on PowerShell and are run by a local administrator user (not recommended), you must select the option circled in orange ➜ All users except local administrators. Otherwise, if you deploy applications with Microsoft System Center Configuration Manager or another tool that runs in the SYSTEM context, or if you do not perform automatic application deployments, select the option circled in green ➜ All users.
Figure 2: Defining the scope of the restriction

NOTE: This GPO can be bypassed by copying powershell.exe to a different path in the operating system. However, malware that launches PowerShell through an embedded macro is unlikely (though not impossible) to copy powershell.exe to another location before running it. Ideally, a combination of a Path rule and a File Hash rule would be used, but the latter requires more maintenance because some updates replace powershell.exe and therefore change its hash.
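The following script is an added example (not part of the original post or Midway's tooling) that audits what step 1 actually produced on a machine: it reads the SRP registry keys that the GPO populates, checks whether the Disallowed path rules cover both copies of powershell.exe that exist on 64-bit Windows (System32 and SysWOW64), reports the enforcement scope chosen in Figure 2, and records a SHA256 baseline of powershell.exe so that the maintenance problem described in the note (an update changing the hash behind a File Hash rule) is noticed instead of silently breaking the rule. It assumes the documented SRP key layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers; the baseline file path is a placeholder.

```powershell
# Added example: audit the SRP path rules deployed for powershell.exe.
# Assumption: SRP stores Disallowed path rules under CodeIdentifiers\0\Paths\{GUID}
# with the path in the ItemData value, and the enforcement scope in PolicyScope.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Both copies exist on 64-bit Windows; a rule that covers only one leaves the other usable.
$psExes = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

function Get-SrpDisallowedPathRules {
    # Subkey '0' holds the rules set at the Disallowed security level.
    $key = Join-Path $saferRoot '0\Paths'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $item = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            Rule        = $_.PSChildName
            Path        = [Environment]::ExpandEnvironmentVariables([string]$item.ItemData)
            Description = $item.Description
        }
    }
}

function Test-SrpCoversPath {
    param([string]$Exe, [object[]]$Rules)
    foreach ($r in $Rules) {
        $pattern = $r.Path.TrimEnd('\')
        # An SRP path rule matches the file itself or anything beneath a folder rule.
        if ($Exe -like $pattern -or $Exe -like "$pattern\*") { return $true }
    }
    return $false
}

$rules = @(Get-SrpDisallowedPathRules)
$scope = (Get-ItemProperty $saferRoot -ErrorAction SilentlyContinue).PolicyScope
switch ($scope) {
    0       { 'Enforcement scope: All users' }
    1       { 'Enforcement scope: All users except local administrators' }
    default { 'Enforcement scope: not configured (SRP policy not applied to this machine?)' }
}

foreach ($exe in $psExes) {
    if (Test-Path $exe) {
        $covered = Test-SrpCoversPath -Exe $exe -Rules $rules
        '{0,-8} {1}' -f ($(if ($covered) { 'BLOCKED' } else { 'ALLOWED' }), $exe)
    }
}

# Track the hash of powershell.exe so that a Windows update replacing it is noticed
# before any File Hash rule you add stops matching.
$baselineFile = 'C:\ProgramData\SrpBaseline\powershell.sha256'   # placeholder path
$current = (Get-FileHash $psExes[0] -Algorithm SHA256).Hash
if (Test-Path $baselineFile) {
    $baseline = (Get-Content $baselineFile -Raw).Trim()
    if ($baseline -ne $current) {
        "WARNING: powershell.exe hash changed since baseline ($baseline -> $current); update any hash rule."
    } else {
        'powershell.exe hash matches baseline.'
    }
} else {
    New-Item -ItemType Directory -Force (Split-Path $baselineFile) | Out-Null
    Set-Content -Path $baselineFile -Value $current
    "Recorded baseline hash $current"
}
```

Run it on a test machine before linking the GPO, or afterwards from a session the policy exempts (the "All users except local administrators" scope), since with the "All users" scope the restricted machine will not run PowerShell itself. Two "BLOCKED" lines confirm the rule covers both executables; an "ALLOWED" line for the SysWOW64 copy means the path rule needs widening.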

2. Disable macros in Office, at least in Word and PowerPoint, since disabling them in Excel could affect certain legitimate processes in your company. We recommend performing an analysis and excluding those users who genuinely need macros in Excel. To achieve this, simply create the following GPO and link it to the OU/OUs where all the users of your organization are located, with the following configuration:

  • Navigate to User Configuration ➜ Preferences ➜ Windows Settings ➜ Registry
  • Right-click on the Registry and select the New ➜ Registry Item option.

NOTE: The registry keys in this GPO target Office 2016 (16.0 in the Key column). To apply this configuration to older versions of Office, replace 16.0 in each registry key with the appropriate number. The number corresponding to each version of Office is listed below:

  • Office 2010 - 14.0
  • Office 2013 - 15.0
  • Office 2016 and Office 2019 - 16.0
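As an added example (not from the original post), the script below applies and audits the per-user policy value that the step 2 GPO Preference registry items set, using the version-to-key mapping listed above. It assumes the Office policy key HKCU\Software\Policies\Microsoft\Office\<version>\<app>\Security and its VBAWarnings DWORD, where 4 means "Disable all macros without notification"; Word and PowerPoint are hardened by default and Excel is only included for users the analysis shows do not need macros.

```powershell
# Added example: set or audit the VBAWarnings policy value per Office application.
# Assumption: Office reads VBAWarnings from the Policies hive below and greys the
# Trust Center option out once it is set there (1=enable all, 2=disable with
# notification, 3=disable unsigned, 4=disable all without notification).
$officeKeyByVersion = @{ '2010' = '14.0'; '2013' = '15.0'; '2016' = '16.0'; '2019' = '16.0' }

function Get-OfficeSecurityKey {
    param([string]$Version, [string]$App)
    $ver = $officeKeyByVersion[$Version]
    if (-not $ver) { throw "Unknown Office version '$Version'" }
    "HKCU:\Software\Policies\Microsoft\Office\$ver\$App\Security"
}

function Set-OfficeMacroPolicy {
    param(
        [string]$Version = '2016',
        # Word and PowerPoint by default; add 'Excel' only for users shown not to need macros.
        [string[]]$Apps = @('Word', 'PowerPoint'),
        [ValidateSet(1, 2, 3, 4)][int]$VbaWarnings = 4
    )
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -Version $Version -App $app
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    param([string]$Version = '2016', [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    $labels = @{
        1 = 'Enable all macros (dangerous)'
        2 = 'Disable with notification (user can still click Enable Content)'
        3 = 'Disable all except digitally signed'
        4 = 'Disable all without notification'
    }
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey -Version $Version -App $app
        $v = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        [PSCustomObject]@{
            App     = $app
            Setting = $(if ($null -eq $v) { 'Not configured (Office default: disable with notification)' }
                        else { $labels[[int]$v] })
        }
    }
}

# Usage: harden Word and PowerPoint for the current user, then report all three applications.
Set-OfficeMacroPolicy -Version '2016'
Get-OfficeMacroPolicy -Version '2016' | Format-Table -AutoSize
```

Because the GPO in the post also writes to HKCU, the same Get-OfficeMacroPolicy report run after a gpupdate on a test user shows whether the preference items landed, and an Excel row still reading "Not configured" or "Disable with notification" confirms that the exclusion for macro users is in effect.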

3. Cloud-delivered protection and Automatic sample submission. If you are using Windows 7, 8 or 10 with Defender installed, enable this option so that potentially suspicious files are uploaded to the Microsoft cloud to confirm whether they are malicious. More information at the following link.

4. Known Folder Move (KFM) in OneDrive. If you use Windows 10 and have Office 365 as your productivity platform, we recommend activating this free OneDrive feature, which automatically copies your relevant folders (Desktop, Downloads, Images, Documents, etc.) to OneDrive. If they are encrypted, you will be able to recover them quickly.

If you also have Windows 10 version 1709 or higher, enable the Ransomware Protection feature, which automates the entire recovery process. For more information on how it works and how to configure it, click the following link.
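The script below is an added example (not from the original post) covering the two Defender settings from steps 3 and 4: it turns on cloud-delivered protection with automatic sample submission, enables Ransomware Protection (Controlled folder access) in audit mode first, and pulls the audit events so legitimate applications can be allow-listed before switching to blocking. It uses the Defender PowerShell module cmdlets available on Windows 10 / Server 2016 and later; the extra protected folder and allowed application paths are placeholders.

```powershell
# Added example: configure and verify Defender cloud protection and controlled folder access.
# Assumptions: Defender module cmdlets (Get/Set/Add-MpPreference, Get-MpComputerStatus) and the
# Defender operational log event IDs 1123 (blocked) and 1124 (audited) for controlled folder access.

function Get-DefenderHardeningStatus {
    $p = Get-MpPreference
    $s = Get-MpComputerStatus
    [PSCustomObject]@{
        RealTimeProtection     = $s.RealTimeProtectionEnabled
        CloudProtection        = $(switch ([int]$p.MAPSReporting) { 0 { 'Disabled' } 1 { 'Basic' } 2 { 'Advanced' } })
        SampleSubmission       = $(switch ([int]$p.SubmitSamplesConsent) {
                                     0 { 'Always prompt' } 1 { 'Safe samples' } 2 { 'Never' } 3 { 'All samples' } })
        ControlledFolderAccess = $(switch ([int]$p.EnableControlledFolderAccess) {
                                     0 { 'Disabled' } 1 { 'Enabled (block)' } 2 { 'Audit mode' }
                                     default { "Mode $($p.EnableControlledFolderAccess)" } })
        ExtraProtectedFolders  = $p.ControlledFolderAccessProtectedFolders
    }
}

function Enable-DefenderRansomwareHardening {
    param([switch]$Enforce)   # without -Enforce, controlled folder access only audits
    # Step 3: cloud-delivered protection plus automatic sample submission.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

    # Step 4: Ransomware Protection guards the known folders (Documents, Pictures, Desktop, ...)
    # by default; line-of-business data paths must be added explicitly.
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    Set-MpPreference -EnableControlledFolderAccess $mode

    $extraFolder = 'D:\Shares\Finance'                            # placeholder
    if (Test-Path $extraFolder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolder
    }
    # Applications that legitimately write to protected folders must be allowed, otherwise
    # they are what the audit events (and later the blocks) will show.
    $trustedApp = 'C:\Program Files\ExampleApp\app.exe'           # placeholder
    if (Test-Path $trustedApp) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp
    }
}

function Get-ControlledFolderAccessEvents {
    param([int]$Days = 7)
    # Review these before switching from AuditMode to Enabled: each row is a process that
    # tried to modify a protected folder.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: audit first, check status, review a week of events, then enforce.
Enable-DefenderRansomwareHardening
Get-DefenderHardeningStatus
Get-ControlledFolderAccessEvents -Days 7 | Format-Table -AutoSize
# Enable-DefenderRansomwareHardening -Enforce
```

Running the audit phase for a week and working through the 1124 events before enforcing avoids the usual outcome of enabling Controlled folder access blindly, which is that backup agents and document management clients are blocked from the very folders they need to protect.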

As you already know, at Midway we are improving day after day so that, by implementing basic security measures and without large investments, our customers can reduce infections in their corporate environments as much as possible using any of the security solutions in Microsoft 365 and Microsoft Azure.

If you have any questions, you are affected by any kind of malware or simply want us to advise you and help you in the remediation and/or implementation of specific action plans to increase the security of your systems, do not hesitate to contact us.
