Mitigation

This page gives a brief overview of how to avoid becoming a victim of ransomware. It is split into recommendations for home users and for enterprises.

No matter whether you are a home user or an enterprise, the golden rule when it comes to ransomware is: make backups frequently!

Make sure that you have a backup plan and that you back up important files regularly. Store your backups offline, e.g. on an external hard drive (home users) or on backup tape (enterprises). Once a backup has completed, detach or remove the device the backups are stored on. This is very important: if your computer gets infected with ransomware while the backup device is still connected (or reachable as a mapped network drive), the files on it will be encrypted as well, and your backup will be useless. Also keep more than just the most recent backup (backup versioning). Should your system create a backup at a moment when your files are already encrypted, that backup contains only encrypted files, and an older version is what you will restore from.

There are plenty of open source and commercial tools that can help you with your backups. As @Bry_Campbell suggested, you can also use Windows' on-board tool Wbadmin to create and restore backups of your Windows PC or server. For further information on Wbadmin, consult Microsoft TechNet.
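The following is an added example of the Wbadmin approach, not code from the original page or from Microsoft. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-Partition and Set-Disk), that wbadmin.exe is available, and that the backup target is an external disk mounted as E:; the function name and parameters are this example's own. It backs up, checks that more than one version exists on the target, and then takes the disk offline so that a later infection cannot reach it:

```powershell
# Added example (not from the original page). Assumptions: elevated PowerShell on
# Windows 8/Server 2012+, wbadmin.exe present, backup target is an external disk at E:.
# Taking the disk offline at the end is the software equivalent of unplugging it.
function Invoke-OfflineBackup {
    param([string]$Target = 'E:', [string]$Source = 'C:')

    # 1. Full backup of the source volume plus everything needed to boot (-allCritical).
    #    wbadmin keeps earlier backups on the same target, which gives the versioning
    #    recommended above.
    & wbadmin start backup "-backupTarget:$Target" "-include:$Source" -allCritical -vssFull -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # 2. Count the versions on the target. With only one version, a backup taken after
    #    the infection would be your only copy, and it would hold encrypted files.
    $versions = @(& wbadmin get versions "-backupTarget:$Target" |
                  Select-String -Pattern '^Version identifier:').Count
    if ($versions -lt 2) {
        Write-Warning "Only $versions backup version on $Target; keep at least two."
    }

    # 3. Take the disk offline until the next run. A target that stays mounted (or a
    #    mapped network drive) is just another drive for ransomware to encrypt.
    $disk = (Get-Partition -DriveLetter $Target.TrimEnd(':')).DiskNumber
    Set-Disk -Number $disk -IsOffline $true

    return $versions
}

Invoke-OfflineBackup -Target 'E:' -Source 'C:'
```

Before the next run, bring the disk back with `Set-Disk -Number <n> -IsOffline $false` (or plug it in again). The point of the version count is the scenario from the text: if the only version on the target was written after the files were encrypted, there is nothing to restore from.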

If you do become a victim of ransomware, do not pay! Your payment funds the criminals' operation and the infrastructure they use to commit further fraud, and paying does not guarantee that you receive a working decryption key. Money from victims who pay is the main motivation for criminals to use ransomware in the first place.

Tips for Home Users

Antivirus: Your first line of defense is your antivirus. Make sure that you have antivirus software installed and that it is up to date. If you are using a commercial antivirus product, don't forget to renew your subscription so that you keep receiving the most recent signature updates. Signatures always lag behind brand-new variants, so antivirus alone is not enough; combine it with the other tips below.

Think before you click: Before opening email attachments, following links in emails or clicking on any message box that unexpectedly appears on your computer, think twice. Does the email really come from someone you trust? Did you actually order something from the internet? Are you really expecting a parcel to be delivered? If a message box appears that you did not expect, press "No". If you don't know what the message is about, do not simply press "Yes"; this may harm your computer. The same applies to a document that asks you to "Enable Content" or "Enable Macros" before it shows anything: that prompt is how macro-based ransomware gets itself run.

Keep your software up to date: Keep all software installed on your computer up to date, in particular the programs that exploit kits target: the operating system, your browser and its plugins such as Adobe Reader, Adobe Flash and Oracle Java. Turn on automatic updates wherever they are offered, and uninstall plugins you do not need.

Tips for Enterprises

Windows AppLocker: Newer Windows versions (Windows 7 Enterprise/Ultimate and Windows Server 2008 R2 and later) come with a handful of useful features that help you secure your computers. One of these features is Windows AppLocker. With AppLocker you define which applications are allowed to run on your machines (application whitelisting). If your IT environment is well managed, you already have a detailed overview of what software runs on your clients. AppLocker lets you allow users to run the software they need for their daily business and deny everything else that has not been approved by an administrator. Because most ransomware arrives as an executable dropped into a user-writable location such as %TEMP% or %APPDATA% and launched from there, a whitelist that only allows approved software under %PROGRAMFILES% and %WINDIR% stops the vast majority of today's infections. Two things to get right: start in audit-only mode and review the AppLocker event log before you enforce, and remember that rules for executables alone do not cover scripts, installers and DLLs, which have their own rule collections. AppLocker is fully integrated into Group Policy and System Center Configuration Manager.
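An added example of building such a whitelist with the AppLocker PowerShell module, not code from the original page or from Microsoft. It assumes an elevated session on an AppLocker-capable Windows edition and that the approved software lives under %WINDIR% and the Program Files directories; the file and path names used for the dry run are this example's own. It inventories the installed executables, generates allow rules, applies them in audit mode, and shows where to read the would-have-been-blocked events before switching to enforcement:

```powershell
# Added example (not from the original page). Assumptions: elevated PowerShell on an
# AppLocker-capable edition; approved software is whatever is installed under the system
# and program directories at the time the inventory runs.
Import-Module AppLocker

# AppLocker rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Inventory the executables that are allowed to run. Recursing C:\Windows takes a
#    while on a real machine; do it once per software baseline, not per client.
$approved = foreach ($dir in "$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") {
    if (Test-Path $dir) { Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe }
}

# 2. Turn the inventory into allow rules for Everyone. Signed files collapse into
#    publisher rules (-Optimize merges rules of the same publisher/product); unsigned
#    files get hash rules. Anything not covered, e.g. a dropper in %APPDATA%, is denied.
[xml]$policy = $approved |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Audit mode first: nothing is blocked yet, but would-be blocks are logged (event 8003).
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'
$policy.Save($policyFile)

# 4. Dry run against a known-good binary: PolicyDecision should read "Allowed".
#    A file no rule covers reports "DeniedByDefaultRule".
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Path "$env:windir\System32\notepad.exe"

# 5. Apply to the local policy (add -Ldap '<GPO path>' to write into a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyFile

# 6. After a few days, review what would have been blocked, then set the collections
#    to EnforcementMode="Enabled" and apply again.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Note that a publisher rule follows the signature, not the path: a binary signed by an approved publisher is allowed wherever it is copied to, while an unsigned one is pinned to its hash. Event ID 8004 is the enforced-block counterpart of 8003, and 8002 records allowed executions, which is useful when tracing why something unexpected ran.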

Enhanced Mitigation Experience Toolkit (EMET): EMET is a tool that makes it harder to exploit unpatched vulnerabilities in the Windows operating system or in any other software installed on the computer. It does so by enforcing generic mitigations (DEP, ASLR, SEHOP, export-address-table filtering, heap-spray and ROP checks) on the processes you configure, so an exploit written on the assumption that these protections are absent simply fails. This provides some sort of "0-day protection" against known and unknown vulnerabilities that you have not patched on your clients yet, or for which no patch exists at the moment. Using EMET you mitigate the vast majority of the attacks from exploit kits that target your users every day, although it is no replacement for patching, and bypasses for individual mitigations have been published. EMET is fully integrated into Group Policy and System Center Configuration Manager. Note that Microsoft ended support for EMET in July 2018; on Windows 10 (version 1709 and later) its mitigations are built into the operating system as Exploit Protection in Windows Defender Exploit Guard.

Block dangerous email attachments: As an enterprise, you should stop dangerous attachments from entering your network, either by rejecting them at your mail gateway / network border or by diverting them into a quarantine. The following file types / file extensions should be considered dangerous for your environment:

Ensure that you filter out such attachments no matter whether they are attached to the email directly, packed in an archive (e.g. ZIP, RAR) or even in a password-protected archive (e.g. a password-protected ZIP). A gateway cannot look inside a password-protected archive at all, so the safe option is to quarantine those outright rather than let them through uninspected.

In addition to the file extensions above, you should also block any email attachment that comes with macros (e.g. Word, Excel or PowerPoint attachments containing macros). Do not rely on the extension alone here: a legacy .doc or .xls can carry macros just as a .docm or .xlsm can, so the gateway has to inspect the content. You can block them at your email gateway or by Group Policy, e.g. by disabling macros or by only allowing digitally signed macros to run. Macros are a very common infection vector these days for spreading Trojans, including ransomware.
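An added example covering both the gateway filtering described above and the macro policy, not code from the original page. Part 1 assumes an Exchange Management Shell (Exchange 2013 or later) or Exchange Online session; the extension list is an illustrative subset chosen for this example and is not the page's own list, and the quarantine mailbox address is assumed. Part 2 assumes Office 2016 (registry version key 16.0) and writes to HKCU on a single test machine; in production the same values are delivered by the Office ADMX templates through Group Policy:

```powershell
# Added example (not from the original page). Part 1: Exchange transport rules, created
# in Audit mode so they only log until you have checked for false positives.
$dangerous  = @('exe', 'scr', 'js', 'jse', 'vbs', 'wsf', 'hta', 'bat', 'cmd', 'ps1')  # assumed subset
$quarantine = 'quarantine@example.com'                                             # assumed mailbox

# Rule 1: match on extension. Exchange evaluates this condition inside supported
# archives (e.g. a .js packed in a ZIP), so the archive case is covered by the same rule.
New-TransportRule -Name 'Quarantine dangerous attachment types' -Priority 0 -Mode Audit `
    -FromScope NotInOrganization -AttachmentExtensionMatchesWords $dangerous `
    -RedirectMessageTo $quarantine

# Rule 2: a password-protected archive cannot be inspected, so quarantine it outright.
New-TransportRule -Name 'Quarantine password-protected archives' -Priority 1 -Mode Audit `
    -FromScope NotInOrganization -AttachmentIsPasswordProtected $true `
    -RedirectMessageTo $quarantine

# Rule 3: catch executables renamed to an innocent extension; this condition inspects
# the file content (true type detection) rather than the name.
New-TransportRule -Name 'Quarantine executable content' -Priority 2 -Mode Audit `
    -FromScope NotInOrganization -AttachmentHasExecutableContent $true `
    -RedirectMessageTo $quarantine

# After auditing, switch the three rules to enforcement:
#   Get-TransportRule | Where-Object Name -like 'Quarantine*' | Set-TransportRule -Mode Enforce

# Part 2: Office macro policy. Same registry values the ADMX policies "VBA Macro
# Notification Settings" and "Block macros from running in Office files from the
# Internet" set; written to HKCU here for one test machine (assumption: Office 2016).
$officeVersion = '16.0'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    New-Item -Path $key -Force | Out-Null
    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default behind the
    # "Enable Content" bar), 3 = disable all except digitally signed macros,
    # 4 = disable all without notification. 3 is the "only signed macros" option.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    # Office 2016+: block macros in files carrying the Mark-of-the-Web, i.e. downloaded
    # from the internet or saved from an email attachment, which is exactly how macro
    # ransomware arrives.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}
```

The three gateway rules are deliberately layered: rule 1 handles the common case, rule 2 the archive the gateway cannot open, and rule 3 the renamed executable that rule 1 misses. The macro settings are the Group Policy half of the text's advice; if you choose value 4 instead of 3, even signed macros are blocked, which is the stricter option for users who have no business need for macros.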

When it is already too late

If you are reading this page and it is already too late (i.e. you have already become a victim of ransomware), take a look at the following websites. In some cases it is possible to decrypt files that ransomware has already encrypted, without paying the ransom. Whether that is possible depends on the ransomware family and on how its encryption was implemented: a free decryptor usually exists only where the authors made a mistake in their key handling or where the master keys were leaked or seized. Keep a copy of the encrypted files and the ransom note in any case; a decryptor for your family may only appear later.

Further Reading

The recommendations above are the key points when it comes to defending against ransomware. However, there are many other things you can do to avoid becoming a victim. You can read further about potential mitigation strategies here: