How to protect from Ransomwares: the RunAs approach

Last updated: 09-09-2016

I don’t know if this technique was already released on blogs before December 6, 2015.

Introduction

The first idea for defending against ransomware is to use virtual machines for web browsing and email, because they offer good isolation (an example is my Fir3vuan project). The only problem is that they are too CPU/memory expensive, especially on old computers with Windows XP.
In this tutorial I’ll show you how to protect against ransomware such as CBT, CryptoWall or Tesla using only Windows security features, namely the Windows Integrity Mechanism (see also User Account Control).

The idea

My (simple) idea is to use the Integrity Mechanism: in Windows a standard user can’t access the Administrator’s files, so you can log in to the administrative account, but sensitive processes such as browsers, mail clients, editors, etc. have to run as a standard user!
So if ransomware attacks your PC, the files in the standard user’s directory will be encrypted, but not those in the Administrator’s directory.

How to protect

The first thing to do is to create a Windows standard account, I suggest with a password (as on the administrative one). I created an account named “infectme”. Then you can use only the runas command, but it is unhandy; I prefer Microsoft PsExec:

psexec.exe -u infectme -p your_password -d "C:\Program Files\Mozilla Firefox\firefox.exe"

I suggest you change the existing shortcuts (or create new desktop shortcuts) so that the link calls psexec and passes the path of the program to run as its argument.
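As an added example (not part of the original post), this PowerShell script does the same launch as the psexec line above from a Windows 7 administrative session, but first checks that the standard account really has no ACL entry on the admin’s profile, which is the property the whole approach relies on; the account name “infectme”, the profile path C:\Users\nome and the Firefox path are assumptions.

```powershell
# Added example, not the post's own code. Launches a program under the
# low-privilege "infectme" account from an admin session, after verifying
# that the account has no access to the admin's own profile directory.
# Assumptions: standard account "infectme", admin profile C:\Users\nome,
# Firefox at its default install path, Windows 7 or later (PowerShell).

$StandardUser = "infectme"
$AdminProfile = "C:\Users\nome"
$Program      = "C:\Program Files\Mozilla Firefox\firefox.exe"

function Test-ProfileIsolation {
    param([string]$User, [string]$Path)
    # Look for any Allow entry that gives the standard user, Everyone or the
    # generic Users group rights on the admin profile. By default only SYSTEM,
    # Administrators and the owner are listed; anything else breaks isolation.
    $acl = Get-Acl -Path $Path
    $leaks = @($acl.Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and (
            $_.IdentityReference -like "*\$User" -or
            $_.IdentityReference -eq "Everyone" -or
            $_.IdentityReference -eq "BUILTIN\Users"
        )
    })
    return ($leaks.Count -eq 0)
}

if (-not (Test-ProfileIsolation -User $StandardUser -Path $AdminProfile)) {
    Write-Warning "$StandardUser has rights on $AdminProfile; fix the ACL before continuing."
    return
}

# Ask for the standard user's password interactively instead of embedding it
# in a shortcut target, where psexec's -p argument would leave it readable.
$cred = Get-Credential -UserName $StandardUser -Message "Password for $StandardUser"

# Start-Process -Credential is the built-in equivalent of psexec -u/-p -d:
# the new process gets infectme's token, so it cannot write to C:\Users\nome.
# The working directory must be readable by infectme, so use the Windows dir.
Start-Process -FilePath $Program -Credential $cred -WorkingDirectory $env:SystemRoot
```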

Software to install!

I suggest you install a zip manager such as WinZip, WinRAR or 7-Zip so that you don’t open zip files directly with Windows!

Results

I tested my approach on Windows XP and 7, and here are some videos. In the videos “nome” is the Administrator, the others are standard users.

Example of CryptoWall on Windows 7:

Example of TeslaCrypt on Windows 7:

When the admin password is requested, you have to click “No”, be careful!

This is the isolation proof on Windows XP after CBT execution:


For other programs

To get the same result, you can also use the right-click option “Run as different user”. I suggest you use it when you want to execute unknown software.


Final notes

This technique can protect you from viruses and current versions of ransomware (December 2015), but if a virus performs a privilege escalation the technique is useless; you should remember this!