How to stop ransomware—even if your system has been taken over by a hacker

Our ransomware experts have recently observed a number of incidents in which threat actors were able to disable the antivirus software on a compromised machine because the antivirus software had no authentication mechanism to prevent them from doing so.

After disabling the antivirus software (and other installed security solutions), the threat actors simply deployed the malicious payload without worrying about detection or intervention.

Thankfully, there is one very simple thing you can do to harden your network and prevent this type of attack: set an administrator password for your antivirus software.

Why organizations continue to fall to ransomware

Although just about every reputable company on the planet is protected by some form of antivirus software, organizations continue to fall to ransomware at an alarming rate.

This usually isn’t due to antivirus software failing to detect malicious activity. Every legitimate antivirus solution on the market can reliably detect and stop the vast majority of ransomware variants, provided, of course, that the antivirus solution is active when the ransomware is deployed – and therein lies the rub.

When a machine in an organization is compromised (through, say, a phishing scam or exploitation of unpatched software), the threat actors responsible for the attack essentially become the organization’s new sysadmin. They have the power to do anything within the hacked account’s privileges, including the ability to disable antivirus software and other security processes before the ransomware is deployed.

This style of attack would not be possible if threat actors were unable to deactivate antivirus software on the compromised machine.

How to stop attackers disabling your antivirus software

The simplest and most effective way to stop attackers disabling antivirus software — and, by extension, protect your organization from ransomware — is to set an administrator password.

Setting an administrator password makes it all but impossible for threat actors to shut down and uninstall security software, even if they have gained unauthorized access to the network. If allowed to run as intended, a good antivirus solution will stop the ransomware threat when it’s deployed and alert you of suspicious activity.

To set an administrator password for Emsisoft protection software:

  1. Log in at MyEmsisoft.
  2. Navigate to your workspace and click Protection Policies.
  3. Select the root policy (your workspace name) and scroll down to the ‘PASSWORD’ section near the bottom of the settings list.
  4. Toggle the option to ‘ON’ and enter an administrator password of your choice. Remember that passwords should be long, unique and random.

From now on, every time a user on any of your devices tries to disable Emsisoft protection software, a password prompt will be displayed (the original post shows a screenshot of this prompt).

Setting an administrator password is particularly important for MSPs, which are often a prime target for ransomware. See this blog post for more information on how MSPs can prevent targeted ransomware attacks.

Note: While administrator passwords can be set locally on endpoints, we strongly encourage our users to make use of the Emsisoft Management Console, which is secured with mandatory multi-factor authentication. Using the Emsisoft Management Console means that even in a worst-case scenario that results in total data loss on your local device, you will still be able to check the logs at MyEmsisoft to see exactly what happened. The Emsisoft Management Console can also be configured to trigger notifications when protection components are disabled.
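The notification the console can send when a protection component is disabled is the detection side of this control. As an added example that is not Emsisoft's code or part of the original post, the PowerShell script below shows the same check done locally on a Windows endpoint: it reads every antivirus product registered with Windows Security Center, decodes whether real-time protection is on, and writes a warning to the Application event log that a SIEM can forward. It assumes a Windows client where the `root/SecurityCenter2` WMI namespace exists (it is absent on Windows Server), that the script runs elevated so it may create the event source, and that the `productState` byte layout follows the commonly documented but unofficial interpretation noted in the comments. The event source name `AVWatch` and event ID `9001` are placeholders chosen for this example.

```powershell
# Added example (not Emsisoft's code): poll Windows Security Center for every
# registered antivirus product and flag any whose real-time protection is off.
# Assumes the root/SecurityCenter2 namespace exists (Windows client SKUs only).
# productState decoding below follows the widely documented, unofficial layout
# of the 24-bit value: the middle byte is 0x10 or 0x11 when the product is
# enabled and 0x00 or 0x01 when it is disabled; the low byte is 0x10 when the
# definitions are out of date and 0x00 when they are current.

function Get-AntivirusStatus {
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
    foreach ($p in $products) {
        $state          = [int]$p.productState
        $enabledByte    = ($state -shr 8) -band 0xFF
        $definitionByte = $state -band 0xFF
        [pscustomobject]@{
            Name          = $p.displayName
            ProductState  = ('0x{0:X6}' -f $state)
            RealTimeOn    = (($enabledByte -band 0x10) -ne 0)
            DefinitionsOK = (($definitionByte -band 0x10) -eq 0)
            LastReported  = $p.timestamp
        }
    }
}

function Test-AntivirusDisabled {
    # Returns only the products that are registered but not actively protecting.
    Get-AntivirusStatus | Where-Object { -not $_.RealTimeOn }
}

$disabled = @(Test-AntivirusDisabled)
if ($disabled.Count -gt 0) {
    # Record the finding in the Application log so central monitoring can alert on it.
    # 'AVWatch' is a hypothetical source name; creating it requires an elevated session.
    if (-not [System.Diagnostics.EventLog]::SourceExists('AVWatch')) {
        New-EventLog -LogName Application -Source 'AVWatch'
    }
    $names = ($disabled | ForEach-Object { $_.Name }) -join ', '
    $msg   = "Antivirus real-time protection is OFF for: $names"
    Write-EventLog -LogName Application -Source 'AVWatch' -EntryType Warning -EventId 9001 -Message $msg
    Write-Warning $msg
} else {
    # Nothing is disabled: print the full status table for the operator.
    Get-AntivirusStatus | Format-Table -AutoSize
}
```

Run the script from a scheduled task every few minutes; a product that appears in the table one run and is reported as disabled the next is exactly the event the administrator password is meant to prevent, and the gap between the two runs tells you how long protection was off.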

Reduce admin permissions to further secure your antivirus

For an additional layer of security, we recommend reducing permissions for local admin user accounts. In the event that an attacker manages to obtain an admin account with ‘Full access’, they could potentially exclude entire drives from protection or disable individual real-time protection components.

Reducing local admin permissions can prevent this from happening. To do so:

  1. Log in at MyEmsisoft.
  2. Navigate to your workspace and click ‘Permission Policies’.
  3. Select the ‘Administrators’ group.
  4. In the ‘Level’ section, click the dropdown box and select ‘Basic access’. Note: you must set an administrator password before you can reduce administrator permissions.

Ransomware attacks are often only made possible because threat actors are able to deactivate and uninstall security processes on a compromised machine. Setting an administrator password on your antivirus software is a simple and effective way to create an additional layer of security and protect your systems from ransomware.

Jareth

Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.