• Virus attack – Windows Defender Security Scam – Ransomware


    #2513433

    I have searched the forums, could not find any useful information. I hope this is the correct forum to ask this question:

    I manage a small network of Windows 10 Pro computers for a medical office. They are connected in a peer-to-peer network. No server. No domain.

    The installed antivirus is Windows Defender. The staff have to frequently find telephone numbers for doctor’s offices or for pharmacies. One staff member clicked on a Walmart link and their computer was immediately infected with the Windows Defender Security scam. Apparently Windows Defender cannot detect this scam.

    All the computers have backups so I restored the computer from the previous day. The computer seems to be working now.

    I read every Woody’s newsletter. Perhaps Ms Bradley has suggestions?

    Q1.) What must be done to prevent these attacks? I cannot ask the staff to stop searching for phone numbers.

    Q2.) There is no hardware firewall connected to this network. How would a hardware firewall help prevent these attacks?

    Q3.) If a hardware firewall would help, then what features should such a firewall have? Perhaps you can suggest some models.

    Q4.) I am very concerned about a ransomware attack. What would you do to prevent a ransomware attack?

    • #2513471

      The WDSS is just a browser hijack and does not infect the computer, unless you have managed to download and run software. Browser hijacks cannot really be prevented by AV – it would need to sanity check every page / script and your browsing would be very slow.

      Hardware firewalls could only prevent these attacks if they inspect every browser page / script and then they can’t really warn you about the code they have removed, so users would have weird results and probably complain to IT.
      And cost is an issue at your level.

      Ransomware attempts to encrypt / prevent access to your data. The only real solution is a backup, which you already have. The problem is preventing the backup being compromised because the computer effectively needs write access to the backup location. The same is true for shared storage.

      My solution is to use a backup / shared store (NAS) that has “snapshots”. These are read-only (hidden from users/machines) copies of all data that have changed and are saved on the storage disk along with the normal files. If a malicious program / user mistake changes the data, restoring the snapshot takes minutes.
      Alternatively, using a master / client backup utility from a shared store prevents access because the backup client has special privileges to access the backup location. These products often come with a NAS.

      You can buy a NAS (Synology / QNAP) for about $500 that will do all of the above. Very cheap insurance in my book.
      https://www.ebuyer.com/992049-synology-ds220-8tb-2-x-4tb-sgt-iw-2-bay-desktop-nas-ds220-8tb-iw

      cheers, Paul

      p.s. please don’t paste from other screens / apps unless you use the “paste text only” option – usually right click. The html makes posts hard to read.

      1 user thanked author for this post.
    • #2513493

      What must be done to prevent these attacks? I cannot ask the staff to stop searching for phone numbers.

      Install proper A/V software.
      Windows Defender is a basic A/V and not good enough.

      • #2513550

        Alex, sorry but I have to disagree. Windows Defender has worked just fine for me for years on multiple machines, both mine and friends’, family’s, and neighbors’. Used in conjunction with a little common sense (staying away from dicey sites, porn, gambling, etc., checking the actual URL in search results for the actual location, etc.)

        Along with a weekly scan with Malwarebytes free.

        And of course, as stated by the OP, always have recent Image Backups, and you should be fine.

        Most third party AVs, IMHO, add too much overhead, get in the way of too many programs and things I want to do on my computer. Of course YMMV.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        4 users thanked author for this post.
    • #2513536

      What must be done to prevent these attacks? I cannot ask the staff to stop searching for phone numbers.

      Install proper A/V software.
      Windows Defender is a basic A/V and not good enough.

      I’m wondering if anyone can recommend a good AV/Internet Security program to purchase. I am running Win 10 Pro v 22H2 on a new Thinkpad. So far I have only used Defender but, on two older laptops – one Win 10 and one Win 7, I have used ESET for several years.

      Should I purchase a single license of ESET for this new laptop – they are having a sale for New Year’s – and just renew my other two when they come due? Or is there something else that might work better? Newegg has a 1 year, 1 computer license for AVG Internet Security for $9.99 today – might that be an alternative to try?

      Or something else?

      Thanks!

    • #2513547

      I think Susan only runs Defender. I do, but with regular manual checks with free MalwareBytes Anti Malware.
      Some here run paid MBAM in real time along with Defender with no issues.

      cheers, Paul

      2 users thanked author for this post.
      • #2513554

        Thanks! I do have the free version of MBAE running and also occasionally run Emsisoft Toolkit, so maybe along with Defender, that’s enough for now till I figure out if I need something else.

    • #2513548

      Remember Alt+F4 is your friend. That key combination closes the active window.
      Most browser hijacks are just a window that tries to get you to do something, e.g. click a link or call a number. Most can be subverted by simply pressing Alt+F4!

      If that doesn’t work, press and hold the Power button.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

      2 users thanked author for this post.
    • #2513552

      To prevent even seeing such fake alerts, install a good ad and content blocker addon/extension such as the free uBlock Origin.

      https://ublockorigin.com

      https://github.com/gorhill/uBlock

      WRT real ransomware you might want to read: Best Defensive Strategy against ransomware (crypto malware)

      3 users thanked author for this post.
    • #2513567

      I’m wondering if anyone can recommend a good AV/Internet Security program to purchase. I am running Win 10 Pro v 22H2 on a new Thinkpad. So far I have only used Defender but, on two older laptops – one Win 10 and one Win 7, I have used ESET for several years.

      Should I purchase a single license of ESET for this new laptop – they are having a sale for New Year’s – and just renew my other two when they come due?

      ESET offers licenses for 1, 3, or 5 devices. Newegg regularly sells these licenses at a deep discount. You could stay with Defender on your new Thinkpad for now while you watch for the ESET 3-device license to go on sale. Then renew with that 3-device license when your two current licenses expire. Just be aware that the clock starts ticking on the new license as soon as you activate the first device with it.

      1 user thanked author for this post.
    • #2513573

      Most third party AVs, IMHO, add too much overhead, get in the way of too many programs and things I want to do on my computer. Of course YMMV.

      I have used Kaspersky for years and it never adds too much overhead or gets in the way of too many programs and things…

      Along with a weekly scan with Malwarebytes free.

      What good does a weekly scan do after you have been infected like the OP did?
      The fact is that Defender hasn’t stopped the malware scam. A proper A/V which also checks web downloads… would have.

      I recommend adding uBlock Origin to any browser.

      2 users thanked author for this post.
      • #2513607

        Alex,

        I use uBlock Origin also, along with NoScript!

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        2 users thanked author for this post.
        • #2513721

          Retired Geek: What parameters do you set when you use NoScript? NoScript will block just about everything to the point where web sites will not work.

          The staff in the medical office will not fiddle with NoScript settings to get a web site to work. They will scream and complain. I’d really like to know more about how you manipulate NoScript to get it to prevent problems but still allow web sites to work.

      • #2514709

        FCC added Kaspersky to its “Covered List” in March 2022, labeling the firm an unacceptable security risk.

    • #2513726

      @cellsee6

      Which browser(s) is/are being used by the staff? That can help to give browser-specific guidance on settings within them that can be used to avoid that kind of junk from being displayed in the first place. Obviously, that would be in addition to any add ins such as NoScript or uBlock Origin.

      At home, I use Firefox nearly exclusively, but at work I use and help coworkers with Edge’s use and settings as well as Chrome’s use and settings.

      1 user thanked author for this post.
      • #2513916

        Cellsee,

        My normal procedure when a new site doesn’t work properly is to first mark the main URL as Trusted and see if that fixes things. After that I’ll allow Temp access to URLs one at a time and see what works. Once I have that figured out I’ll mark the appropriate ones as Trusted. Now that site is set and I don’t have to worry about it again.

        When trying a new site that I may only use once I just give temp access to items one at a time until it works, knowing that when I leave the page I’m once again protected.

        It’s pretty much like seat belts. Yeah, they are a pain but the consequences outweigh that pain!

        Of course, in a business environment you can test “approved” sites and then publish the settings for your employees.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        1 user thanked author for this post.
      • #2513994

        Bob99: The staff has to use Chrome. They must use certain web sites to post insurance claims and those sites specifically state they are built to use Chrome and nothing else.

        What security parameters do you set in Chrome?

        1 user thanked author for this post.
        • #2514000

          those sites specifically state they are built to use Chrome and nothing else.

          At work, we’ve recently had to deal with that exact type of situation, until the operators of the websites decided to recode their sites to work as well in Edge as they did in Chrome.

          What security parameters do you set in Chrome?

          I’m off work today, but will be in tomorrow, so I’ll take a look and reply to you below this post. Since I don’t even have Chrome installed at home, I don’t want to go off misguiding you from memory. I’ll write down the locations and names of what I’ve tightened up and where to make it really easy on you.

          With browsers tightened up enough, there might not be any need for you to employ the use of any add-ons such as UbO or NoScript.

          If, after tightening up the browser in use and possibly employing one of the aforementioned (and VERY popular) addons, the browsers still get hit by the fake update notices, it might be time to explore anticrapware solutions that can assist Defender, such as Malwarebytes. Also, end user education can go a long way to avoiding clicking on “clickbait” links in search results (that’s one source of possible infection).

          You’re in a tough spot since the office has to abide by the current HIPAA data security guidelines (but, hey, you knew that).

          EDIT:

          OMG, I forgot that since I have an Android phone, I’ve got Chrome on it by default, even though I don’t use it (I use Firefox instead as the default browser).

          Looking into the settings I’ve got on the Android version of Chrome, I believe that most of them, which are for privacy and security, should be available on a Windows-based Chrome installation.

          So, here goes:

          Under the “Site settings” banner, I have the following items set that may help you:

          • Allow cookies except third-party ones.
          • Block pop-ups and redirects (if you haven’t already).
          • Ads are set to “Off”, which blocks “ads on sites that show intrusive or misleading ads”.
          • JavaScript is allowed, since so many sites don’t work well with it disabled.
          • I have “Notifications” blocked within Chrome’s settings under the “Site settings” list. However, this also will block legitimate notifications from a website, such as the ones the staff needs to use for claims submission. Try it and see how things go on the forms submission sites… if they work, leave this setting on; if they don’t work, turn it back off. This setting is completely different from the Notifications setting within Android for the browser. This setting only deals with notifications from websites that are displayed within the browser.

          Under the “Privacy and security” banner, I have Safe Browsing set to “Enhanced”, and I have also enabled Secure DNS using Cloudflare’s server at 1.1.1.1;

          I hope this works for you as a starting point. More info to follow tomorrow, and I’ll try to post any clarification on just where these settings are within the desktop version of Chrome.

        • #2514477

          As promised, here’s the rundown on a desktop installation of Chrome.

          The settings are labeled the same, but are in slightly different locations than in an Android version of Chrome. For most all of these settings, to get to them initially, click on the three dots in the upper right corner of the browser’s window. These dots are on top of each other from top to bottom, and the word “More” may be next to them. Once you click on them, then select “settings” from the menu that appears. The word “settings” should also have a “gear”-looking symbol next to it.

          The settings themselves are identical to the settings in my post above that’s based upon Chrome in my Android device. The actual names themselves in a desktop installation are the same as in the Android version, but the way to get to them is a bit different, as I noted above.

          So, here goes:

          • Cookies and other site data: Block third party.
          • Safe Browsing: Enable it and set it to “Enhanced protection”; if this breaks too many sites then set it to “Standard protection”.
          • Always use secure connections: turn it on and set it to use Cloudflare at 1.1.1.1.

          For the Site settings, there is an entire category unto itself that you should find that’s labeled “Site settings”. These settings will apply to ALL sites unless you specify otherwise deeper within the settings. Anyway, the ones that I’ve made a note of to help you avoid having a repeat of the pop-ups with the fake warnings/alerts are as follows: “Notifications” should be set to OFF. This is separate and totally distinct from notifications from Windows or even Chrome itself. This deals with notifications from websites, and just might be the way that these false alarms are being presented on the screen if they’re presented while browsing. JavaScript should be set to ON, as too many sites will not work properly these days without it. Pop-ups and redirects should be set to not allow them.

          Now, there’s a thing on the “Site Settings” page that is towards the bottom of the settings listing that says “Additional content settings”. Click on it to reveal the following setting to be changed. “Ads” should be set to “Block ads on sites that show intrusive or misleading ads”. This setting being enabled might also block those annoying false alarms from popping up again as well as the others.

          That’s it! One other item, though. In keeping with the suggestions in this thread about an alternative anti-crapware solution, I offer the following: I have and run Defender as my primary line of defense against crapware. BUT, I also backstop it with the free version of Malwarebytes. I use Malwarebytes to run unscheduled periodic full scans of both of my computers in addition to the default settings within Defender. With that combination, I’ve yet to get infected, but I also rely on my senses and a modest amount of judgement…if something’s too good to be true, then I don’t click on it, nor do I click on unsolicited emails from unknown entities/people nor do I open any unsolicited attachments to any email without verifying it with the sender first.

          I hope these settings help you out!
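          Added example (not part of this thread, and not anything Bob99 or Google published): on a small peer-to-peer office like the OP’s, the per-user Chrome settings Bob99 walks through in his Android post and in this desktop post can be pushed machine-wide as Chrome enterprise policies from the registry, so staff cannot quietly switch them back. This PowerShell script does that for the settings named above (block notifications, block pop-ups/redirects, keep JavaScript on, block intrusive ads, block third-party cookies, Safe Browsing, secure DNS via Cloudflare). Assumptions: it runs elevated on each Windows 10 PC, Chrome reads `HKLM:\SOFTWARE\Policies\Google\Chrome` on non-domain-joined machines (it does, and the browser then shows “Managed by your organization”), and the policy names and value meanings match your Chrome version; check each one against Chrome’s policy list before rolling out.

```powershell
# Added example, not code from the thread. Writes Chrome enterprise policies to
# the machine-wide policy key so the settings Bob99 describes apply to every user.
# Assumption: run as Administrator; policy names verified against the Chrome
# policy list for your version (https://chromeenterprise.google/policies/).

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}

# For the content-setting policies: 1 = allow, 2 = block.
$Policies = [ordered]@{
    DefaultNotificationsSetting    = 2   # "Notifications" OFF: web-push prompts are the fake-alert channel Bob99 describes
    DefaultPopupsSetting           = 2   # "Pop-ups and redirects": don't allow
    DefaultJavaScriptSetting       = 1   # keep JavaScript ON; the claims sites need it
    AdsSettingForIntrusiveAdsSites = 2   # "Ads": block on sites that show intrusive or misleading ads
    BlockThirdPartyCookies         = 1   # "Cookies and other site data": block third party
    SafeBrowsingProtectionLevel    = 2   # 2 = Enhanced protection; set 1 (Standard) if too many sites break
    DnsOverHttpsMode               = 'secure'   # "Use secure DNS" with no fallback to plain DNS; 'automatic' allows fallback
    DnsOverHttpsTemplates          = 'https://cloudflare-dns.com/dns-query'   # Cloudflare resolver (assumed template URL)
}

foreach ($name in $Policies.Keys) {
    $value = $Policies[$name]
    # Strings (the DoH settings) become REG_SZ, everything else REG_DWORD.
    $type = if ($value -is [string]) { 'String' } else { 'DWord' }
    New-ItemProperty -Path $PolicyKey -Name $name -Value $value -PropertyType $type -Force | Out-Null
}

# Read the key back so the applied values can be checked before Chrome is
# restarted; chrome://policy in the browser shows the same table afterwards.
Get-ItemProperty -Path $PolicyKey | Select-Object -Property @($Policies.Keys) | Format-List
```

          Run it once per PC; Chrome picks the policies up on its next start. Because these are machine policies, the “Notifications” toggle and the others become greyed out in the Chrome settings UI, which is exactly the point for shared office machines. If the claims sites turn out to need a web notification or a pop-up, add an exception through the matching allow-list policy for that site only rather than turning the global setting back on.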

    • #2513911

      Sounds like Ctrl+W is the solution. Just close the tab, it’s a fake warning.

      In addition to Windows Defender, you can install a browser extension from a reputable security company, such as:

      • Trend Micro Check
      • Malwarebytes Browser Guard

      Additionally, you can configure the router, each PC (i.e. Windows), or the browser to use a safer DNS provider such as:

      • Quad9
      • CloudFlare

      Finally, some ISPs offer protection against malicious sites at the router level.

      Also, make sure that SmartScreen (reputation-based protection) is enabled in Windows settings and that “Standard Protection” is enabled in Chrome (if they use Chrome).
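      Added example (not part of this post, and not a script from any of the vendors named): the two OS-level items technic lists, a filtering DNS provider on each PC and SmartScreen / Defender being switched on, can be applied and checked from PowerShell in one go, which is easier than clicking through ten machines. The script below uses Quad9’s resolver addresses (9.9.9.9 and 149.112.112.112); Cloudflare’s 1.1.1.1 and 1.0.0.1 drop in the same way. Assumptions: it runs elevated, the wired adapter is named `Ethernet` (check with `Get-NetAdapter`), and the SmartScreen registry value location is the one Windows 10 uses for Explorer / downloads.

```powershell
# Added example, not code from the thread. Points one Windows 10 PC at a
# filtering resolver and reports whether SmartScreen and Defender are active.
# Assumptions: run as Administrator; adapter alias 'Ethernet'.

# Quad9 (malware-blocking) resolvers. For Cloudflare use '1.1.1.1', '1.0.0.1'.
$DnsServers = @('9.9.9.9', '149.112.112.112')

function Set-OfficeResolver {
    param([string]$Adapter = 'Ethernet')
    # Replaces the adapter's resolver list; any DHCP-assigned servers are overridden.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DnsServers
    Clear-DnsClientCache
}

function Get-OfficeProtectionStatus {
    param([string]$Adapter = 'Ethernet')

    $dns = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses

    # SmartScreen for Explorer / downloads: 'RequireAdmin' or 'Warn' = on, 'Off' = disabled.
    # A missing value means the Windows default (on) is in effect.
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                           -Name SmartScreenEnabled -ErrorAction SilentlyContinue
    $smartScreen = if ($ss) { $ss.SmartScreenEnabled } else { 'not set (default: on)' }

    # Defender's own state comes from its PowerShell module.
    $mp = Get-MpComputerStatus

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        DnsServers            = ($dns -join ', ')
        UsingFilteringDns     = [bool]($dns | Where-Object { $_ -in $DnsServers })
        SmartScreen           = $smartScreen
        DefenderRealTime      = $mp.RealTimeProtectionEnabled
        DefenderSignatureAge  = "$($mp.AntivirusSignatureAge) day(s)"
    }
}

Set-OfficeResolver
Get-OfficeProtectionStatus | Format-List
```

      Run it on each PC and keep the `Format-List` output; a machine reporting `DefenderRealTime : False`, a signature age of more than a day or two, or `SmartScreen : Off` is the one to look at first. Setting the resolver on the router instead, as technic suggests, covers every device at once but does not help a laptop that leaves the office, so doing both is reasonable.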

      • #2513995

        technic: Please tell me more about Quad9 and CloudFlare. Where do I get more information about these? Perhaps you can share some URLs?

        Please share how you use these and why you have found them to be useful.  Thank you.

        • #2514182

          “Safer” DNS is a marginal term that assumes your existing DNS may be susceptible to hacking / poisoning. Up to date AV, user education and backup are your best protections IMO.

          cheers, Paul
