Macrium Support Forum

Macrium 6 and Cryptolocker

https://forum.macrium.com/Topic211.aspx

By lovelyjubbly - 26 February 2015 6:05 AM

I'd like to find out what we can do to protect our Clients from Cryptolocker encrypting our Image Backups?

Most of my clients are using USB external drives.

One such client got hit by Crypto and all her documents were encrypted.

Fortunately it didn't encrypt our Macrium backup images, however I've read that some variants go for all files on all attached drives.

How do we ensure the nasties can't get at our Backup Images?

Thanks, and well done re V6 :)
By Froggie - 26 February 2015 2:04 PM

In my case, the backup of my images is done into a fully protected folder that any ransomware task cannot get access to. I use FolderGuard and any storage device/folder may be protected. If those attached storage volumes don't have to share lots of access with other processes, this method should protect you. If they do, then place your images in a specific folder and protect that folder instead. But remember... that folder will only be protected on the system that has the protecting software installed. If the attached device/folder is shared, the protection will not be shared.
By Arvy - 26 February 2015 2:21 PM

Reflect's backup images are just files.  As with anything else, the only kind of immunity that is absolute (or nearly so) is disconnected isolation from any potential sources of infection and other damage.  I use rotation in swappable drive bays for off-site protection myself, but USB-(dis)connected externals would do just as well.
By Seekforever - 26 February 2015 3:28 PM

Like Arvy says, the only thing approaching absolute protection is to physically remove the backup from the PC and this includes networked PCs and NAS. This means unplugging the backup device. Malware is not written with the same constraints as regular programs so you cannot rely on other methods providing the same level of security as isolation. They may improve the safety considerably but you have no way of knowing if they will protect against all malware.

Having more than one removable drive provides better protection and if you are serious about protecting your files you should be using more than one and rotating it. Securing data files is much, much more important than preserving a Windows and applications installation. That can always be put back.

By Merlin - 26 February 2015 11:31 PM

The best way is not to have the drive connected, but a question.
Froggie, with Folderguard, do you need to unlock the folder for the image to proceed, then relock it?
Or is there some way to give Macrium access to the folder and no other processes?
If the folder needs to be unlocked, anything can happen.
By Drac144 - 27 February 2015 12:01 AM

I don't know how those encryption programs work. I assume it takes them some time to encrypt every file. Not sure if it is possible to notice what is going on and power off the computer to prevent all files from getting hit. If the program starts on drive C and works its way up the drive letters, it might be possible to realize email or other software no longer works before other files are hit.

While I keep a copy of my weekly full backup on a normally disconnected external drive, I could lose up to a week's worth of data if I were to get hit by such a virus.
By lovelyjubbly - 27 February 2015 12:11 AM

Thanks Frog,

I can't seem to find Folder Guard on the web, first 2 Google results give:

http://www.winability.com/folderguard/

http://www.folder-guard.com/

which seem to be unwell.
By Froggie - 27 February 2015 12:13 AM

Merlin, any type of Explorer access is blocked without a password.  At the program level it gets an ACCESS DENIED.

Yes, you can allow certain processes access to the protected area based on program name and hash.  I've given only my file replication software access to the special folder... everyone else needs password access.
By lovelyjubbly - 27 February 2015 12:13 AM

Thanks to everyone who's replied re unplugging the usb drive.

Unfortunately I have real trouble getting my Clients to plug it in !

No way would I be able to get them to plug in and remove the drives.

I'm hoping Macrium will respond to this.

What about password protecting the backup in Macrium, would that do any good?
By Froggie - 27 February 2015 12:14 AM

LovelyJubbly, that is the program, authored by Winability.
By lovelyjubbly - 27 February 2015 12:36 AM

LovelyJubbly, that is the program, authored by Winability.

Sadly I can't get to that website.

I have BitDefender Free, MalwareBytes Pro, Windows Firewall and Cryptoprevent.

Can't find anything in them that would block them.
By Froggie - 27 February 2015 12:47 AM

LovelyJubbly, here's Winability's FolderGuard 30-day TRIAL from my DropBox, and here's their USER's GUIDE (also in my DropBox) if you'd like to play...
By khmikael - 27 February 2015 1:23 AM

lovelyjubbly (2/27/2015)

What about password protecting the backup in Macrium, would that do any good?


No.

Password protecting backup files and encrypting them are measures meant to stop unauthorized parties from looking at and restoring the backups.

It would not prevent the backup files from being encrypted by the crypto malware.
By Merlin - 27 February 2015 1:55 AM


What about password protecting the backup in Macrium, would that do any good?

No. That would stop anyone else from access to the files in the image, but wouldn't stop a rogue program from encrypting it.
Edit: sorry. see it's been answered above me.

By lovelyjubbly - 27 February 2015 2:15 AM

Thanks Froggie,

How do I ensure Reflect can get to the protected drive/folder?
By Seekforever - 27 February 2015 3:32 AM

Drac144 (2/27/2015)
I don't know how those encryption programs work. I assume it takes them some time to encrypt every file. Not sure if it is possible to notice what is going on and power off the computer to prevent all files from getting hit. If the program starts on drive C and works its way up the drive letters, it might be possible to realize email or other software no longer works before other files are hit.

While I keep a copy of my weekly full backup on a normally disconnected external drive, I could lose up to a week's worth of data if I were to get hit by such a virus.


Cryptolocker doesn't really care about your Windows and apps files themselves. It goes after document type files such as jpegs, xls, doc, and a whole lot of others. Here is probably a pretty good description on how it works, how you can set up your Windows to avoid encryption, etc. Image files are not on the list but you can't rely on that happening forever. OTOH, when you get right down to it, compared to all the PCs in the world, there are more than enough opportunities for locking files than worrying about image files especially since they are so big.
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Interestingly, they say that shares accessed by the UNC method rather than a drive letter are safe and cloud backups are safe. Again, who knows how long that will last.  You will notice that every solution such as Malwarebytes says to have a backup!

By lovelyjubbly - 27 February 2015 3:40 AM

You will notice that every solution such as Malwarebytes says to have a backup!

Trouble is, the backup could be encrypted, then you're really hosed :(

My Client is also using Sugarsync which doesn't have a bulk rollback so you'd have to restore thousands of files manually.

I'll be looking to move all my Sugarsync Clients to Dropbox, they do have a global rollback feature, see here:
https://www.dropbox.com/help/400#rollback

I'm also checking with Soonr who I use for my Corporate Client Backups.

But I'd still love my Macrium Backups to be immune to anyone or anything messing with my Image Backups, except Macrium.

I.e. you can't encrypt or maybe even delete except within Macrium...
By Seekforever - 27 February 2015 4:21 AM

I'm sure the implication is that you have a secure backup.
Given that the image file is a file I don't see how it can be under the sole control of Reflect in this case. I've used programs where the backup file was intended to be managed by the program but it didn't stop anybody with the proper permissions from deleting the files (and thus screwing up the database).

Cloud-based backup or secondary storage of data files seems like a solution but if you are using automatic syncing it is essential that you have a version capability in the cloud storage. If the file gets modified by Cryptolocker then it will be seen as changed and synced with the cloud causing your good file to be overwritten with an encrypted file. If you have versioning then you can revert to the previous unencrypted version.
By lovelyjubbly - 27 February 2015 4:56 AM

Cloud-based backup or secondary storage of data files seems like a solution but if you are using automatic syncing it is essential that you have a version capability in the cloud storage. If the file gets modified by Cryptolocker then it will be seen as changed and synced with the cloud causing your good file to be overwritten with an encrypted file. If you have versioning then you can revert to the previous unencrypted version.



The trouble is Sugarsync for example doesn't have rollback, so if you have 20,000 files to re-version, one by one, it's not going to be fun.

Worst-case scenario, your Macrium images are corrupted and you're faced with weeks of manually restoring files.

Dropbox does rollback to an event, so I'll be moving my Clients to them.

By Dreamer2004 - 27 February 2015 1:55 PM

The best protection against Cryptolocker is your own brain.exe!


By theo - 27 February 2015 3:17 PM

you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive. it may require you to be running as an administrator and have a tpm module, idk. but it's relatively simple to do.
By Seekforever - 27 February 2015 3:28 PM

I agree to a point except that the thinking part of the brain is notorious for falling asleep when we are doing something - how many times over the years have we gone click, click, click and then said something like, "darn, shouldn't have done that last click"? Also, the original poster is dealing with a number of clients whose computer knowledge may vary considerably and who see the PC as nothing more than a tool to accomplish something else and there is no way he can rely on their following good security practices. The clients have hired him to ensure their data is safe and if it gets lost, telling the boss-man that Charlie shouldn't have clicked on that message isn't going to cut it.


By Arvy - 27 February 2015 3:39 PM

Not knowing how this particular client service is currently organized, I'd still be strongly inclined to look for some kind of centralized or otherwise coordinated solution that allows for destination drive swapping and off-site protection.  But I suppose that's just my own "belt and suspenders" personality speaking.
By Seekforever - 27 February 2015 4:00 PM

theo (2/27/2015)
you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive. it may require you to be running as an administrator and have a tpm module, idk. but it's relatively simple to do.


I'm not certain this is a solution. Bitlocker is intended to make data inaccessible when a computer is stolen or lost. While the machine is running the files are essentially decrypted or at least decrypted on the fly. If the person clicks on the Cryptolocker delivery mechanism and can access the files then they are essentially plaintext but even if they weren't there is nothing that says an encrypted file can't be encrypted again.

From MS info on Bitlocker:
BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.

By Seekforever - 27 February 2015 4:31 PM

Arvy (2/27/2015)
Not knowing how this particular client service is currently organized, I'd still be strongly inclined to look for some kind of centralized or otherwise coordinated solution that allows for destination drive swapping and off-site protection.  But I suppose that's just my own "belt and suspenders" personality speaking.


It's anything but your own "belt and suspenders" method especially if the data is important at least to you. As I've said before, your personally created data deserves the most protection since it cannot be purchased anywhere else at any price; OS and apps can.

Anybody who is dealing with business data is a fool who doesn't have a similar approach and that sure means off-line and off-site protection. All it takes is a good lightning strike to wipe out a whole network and theft or fire to remove all your data from the premises. A theft can be even more catastrophic if the data pertains to other people's personal information (e.g., doctor's office, financial, etc.) or sensitive proprietary product information. Bitlocker is a solution for the theft situation.
By theo - 27 February 2015 5:16 PM

Seekforever (2/27/2015)
theo (2/27/2015)
you can use MR with a couple of batch files inserted into a MR generated vbscript job to unlock and lock a bitlocker encrypted drive. it may require you to be running as an administrator and have a tpm module, idk. but it's relatively simple to do.


I'm not certain this is a solution. Bitlocker is intended to make data inaccessible when a computer is stolen or lost. While the machine is running the files are essentially decrypted or at least decrypted on the fly. If the person clicks on the Cryptolocker delivery mechanism and can access the files then they are essentially plaintext but even if they weren't there is nothing that says an encrypted file can't be encrypted again.

From MS info on Bitlocker:
BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password are not kept secret.



we can imagine all sorts of scenarios but while the machine is running with a locked drive, not just encrypted, it still is inaccessible to even the administrator without the password.

I just booted running as an administrator, password needed. crypto could, I suppose, run the batch file to unlock d:\ but I doubt it.

the true unknown is: when does malware reveal itself? immediately? when you attach an external drive? Have you backed up your malware too?

http://forum.macrium.com/uploads/images/154778af-0791-4a2e-b062-9020.jpg




By Seekforever - 27 February 2015 6:31 PM

I can see that but how do you lock up the internal HD after you've unlocked it and written your image or other data to it? I don't see a command other than shutting the machine down or perhaps logging off the account.
If an external USB drive was used and it was removed that would indeed do it but the original poster has a problem getting his clients to use externals.
-----------  OK I found "-lock" in manage-bde in command mode..----------------------------------
It appears that Bitlocker would do the job of protecting the backup files except for the time the drive is unlocked and that risk would be very small as long as the drive is kept locked until the backup is initiated. If a user has the password and unlocks it without locking it after use then the risk will increase.

I believe Cryptolocker reveals itself after the work is done. Backing up malware in images is always an issue which is why you should have a chronological history of several images available. IMO, it is also a reason not to use incremental image consolidation methods especially if you just keep re-working a chain based on one full image. I'm interested in opinions on this.
By theo - 27 February 2015 7:42 PM

Seekforever (2/27/2015)
I can see that but how do you lock up the internal HD after you've unlocked it and written your image or other data to it? I don't see a command other than shutting the machine down or perhaps logging off the account.
If an external USB drive was used and it was removed that would indeed do it but the original poster has a problem getting his clients to use externals.
-----------  OK I found "-lock" in manage-bde in command mode..----------------------------------
It appears that Bitlocker would do the job of protecting the backup files except for the time the drive is unlocked and that risk would be very small.

I believe Cryptolocker reveals itself after the work is done. Backing up malware in images is always an issue which is why you should have a chronological history of several images available. IMO, it is also a reason not to use incremental image consolidation methods especially if you just keep re-working a chain based on one full image. I'm interested in opinions on this.


Notepad-----
c:\windows\system32\manage-bde -unlock d: -recoverypassword xxxxxx-out to 48 digits-xxxxxx
(name it unlock.bat)
c:\windows\system32\manage-bde -lock d:
(name it lock.bat)

add the batch files to run before, run after in macrium defaults for vbscripts
convert your mr backup definition to vbscript, schedule the vb

the difficulty is configuring the mr winpe to carry the bitlocker drivers. obviously you'd like to avoid unlocking the drive if you have a known C:\ infection from within windows to restore. wish they would configure the rescue media with the -bde drivers.
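
The unlock, back up, lock sequence discussed in the posts above, as an added PowerShell example that is not part of theo's post or of Macrium's software. It assumes the BitLocker cmdlets are available, that `D:` is the backup volume as in the thread, that the key file path is a hypothetical location readable only by the backup account, and that the caller passes the command that runs the backup as `-BackupJob`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): keep a BitLocker data volume locked
# except while the backup job is actually writing to it.
param(
    [string]$MountPoint = 'D:',   # the backup volume used in the thread
    # Hypothetical path: a one-line file holding the 48-digit recovery password,
    # readable only by the account this script runs as.
    [string]$KeyFile = 'C:\ProgramData\BackupKey\recovery.txt',
    # Assumption: the caller passes whatever starts the backup and waits for it to finish.
    [Parameter(Mandatory)][scriptblock]$BackupJob
)
$ErrorActionPreference = 'Stop'

function Get-LockState([string]$Mp) {
    # Returns 'Locked' or 'Unlocked' for the given BitLocker volume.
    (Get-BitLockerVolume -MountPoint $Mp).LockStatus.ToString()
}

$wasLocked = (Get-LockState $MountPoint) -eq 'Locked'
if (-not $wasLocked) {
    # The volume was left open by something else; report it so the gap gets noticed.
    Write-Warning "$MountPoint was already unlocked before the job started."
}

$opened = Get-Date
try {
    if ($wasLocked) {
        $pw = (Get-Content -LiteralPath $KeyFile -TotalCount 1).Trim()
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $pw | Out-Null
        Remove-Variable pw
    }
    & $BackupJob
}
finally {
    # Runs whether the backup succeeded or failed, so an error cannot leave the volume open.
    if ((Get-LockState $MountPoint) -ne 'Locked') {
        Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    }
    $state   = Get-LockState $MountPoint
    $seconds = [int]((Get-Date) - $opened).TotalSeconds
    # The unlocked interval is the exposure window discussed in the thread; log it.
    Write-Output "$(Get-Date -Format s) $MountPoint state=$state unlocked_for=${seconds}s"
    if ($state -ne 'Locked') {
        throw "$MountPoint is still unlocked after the backup."
    }
}
```

The key file carries the same exposure theo mentions for unlock.bat: anything running as an account that can read it can unlock the volume, so the scheme rests on the ACL of that file.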

By Arvy - 27 February 2015 9:13 PM

theo (2/27/2015)

 wish they would configure the rescue media with the -bde drivers.

Do the optional WinPE_OCs for Reflect's PE5 builds not cover what you're looking for?  They appear to include the manage-bde.exe executable along with related .DLL and .SYS files.

As an aside but closely related to this topic, I would suggest a glance or two at Microsoft's own Security TechCenter might be worthwhile for anyone seriously interested in Windows security issues.  There are some interesting tips in this month's newsletter regarding infrastructure management in particular.
By GlennChambers - 28 February 2015 12:48 PM

Can you just not unmount the drive? That's what I do. I have a powershell script that runs in the background and when my USB external drive is mounted it kicks off the backup script, after the backup completes the drive is unmounted automatically.
By Merlin - 28 February 2015 2:49 PM

GlennChambers (2/28/2015)
Can you just not unmount the drive? That's what I do. I have a powershell script that runs in the background and when my USB external drive is mounted it kicks off the backup script, after the backup completes the drive is unmounted automatically.

Yes, but anything can happen while it's mounted and vulnerable.
By Seekforever - 28 February 2015 3:32 PM

Probably the same level of vulnerability as using Bitlocker to unlock drive for backup then lock it again at end. I really think the risk would be very low.

The scenario would have to be something like:
The Cryptolocker malware is loaded on the machine and is searching for and encrypting files just as you start a backup and mount/unlock the drive. This is a fairly remote possibility and at present even less likely to be a problem because it doesn't look like the malware goes after anything other than "document" files.  I assume that once the Cryptolocker ransom message is displayed it stops searching but in any case, you wouldn't be running the machine anyway.

This scenario can't even be avoided by keeping the USB backup drive in a drawer until you need it because as soon as you plug it in it is vulnerable.

You could run Reflect from the USB rescue drive but that even entails the risk of backing up encrypted files and if you image the C drive you now have an image containing Cryptolocker. So, make sure you have more than one backup so you can roll-back!


By Dreamer2004 - 28 February 2015 10:23 PM

My basic backup-device is an external HDD that is encrypted with BestCrypt. This software offers fast initial encryption!
If your CPU supports "AES-NI" you won't notice any speed differences at all!!

By theo - 3 March 2015 4:45 PM

http://forum.macrium.com/uploads/images/7aaaf9d3-f1d8-4621-8fcb-9b77.jpg
theo (2/27/2015)
Seekforever (2/27/2015)
I






the difficulty is configuring the mr winpe to carry the bitlocker drivers. obviously you'd like to avoid unlocking the drive if you have a known C:\ infection from within windows to restore. wish they would configure the rescue media with the -bde drivers.



Found it. :) :)



By lovelyjubbly - 5 March 2015 10:39 PM

Hi everyone,

Thanks for all the comments and advice.

An update to my original post:

The trojan had encrypted a bunch of other files, including jpgs and avi files.

We think she noticed suspicious activity before all the files were encrypted, she ran her antivirus which nuked the trojan.

So I'm not sure whether the Macrium Files would have been safe.

I've also been thinking about network drives.

We use Synology Nas which are password protected. We do NOT map the drives.

However we do add these details in User Credentials so Macrium can access these network folders.

So I'm wondering whether this makes us vulnerable?
By lovelyjubbly - 8 March 2015 3:01 AM

Bad news I'm afraid, it looks like even unmapped drives are at risk :(

http://www.bleepingcomputer.com/forums/t/569157/cryptofortress-a-torrentlocker-clone-that-also-encrypts-unmapped-network-shares/

I'm not sure how we can protect networked drives?

Perhaps remove Windows User Credentials to the NAS from users and only use these credentials in Macrium:

Other Tasks>Edit Defaults>Network   ?

BTW, Macrium have responded to my request for a formal response to this problem. They've been watching this thread and have said they will post a guide on their blog next week :)
By Seekforever - 8 March 2015 6:35 PM

Bad news alright, I was feeling pretty smug about my unmapped NAS.

Looking forward to the Macrium blog on this topic. Glad you raised the issue with Macrium.
By Scott - 11 March 2015 10:48 AM

Hi all.

Just to let you all know we have published an article in our Knowledgebase with some information and advice on this issue:

Protection Strategies Against Ransomware

Hope you find it useful.
By Arvy - 11 March 2015 1:23 PM

So, basically, it's just endorsing what I said back at the beginning of this thread. The best protection strategy is to make your backups inaccessible to the threats. 
By Seekforever - 11 March 2015 3:05 PM

That's about it for the best protection. There are other ways of reducing the risk such as making sure things are set up with ACLs etc but you can never rely on them ultimately being compromised. That doesn't mean it isn't a good idea to use other mechanisms to reduce the possibility of malware access but you just can't say it will always give 100% protection.

I don't think anything protects you against the very remote possibility of making your backup with Cryptolocker running and you back up already encrypted files. This is where you need to ensure that you have available a history of backups or some other versioning mechanism.

I miss the days of being able to push the "write-lock" switch on a real disk drive - lot cooler than plugging and unplugging.


By lovelyjubbly - 11 March 2015 8:11 PM

Scott (3/11/2015)
Hi all.

Just to let you all know we have published an article in our Knowledgebase with some information and advice on this issue:

Protection Strategies Against Ransomware

Hope you find it useful.



I must say I found that response underwhelming :(

Backup to DVD, not with 100 + GB Images.

FTP,  again, I'm not sure this is entirely practical.

I'd like to see something built into Macrium so that there is an option to "lock" the images unless Macrium is manipulating the file.
By Trapper - 12 March 2015 3:57 AM

I'd like to see something built into Macrium so that there is an option to "lock" the images unless Macrium is manipulating the file.


Although not built into MR, Froggie explained how to do exactly this in the 2nd post in this thread.  It's dead simple to do with FolderGuard.

In my case, the backup of my images is done into a fully protected folder that any ransomware task cannot get access to. I use FolderGuard and any storage device/folder may be protected. If those attached storage volumes don't have to share lots of access with other processes, this method should protect you. If they do, then place your images in a specific folder and protect that folder instead. But remember... that folder will only be protected on the system that has the protecting software installed. If the attached device/folder is shared, the protection will not be shared.


Besides protecting your MR files with FolderGuard, you can also protect other backed up data files with FolderGuard against ransomware type viri.  Simply add the appropriate  .exe to FolderGuard's Trusted List, and then only the allowed processes / programs are granted access to your protected files.  It's dead simple and effective. 

I've used FolderGuard for many years. It's a great program.
http://www.winability.com/folderguard/
                               
By morph - 18 January 2016 3:12 PM

Hi - I've read through these replies and have a probably noob question.

If you set the MR backup file as READ_ONLY won't that prevent such apps crypting the file (without first changing the permissions itself)?  That would seem to be an easy way to at least stop most of the problem.  If that is seen as reasonable, is there a "trivial" VB/BAT/Powershell script that someone could post to set the perms as RO after MR has finished?  Are there repercussions of doing this wrt MR and its retention policy, i.e. does a RO file also prevent MR deleting that file when it comes round to recycling space?

Mike
PS: EDIT after looking at how my (Linux-based) QNAP NAS and its Samba server work (allowing Windows to access it natively through a shared exported folder) I have found that permissions do not work as expected. I set them on a sample file on the NAS to (UNIX) 444 which is r--r--r-- (read only) and then was still able to edit that file directly from my PC over the mapped drive :-(

So .. the read-only permissions probably only work with true NTFS local drives.  Even setting the owner of the file on the NAS to be a unique person (not the guest or admin) did not help.  The SMB process (and thus so would cryptolocker) still overwrote my file.  The only way I could get it to do this was to change ownership to "admin" which then thwarted any attempt to edit/overwrite the file.  So ... that would seem to be the only way if you are using a NAS, to actually enforce read-only.
By lovelyjubbly - 21 March 2016 4:24 AM

                                    

I'm testing a program called Secure Folders (SF) below which looks promising.

I found it on the Wilders Forums:

http://www.wilderssecurity.com/threads/secure-folders-to-protect-folders-and-use-as-anti-executable.369503/page-11

If you go to the following youtube page, there's a demo and download link:

https://www.youtube.com/watch?v=051WlQRsG0U&feature=youtu.be

You'll see how it fares against a range of ransomware.

I'm testing it on an external usb drive with just 1 folder:

Folder = Macrium Reflect System Backup, set to Read Only in SF.

The only allowed program to write to this folder in SF is Reflect.

This way I can backup all my user's computers using Macrium Reflect, and not have to worry about them having to remember to unplug their usb drives after backups.

Let me know if I've missed something....

                                 
By CubaMadre - 22 March 2016 2:04 PM

lovelyjubbly - 26 February 2015 6:05 AM
I'd like to find out what we can do to protect our Clients from Cryptolocker encrypting our Image Backups?


Only my backup user has permission to write to the backup media; some users are allowed to read the backup media!
_No_ admin has write permission!
(as others suggested, offline disks is an additional way to protect your backups).
Software whitelisting helps to keep your system clean.
Regards,
CubaMadre;
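
The single-writer permission model described in the post above, which is also the kind of script morph asked for, as an added PowerShell example that is not from any poster or from Macrium. It assumes a local NTFS volume (morph's test shows a Samba-backed NAS share behaves differently); the folder path and the `svc-backup` account are hypothetical, and the backup job is assumed to run as that account.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): one writer, everyone else read-only,
# on a backup folder that lives on a local NTFS volume.
param(
    [string]$BackupFolder  = 'E:\ReflectImages',              # hypothetical destination
    [string]$BackupAccount = "$env:COMPUTERNAME\svc-backup"   # hypothetical account the backup job runs as
)
$ErrorActionPreference = 'Stop'

# Well-known SIDs (BUILTIN\Administrators, BUILTIN\Users), so localized group names do not matter.
$admins = '*S-1-5-32-544'
$users  = '*S-1-5-32-545'

# Grant first, then drop inherited entries, so the folder is never left with an empty ACL.
# M = Modify (includes delete, so the writer can still prune old images); RX = read and list.
icacls $BackupFolder /grant:r "${BackupAccount}:(OI)(CI)M" "${admins}:(OI)(CI)RX" "${users}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed ($LASTEXITCODE)" }
icacls $BackupFolder /inheritance:r
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance failed ($LASTEXITCODE)" }

# Verify the result instead of trusting the commands: list every Allow entry that
# still gives write, delete or ACL-change rights to anyone but the backup account.
$writerSid = ([System.Security.Principal.NTAccount]$BackupAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($rights::Write -bor $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership) -bor
             0x10000000 -bor 0x40000000   # GENERIC_ALL and GENERIC_WRITE bits

$items = @(Get-Item -LiteralPath $BackupFolder) +
         @(Get-ChildItem -LiteralPath $BackupFolder -Recurse -Force)

$offenders = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ne $writerSid.Value -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

if ($offenders) {
    # Typically explicit entries left on existing files, which /inheritance:r does not remove.
    $offenders | Format-Table -AutoSize | Out-String | Write-Output
    throw "Write access is still granted to identities other than $BackupAccount."
}
Write-Output "OK: only $BackupAccount can write under $BackupFolder"
```

A process running as a member of Administrators can still take ownership and rewrite the ACL, so this narrows who can write rather than replacing the offline copy recommended throughout the thread.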


By Seekforever - 22 March 2016 3:44 PM

While programs like Secure Folder and modifying permissions can help protect your data, you still run into the terrorist paradigm, you have to be right 100% of the time, the malware only needs to be right once. We can also go into the situation that nobody can do computer protection that nobody will ultimately find a way around. So while these solutions offer a benefit, the safest solution is to physically keep a copy of the data off the system. Forgetting about malware, it is always a good idea to have copies stored off-line and off-site in case of lightning strikes or power surges that take out the whole system and fire or theft that takes your whole system period.
By Stephen - 22 March 2016 5:18 PM

Ransomware has become quite a scary type of malware. Every day we get tickets from our customers worried (some even terrified) of the consequences.

Here are some tips on how I deal with the ransomware threat.


Education
Most malware infections originate from suspicious emails, websites and installing questionable software.
I've always helped users identify suspicious email and advised them not to open attachments unless they are expecting the email and they know the sender.
Don't stay too long on websites that have questionable content or are full of advertisements. If someone sends you a link don't click on it unless you trust the sender.
Try to avoid installing software unless you have a business/personal need for it and have read reviews. It is also a good idea to test software in a virtual machine first.

Technical
A good spam filter (local or on the mail server) should also help prevent malware and phishing emails getting through. *
A web content filter will help prevent users from visiting websites they shouldn't visit however, if you are not in a business environment this is likely something you won't have available (some ISPs in the UK do provide a content filter). A good parental web filter or modern antivirus should help detect malicious and compromised sites. Sophos offer a free AV with web filtering for home use, I personally use this.
A good firewall that has IP reputation features should help protect your network (more relevant for business). Most malware "calls home" to function or install its payload. Blocking the access to these IPs helps prevent further infection. Firewall appliances from Sophos, Untangle and ThreatStop are good choices.
Installing a modern antivirus is also a must. Some vendors are now targeting ransomware specifically and are worth a look.
           Malwarebytes Anti-Ransomware
           HitmanPro
Keep your computer and installed software patched. Especially browsers and use ad-blocking extensions if you can.

Minimising Impact
Log on to Windows using an account without administrative privileges, if you do get a malware infection this should limit the effect. For example, if you log on as a domain administrator and get infected, the malware will have full access to all your systems where, if Bob from sales gets an infection it will be limited to the areas he has access to.
Take regular backups and have backups stored offsite. (Thanks SeekForever)
Log file/folder changes on a network share. 

Dealing with an Infection
You only have two options when dealing with modern ransomware:
1) Pay up (not recommended)
2) Restore from a backup.

This is by no means an exhaustive list but it gives an idea of what can be done. If you would like to add to my tips I will happily pin the post for all to see.

* If you wish to discuss firewalls/spam filters etc please open a thread in the watercooler