In a recent blog post by Symantec, "Android Nougat prevents ransomware from resetting device passwords" (Symantec Connect), they delve into one small change that will have a large impact on the ability of ransomware to negatively affect a target device.
The way this works is by removing the ability of the "resetPassword" API to change an existing password. It can still set a password, but if the user already has one set, then even with administrative privileges the malware will not be able to alter the password.
While this change is overall positive, Symantec does raise some concern over the ability of "disinfector tools" to undo the damage of a successful malware infection. For example, suppose a user did not set any password protection on their device and then installs a malicious application which sets a password. A disinfector utility will not be able to use that same API to reset the password set by the malware.
The takeaway from this is to make sure you have at least some password set. If you do not want any password protection, then compromise: set something weak, and use the Smart Lock function to reduce how often it asks for it. The key is that if you have something set, then malware will face a significant challenge when attempting to lock the device.
The post did not delve into the psychology behind this change, or why it can be so effective in mitigating the damage caused by ransomware.
If we look at this from a psychological standpoint, we can see why mobile ransomware no longer attempts to encrypt user data on a smartphone. Smartphones have made it easy to back up data, and it is far less common for a user to have a smartphone without at least one other copy of their data somewhere else. Since it is uncommon for a smartphone to hold the only copy of a file in existence, a user will not feel as much of a need to pay money in order to decrypt their bulk data (photos, music, videos, etc.); they are far more likely to just reset the device and restore a backup. On the other hand, with so many smartphone makers going out of their way to lock their devices down and restrict what you can do in the pre-boot state, presenting the user with a ransom notice and password-protecting the device with a randomly generated alphanumeric password is a much larger inconvenience. If the malware is unable to lock the device, then it will be a little harder to inconvenience a user in a way that will encourage them to pay out the 0.1 bitcoin, or however much is being demanded, to unlock the device.
On the laptop and desktop PC side of things, the primary tool of ransomware is to encrypt all user-created data on all local storage, as well as any non-password-protected network shares. The best damage mitigation strategy in these cases is to password-protect the network shares and keep at least one cold backup, e.g., periodic backups to bare drives that you then disconnect and place in a fire/water-resistant safe. If managing a network for your business, ensure a sufficient number of snapshots are maintained (a little fragmentation is better than an employee installing some random malware, or getting hit by a malicious banner ad on some website, and having malware wreak havoc on the SAN).