Posted on 2013-11-07
Medium Priority
Last Modified: 2013-11-16
Hi Experts

Hot topic at the moment  I suspect :-)

We are all looking for an effective defense, in a moment of lateral thinking ?

Is there a way (group policy, whatever,etc) to prevent a process trying to encrypt currently unencryted files from being encrypted ?  

If the bad guys cannot achieve this, then there is no ransom?
Question by:cpmcomputers
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
LVL 22

Accepted Solution

Nick Rhode earned 400 total points
ID: 39631709
You could user software restriction policies or an app locker


Decent article about software restriction but it might cause a little bit of a headache for you.  But cryptolocker is a headache itself.
LVL 12

Assisted Solution

piattnd earned 400 total points
ID: 39631725
We are using the following:


Direct download link:


This is not a group policy, though you could create a GPO to install it.  Make sure you test it thoroughly on a few computers to make sure it doesn't break anything specific to your environment before you deploy it.
LVL 24

Assisted Solution

aadih earned 400 total points
ID: 39631794
Please do read the article, "CryptoLocker: A particularly pernicious virus." It shows how using Local Security Policy, you can prevent this virus. The article is at:

http://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/ >
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 400 total points
ID: 39631920
Here's a solution which will render Cryptolocker, it's variants, and a majority of all Malware threats inert-- those which do not feature 0-day vm escape exploits anyway (something EMET could possibly mitigate.)


A variant could easily be created which avoids the %appdata% and %LocalAppData% folders altogether, securely deletes/encrypts your shadow volumes, etc.  

While SRP/AppLocker whitelisting is potentially viable, there appears to be trivial bypass techniques a subsequent variant could exploit.

LVL 56

Assisted Solution

McKnife earned 400 total points
ID: 39632011
@x66_x72_x65_x65: don't call those techniques trivial - as you could read, applocker is different, it is not, like SRP, controlled in the user space, so the user cannot circumvent it that easy. So applocker is an option if you run win7 ultimate/enterprise or win8 enterprise.

Another option are simple backups. If the data is encrypted, so what? Restore it from backup.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39632267
The context in which I mention "trivial" is relating to a competent malware author, not an end-user or IT professional.  LoadLibraryEx has a feature (LOAD_IGNORE_CODE_AUTHZ_LEVEL) to circumvent SRP and AppLocker.  Used in conjunction with dll hijacking or macro loading-- for example-- it's very possible to create a malicious dll (loaded by a white-listed application, such as Microsoft Office) which bypasses both.

Without the hotfix I referenced above:
...malware in the %TEMP% or %system drive%:\Users directory can be executed by using the SANDBOX_INERT and LOAD_IGNORE_CODE_AUTHZ_LEVEL flags, even if access to these directories is limited by AppLocker rules.

Privilege escalation techniques could also be deployed as needed (KiTrap0D (In Memory/User), etc.)

Don't get me wrong, I'm a defense in depth advocate-- hardening systems, data backup/recovery, business continuity, etc., etc. should all be part of the design.

I'm merely posing the question, which is much more effective and efficient?  

Having an vulnerable applications run in virtual containers which automatically revert to clean states upon infection or deploying human resources for diagnosing, recovering, reimaging, and restoring?

Encrypting documents aside-- Call me eccentric, but I'd rather have malware with remote access/reverse shell firewall extrusion capability (effectively giving the author access to the victims private network) occur in an (isolated network) virtual container, as opposed to my actual network.

My recommendation is a paradigm shift, which by its very nature is destined to be resisted by the archaic paradigms of the day.
LVL 56

Expert Comment

ID: 39632899
> ...to circumvent SRP and AppLocker.
Yes, I read so, but will the authors use it? It would require to trick people into using certain white listed applications and open an attached document that uses that dll trick, that might not even work with any (to-the-author-unknown-) version of (for example) word (if even present) or whatever program.
So applocker poses quite a problem to the authors.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39651364
There are many other examples available.  Consider compromising the white listed applications themselves; a recent example is CVE-2013-3918 (MS13-090).  In this case the end user would need only visit a specially crafted web page to become exploited.  Exploitation could inject its payload directly into the memory space of the white listed application (IE).  The malware authors could also negate the need for initial C&C "phone home" requests (for the public key) by dynamically providing a (pre-generated) key upon introduction of the payload.  This could have the side effect of creating unique code for every payload instance-- which would easily bypass signature based solutions.

Again, I'd personally prefer exploitation to take place in an isolated protected space as opposed to my primary OS and private network.

Such attack vectors may be mitigated against by deploying EMET on all Windows systems.

So I pose the question, what is the wisdom in opposing "DMZ for your endpoint" architectures?  My recommendations are not made lightly.  They are thoroughly researched and proved.  I recommend you research FireEye, Invincea, EMET, and OpenDNS.

but will the authors use it?
Is your organization willing to accept the risk that they (and all other malware authors) won't?
LVL 10

Author Closing Comment

ID: 39653476
Thanks for all the feedback
Some practical solutions and some information that made me realise just how little I know about these threats

Been surfing the net for hours following your links :-)
LVL 24

Expert Comment

ID: 39653522
[If] known, no threat.
Unknown, menace.

LVL 15

Expert Comment

by:Giovanni Heward
ID: 39653532
Your welcome.  Take a look at the following course syllabus on Securing Windows and Resisting Malware.  Much of the techniques described above are discussed.

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question