Solved

Cryptowall

Posted on 2014-09-23
10
1,750 Views
1 Endorsement
Last Modified: 2016-08-16
Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: Is it possible to set up a GPO to block sharing to a user if they have accessed say - 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall andCryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
1
Comment
Question by:accellis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +4
10 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40340835
Make all domain users 'standard users' and not admins.  This simple step stopped 94% of last years infections and 100% of iE vunerabilities.
0
 

Author Comment

by:accellis
ID: 40341634
All of these users must be local admins to run certain programs.
0
 
LVL 88

Expert Comment

by:rindi
ID: 40347581
Fix those programs so they don't need to be run as admins. Or at least make sure that if it can't be fixed, the user still logs on as standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.

Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.

Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 43

Expert Comment

by:Davis McCarn
ID: 40347582
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40348125
You will have to minimally have a Host intrusion protection s/w in each endpoint for a long term continuous monitoring, I am doubtful we just rely on the Windows GPO .
just an example HIPS (via appl control) may have adhoc oncifguration in event of such to detect and deter
http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

The latter can be useful in deploying applocker or its predecessor software restriction policy (srp) to whitelist appl that your endpoint is supposed to run (based on hash, publisher, path of executable etc) - it i snot silver bullet. Also do not give user admin right and user right login by default.

there are past resource on preventing cryptowall for info
e.g.  a set of group policies that can be used to block CryptoLocker infections across a  domain
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
e.g. CryptoPrevent is a tiny utility to lock down any Windows OS
https://www.foolishit.com/vb6-projects/cryptoprevent/

to safely be immune and have panecea is not possible and I see we need just have to always be educating th user on phishing, use of USB keys and those low hanging fruits as partof security awareness, and reduce the attack surface and constrain/inspect via network security sensor such as ids/ips etc on the strategic pt of entry/exit to the organisation resources.
1
 

Author Comment

by:accellis
ID: 40351304
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.html" as this seems to be the only commonality here. But I do accept btan's post as it is the most informational.
0
 

Expert Comment

by:1alphatech
ID: 40383432
is there a group policy on the servers to not allow  files to be encrypted ?
0
 
LVL 64

Expert Comment

by:btan
ID: 40383475
you may want to open an question but short answer is "no" - enforce app whitelisting to deter the s/w to encrypt to run. there is EFS on windows also unless we disable that etc...
1
 

Expert Comment

by:Alyson Sparks
ID: 41757871
David Johnson, thanks for really simple method.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 41758879
AV is useless since it is signature based and in the last 6 months the # of unique's has increased and the # of repeats have decreased (honeypot collection stats) This means that every message containing malware is different enough so that signature based will fail and there are not enough samples to base signature detection on.  Checkpoint Software has a good appliance but alas the only true fix is a current offline backup, reinforced by user education..  While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation.. to start encrypting after a week or so after being activated.  For some people remembering 5 minutes ago is hard enough. Last week never happened.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

VM backups can be lost due to a number of reasons: accidental backup deletion, backup file corruption, disk failure, lost or stolen hardware, malicious attack, or due to some other undesired and unpredicted event. Thus, having more than one copy of …
This article is an update and follow-up of my previous article:   Storage 101: common concepts in the IT enterprise storage This time, I expand on more frequently used storage concepts.
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question