Solved

Cryptowall

Posted on 2014-09-23
1,720 Views
Last Modified: 2016-08-16
Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: Is it possible to set up a GPO to block sharing to a user if they have accessed, say, 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall and CryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
Question by:accellis
10 Comments
 

Expert Comment

by:David Johnson, CD, MVP
ID: 40340835
Make all domain users 'standard users' and not admins. This simple step stopped 94% of last year's infections and 100% of IE vulnerabilities.
 

Author Comment

by:accellis
ID: 40341634
All of these users must be local admins to run certain programs.
 

Expert Comment

by:rindi
ID: 40347581
Fix those programs so they don't need to be run as admin. Or, at least, if it can't be fixed, make sure the user still logs on as a standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.

Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current CryptoLocker versions can't attack files on servers.

Have a good backup retention policy, so that when you need to fix a CryptoLocker infection, you are still likely to have a good version of the file you can restore from.
 

Expert Comment

by:Davis McCarn
ID: 40347582
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
 

Accepted Solution

by:btan (earned 500 total points)
ID: 40348125
You will minimally have to have host intrusion protection software on each endpoint for long-term continuous monitoring; I am doubtful we can just rely on Windows GPO. Just as an example, HIPS (via application control) may have ad hoc configuration in the event of such to detect and deter:
http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

The latter can be useful in deploying AppLocker or its predecessor, software restriction policy (SRP), to whitelist the applications that your endpoint is supposed to run (based on hash, publisher, path of executable, etc.). It is not a silver bullet. Also, do not give users admin rights; give them user-rights login by default.

There are past resources on preventing CryptoWall, for info:
e.g. a set of group policies that can be used to block CryptoLocker infections across a domain
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
e.g. CryptoPrevent is a tiny utility to lock down any Windows OS
https://www.foolishit.com/vb6-projects/cryptoprevent/

To safely be immune and have a panacea is not possible, and I see we just have to always be educating the user on phishing, use of USB keys and those low-hanging fruits as part of security awareness, and reduce the attack surface and constrain/inspect via network security sensors such as IDS/IPS etc. at the strategic points of entry/exit to the organisation's resources.
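The whitelisting approach from the accepted answer, worked through as an added PowerShell example (this is not code from the thread, from btan, or from any of the linked kits): it builds an AppLocker allow-list from a clean reference workstation, deploys it to the domain in audit mode, and only then is meant to be switched to enforcement. The directories, the policy file path and the GPO LDAP path are placeholders for your own environment; the script assumes it runs elevated on a trusted, freshly built reference machine with the AppLocker module available.

```powershell
# Added example, not code from the thread: build an AppLocker executable whitelist
# from a clean reference workstation and deploy it domain-wide in audit mode first.
# Assumptions: run elevated on a freshly built, trusted reference machine with the
# AppLocker module; $GpoLdapPath is a placeholder for the GPO you created for this.

Import-Module AppLocker

$ReferenceDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$PolicyXml     = 'C:\AppLocker\whitelist-audit.xml'
$GpoLdapPath   = 'LDAP://DC01.corp.example/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=corp,DC=example'  # placeholder
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Inventory every executable, script and MSI on the reference build. Signed files
#    yield Publisher rules (they survive patching); unsigned ones fall back to Hash rules.
#    Path rules are deliberately not used: a user-writable path such as %APPDATA% is
#    exactly where the ransomware dropper lands, and a path rule on C:\Windows would
#    also allow anything written into its world-writable subfolders (e.g. C:\Windows\Temp).
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script, WindowsInstaller
}

# 2. Turn the inventory into an allow-list for Everyone. -Optimize collapses files that
#    share a publisher into one rule. Once a collection is enforced, anything that no
#    rule matches is denied by default.
$policyText = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Set every rule collection to AuditOnly. Events 8003 (EXE/DLL) and 8006 (script/MSI)
#    in Applications and Services Logs > Microsoft > Windows > AppLocker then record what
#    *would* have been blocked, so line-of-business apps installed outside Program Files
#    can be added before EnforcementMode is changed to "Enabled".
[xml]$doc = $policyText
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.SetAttribute('EnforcementMode', 'AuditOnly') }
$doc.Save($PolicyXml)

# 4. Dry run: report which rule (if any) matches a given file under this policy.
#    notepad.exe should show as allowed by the Microsoft publisher rule.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone `
    -Path 'C:\Windows\System32\notepad.exe', 'C:\Program Files\Internet Explorer\iexplore.exe'

# 5. Publish. Clients only apply AppLocker while the Application Identity service is
#    running; sc.exe is used because AppIDSvc is a protected service on current builds
#    and refuses Set-Service. Run the two sc.exe lines on each client (e.g. from a GPO
#    startup script).
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $GpoLdapPath
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

The reason to prefer Publisher and Hash rules over Path rules is the same reason btan calls out: the dropper runs from a location the user can write to, so any rule keyed on "where the file is" can be satisfied by the malware simply by landing in an allowed directory. Leave the policy in AuditOnly for at least one patch cycle and review the 8003/8006 events before enforcing, otherwise the first thing the whitelist blocks will be the line-of-business programs accellis mentions.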
 

Author Comment

by:accellis
ID: 40351304
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.html" as this seems to be the only commonality here. But I do accept btan's post as it is the most informational.
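The author's periodic search for the ransom note, combined with the "N files in 5 minutes" cut-off from the original question, as an added PowerShell example for a Windows file server (this is not the author's script and not code from the thread). It uses object-access auditing rather than quotas: it assumes Advanced Audit Policy > Object Access > "Audit File System" (Success) is enabled by GPO and that the share root carries a SACL auditing Everyone for Write/Append/Delete, so every write is recorded as Security event 4663. The share path, thresholds, note-name pattern and the use of the ActiveDirectory module are all assumptions to adjust locally.

```powershell
# Added example, not code from the thread: approximates the "N files in 5 minutes"
# cut-off from the question on a Windows file server using object-access auditing
# instead of quotas, and adds the ransom-note sweep the author settled on.
# Assumptions: "Audit File System" (Success) is enabled and the share root has a SACL
# auditing Everyone for Write/Append/Delete, so writes land as Security event 4663;
# the ActiveDirectory module is installed; paths, thresholds and names are placeholders.

$ShareRoot   = 'D:\Shares'
$WindowMin   = 5
$Threshold   = 50
$NotePattern = 'DECRYPT_INSTRUCTION*'   # CryptoWall's note name at the time; adjust for other families
$Enforce     = $false                   # $true closes SMB sessions and disables accounts
$Since       = (Get-Date).AddMinutes(-$WindowMin)

# 1. Pull 4663 events for the window and keep only writes/deletes under the share.
#    Fields are read by name from the event XML rather than by position, so the
#    script does not depend on the property order of 4663.
$writes = foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE: an encryptor rewrites and/or removes originals
    if ((([int]$d.AccessMask) -band 0x10006) -and ($d.ObjectName -like "$ShareRoot\*")) {
        [pscustomobject]@{ User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; File = $d.ObjectName }
    }
}

# 2. Anyone who touched $Threshold distinct files within $WindowMin minutes is a suspect.
$suspects = $writes | Group-Object User |
    Where-Object { @($_.Group.File | Sort-Object -Unique).Count -ge $Threshold } |
    ForEach-Object { $_.Name }

# 3. Ransom-note sweep. The NTFS owner of a dropped note is the account that wrote it,
#    i.e. the infected user, which is the fastest way to find the source workstation.
$noteOwners = Get-ChildItem -Path $ShareRoot -Recurse -Force -Filter $NotePattern -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner }
$suspects = @(@($suspects) + @($noteOwners) | Where-Object { $_ } | Sort-Object -Unique)

# 4. Response: close the SMB session so the encryptor loses its handles on the share,
#    then disable the account so it cannot reconnect. Both are reversible and are
#    gated behind $Enforce so the script can run in report-only mode first.
foreach ($user in $suspects) {
    Write-Warning "Ransomware indicator for $user : high write rate or ransom note found under $ShareRoot"
    if ($Enforce) {
        Get-SmbSession | Where-Object ClientUserName -eq $user | Close-SmbSession -Force
        Disable-ADAccount -Identity ($user -split '\\')[-1]
    }
}
```

Run it from a scheduled task every few minutes with $Enforce left at $false until the threshold has been tuned: a user copying a project folder onto the share will trip 50 writes in 5 minutes just as surely as an encryptor will, and on a busy file server the 4663 volume is large enough that the audit SACL should be scoped to the shares rather than the whole volume. It does not prevent the first files from being encrypted, which is why the thread's advice (standard users, application whitelisting, offline backups) remains the primary control; this only shortens the time the encryptor has a live session.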
 

Expert Comment

by:1alphatech
ID: 40383432
Is there a group policy on the servers to not allow files to be encrypted?
 

Expert Comment

by:btan
ID: 40383475
You may want to open a question, but the short answer is "no". Enforce app whitelisting to deter the software that does the encrypting from running. There is also EFS on Windows, unless we disable that, etc.
 

Expert Comment

by:Alyson Sparks
ID: 41757871
David Johnson, thanks for really simple method.
 

Expert Comment

by:David Johnson, CD, MVP
ID: 41758879
AV is useless since it is signature based, and in the last 6 months the number of uniques has increased and the number of repeats has decreased (honeypot collection stats). This means that every message containing malware is different enough that signature-based detection will fail, and there are not enough samples to base signature detection on. Checkpoint Software has a good appliance, but alas the only true fix is a current offline backup, reinforced by user education. While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation, starting to encrypt a week or so after being activated. For some people remembering 5 minutes ago is hard enough. Last week never happened.
