Cryptowall
Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: Is it possible to set up a GPO to block sharing to a user if they have accessed say - 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall andCryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
David Johnson, CD
Make all domain users 'standard users' and not admins. This simple step stopped 94% of last years infections and 100% of iE vunerabilities.
ASKER
All of these users must be local admins to run certain programs.
Fix those programs so they don't need to be run as admins. Or at least make sure that if it can't be fixed, the user still logs on as standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.
Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.
Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.
Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.ht
is there a group policy on the servers to not allow files to be encrypted ?
you may want to open an question but short answer is "no" - enforce app whitelisting to deter the s/w to encrypt to run. there is EFS on windows also unless we disable that etc...
David Johnson, thanks for really simple method.
AV is useless since it is signature based and in the last 6 months the # of unique's has increased and the # of repeats have decreased (honeypot collection stats) This means that every message containing malware is different enough so that signature based will fail and there are not enough samples to base signature detection on. Checkpoint Software has a good appliance but alas the only true fix is a current offline backup, reinforced by user education.. While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation.. to start encrypting after a week or so after being activated. For some people remembering 5 minutes ago is hard enough. Last week never happened.