Cryptowall

Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: Is it possible to set up a GPO to block sharing to a user if they have accessed say - 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall andCryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
accellisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Make all domain users 'standard users' and not admins.  This simple step stopped 94% of last years infections and 100% of iE vunerabilities.
0
accellisAuthor Commented:
All of these users must be local admins to run certain programs.
0
rindiCommented:
Fix those programs so they don't need to be run as admins. Or at least make sure that if it can't be fixed, the user still logs on as standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.

Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.

Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
0
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Davis McCarnOwnerCommented:
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
0
btanExec ConsultantCommented:
You will have to minimally have a Host intrusion protection s/w in each endpoint for a long term continuous monitoring, I am doubtful we just rely on the Windows GPO .
just an example HIPS (via appl control) may have adhoc oncifguration in event of such to detect and deter
http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

The latter can be useful in deploying applocker or its predecessor software restriction policy (srp) to whitelist appl that your endpoint is supposed to run (based on hash, publisher, path of executable etc) - it i snot silver bullet. Also do not give user admin right and user right login by default.

there are past resource on preventing cryptowall for info
e.g.  a set of group policies that can be used to block CryptoLocker infections across a  domain
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
e.g. CryptoPrevent is a tiny utility to lock down any Windows OS
https://www.foolishit.com/vb6-projects/cryptoprevent/

to safely be immune and have panecea is not possible and I see we need just have to always be educating th user on phishing, use of USB keys and those low hanging fruits as partof security awareness, and reduce the attack surface and constrain/inspect via network security sensor such as ids/ips etc on the strategic pt of entry/exit to the organisation resources.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
accellisAuthor Commented:
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.html" as this seems to be the only commonality here. But I do accept btan's post as it is the most informational.
0
1alphatechCommented:
is there a group policy on the servers to not allow  files to be encrypted ?
0
btanExec ConsultantCommented:
you may want to open an question but short answer is "no" - enforce app whitelisting to deter the s/w to encrypt to run. there is EFS on windows also unless we disable that etc...
1
Alyson SparksCommented:
David Johnson, thanks for really simple method.
0
David Johnson, CD, MVPOwnerCommented:
AV is useless since it is signature based and in the last 6 months the # of unique's has increased and the # of repeats have decreased (honeypot collection stats) This means that every message containing malware is different enough so that signature based will fail and there are not enough samples to base signature detection on.  Checkpoint Software has a good appliance but alas the only true fix is a current offline backup, reinforced by user education..  While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation.. to start encrypting after a week or so after being activated.  For some people remembering 5 minutes ago is hard enough. Last week never happened.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.