?
Solved

Cryptowall

Posted on 2014-09-23
10
Medium Priority
?
1,777 Views
1 Endorsement
Last Modified: 2016-08-16
Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: Is it possible to set up a GPO to block sharing to a user if they have accessed say - 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall andCryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
1
Comment
Question by:accellis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +4
10 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40340835
Make all domain users 'standard users' and not admins.  This simple step stopped 94% of last years infections and 100% of iE vunerabilities.
0
 

Author Comment

by:accellis
ID: 40341634
All of these users must be local admins to run certain programs.
0
 
LVL 88

Expert Comment

by:rindi
ID: 40347581
Fix those programs so they don't need to be run as admins. Or at least make sure that if it can't be fixed, the user still logs on as standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.

Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.

Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 43

Expert Comment

by:Davis McCarn
ID: 40347582
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
0
 
LVL 64

Accepted Solution

by:
btan earned 1500 total points
ID: 40348125
You will have to minimally have a Host intrusion protection s/w in each endpoint for a long term continuous monitoring, I am doubtful we just rely on the Windows GPO .
just an example HIPS (via appl control) may have adhoc oncifguration in event of such to detect and deter
http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

The latter can be useful in deploying applocker or its predecessor software restriction policy (srp) to whitelist appl that your endpoint is supposed to run (based on hash, publisher, path of executable etc) - it i snot silver bullet. Also do not give user admin right and user right login by default.

there are past resource on preventing cryptowall for info
e.g.  a set of group policies that can be used to block CryptoLocker infections across a  domain
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
e.g. CryptoPrevent is a tiny utility to lock down any Windows OS
https://www.foolishit.com/vb6-projects/cryptoprevent/

to safely be immune and have panecea is not possible and I see we need just have to always be educating th user on phishing, use of USB keys and those low hanging fruits as partof security awareness, and reduce the attack surface and constrain/inspect via network security sensor such as ids/ips etc on the strategic pt of entry/exit to the organisation resources.
1
 

Author Comment

by:accellis
ID: 40351304
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.html" as this seems to be the only commonality here. But I do accept btan's post as it is the most informational.
0
 

Expert Comment

by:1alphatech
ID: 40383432
is there a group policy on the servers to not allow  files to be encrypted ?
0
 
LVL 64

Expert Comment

by:btan
ID: 40383475
you may want to open an question but short answer is "no" - enforce app whitelisting to deter the s/w to encrypt to run. there is EFS on windows also unless we disable that etc...
1
 

Expert Comment

by:Alyson Sparks
ID: 41757871
David Johnson, thanks for really simple method.
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41758879
AV is useless since it is signature based and in the last 6 months the # of unique's has increased and the # of repeats have decreased (honeypot collection stats) This means that every message containing malware is different enough so that signature based will fail and there are not enough samples to base signature detection on.  Checkpoint Software has a good appliance but alas the only true fix is a current offline backup, reinforced by user education..  While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation.. to start encrypting after a week or so after being activated.  For some people remembering 5 minutes ago is hard enough. Last week never happened.
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is an update and follow-up of my previous article:   Storage 101: common concepts in the IT enterprise storage This time, I expand on more frequently used storage concepts.
Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question