Cryptowall

Posted on 2014-09-23
Last Modified: 2016-08-16
Is it possible to expand upon Microsoft's extremely weak quota options? What I mean: is it possible to set up a GPO to block sharing to a user if they have accessed, say, 50 files in a matter of 5 minutes? I would think this would at least stop the bleeding for the CryptoWall and CryptoLocker virus. Or does anyone have any other suggestions that will stop this and any future variants? Other than switching to Linux? LOL
Question by:accellis
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40340835
Make all domain users 'standard users' and not admins. This simple step stopped 94% of last year's infections and 100% of IE vulnerabilities.
 

Author Comment

by:accellis
ID: 40341634
All of these users must be local admins to run certain programs.
 
LVL 88

Expert Comment

by:rindi
ID: 40347581
Fix those programs so they don't need to be run as admins. Or at least make sure that if it can't be fixed, the user still logs on as standard user, and when such a program needs to be run, he has to enter the admin's credentials when UAC pops up.

Don't use mapped drive letters, but rather the full UNC paths when accessing shares. That way current cryptolocker versions can't attack files on servers.

Have a good backup retention policy, so that when you need to fix a cryptolocker infection, you are still likely to have a good version of the file you can restore from.
LVL 43

Expert Comment

by:Davis McCarn
ID: 40347582
The first step is to disable autorun on all network shares.
This article links to a utility which will prevent CryptoWall from running: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information#prevent
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40348125
You will minimally have to have host intrusion protection software on each endpoint for long-term continuous monitoring; I am doubtful we can just rely on Windows GPO.
Just as an example, HIPS (via application control) may have ad hoc configuration in the event of such to detect and deter:
http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

The latter can be useful in deploying AppLocker or its predecessor, software restriction policy (SRP), to whitelist the applications that your endpoint is supposed to run (based on hash, publisher, path of executable, etc.). It is not a silver bullet. Also do not give users admin rights and user-right login by default.

There are past resources on preventing CryptoWall, for info:
e.g. a set of group policies that can be used to block CryptoLocker infections across a domain
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates/
e.g. CryptoPrevent is a tiny utility to lock down any Windows OS
https://www.foolishit.com/vb6-projects/cryptoprevent/

To safely be immune and have a panacea is not possible, and I see we just have to always be educating the user on phishing, use of USB keys and those low-hanging fruits as part of security awareness, and reduce the attack surface and constrain/inspect via network security sensors such as IDS/IPS at the strategic points of entry/exit to the organisation's resources.
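The rate-based block the question asks for can be approximated on the file server itself. The script below is an added example, not code from this thread or from any of the linked kits: it reads file-write audit events (4663) from the Security log, counts the distinct files each account modified in the last few minutes, and optionally revokes that account's share access. It assumes "Audit File System" object-access auditing is enabled and the shared folders carry a SACL for Write (otherwise no 4663 events exist); the share name is a hypothetical placeholder.

```powershell
<#
  Added example (not from the thread). Flags any account that wrote to more than
  $Threshold distinct files in the last $WindowMinutes, based on Security event 4663.
  Assumes object-access auditing is on and the share folders have a Write SACL.
#>
param(
    [int]$WindowMinutes = 5,
    [int]$Threshold     = 50,
    [string]$ShareName  = 'Data',   # hypothetical share name, replace with yours
    [switch]$Block                  # only revoke share access when explicitly asked
)

$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Flatten each event's XML payload into name/value pairs and keep only write accesses
$writes = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [int]$data['AccessMask']            # hex string such as "0x2"; PowerShell parses it
    $user = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    # 0x2 = WriteData, 0x4 = AppendData; ignore machine accounts (trailing $)
    if (($mask -band 0x6) -and $user -notmatch '\$$') {
        [pscustomobject]@{ User = $user; File = $data['ObjectName'] }
    }
}

# Count distinct files per user and pick out anyone over the threshold
$offenders = $writes | Group-Object User | ForEach-Object {
    $files = $_.Group.File | Sort-Object -Unique
    if ($files.Count -ge $Threshold) {
        [pscustomobject]@{ User = $_.Name; Files = $files.Count }
    }
}

foreach ($o in $offenders) {
    Write-Warning "$($o.User) wrote $($o.Files) distinct files in $WindowMinutes minutes"
    if ($Block) {
        # Revoke the account's access to the share (SmbShare module, Server 2012 and later)
        Block-SmbShareAccess -Name $ShareName -AccountName $o.User -Force
    }
}
$offenders
```

Run it from a scheduled task every 5 minutes; set the threshold above what your backup or batch accounts normally touch so they are not cut off.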
 

Author Comment

by:accellis
ID: 40351304
We have decided to do a search every 5 minutes for "C:\decrypt_instruction.html" as this seems to be the only commonality here. But I do accept btan's post as it is the most informational.
 

Expert Comment

by:1alphatech
ID: 40383432
Is there a group policy on the servers to not allow files to be encrypted?
 
LVL 62

Expert Comment

by:btan
ID: 40383475
You may want to open a question, but the short answer is "no". Enforce app whitelisting to deter the software that encrypts from running. There is EFS on Windows also, unless we disable that, etc...
 

Expert Comment

by:Alyson Sparks
ID: 41757871
David Johnson, thanks for the really simple method.
 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 41758879
AV is useless since it is signature based, and in the last 6 months the number of uniques has increased and the number of repeats has decreased (honeypot collection stats). This means that every message containing malware is different enough that signature-based detection will fail, and there are not enough samples to base signature detection on. Checkpoint Software has a good appliance, but alas the only true fix is a current offline backup, reinforced by user education. While your systems are getting cleaned and data restored is a good time to do a postmortem educational session with the users. They are also implementing delayed activation, to start encrypting a week or so after being activated. For some people remembering 5 minutes ago is hard enough. Last week never happened.