Inhibition of CryptoLocker Ransomware
As you have probably heard, CryptoLocker and similar malware, collectively called 'ransomware', encrypt important business files and then demand payment through hard-to-trace means such as Bitcoin in exchange for the key to unlock them. This past week we became aware of the second CryptoLocker infection at a single firm within the past month. Therefore, although it falls outside of our normal duties, we want to share our research and tips on inhibiting this type of destructive malware from striking your organization.
The infections typically occur when individuals open and run .zip attachments or executables disguised as PDFs in email messages that are camouflaged to look like routine corporate traffic, such as a UPS shipment notification. Files downloaded and run from malicious websites can also cause infection.
- A. Having good, frequent, tested backups is the most important measure, because if you do not pay the ransom you will have to roll back business operations and restore the encrypted data files from backup. Keep at least one backup copy offline or otherwise out of reach of an infected user's account, since anything that user can write to can be encrypted.
- B. If possible and not already done, block all .EXE attachments at the email server level. Because the infections described above arrive as .zip files and executables disguised as PDFs, the filter should also look inside archives and at the actual file type rather than only at the .EXE extension.
- C. At the desktop level, the best means of inhibiting these attacks comes down to creating a Software Restriction Policy (SRP) that disallows running executables from the user's AppData folders, which is where email clients, browsers and zip tools unpack and launch attachments.
- On standalone computers, run SecPol.msc (Local Security Policy). For a domain, edit or create a GPO with the Group Policy Management Console (gpmc.msc) on a Domain Controller, and see
for best practices on creating a new GPO and policy.
- In the policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
- Right-click the node and choose New Software Restriction Policies.
- Leave the default values (including the default security level, Unrestricted) as they are, then under Additional Rules add the following Path Rules with the security level set to Disallowed.
After creating the policy on a standalone computer, reboot for the policy to take effect; in our testing, simply refreshing the policy was not enough.
On a domain computer, you can run "gpupdate /force" instead.
When the Software Restriction Policy (SRP) is working, trying to launch an EXE from one of the restricted paths produces a critical message box whose title is the name of the blocked program (winver.exe in our test) and the message "This program is blocked by group policy. For more information, contact your system administrator." From a command prompt, the error is "The system cannot execute the specified program."
In either case, the block is written to the Application log under the Software Restriction Policies source: Event ID 865 when the default level blocks the program, Event ID 866 when a path rule such as the ones above blocks it.
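The procedure above, as a PowerShell script for a standalone machine; this is an added example, not code from the original post. It writes the same registry keys that SecPol.msc writes when you create an SRP and add Disallowed path rules, then tries to run a copy of winver.exe from %AppData% and pulls the resulting SRP events from the Application log. The specific paths in $BlockedPaths are an assumption based on the post's description of "the user's AppData folders"; adjust them to your environment. On a domain, put the same rules into a GPO rather than running this on each desktop.

```powershell
# Added example (not from the original post): create SRP "Disallowed" path
# rules for the user's AppData folders on a standalone machine and verify them.
# Run from an elevated PowerShell prompt; reboot afterwards as the post advises.
#Requires -RunAsAdministrator

$Safer             = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedLevel   = 0        # SRP security level "Disallowed"
$UnrestrictedLevel = 262144   # 0x40000, "Unrestricted" (the default level)

# ASSUMED rule set: the folders where mail clients, browsers and zip tools
# unpack and launch attachments. Tune to your environment.
$BlockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%UserProfile%\AppData\Local\Temp\*.exe',
    '%UserProfile%\AppData\Local\Temp\*\*.exe'
)

# Default list of file types SRP treats as executable (same list the snap-in writes).
$ExecutableTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                   'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                   'PIF','REG','SCR','SHS','URL','VB','WSC'

function New-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each path rule lives under <Level>\Paths\{GUID}, exactly as SecPol.msc stores it.
    $ruleKey = Join-Path (Join-Path $Safer "$Level\Paths") ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
    $ruleKey
}

function Install-AppDataSrp {
    # Policy container with the defaults a new SRP gets: default level Unrestricted,
    # applies to all users (PolicyScope 0), all executables except DLLs (TransparentEnabled 1).
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel        -Value $UnrestrictedLevel -PropertyType DWord       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1                  -PropertyType DWord       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope         -Value 0                  -PropertyType DWord       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0                  -PropertyType DWord       -Force | Out-Null
    New-ItemProperty -Path $Safer -Name ExecutableTypes     -Value $ExecutableTypes   -PropertyType MultiString -Force | Out-Null
    # Optional: SRP writes every allow/deny decision to this text file, useful while tuning rules.
    New-ItemProperty -Path $Safer -Name LogFileName -Value "$env:SystemRoot\Temp\srp.log" -PropertyType String -Force | Out-Null

    foreach ($p in $BlockedPaths) {
        New-SrpPathRule -Path $p -Level $DisallowedLevel -Description 'Block executables run from AppData (CryptoLocker mitigation)'
    }
}

function Test-AppDataSrp {
    # Copy a harmless system binary into %AppData% and try to launch it, as the post did with winver.exe.
    # With the rules in force, the launch fails with "This program is blocked by group policy".
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'
    Copy-Item "$env:SystemRoot\System32\winver.exe" $probe -Force
    try {
        Start-Process -FilePath $probe -ErrorAction Stop
        'NOT BLOCKED: policy not in effect yet (reboot a standalone machine; gpupdate /force on a domain member)'
    } catch {
        'BLOCKED: ' + $_.Exception.Message
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

function Get-SrpBlockEvents {
    param([int]$Days = 7)
    # 865 = blocked by the default level, 866 = blocked by a path rule.
    # Provider name is the one used on Windows Vista/7 and later.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

Install-AppDataSrp
Test-AppDataSrp          # expect NOT BLOCKED until the reboot the post calls for
Get-SrpBlockEvents -Days 1
```

Run Test-AppDataSrp again after the reboot: it should report BLOCKED, and Get-SrpBlockEvents should show a matching 866 entry naming the probe path and the rule that caught it. Because the rules key off %AppData% rather than a specific file name, the same policy also stops any other executable a user is tricked into launching from an attachment.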
A very good outline of the CryptoLocker ransomware, including guidance on decrypting affected files, is located at: