
Cryptolocker: How to avoid getting infected and what to do if you are

Jonathan Hassell | Oct. 28, 2013
There's a new piece of ransomware in town and here's how to protect your company's assets

WinRAR and 7Zip are the names of compression programs commonly used in the Windows environment.

Close the policy.

To protect Windows Vista and newer machines, create another GPO and call this one "SRP for Windows Vista and up to prevent Cryptolocker." Repeat the steps above to create the SRP and create path rules based on the table above.

Close the policy.

Once these GPOs get synchronized down to your machines — this can take up to three reboots to happen, so allow some time — when users attempt to open executables from email attachments, they'll get an error saying their administrator has blocked the program. This will stop the Cryptolocker attachment in its tracks.

Unfortunately, taking this "block it all in those spots" approach means that other programs your users may install from the web, like GoTo Meeting reminders and other small utilities that do have legitimate purposes, will also be blocked. There is a solution, however: You can create ad-hoc allow rules in the software restriction policy GPOs. SRP applies the most specific matching rule, so an allow rule for a particular program's path takes precedence over the broader deny rule that covers its folder; by defining these "whitelisted" exceptions in the SRP GPO, you instruct Windows to let those apps run while blocking everything else in those locations. Simply set the security level of the exception rule to Unrestricted, instead of Disallowed as we did above.
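The article does the SRP work in the Group Policy editor. The following PowerShell is an added example, not code from the article, that writes the same kind of path rules into the local SRP policy store so you can script and audit them: one Disallowed rule for a sample attachment folder and one Unrestricted exception for a utility, followed by a listing of what is in place. The registry layout under `Safer\CodeIdentifiers` (level `0` for Disallowed, `262144` for Unrestricted, one `Paths\{GUID}` key per rule with `ItemData`, `SaferFlags`, `Description` and `LastModified` values) is what Windows uses for local SRP policy; treat it as an assumption of this example and verify on a test machine. The two paths are constructed placeholders: substitute the paths from the article's table and the actual install location of the utility you want to allow.

```powershell
# Added example (not from the article). Requires an elevated PowerShell session.
# Registry store for the local software restriction policy (assumption: verify on a test box).
$SrpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$SrpLevel = @{ Disallowed = 0; Unrestricted = 262144 }   # 262144 = 0x40000

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,          # path or wildcard the rule covers
        [Parameter(Mandatory)][ValidateSet('Disallowed','Unrestricted')][string]$Level,
        [string]$Description = ''
    )
    # Each rule is its own GUID-named subkey under the security level it belongs to.
    $key = Join-Path $SrpBase ("{0}\Paths\{{{1}}}" -f $SrpLevel[$Level], [guid]::NewGuid())
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::Now.ToFileTime()) -PropertyType QWord | Out-Null
    return $key
}

function Get-SrpPathRule {
    # Enumerate every path rule in both levels so the policy can be reviewed in one view.
    foreach ($entry in $SrpLevel.GetEnumerator()) {
        $paths = Join-Path $SrpBase "$($entry.Value)\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $entry.Key; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

# Sample rules (constructed placeholders; replace with the paths from the article's table).
# 1. Deny executables launched from a sample temporary attachment folder.
Add-SrpPathRule -Path '%USERPROFILE%\AppData\Local\Temp\*.exe' -Level Disallowed `
    -Description 'Block executables run from the user temp folder (sample)' | Out-Null

# 2. Whitelist one legitimate utility underneath that deny rule.
#    The more specific Unrestricted rule wins over the broader Disallowed one.
Add-SrpPathRule -Path '%USERPROFILE%\AppData\Local\Temp\ExampleUtility\*.exe' -Level Unrestricted `
    -Description 'Allow ExampleUtility updater (placeholder path)' | Out-Null

# Review what is now in force; new rules apply to processes started after this point.
Get-SrpPathRule | Sort-Object Level, Path | Format-Table -AutoSize
```

Keep the exception rules as narrow as the utility allows (a specific folder or, better, a specific file name), since an Unrestricted rule on a wide wildcard reopens exactly the gap the Disallowed rule was meant to close; `Get-SrpPathRule` gives you a quick way to spot such rules during a review.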

AppLocker
AppLocker is the SRP feature on steroids. However, it only works on Windows 7 Ultimate or Windows 7 Enterprise editions, or Windows 8 Pro or Windows 8 Enterprise edition, so if you're still on Windows XP for the time being or you have a significant contingent of Windows Vista machines, AppLocker will not do anything for you.

But if you are a larger company with volume licenses that is deploying the enterprise editions of the OS, AppLocker is really helpful in preventing Cryptolocker infections because you can simply block every program from running except those that carry a valid digital signature from a software publisher.

Here's what to do:

  1. Create a new GPO.
  2. Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
  3. Click Configure Rule Enforcement.
  4. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  5. In the left pane, click Executable Rules.
  6. Right-click in the right pane and select Create New Rule.
  7. On the Before You Begin screen, click Next.
  8. On the Permissions screen, click Next.
  9. On the Conditions screen, select the Publisher condition and click Next.
  10. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  11. Drag the slider up to Any Publisher and then click Next.
  12. Click Next on the Exceptions screen.
  13. Name the policy something like "Only run executables that are signed" and click Create.
  14. If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules — go ahead and click Yes here.
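The fourteen steps above build an AppLocker policy interactively. As an added example that is not from the article, the PowerShell below expresses the same policy in AppLocker's XML format (an Exe rule collection with enforcement enabled, an "Any Publisher" allow rule, and the three default rules that step 14 has Windows generate), tests a few files against it with `Test-AppLockerPolicy` before anything is enforced, and then imports it into a GPO with `Set-AppLockerPolicy`. The cmdlets are the standard AppLocker module ones; the LDAP path of the target GPO is a placeholder you must replace with your own domain and policy GUID.

```powershell
# Added example (not from the article). Requires the AppLocker module (Windows 7 /
# Server 2008 R2 and later) and, for the GPO import, the Group Policy tools.
Import-Module AppLocker

# Policy XML equivalent to the GUI steps: EnforcementMode="Enabled" matches
# "Enforce rules" in step 4; use "AuditOnly" for a trial run that only logs.
# PublisherName="*" is the "Any Publisher" position of the slider in step 11.
# The three FilePathRules are the default rules Windows offers to create in step 14.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Only run executables that are signed"
        Description="Allow executables signed by any publisher" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files"
        Description="Administrators may run anything" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyFile = Join-Path $env:TEMP 'applocker-signed-only.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Dry run: evaluate sample files as the Everyone group before enforcing anything.
# Files under a user's profile are the interesting cases, because only the publisher
# rule can allow them; substitute files from your own environment.
$samples = @(
    "$env:WINDIR\System32\notepad.exe",          # signed, and under %WINDIR%
    "$env:LOCALAPPDATA\Temp\sample-attachment.exe" # placeholder for a user-writable location
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $policyFile -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Import into the GPO once the dry run looks right. Placeholder LDAP path: replace
# the domain components and the policy GUID with your own.
$gpoLdap = 'LDAP://DC=corp,DC=example,DC=com/CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=corp,DC=example,DC=com'
Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap $gpoLdap
```

Two practical notes: AppLocker rules are only enforced on machines where the Application Identity service (AppIDSvc) is running, so set it to start automatically through the same GPO; and running the collection in `AuditOnly` mode for a week first surfaces, in the AppLocker event log, every unsigned program your users actually rely on before the switch to `Enabled` blocks it.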

