It's about time we gave ransomware the finger; we can already protect file servers and identify infected clients:
- https://www.frankysweb.de/windows-fileserver-vor-ransomware-crypto-locker-schuetzen/
- https://www.frankysweb.de/windows-fileserver-vor-ransomware-schuetzen-update/
- https://www.frankysweb.de/locky-verseuchte-clients-identifizieren/
Something can also be done on the clients to prevent an infection. However, there is no one-size-fits-all solution here, but with GPOs you have a powerful tool at hand to at least be able to react to current situations.
Here are 3 GPOs that can protect Windows clients from ransomware infections. Of course, the following principles _ALWAYS_ apply:
- The user is NOT a local administrator
- The Windows Firewall is activated
- The virus protection is up-to-date (in this case, up-to-date means that the signatures are not older than 12 hours)
- Windows UAC is activated
You can argue about one or all of the above points? Gladly, just not with me :-) These measures should be seen as an additional stage, ideally the ransomware doesn't even make it to the client. But since there are so many infections, I prefer to take precautions...
Deactivate macros
Locky currently spreads mainly via Word documents that are sent by email. The Word document then contains a macro that loads the actual malicious code. Macros can be deactivated using GPOs. To do this, the corresponding templates for Office must be downloaded:
Here is an example for Office 2016:
The EXE file only unpacks the templates, which must now be copied to the appropriate location. So either in the local Policy Store on the DC or the Central Store.
In this case, the directories and files from the unpacked EXE are copied to C:\Windows\PolicyDefinitions (local storage):
A new GPO can now be created in Group Policy Management and the computer configuration settings can be deactivated:
The macros can now be switched off within the GPO:
As soon as the GPO has been tested with a certain number of users, the GPO can be assigned to all users.
Here it is important to test the GPO beforehand, perhaps certain users or departments need macros for their daily work. This can then be filtered accordingly.
Deactivate JavaScript in Internet Explorer
While writing this article, I read that the ransomware Teslacrypt is also spreading via infected websites (mainly Joomla-based). This happens via JavaScript:
To deactivate JavaScript, another GPO can be created, this time with deactivated user configuration settings:
You can now edit the GPO and navigate to the following point:
- Computer configuration
- Policies
- Administrative templates
- Windows components
- Internet Explorer
- Internet Control Panel
- Security page
- Internet zone
In the "Internet" zone, "Active Scripting" can now be deactivated:
Now the GPO can be tested again and then linked to the domain:
Configure software restriction
Viruses and Trojans often follow the same pattern: some vulnerability is exploited, the virus/Trojan is downloaded and then executed, often from a temporary folder or from the APPDATA folders. So this is another place where you can intervene.
Create a new GPO again, user configuration settings deactivated
The GPO can now be edited and the software restriction activated:
The restrictions can now be activated under additional rules:
The following path rules are now configured as above:
- %appdata%\*.exe
- %appdata%\*\*.exe
- %localappdata%\*.exe
- %localappdata%\*\*.exe
- %temp%\*.exe
- %temp%\*\*.exe
Applications from the directories are no longer executed:
Again, test the GPO and only then assign it to the domain or OU.
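As an added example (not part of the original article), here is a small PowerShell audit script to run on a test client after gpupdate /force, to confirm that all three GPOs described above have actually taken effect; the registry locations and value meanings it checks are my assumptions about where these policies land, not something the article states.

```powershell
# Added audit script (not from the original article). Checks a domain-joined client,
# after "gpupdate /force", for the three settings described above. The registry
# paths and values below are assumptions about where each policy is stored.

function Test-RegValue {
    param([string]$Path, [string]$Name, $Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -eq $Expected)
}

# 1. Word 2016 macros: VBAWarnings = 4 means "Disable all without notification"
$macrosOff = Test-RegValue 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' 'VBAWarnings' 4

# 2. IE Internet zone (zone 3), action 1400 = Active scripting, value 3 = Disable.
#    The article's GPO is a computer policy (HKLM); HKCU is checked as well in case
#    the setting was applied as a user policy instead.
$ieScriptOff = $false
foreach ($hive in 'HKLM', 'HKCU') {
    $zone = "$($hive):\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    if (Test-RegValue $zone '1400' 3) { $ieScriptOff = $true }
}

# 3. Software Restriction Policies: path rules stored under security level 0 (Disallowed).
$wanted = @('%appdata%\*.exe', '%appdata%\*\*.exe',
            '%localappdata%\*.exe', '%localappdata%\*\*.exe',
            '%temp%\*.exe', '%temp%\*\*.exe')
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$present = @()
if (Test-Path $srpRoot) {
    # Each rule is a subkey (GUID) whose ItemData value holds the path pattern
    $present = Get-ChildItem $srpRoot | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}
# -notcontains compares case-insensitively, so %APPDATA% and %appdata% both match
$missingRules = $wanted | Where-Object { $present -notcontains $_ }

[pscustomobject]@{
    WordMacrosDisabled   = $macrosOff
    IEActiveScriptingOff = $ieScriptOff
    SRPRulesMissing      = ($missingRules -join ', ')
}
```

Run it from a normal (non-elevated) user session on the pilot client, since the macro setting lives in that user's hive and that is the account the GPO is meant to protect.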