CryptoWall 4.0 is the newest version of the CryptoWall ransomware, one of the most destructive malware families to date.
It typically arrives by malicious email. Once on a machine it scans the whole system for your personal files and encrypts them with an algorithm that cannot practically be broken without the attacker's key.
It then drops ransom notes in several folders telling you what must be done to recover the encrypted data.
Not very nice.
Prevention is always better than cure, and we found this comment on a thread on the Spiceworks.com community forum about the security measures you should take to avoid such attacks.
In no particular order of importance, do ALL of them…
- Make some real firewall rules – DON’T just leave the default allow-any-outbound rules – ONLY allow traffic outbound on ports that you actually use/need – Example for DCs: 53,80,123,443,3544 Example for End-Users: 80,443,1935,3544
- CryptoPrevent: https://www.foolishit.com/cryptoprevent-malware-prevention/ or some other Group Policy based software run restrictions – don’t let any executable run from a temp location.
- An end-user should never be a local admin. Admit it, you did this once-upon-a-time only because you were tired/lazy and didn't take the time to set the permissions right on something.
- Automatically remove all shares if/when the encryption starts to happen: http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20… This can also be set up to email you the moment it happens, the filename, and the user who did it.
- Use an Internet filter to block all the ccTLDs and IDNs your company doesn't really need – also block the known bad/malware domains – better yet also block advertisements (the source of much badware) – we use DNS Redirector: http://dnsredirector.com – it's great and it doesn't cost a fortune.
- Prevent access to any URL with an IP in it – only bad guys do links like http://18.104.22.168 – everything else should be a DNS name like http://example.com and therefore a DNS lookup (which is filtered) before getting out to the Internet.
- User training: reinforce that users should not click on things that look phishy, are spelled wrong, or they were not expecting – even if the email looks like it's someone they know.
- Implement spam/email message filtering, if your users can’t get to a bad link, then they can’t click on a bad link.
- Do backups, check that they are actually working. Make a "compliance game": if someone else (in your IT department) can delete a file (they should make their own backup first) and you can't restore it – then you owe them lunch. Shit gets solved real fast.
- Try executable whitelisting, the idea being only software you know about can run, I think this is extreme and haven’t resorted to doing it myself.
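The two filtering rules in the comment above (refuse any URL whose host is an IP literal, and block the ccTLDs, IDNs and known-bad domains you do not need) as an added Python example. This is not the commenter's code and not DNS Redirector's; the blocked-TLD set and the bad-domain list are constructed for the example. It also goes beyond the post's dotted-decimal case: browsers accept hexadecimal, octal and single-number ("dword") spellings of an IPv4 address, so a filter that only pattern-matches digits and dots is trivially bypassed, and the parser here normalises those forms the way the WHATWG URL host parser does.

```python
"""Egress URL filter: refuse IP-literal hosts (in every form a browser
accepts), punycode (IDN) hosts, unwanted TLDs and known-bad domains.
Added example; the policy sets below are constructed, not DNS Redirector's."""
import ipaddress
from urllib.parse import urlsplit

# Constructed policy data for the example (assumptions, not from the post).
BLOCKED_TLDS = {"ru", "cn", "top"}                          # TLDs we never need
BLOCKED_DOMAINS = {"badware.example", "evil-cdn.example"}  # known-bad list


def _parse_ipv4_part(part: str):
    """One dotted part as a browser reads it: 0x.. hex, leading-0 octal,
    otherwise decimal.  Returns an int, or None if it is not a number."""
    if part.startswith("0x"):
        digits, base, allowed = (part[2:] or "0"), 16, "0123456789abcdef"
    elif len(part) > 1 and part[0] == "0":
        digits, base, allowed = part[1:], 8, "01234567"
    else:
        digits, base, allowed = part, 10, "0123456789"
    if not digits or any(c not in allowed for c in digits):
        return None
    return int(digits, base)


def ipv4_literal(host: str):
    """Return the dotted-quad string if `host` is an IPv4 literal in any of
    the forms browsers accept (18.104.22.168, 0x12.0x68.0x16.0xa8,
    022.0150.026.0250, 305419896), else None."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) > 4:
        return None
    values = [_parse_ipv4_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    if any(v > 255 for v in values[:-1]):
        return None
    if values[-1] >= 256 ** (5 - len(values)):   # last part fills the rest
        return None
    number = values[-1]
    for i, v in enumerate(values[:-1]):
        number += v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(number))


def classify_url(url: str) -> str:
    """Return 'allow' or 'block:<reason>' for one outbound URL."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = parts.hostname or ""          # urlsplit lower-cases and unbrackets
    except ValueError:                       # e.g. a malformed [IPv6] host
        return "block:unparseable"
    host = host.rstrip(".")
    if not host:
        return "block:no-host"
    if ":" in host:                          # only bracketed IPv6 literals get here
        return "block:ip-literal"
    if ipv4_literal(host) is not None:
        return "block:ip-literal"
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "block:idn"                   # punycode label = IDN, block wholesale
    if labels[-1] in BLOCKED_TLDS:
        return "block:tld"
    for i in range(len(labels)):             # match the domain or any parent
        if ".".join(labels[i:]) in BLOCKED_DOMAINS:
            return "block:known-bad"
    return "allow"


if __name__ == "__main__":
    for u in ("http://18.104.22.168/login", "http://0x12.0x68.0x16.0xa8/",
              "http://305419896/", "http://xn--80ak6aa92e.com/",
              "http://shop.example.ru/", "https://example.com/path"):
        print(f"{u:32} -> {classify_url(u)}")
```

The point of the obfuscated forms is that `0x12.0x68.0x16.0xa8`, `022.0150.026.0250` and `305419896` are all the same address as the commenter's `18.104.22.168` once a browser has parsed them; a filter that checks for "four numbers and three dots" lets the first three straight through.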
Another comment provided a 20-step defence-in-depth security strategy:
- Two anti-malware email filters (separate services).
- Anti-malware at perimeter and at endpoints (separate services).
- Firewall at perimeter and endpoints blocking inbound and outbound (separate services).
- Content filtering at endpoints and perimeter (separate services).
- Geo-IP filtering at perimeter.
- End-user security training.
- Quarterly phishing tests.
- Block malicious attachments (bat, scr, exe, etc.).
- Require admin review of all ZIP attachments.
- Software restriction policy whitelisting.
- Windows shadow copies.
- Block-level snapshots of shared drives.
- Daily backups that are secured from end users.
- Offsite replication of critical storage and backups.
- Regular patching of apps and operating systems.
- Firmware updates of firewalls, storage and servers.
- Restricted admin rights.
- Restrict RDP and VPN access using AD permissions and IP blocking by valid login attempts.
- Strict password policies.
- Test, test and re-test.
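The two attachment items in the list above (block executable attachments; require admin review of all ZIP attachments) as an added Python example, not the commenter's code. It goes a little beyond the list: it looks at every extension in the filename, so `invoice.pdf.scr` is caught, and it opens ZIPs (including ZIPs nested inside ZIPs) to inspect member names, because an `.exe` inside an archive is the usual way past a bare extension filter. The extension set, the nesting limit and the sample archives are constructed for the example.

```python
"""Attachment gate: block executable names (anywhere in the extension chain),
open ZIPs to find executables inside, and hold the remaining ZIPs for admin
review.  Added example; extension list and sample archives are constructed."""
import io
import zipfile

# Constructed policy (an assumption for the example; extend to taste).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs",
                         "js", "jse", "wsf", "hta", "ps1", "msi", "jar", "lnk"}
ARCHIVE_EXTENSIONS = {"zip"}
MAX_NESTING = 2           # refuse ZIPs nested deeper than this


def _extensions(name: str) -> list:
    """Every extension in a basename, lower-cased and stripped of padding, so
    'Invoice.PDF .scr' -> ['pdf', 'scr'] and 'report.pdf' -> ['pdf']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return [p.strip().lower() for p in base.split(".")[1:] if p.strip()]


def _zip_verdict(data: bytes, prefix: str = "", depth: int = 0) -> str:
    """Walk one archive (recursing into nested ZIPs) and return a verdict."""
    if depth > MAX_NESTING:
        return "block:zip-nesting-too-deep"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block:corrupt-zip"
    with zf:
        for info in zf.infolist():
            member = prefix + info.filename
            if info.flag_bits & 0x1:        # encrypted member: cannot inspect it
                return "review:encrypted-zip:" + member
            exts = _extensions(info.filename)
            if any(e in EXECUTABLE_EXTENSIONS for e in exts):
                return "block:executable-in-zip:" + member
            if exts and exts[-1] in ARCHIVE_EXTENSIONS:
                inner = _zip_verdict(zf.read(info), member + "/", depth + 1)
                if inner != "review:zip":
                    return inner
    return "review:zip"                     # looks clean, still needs a human


def verdict_for_attachment(name: str, data: bytes) -> str:
    """'allow', 'review:...' or 'block:...' for one attachment."""
    exts = _extensions(name)
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        return "block:executable-name"
    if exts and exts[-1] in ARCHIVE_EXTENSIONS:
        return _zip_verdict(data)
    return "allow"


def _make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (not real mail data).
SAMPLE_CLEAN_ZIP = _make_zip({"report.pdf": b"%PDF-1.4 constructed"})
SAMPLE_BAD_ZIP = _make_zip({"invoice.pdf.scr": b"MZ constructed"})
SAMPLE_NESTED_ZIP = _make_zip({"readme.txt": b"hi", "inner.zip": SAMPLE_BAD_ZIP})

if __name__ == "__main__":
    for name, data in [("invoice.pdf.scr", b"MZ"), ("report.pdf", b"%PDF"),
                       ("docs.zip", SAMPLE_CLEAN_ZIP), ("invoice.zip", SAMPLE_BAD_ZIP),
                       ("bundle.zip", SAMPLE_NESTED_ZIP), ("broken.zip", b"not a zip")]:
        print(f"{name:18} -> {verdict_for_attachment(name, data)}")
```

A ZIP whose members are encrypted cannot be inspected, so it is handed to the reviewer rather than allowed; a ZIP that will not even parse is blocked outright, since a mail filter has no business guessing what a broken archive would unpack to on the endpoint.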
The most important thing is to always remain vigilant: never open a suspicious email, and be wary of the websites you visit.
Hopefully these user tips will prove useful to you. If you have any other tips you’d like to share, please leave a comment below.