Cryptolocker Ransomware has the potential to cripple your business. It will sneak in through emails and websites, and rapidly steal and hold-ransom your intellectual property. Discover these seven simple ways to protect yourself against a potentially devastating Cryptolocker attacker.
Cryptolocker isn’t new, but has seen a resurgence over the last couple of years. This form of malware will encrypt all the files it can find (including on your network drives) and upload the private key to the remote server. In order to decrypt your files you need that private key, and to get that private key you are required to pay a ransom.
Thankfully, there are a few good ways you can protect your corporate network to try and prevent this sort of disaster from occurring.
1. Email Filtering
This sort of malware is primarily distributed via email attachments and email links. Ensuring you email filter is up to date is your first line of defence. If you manage your own email, ensure you have an up-to-date, reputable virus and content scanner on all incoming emails (Such as GFi or MailTitan). If you don’t manage your own email, contact your provider to see how they protect you.
2. Restrict email links to IP Addresses
Ensure that your mail filter blocks out any embedded links to IP addresses. There are generally no legitimate reasons for your users to receive emails with IP addresses in them. This can be done via content filtering rules, such as the Data Loss Protection rules (similar to filtering out credit card numbers).
3. Outbound Firewall Rules and DNS
Restrict outbound access to ports 80 and 443. Ensure DNS and NTP are always run via your domain controllers, and only certain machines have access to services such as FTP and SMTP. Leaving everything open is asking for trouble.
By forcing all DNS connections via your domain controller, it gives you the option to drop-in a solution such as OpenDNS as an extra layer of protection.
DNS-based filtering is theoretically quite effective, as Cryptolocker malware uses centralised “command and conquer” servers found via Domain Generation Algorithms. OpenDNS and other providers use intelligence to block access to these domains.
4. No One Should Be a Local Administrator
There are very few good reasons these days for users to be a local administrator on their PC. Even the IT staff probably don’t need to be a local administrator all the time. Have a separate set of credentials, and elevate yourself via UAC when needed.
If corporate apps require administrative permissions, sniff out their real requirements via Process Monitor and set some ACLs appropriately to work around it.
You could also consider sandboxing problematic apps using RemoteApp or VDI.
5. Restrict Executables in AppData
Many malware applications (and malware-like applications such as Google Chrome) live in your AppData folder. Using Group Policy, setup a Software Restriction Policy to ensure no unwanted code can be executed from the %AppData% folder.
6. TLDs and IP Range Blocks for Known Problematic Countries
My guess is that you probably don’t need to access domains or IP Address Ranges in countries such as Russia, China and Indonesia. However, much malware originates from these countries. Setup your web filter and firewall to block access to these locations.
If you have a genuine need to access certain domains or addresses, then consider whitelisting them.
7. Volume Shadow Services
If you do have a breach and need to roll back some files, ensure you have Volume Shadow Services enabled on all your file servers. This will allow you to easily roll back files to previous versions without needing to pull it off backup tapes. It’s generally quicker and easier.
None of these measures can be 100% effective, but by taking the time to lock down your network and think through the potential security flaws, you are giving yourself the best fighting chance against this nasty malware.