2 min read

Do Your Bit to Limit Cryptowall

Răzvan STOICA

November 17, 2014

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Do Your Bit to Limit Cryptowall

Bitdefender antimalware researchers have put together a checklist of things to do to avoid getting infected with Cryptowall.

Cryptowall is a form of ransomware that uses the same encryption and extortion mechanisms as a previous threat, dubbed Cryptolocker. Local files are encrypted using a randomly generated 2048-bit RSA key pair that’s associated with the infected computer.

While the public key is copied on the infected computer, the private key can only be obtained by paying for it within an allocated amount of time. If payment is not delivered, the private key is supposed to be deleted, leaving no possible unencrypting method for recovering the locked files.

One of the most common infection vectors relies on drive-by-attacks through infected ads on legitimate websites, but it has also been known to infect via infected downloaded apps.

Cryptowall infection can be limited and sometimes prevented with:

Best practices

 

  • Use an antivirus solution that’s constantly updated and able to perform active scanning;
  • Schedule file backups – either locally on in the cloud – so data can be recovered in case of corruption;
  • Follow safe internet practices by not visiting questionable websites, not clicking links or opening attachments in emails from uncertain sources, and not providing personally identifiable information on public chats rooms or forums;
  • Implement / enable ad-blocking capacities and anti-spam filters
  • Virtualize or completely disable Flash, as it has been repeatedly used as an infection vector
  • Train employees in identifying social engineering attempts and spear-phishing emails.

 

Aside from these general recommendations, you should also:

Enable software restriction policies.

System administrators need to enforce group policy objects into the registry to block execution from specific locations. This can only be achieved if you’re running a Windows Professional or Windows Server edition. The Software Restriction Policies option can be found in the Local Security Policy editor.

cw

After clicking the New Software Restriction Policies button under Additional Rules, the following Path Rules should be used with “Dissallowed” Security Level:

o “%username%\\Appdata\\Roaming\\*.exe”

o “%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\\.*exe”

o C:\\<random>\\<random>*.exe

o “%temp%\\*.exe”

o “%userprofile%\\Start Menu\\Programs\\Startup\\*.exe”

o “%userprofile%\\*.exe”

o “%username%\\Appdata\\*.exe”

o “%username%\\Appdata\\Local\\*.exe”

o “%username%\\Application Data\\*.exe”

o “%username%\\Application Data\\Microsoft\\*.exe”

o “%username%\\Local Settings\\Application Data\\*.exe”

Setting these mechanisms in place could limit or block Cryptowall.

tags


Author



Right now

Top posts

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

LuminousMoth – PlugX, File Exfiltration and Persistence Revisited

July 21, 2021

9 min read
How We Tracked a Threat Group Running an Active Cryptojacking Campaign

How We Tracked a Threat Group Running an Active Cryptojacking Campaign

July 14, 2021

10 min read
A Note from the Bitdefender Labs Team on Ransomware and Decryptors

A Note from the Bitdefender Labs Team on Ransomware and Decryptors

May 26, 2021

2 min read
New Nebulae Backdoor Linked with the NAIKON Group

New Nebulae Backdoor Linked with the NAIKON Group

April 28, 2021

1 min read
Good riddance, GandCrab! We’re still fixing the mess you left behind.

Good riddance, GandCrab! We’re still fixing the mess you left behind.

June 17, 2019

5 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Digitally-Signed Rootkits
are Back – A Look at
FiveSys and Companions Digitally-Signed Rootkits are Back – A Look at FiveSys and Companions
Bitdefender

October 20, 2021

1 min read
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
Bogdan BOTEZATUVictor VRABIE
9 min read
Debugging MosaicLoader, One Step at a Time Debugging MosaicLoader, One Step at a Time
Janos Gergo SZELESBogdan BOTEZATU
1 min read