Defending against CryptoLocker with Group Policy Software Restriction


The latest variants of CryptoLocker can bypass Microsoft Endpoint Protection even with the latest definitions.

Use the following Group Policy to stop it executing from %AppData%:

Computer Configuration\Policies\Windows Settings\Security Settings\Software Restrictions Policies\Additional Rules

*.SCR and *.TMP are file extensions known to be used by this virus.

  • %AppData%\*.exe Disallowed
  • %AppData%\*\*.exe Disallowed
  • %TEMP%\*.exe Disallowed
  • %TEMP%\*\*.exe Disallowed
  • %TMP%\*.exe Disallowed
  • %TMP%\*\*.exe Disallowed

[Screenshot: Group Policy Management Editor, 2014-11-27]


I would suggest blocking all files (*.*) in these locations, or at least the following executable file extensions:

.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .htm

[Screenshot: Group Policy Management, 2014-12-19]

More Locations to protect:

  • %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • %UserProfile%\Local Settings\Temp\7z*\*.exe
  • %UserProfile%\Local Settings\Temp\wz*\*.exe
  • %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • %LocalAppData%\Temp\Rar*\*.exe
  • %LocalAppData%\Temp\7z*\*.exe
  • %LocalAppData%\Temp\wz*\*.exe
  • %LocalAppData%\Temp\*.zip\*.exe
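
As an added example (not part of the original post), the following Python script models how the Software Restriction Policy path rules above are matched: a "*" stops at a folder separator, which is why both "%AppData%\*.exe" and "%AppData%\*\*.exe" are needed. The environment values for user "alice" are constructed for the example; a real check would read them from os.environ.

```python
import re

# Disallowed path rules taken from the post (%TMP% rules omitted: on a default
# install TEMP and TMP expand to the same folder).
RULES = [
    r"%AppData%\*.exe",
    r"%AppData%\*\*.exe",
    r"%TEMP%\*.exe",
    r"%TEMP%\*\*.exe",
    r"%LocalAppData%\Temp\Rar*\*.exe",
    r"%LocalAppData%\Temp\7z*\*.exe",
    r"%LocalAppData%\Temp\wz*\*.exe",
    r"%LocalAppData%\Temp\*.zip\*.exe",
]

# Constructed environment for a sample user; a real check would use os.environ.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

def expand(rule, env):
    # Expand %VAR% references case-insensitively, leaving unknown ones untouched.
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), rule)

def rule_to_regex(rule, env):
    # SRP semantics modelled here: '*' matches any run of characters except a
    # backslash, so "%AppData%\*.exe" stops at the first folder level and the
    # separate "%AppData%\*\*.exe" rule is needed to reach one subfolder down.
    pieces = expand(rule, env).split("*")
    return re.compile(r"[^\\]*".join(re.escape(p) for p in pieces), re.IGNORECASE)

def matching_rules(path, rules=RULES, env=ENV):
    # Every Disallowed rule that would block `path`; an empty list means allowed.
    return [r for r in rules if rule_to_regex(r, env).fullmatch(path)]

if __name__ == "__main__":
    samples = [
        r"C:\Users\alice\AppData\Roaming\invoice.exe",              # blocked
        r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",          # blocked
        r"C:\Users\alice\AppData\Roaming\a\b\deep.exe",             # two levels deep: allowed
        r"C:\Users\alice\AppData\Roaming\photo.scr",                # .scr not covered: allowed
        r"C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\run.exe",  # blocked by two rules
    ]
    for s in samples:
        print(s, "->", matching_rules(s) or "allowed")
```

The two "allowed" samples show the gaps the post goes on to address: deeper folder nesting and non-.exe extensions such as .scr, which is why blocking *.* in these locations is suggested below.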

Registry lockdown

I would suggest restricting these keys for users, but more testing is required.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


Command to check where the Interactive group has write access (accesschk from Sysinternals): accesschk -w -s -q -u Interactive "C:\Windows"

[Screenshot: Command Prompt, 2014-11-27]


If you do get hit:

  1. Shut down the affected workstation ASAP.
  2. Stop all file shares.
  3. Recover from the last known good backup. (We had VSS and NetApp, so we only lost 4 hours of work.)
  4. Check personal storage software like Dropbox, which got hit as well.
  5. Upload the virus file to or (this way the virus engines will create a definition and help others not to get infected).

Deep Investigation

I looked a bit closer at how these viruses actually get executed:

  1. The first method is to change the icon of the executable (*.exe) to a PDF icon. Users normally can’t see file extensions and will double-click it thinking it is a PDF file.
  2. The “Unitrix” exploit (as named by Avast) uses the Unicode character U+202E, Right-to-Left Override, so that the displayed file name hides the real extension.

Other protection

  1. Educate users
  2. Turn on Data Execution Prevention – System Properties / Advanced / Performance Options / Data Execution Prevention / Turn on DEP for essential Windows programs and services only
  3. User Account Control (UAC) settings – Always notify
  4. Internet Options / Security Settings – Local Intranet Zone
  5. Application whitelisting

Educate Users

The authors of this kind of malware release updates very quickly and change significant characteristics of the malware families involved, evading anti-malware signatures. We see a lot of ransomware on a daily basis, around 50 new sub-variants per day. The people who write this malware constantly make changes to it and test it against a large group of AV engines with the latest definitions to make sure it is not detected, much like a public multi-engine scanning website would, only they have their own private environment. So it is a race between the malware authors and the AV vendors.

The use of public/private key cryptography makes it infeasible to discover or calculate the decryption key.
The malware encrypts files locally and on any mapped network drives, which expands the potential for damage.

Encrypted files are registered under HKEY_CURRENT_USER\Software\CryptoLocker\Files.

Here is the latest blog from the Microsoft Malware Protection Center on this kind of ransomware; it has some information about the common infection vectors.

Some other blogs:

  • Word OneNote Blog -
  • BGP Blog -
  • Excel Blog -

To emphasise the importance of educating users: the attacker always tries to infect users through spam email and malicious websites.

  1. On most of the infection vectors, the attacker relies on social engineering to get you to run the program, much the same way a con man gets your bank account details. Therefore the VERY FIRST line of defense to prevent this virus is DO NOT RUN ATTACHMENTS UNLESS YOU KNOW THEY ARE SAFE. You may also need to educate users about the common attack methods the attackers use.
  2. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
     Also evaluate the write permissions on shared folders and remove any unnecessary write permissions.
  3. Always keep your patch levels up to date, especially Java, Adobe and IE. This helps stop attackers using known vulnerabilities to infect users. Simply visiting a compromised website can cause infection if certain vulnerabilities in the browser or its add-ins are not patched.
  4. Filter spam on the email server; you can use anti-spam software. Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  5. Back up important documents regularly.
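
As an added example (not part of the original post), this Python snippet shows the attachment filtering described in point 4 combined with the Right-to-Left Override check from the "Deep Investigation" section above: it reports what a bidi-aware file browser would display versus the extension Windows actually uses. The blocked-extension set is the list suggested earlier in the post plus .exe, assembled here for the example.

```python
import unicodedata

RLO = "\u202e"  # U+202E Right-to-Left Override, the character behind the "Unitrix" trick

# Extensions the post suggests blocking, plus .exe. A constructed policy for this example.
BLOCKED_EXT = {".exe", ".bat", ".cmd", ".com", ".lnk", ".pif", ".scr",
               ".vb", ".vbe", ".vbs", ".wsh", ".htm"}

def displayed_name(name):
    # Rough model of a bidi-aware file browser: text after the RLO character is
    # drawn right-to-left, so "report<RLO>fdp.exe" is shown as "reportexe.pdf".
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def real_extension(name):
    # Windows picks the handler from the last '.' in the stored name; bidi control
    # characters (Unicode category Cf) are invisible, so strip them before looking.
    clean = "".join(c for c in name if unicodedata.category(c) != "Cf")
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot >= 0 else ""

def attachment_verdict(name):
    # Returns (blocked, reason). The RLO check comes first because such a name
    # is deceptive regardless of which extension it carries.
    ext = real_extension(name)
    if RLO in name:
        shown = displayed_name(name)
        return True, f"RLO in name: shown as {shown!r}, real extension {ext or '(none)'}"
    if ext in BLOCKED_EXT:
        return True, f"blocked extension {ext}"
    return False, "allowed"

if __name__ == "__main__":
    # Constructed sample attachment names, including one using the RLO trick.
    for n in ["invoice.pdf", "photo.SCR", "report\u202efdp.exe", "setup.pdf.exe"]:
        print(repr(n), "->", attachment_verdict(n))
```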

Official Symantec MSS Alert


Symantec MSS Threat Landscape Update – Cryptowall 2.0


On October 15th, 2014, researchers from the Bleeping Computer forum released a blog article about a new variant of Cryptowall, a.k.a. Cryptodefense. This malware is your traditional “ransomware” with some added features.


This new variant provides a unique bitcoin payment address to every infected user. Previously, all infected users paid into the same payment address, which meant that one infected user could redirect funds paid by another infected user.

Another new feature is the ability to securely delete the original files after they are encrypted. In the previous version, deleted files could be recovered using file recovery tools. Cryptowall 2.0 wipes the original files, making recovery impossible unless you pay the ransom or restore from backup.

All of Cryptowall’s ransom servers are located on the anonymous TOR network. Before, users had to install TOR on their systems in order to pay the ransom. This was a confusing process for the user, so the attackers moved to a web-to-TOR gateway which allows users to access TOR servers without having to install software. The old version of Cryptowall used a third party provider for this service, but once this was discovered it was blacklisted. The new version of TOR now uses its own web-to-TOR gateways, avoiding any blacklisting.

Cryptowall currently uses four web-to-TOR gateways as outlined by Bleeping Computer. They are the following:

  • Tor4pay[.]com
  • Pay2tor[.]com
  • Tor2pay[.]com
  • Pay4tor[.]com

This new variant is being distributed through phishing emails using the RIG Exploit kit.


For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at

For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

MSS SOC Analytics Detection

  • URL Analytics (WSM Signatures)
    • [MSS URL Detection] Possible Trojan.Cryptodefense(Cryptowall) C&C Traffic

Vendor Detection

  • Symantec AV

  • Symantec IPS
    • System Infected: Trojan.Cryptodefense Activity
    • Web Attack: Exploit Toolkit website 47
    • Web Attack: Malicious Executable Download 2
    • Web Attack: MSIE CVE-2013-2551 3
    • Web Attack: Rig Exploit Kit Website 5
    • Web Attack: Rig Exploit Kit Website 9
    • Web Attack: Rig Exploit Kit Website 4
    • Web Attack: Rig Exploit Kit Website 21

  • Snort/Emerging Threats (ET)
    • SID – 2809047 – ETPRO TROJAN Possible Cryptowall Infection in Windows Roaming Profile (DECRYPT_INSTRUCTION.URL ascii)
    • SID – 2018452 – ET TROJAN CryptoWall Check-in
    • SID – 2016809 – ET TROJAN Likely CryptoWall .onion Proxy DNS Lookup
    • SID – 2018610 – ET TROJAN Likely CryptoWall .onion Proxy Domain in SNI
    • SID – 2018397 – ET TROJAN Cryptodefense DNS Domain Lookup

  • Snort/Sourcefire
    • SID – 31450 – MALWARE-CNC Win.Trojan.CryptoWall Outbound Connection Attempt
    • SID – 31449 – MALWARE-CNC Win.Trojan.CryptoWall Downloader Attempt
    • SID – 32225 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt
    • SID – 31223 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt
    • SID – 31447 – BLACKLIST DNS Request for Known Malware Domain mediaocean[.]home[.]pl – Win.Trojan.CryptoWall
    • SID – 31448 – BLACKLIST DNS Request for Known Malware Domain nofbiatdominicana[.]com – Win.Trojan.CryptoWall
    • SID – 31369 – EXPLOIT-KIT Rig Exploit Kit Outbound Microsoft Silverlight Request
    • SID – 31455 – EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request

  • TippingPoint
    • HTTP: CryptoWall Communication Attempt

  • FireEye

This list represents a snapshot of current detection. As threats evolve, detection for those threats can and will evolve as well.


  • Rig Exploit Kit Used in Recent Website Compromise

  • Updated CryptoWall 2.0 ransomware released that makes it harder to recover files

  • Recovering Ransomlocked Files Using Built-In Windows Tools

  • CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at

Global Client Services Team

Symantec Managed Security Services

MSS Portal:

MSS Blog:

1 Comment

  1. Pingback: CryptoWall CryptoLocker – Here’s what you should be doing
