#virus #cryptowall #scam #bitcoin
Cryptowall, an infamous name many of us have heard within the past year or so. A bug so infamous that it can't be beat due to its implementation. Anyone who isn't familiar with it, this thing will break your life, brick your computer, and destroy your history... assuming you don't back anything up of course. What is it? How does it work? Who benefits? And how do you beat it?
First off this thing sucks, this is one of the newest cryptographic viruses that feeds on people who do one or two things. Don't back up their important files to a cloud or external backup device and/or is afraid to the point they are willing to pay anyone at any time. First lesson of the day, backup your stuff. What is a cryptographic virus? If you look in the picture above it says "your files have been encrypted with RSA 2048 encryption", or something along those lines. What this means is, there is a 2,048 bit encryption on your files, every single one of them. Or more simply put, imagine a key with 2,048 peaks and valleys, recreating that without seeing it? Next to impossible. And this is the type of lock put on all of the files affected by the cryptowall, there is literally no computer powerful enough to crack a lock that complex. That's 3.2317e+616 possible keys' for anyone curious as to how big the number is. 616 numbers long, that's a damn long number, and we think trillion is big? HA.
Now we know that this bug locks your files permanently with an extortion notice, pay them in bitcoin, or never see your beloved files again. Bitcoin is a crypto currency, or more easily put an online digital currency with no governmental backing. A side perk of untraceable and no taxation, means this type of currency is beloved by the underground. Give money that can't be traced that can buy things on a black market, and as of recent real companies in the light? Great for that sort of thing.
You have a choice, you can pay the extortion price, and your money is gone, without a trace, but you get your files back. Or not pay it and say goodbye to your files. Sadly, even though we can beat cryptowall from happening, we can't beat what it has done, if you've backed things up, you are fully capable of getting them back. If you didn't... say bye bye baby pictures.
How do we beat it though? Group Policy Objects, or GPO's for short. This can be done surprisingly easily on a computer network and be distrubuted to everyone within a couple of hours, and no need to even sit at their desks, and can even be done on your home computer. If you're just now learning how to implement this for a business, I'm going to give you the GP path and information needed, but I'm going to do it for in a way that can be done for home users.
GPEDIT.MSC <-- the group policy editing program for LOCAL group policies, by typing this into your search bar in the start menu, only this program will come up that looks like this.
The local group policy editor, yay. From here you're going to open this path. Computer configuration > Windows Settings > Security Settings > Software Restriction Policies
Now software restriction policies will most likely be empty, right click and say you want to make a new policy. You're going to have to add a few paths, and check to see if they are there by default. This is what you'll need to add.
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ ProgramFilesDir%
- %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ ProgramFilesDir (X86)%
- *.lnk
- %appdata%
Set the first 3 on that list to "unrestricted" as their security level, and set %appdata% to Disallowed. What this does is allows your start programs to run, and allows any program in your program files directories to run. Which lets be honest, is where we should be running from anyway. Unless you have extra drives on your computer, like a D: or F: of some short, in these cases, make sure you make exceptions to them in the rule list. Make a path to D: or F: as a rule. But what it does do that helps us is block all programs from the appdata directory from running, this is where cryptowall and cryptolocker get in, they paste themselves here and run. If there is a rule that strictly gives a destination programs can't run from, these programs will do nothing. Thus, preventing any bug from getting in and really messing up your work.
One thing I'd like to state, is from time to time, a program you do need to run will have a piece of it located in a temp folder, if it doesn't open up when you click it to run, you can find the path thats blocked in your event viewer under warning code 866. And the beauty of these rules, is the rule that takes precedence is the one that's more descriptive. So you can say %appdata% is blocked, and %appdata%\local\temp\spiceworks* is not. The more descriptive tag will take precedence over the less descriptive. (yes spiceworks needs an exception for a vbs file)
Other than that, we've just helped not just harden your computer, but we've set it up to help you be more secure in your work. And as always, be safe my goblins.
Blogger Comment
Facebook Comment