Crypto (Ransomware) prevention tactics!!

This article attempts to detail Crypto infections (ransomware) and the prevention tactics that admins are implementing in their networks. Nobody is immune! First, a brief background on the current state of Crypto code.

Russian organized-crime groups, widely believed to operate with the tolerance of the Russian state, are among the leading sources of current Crypto infections.

All A/V companies are struggling with this. The best any A/V product can currently do is stop roughly 90% of Crypto infections (avast! is one of those), and industry professionals have said of some other products that "XYZ anti-virus doesn't stop Crypto at all!" So even in the best case, 1 in 10 infections is still getting through. Anti-virus software alone is not enough; a multi-layered approach to security is now the requirement.

The problem with these new versions of Crypto is that they are polymorphic: each download is re-packed so that every sample has a unique hash, and signature-based detection never sees the same file twice. Anti-virus vendors and testers can't even pull samples for analysis without being attacked: once a second sample is requested from the same IP address, a trip wire triggers an attack against that address. The latest CryptoWall 2.0 samples were signed with a "Bit9" code-signing certificate and use Flash as the infection vector. Infections like these are the Achilles' heel of every anti-virus vendor. No A/V is immune, which is why we stress again that a layered approach to security is now a necessity.


What is Polymorphic?

Polymorphic malware changes its own bytes on every copy (re-encrypting or re-packing the payload with a different key or packer each time) while the behaviour stays the same. No two victims receive identical files, so hash and byte-signature detection fails; only behavioural, heuristic and reputation-based detection, or blocking the execution paths it relies on, catches it.

New ad-borne CryptoWall 2.0 ransomware is spreading through malvertising on Yahoo, AOL and other large sites.

This is the most recent vector: malicious ads were pushed through legitimate advertising networks, so pages on trusted sites served a CryptoWall 2.0 infection vector without the sites themselves being compromised.

This vector can be blocked with an ad blocker. For Internet Explorer, Adblock Plus will stop ALL advertising once you clear the checkbox "Allow some non-intrusive advertising" (the Acceptable Ads exception). We use AdBlock for the Chrome browser. Note that blocking ads removes the delivery channel, not the Flash vulnerability the ads exploit, so Flash still has to be patched or removed.

Check out this Adblock Plus GPO template for Chrome:

There are also IE MSIs that can be deployed via GPO:
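As an added example (not from the original post, and not the GPO template referred to above), here is the same Chrome deployment done directly: Chrome's ExtensionInstallForcelist policy written into the local machine policy hive, which is exactly what a GPO built from Google's Chrome ADMX templates writes. The extension ID is an assumption and must be confirmed against the Chrome Web Store URL before use.

```powershell
# Added example, not from the original post: force-install an ad blocker in Chrome
# through Chrome's ExtensionInstallForcelist policy, written to the local machine
# policy hive. A GPO using Google's Chrome ADMX sets the same registry values.
# Run elevated; Chrome picks it up at next start or after "Reload policies" on chrome://policy.
#
# ASSUMPTION: the ID below is the Chrome Web Store ID of Adblock Plus; confirm it
# against the store URL (chrome.google.com/webstore/detail/<name>/<id>) before deploying.
$AdblockPlusId     = 'cfhdojbkjhnklbpkdaibdccddilifddb'
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'
$ListKey           = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'

function Get-ChromeForcedExtension {
    # Returns the "<id>;<update url>" entries currently in the force list, keyed by slot.
    # Slots are string values named "1", "2", ... under the list key.
    if (-not (Test-Path $ListKey)) { return @{} }
    $props = Get-ItemProperty -Path $ListKey
    $out = @{}
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^\d+$') { $out[$p.Name] = $p.Value }
    }
    $out
}

function Add-ChromeForcedExtension {
    # Idempotent: reuses the slot if the extension is already listed, else appends.
    param([string]$Id, [string]$UpdateUrl = $WebStoreUpdateUrl)
    New-Item -Path $ListKey -Force | Out-Null
    $current = Get-ChromeForcedExtension
    $slot = $current.Keys |
        Where-Object { $current[$_] -like "$Id;*" -or $current[$_] -eq $Id } |
        Select-Object -First 1
    if (-not $slot) {
        $max = 0
        foreach ($k in $current.Keys) { if ([int]$k -gt $max) { $max = [int]$k } }
        $slot = [string]($max + 1)
    }
    New-ItemProperty -Path $ListKey -Name $slot -PropertyType String -Value "$Id;$UpdateUrl" -Force | Out-Null
    $slot
}

$slot = Add-ChromeForcedExtension -Id $AdblockPlusId
"Adblock Plus forced in slot $slot; force list now:"
Get-ChromeForcedExtension
```

A force-listed extension cannot be disabled or removed by the user from chrome://extensions, which is the point. The "Allow some non-intrusive advertising" checkbox mentioned above is a setting inside the extension, not a Chrome policy, so this script does not clear it.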



How to recover files from Crypto (Ransomware) infection


CryptoLocker Prevention Kit for Domains (updated)

The SMBKitchen Crew and Third Tier staff have put together a group of materials that were published as part of our SMBKitchen Project and only available to subscribers. However, because this virus is spreading so rapidly and is so serious, they made these materials available to everyone.

The kit includes an article on cleaning up after infection but, more importantly, provides materials and instructions for deploying preventive blocks using Software Restriction Policies: path rules that stop executables from running out of the user-writable locations (%AppData%, %LocalAppData% and the %Temp% folders archive tools extract into) where these droppers land. The articles cover installing them via GPO on domain computers and terminal servers, and on non-domain-joined machines too. They have also provided GPO settings that you can import into your environment.

Note: This kit is being updated on a frequent basis, so if you've downloaded it before, check the Third Tier blog for updates and download the kit again to have the latest information on CryptoLocker and what you can do to prevent it in your networks.
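As an added example (this is not the kit's own script; the block list is the commonly published set of patterns and the exemption list is an assumption to adapt per site), here is what the kit's Software Restriction Policy approach looks like when written straight into local machine policy on a non-domain-joined machine:

```powershell
# Added example, not the Third Tier kit's own material: create, in LOCAL machine
# policy, the kind of Software Restriction Policy path rules the kit deploys via GPO.
# Intended for non-domain-joined machines. Run elevated; log off/on or reboot so new
# processes pick up the policy. Domain members should get these rules from a GPO.
$Base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SAFER security level "Disallowed"
$Unrestricted = 0x40000    # SAFER security level "Unrestricted"

# Block executables launched from the user-writable locations the droppers use.
$BlockPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe',    '%Temp%\7z*\*.exe',      # archives opened in place by WinRAR / 7-Zip
    '%Temp%\wz*\*.exe',     '%Temp%\*.zip\*.exe'     # WinZip / Explorer "compressed folder"
)
# ASSUMPTION: site-specific exemptions. In SRP the more specific path rule wins, so
# per-user installs that legitimately live under %LocalAppData% (Chrome's per-user
# install is the usual example) must be allowed explicitly or they stop launching.
$AllowPaths = @(
    '%LocalAppData%\Google\Chrome\Application\chrome.exe'
)

function Get-SrpPathRule {
    # Return the unexpanded ItemData (path pattern) of every rule at the given level.
    param([int]$Level)
    $paths = Join-Path $Base "$Level\Paths"
    if (-not (Test-Path $paths)) { return @() }
    @(Get-ChildItem -Path $paths | ForEach-Object {
        $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
    })
}

function Add-SrpPathRule {
    # Idempotent: skip if an identical pattern already exists at this level.
    param([string]$Path, [int]$Level, [string]$Description)
    if ((Get-SrpPathRule -Level $Level) -contains $Path) { return $false }
    $key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() | Out-Null
    return $true
}

# Policy-wide settings (blacklist mode: everything runs unless a rule says otherwise).
New-Item -Path $Base -Force | Out-Null
Set-ItemProperty -Path $Base -Name DefaultLevel       -Type DWord  -Value $Unrestricted
Set-ItemProperty -Path $Base -Name TransparentEnabled -Type DWord  -Value 1    # enforce on executables, skip DLLs
Set-ItemProperty -Path $Base -Name PolicyScope        -Type DWord  -Value 0    # all users, local admins included
Set-ItemProperty -Path $Base -Name LogFileName        -Type String -Value "$env:SystemRoot\Temp\srp.log"  # log each decision

foreach ($p in $BlockPaths) { Add-SrpPathRule -Path $p -Level $Disallowed   -Description 'Ransomware dropper location' | Out-Null }
foreach ($p in $AllowPaths) { Add-SrpPathRule -Path $p -Level $Unrestricted -Description 'Site exemption'               | Out-Null }

# Show what is now in force.
"Disallowed:";   Get-SrpPathRule -Level $Disallowed
"Unrestricted:"; Get-SrpPathRule -Level $Unrestricted
```

Two caveats before rolling this out. First, test in audit form: the LogFileName setting makes SRP write every evaluation to the log, so a day of that file on a pilot machine shows which legitimate programs the wildcard rules would break and need adding to the exemption list (the file grows without bound; remove the value when done). Second, these rules only cover .exe; which extensions SRP treats as programs is governed by the policy's ExecutableTypes list, so extend the same patterns to .scr, .pif and .cpl if your environment permits, and remember that scripts run through an interpreter are not covered by an .exe rule.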


How to add additional measures to prevent Crypto infections

The current version of CryptoWall 2.0 is using a vulnerability in Flash. Here are multiple measures to help prevent these infection vectors:

1)       Virtualize Flash using the avast! sandbox.
2)       Do not install Flash or Java at all. If a site truly needs Flash, use Chrome, which bundles its own sandboxed Flash plugin and updates it with the browser; Chrome does not supply Java, and not every app works without the standalone plugins.
3)       Implement ad blocking.
4)       Implement anti-spam filtering.
5)       Keep your backups current, and keep a copy the infected PC cannot reach. Shadow Copy doesn't always work: these families delete the Volume Shadow Copies (vssadmin delete shadows) before they start encrypting.
6)       Train your users to recognise phishing; the phishing e-mail is the entry point for these "advanced persistent threat" style infections.
7)       Implement a gateway with anti-malware filtering, or install Malwarebytes real-time anti-spyware scanning (avast! and Malwarebytes play well together).

I personally receive over 50 different email phishing attempts daily. And a recent report from Enterprise Management Associates, published April 2014, shows that 56% of employees still receive NO security awareness training. According to employee responses in the survey report:
– 30% leave mobile devices unattended in their vehicle
– 33% use the same password for both work and personal devices
– 35% have clicked on a link in an email from an unknown sender
– 58% have sensitive information on their mobile devices
– 59% store work information in the Cloud

From the Virus Doctor, Ken Dwight, on Crypto prevention measures

• Subscribe to a cloud-based, automatic backup service.  External hard drives, thumb drives, and mapped network drives will all be encrypted by any of these ransomware programs; only a cloud-based backup service is beyond their reach.
• Use a commercial (paid) Internet Security Suite, keep the definitions up to date, and perform a full scan daily.
• Add secondary protection against encrypting ransomware, such as CryptoPrevent.
• Apply all Windows Updates automatically, as soon as they are released.
• Be suspicious of any links in e-mails, even those to apparently legitimate sites.
• Be especially leery of opening any attachment, especially from alleged shippers (UPS, FedEx, DHL, USPS, Banks, etc.)
• Keep Adobe Flash, Air, Reader, and Shockwave updated at all times; ditto for Java, QuickTime, RealPlayer, Silverlight and other ancillary programs.

(NOTE: the avast! Software Updater will help to simplify this process)
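Whichever updater you use, the first step is knowing what is actually installed. As an added example (not from the post and not part of avast!), here is a read-only inventory of the plug-ins named in the list above, taken from the Windows uninstall registry on the local machine:

```powershell
# Added example, not from the post or from avast!: inventory the browser plug-ins
# named above (Flash, AIR, Reader, Shockwave, Java, QuickTime, RealPlayer, Silverlight)
# from the Windows uninstall registry, so you can see what is installed and at which
# version before deciding to patch or remove it. Read-only; no elevation required.
$WatchList = 'Adobe Flash Player', 'Adobe AIR', 'Adobe Reader', 'Adobe Acrobat Reader',
             'Shockwave', 'Java', 'QuickTime', 'RealPlayer', 'Silverlight'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
)

function Get-RiskyPlugin {
    # Match DisplayName against the watch list and report version and uninstall command.
    param([string[]]$Names = $WatchList)
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object {
            $display = $_.DisplayName
            # inner pipeline rebinds $_ to each watch-list entry; any hit makes this truthy
            $Names | Where-Object { $display -like "*$_*" }
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $_.InstallDate
                Uninstall = $_.UninstallString
            }
        } | Sort-Object Name -Unique
}

Get-RiskyPlugin | Format-Table -AutoSize
```

Chrome's bundled Flash is updated with Chrome and does not appear in this list. Anything that does appear and is not needed is better removed than kept patched: the Uninstall column gives the command to do it.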


How to step up the default Security settings for avast! Endpoint Protection versions

Also, here are the changes we make to the default settings of avast! Endpoint Protection versions (Plus, Suite, and Suite Plus)

Under the "File System", "Mail" and "Web" Shield settings, choose Sensitivity, set the "Heuristics sensitivity" to high, and enable "Scan for potentially unwanted programs". The same two changes apply to each of the three shields:

Cloud services should be enabled for the best protection:

For those users of the “Plus” versions using the Microsoft Outlook mail client, here are the most aggressive settings for the avast! anti-spam filter:


How to virtualize Flash Player in avast! Endpoint Protection versions


CryptoWall FireWalled – Spiceworks

CryptoWall attempted to call home over various ports such as FTP (21), SSH (22), SMTP (25), and POP3 (110). The observed destinations (addresses not preserved here) were on ports 22, 110, 21, 110, 25, 21, 21, 110, 22 and 21.
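That Spiceworks observation translates directly into a detection check. As an added example (not from that post), here is a reader for the Windows Firewall log that reports outbound attempts from internal hosts to those four ports, run against constructed sample lines (the destination addresses are RFC 5737 documentation ranges, not real command-and-control), plus a rule to block that egress on Windows 8/Server 2012 and later:

```powershell
# Added example, not from the Spiceworks post: parse Windows Firewall log lines
# (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, W3C format) and report
# outbound connection attempts to the ports CryptoWall was seen calling home on.
# The log below is CONSTRUCTED sample data; destinations are documentation addresses.
$SuspectPorts = 21, 22, 25, 110

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-10-21 08:02:11 ALLOW TCP 192.168.10.57 192.168.10.5 49200 445 0 - 0 0 0 - - - SEND
2014-10-21 08:02:13 DROP TCP 192.168.10.57 198.51.100.23 49201 22 52 S 3189121 0 8192 - - - SEND
2014-10-21 08:02:14 DROP TCP 192.168.10.57 198.51.100.23 49202 110 52 S 3189122 0 8192 - - - SEND
2014-10-21 08:02:15 DROP TCP 192.168.10.57 203.0.113.9 49203 21 52 S 3189123 0 8192 - - - SEND
2014-10-21 08:02:20 ALLOW TCP 192.168.10.12 203.0.113.80 49300 443 0 - 0 0 0 - - - SEND
2014-10-21 08:03:01 DROP TCP 203.0.113.200 192.168.10.12 4444 22 52 S 99811 0 8192 - - - RECEIVE
2014-10-21 08:03:05 DROP TCP 192.168.10.57 198.51.100.40 49204 25 52 S 3189124 0 8192 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Field order comes from the "#Fields:" header line, so the parser is not
    # hard-coded to one Windows version's layout.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split '\s+'
        if (-not $fields -or $parts.Count -lt $fields.Count) { continue }
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $parts[$i] }
        [pscustomobject]$obj
    }
}

function Find-SuspiciousEgress {
    # Outbound (path=SEND) TCP attempts to the suspect ports, one row per source host.
    # Inbound RECEIVE entries are ignored: scans from outside are not the call-home signal.
    param([string[]]$Lines, [int[]]$Ports = $SuspectPorts)
    ConvertFrom-FirewallLog -Lines $Lines |
        Where-Object { $_.path -eq 'SEND' -and $_.protocol -eq 'TCP' -and ([int]$_.'dst-port') -in $Ports } |
        Group-Object 'src-ip' |
        ForEach-Object {
            [pscustomobject]@{
                SourceHost   = $_.Name
                Attempts     = $_.Count
                Destinations = (@($_.Group | ForEach-Object { "$($_.'dst-ip'):$($_.'dst-port')" } | Sort-Object -Unique)) -join ', '
                FirstSeen    = @($_.Group | ForEach-Object { "$($_.date) $($_.time)" } | Sort-Object)[0]
            }
        }
}

function New-WorkstationEgressBlock {
    # Windows 8 / Server 2012 and later. Blocks the call-home ports outbound on
    # workstations that have no business talking FTP/SSH/SMTP/POP3 to the Internet.
    # If clients legitimately use 25/110 to a mail server, add -RemoteAddress for it
    # to a higher-priority allow rule rather than dropping the ports from this list.
    param([int[]]$Ports = $SuspectPorts)
    New-NetFirewallRule -DisplayName 'Block CryptoWall call-home ports' -Direction Outbound `
        -Protocol TCP -RemotePort ($Ports | ForEach-Object { "$_" }) -Action Block -Profile Domain, Private
}

# Run against the constructed sample (use Get-Content on the real log instead):
Find-SuspiciousEgress -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Against the sample the report contains a single row, 192.168.10.57 with four attempts to 198.51.100.23:22, 198.51.100.23:110, 198.51.100.40:25 and 203.0.113.9:21, which is the pattern to act on: one workstation, several unrelated external hosts, all on service ports a workstation never uses. Logging of dropped packets has to be turned on in the firewall profile for the log to exist, and on a perimeter firewall the same check is a query for internal sources hitting those destination ports.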


J.R.  Guthrie
Advantage Micro Corporation, Tucson


“At this point in time, the Internet should be regarded as an Enemy Weapons System!”

