Protecting Against Crypto Malware

The newest threat to computer security is referred to as “crypto malware”. Some of the prevalent variants are named Cryptolocker, Teslacrypt, and Locky. Crypto malware, which is a form of ransomware, goes through your network and encrypts everything of value, then presents the user with a ransom demand to get the files back. A new way it is being distributed is via JavaScript files (.js) attached to email. It’s recommended that you block emails with .js attachments at the spam-filtering level, but if your email filtering doesn’t allow granular blocking like that (in which case you should re-evaluate your spam solution, but I digress…), you can also do the following to protect yourself. Even if you can block at the email gateway, these files can be downloaded from the web too, so blocking them on the workstations themselves is ideal. Here’s a screenshot of JS malware blocked at our spam filter from the past few days:



Windows has a feature called Software Restriction Policies, which is application control that can be configured as either a blacklist or a whitelist. Application whitelisting is the recommended approach, but even if you’re not prepared to go that far yet, you can still use the blacklisting mode to block JavaScript files from executing on your workstations. To start, create a new Group Policy Object. Open it up and go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies.




Right-click on Software Restriction Policies and choose “New Software Restriction Policy”.  You’ll now have a few more subfolders.  Right-click “Additional Rules” and select “New Path Rule”.




Configure the Path Rule as shown below. This will block all .js files from executing on the machine. Note: this doesn’t cover JavaScript running inside the web browser, which, while not immune to, say, a zero-day, is much less of a risk than executing a script directly on the machine.




Click “OK”, then make sure to link the GPO to an OU that contains the computer accounts you wish to protect. Alternatively, you can link it at the root of your domain to configure every machine in the environment.
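Once the policy has refreshed on a workstation, it is worth confirming that the rule actually landed. The following PowerShell audit is an added example, not part of the original post: it reads the SRP rules the GPO wrote to the registry and checks for a Disallowed rule on *.js. It assumes the SRP registry layout under CodeIdentifiers (one subkey per security level, each with a Paths subkey holding a GUID-named key per rule) and the default designated file types list, which includes JS.

```powershell
# Added example (not from the original post): audit a workstation for the "*.js"
# Disallowed path rule created by the GPO above.
# Assumed SRP layout: CodeIdentifiers\<level>\Paths\{GUID} with ItemData = the path,
# where <level> is 0 (Disallowed), 131072 (Basic User) or 262144 (Unrestricted).
$srpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRule {
    # Enumerate every path rule applied to this machine, at every security level.
    if (-not (Test-Path $srpRoot)) {
        Write-Warning 'No Software Restriction Policy is applied to this machine.'
        return @()
    }
    foreach ($level in $levelNames.Keys) {
        $paths = Join-Path $srpRoot "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem $paths | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$level]
                Path        = $rule.ItemData
                Description = $rule.Description
                RuleId      = $_.PSChildName
            }
        }
    }
}

function Test-JsBlocked {
    # A "*.js" path rule only has effect if JS is in SRP's designated file types
    # (ExecutableTypes). It is there by default, but an admin may have removed it.
    $rules = @(Get-SrpPathRule)
    $types = (Get-ItemProperty $srpRoot -ErrorAction SilentlyContinue).ExecutableTypes
    $jsDesignated = $types -contains 'JS'
    $jsRule = $rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -like '*.js' }
    [pscustomobject]@{
        JsDesignatedType = $jsDesignated
        JsDisallowedRule = [bool]$jsRule
        Effective        = ($jsDesignated -and [bool]$jsRule)
    }
}

Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
Test-JsBlocked
```

Run it in an elevated prompt after `gpupdate /force`; `Effective` should be True on a machine in the linked OU and False on one outside it.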


Software Restriction Policies are great for blacklisting malware from running in common locations. An example would be to create new Path Rules to block “%TEMP%\*.exe” and “%TEMP%\*\*.exe”, or even “%USERPROFILE%\*.exe” and “%USERPROFILE%\*\*.exe”, as well as whatever other file extensions you think are appropriate. Be careful, though: unless you know with 100% certainty that no legitimate programs need to run from the TEMP or USERPROFILE folders, you may unknowingly block something needed, which causes the usual panic among end users.