Tuesday, March 15, 2016

Protect your systems against Ransomware / CrypVault using GPO

Hi guys,
In this post I will show you how to block the gpg.exe that is used by Ransomware named CrypVault for file encryption.

Create a GPO (I will attach my GPO so you can import the settings!)
User Configuration/Policies/Windows Settings/Software Restriction Policies/Additional Rules
Create Path and Hash Rules for the known gpg.exe Versions.

The virus will not able to execute the tool anymore.

I would recommend to add all gpg.exe hashes to the Policy, because the exclusion of gpg.exe and gpg2.exe will not apply if the EXE will be renamed!

The attached GPO including the paths and all Hashes of gpg.exe up to version 2.3.0.

You can import this GPO by creating a new GPO, right-click it and Select Import Settings. Follow the wizard to import the settings.

Please test before you implement this setting and also verify that this tool is not used by your users.

If your users are using the gpg.exe, you can only restrict the execution to %temp%, because the virus will copy the gpg.exe to this location the most time...

No comments:

Post a Comment