We are still having incidents where Cryptolocker is getting through to our KES clients and putting us at great risk. When will this be dealt with?
The latest official version of AVG doesn't appear to have this problem:
Anthony Vincent Green: AVG is protecting you against all known variants of this threat. We recommend updating your operating system as well as other apps including AVG regularly to make sure you have the highest level of protection. Thanks, Anthony, AVG Customer Care
We've seen a lot of success with the Hitman Pro product cryptoguard: www.surfright.nl/.../cryptoguard
Also, wherever possible, set up your networks to only accept DNS from trusted servers. Cryptolocker relies on its own DNS servers.
I second this. Our organisation is constantly under threat of this ransomware and AVG seems powerless to detect it when distributing it via KES.
In this case, AVG may not be the problem. Unfortunately, I have spent a decent amount of time looking into Cryptolocker prevention recently.
I have checked the support forums of many different AV products, and folks are having trouble with it everywhere. The problem seems to be keeping up with the variants. I am not sure if there are more frequent variants of Cryptolocker released, or the impact of infections is so large, but it doesn't seem like anyone has a bullet proof AV solution.
The best solution seems to be locking down the folder it runs from, but that breaks a lot of legitimate apps and you have to spend time correcting that.
There are some traffic filtering services that promise to block the traffic so that even if you get infected, your files shouldn't be encrypted. I am just starting to look into that option, so I am not sure how reliable it is.
In my personal experience, the most effective solution has been to pay the ransom after the infection. I hate doing it, but it does seem to work.
We have ~600 endpoints behind OpenDNS. So far, no infections.
Have you gotten any infections that were reported by AV, but didn't encrypt because OpenDNS blocked the traffic?
I don't have an answer to that. I'll check.
I don't see anything that shows AV detected CryptoLocker.
All I had time to check was the KAV report. It does list some generic Malware, etc., but I don't know if those categories cover CryptoLocker.
"In my personal experience, the most effective solution has been to pay the ransom after the infection. I hate doing it, but it does seem to work."
After a computer's been encrypted, there's nothing else you can do if you don't have backups.
Ah, I see the confusion, I meant to say after it's been infected.
Although, depending on how many infections you get, $300 once every few months might be a lot less than the expense and time of implementing additional layers of prevention just for CryptoLocker. I use a non-Kaseya AV solution. I have seen about 5 infections out of several thousand computers in the last few months. Maybe 2 didn't have backups. At that rate, paying the "extortion" after the fact may be less than buying and implementing additional solutions prior.
What are you using these days as an AV management solution?
My clients use multiple AV solutions, but primarily they use KAV and KES. We had two bad cases of CryptoLocker, a non-critical (terminal server) outbreak and a new variant CryptoDefender (that machine didn't have AV).
I have hard-coded items in group policy for about 70 clients that prevent workstations from executing applications from the affected locations. It was a pain in the butt to set up, but it seems to have worked. The largest type of application is updaters: Java updater, Firefox updater, and the like. I have the following software restriction policies in the "User Configuration" section of group policy:
%AppData%\*.exe - Restricted
%AppData%\*\*.exe - Restricted
%AppData%\join.me\join.me.exe - Unrestricted
%AppData%\Local\Foxit Updater.exe - Unrestricted
%AppData%\Local\Google\Update\GoogleUpdate.exe - Unrestricted
%AppData%\Local\Temp\ose00000.exe - Unrestricted
%AppData%\Microsoft Firefox\firefox.exe - Unrestricted
%AppData%\Spotify\Spotify.exe - Unrestricted
%AppData%\Spotify\SpotifyLauncher.exe - Unrestricted
%AppData%\Temp\jre-*.exe - Unrestricted
%localAppData%\*.exe - Restricted
%localAppData%\*\*.exe - Restricted
%Temp%\7z*\*.exe - Restricted
%Temp%\Rar*\*.exe - Restricted
%Temp%\wz*\*.exe - Restricted
Exceptions are very easy to hard-code because Event Viewer will give you the executable location, so all you have to do is add it in as unrestricted. It's also helpful to remove Domain/Enterprise administrators from the scope of this GPO.
Anyone use this: www.foolishit.com/.../cryptoprevent
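As an added example (not from the thread or the poster's GPO), here is a small Python model of how a rule set like the one above resolves for a given executable path, so you can check which paths a new exception actually opens up before pushing the GPO. It assumes SRP's "most specific path rule wins" precedence, approximated as the rule with the most literal characters, that `*` matches within a single path component, and constructed values for %AppData%, %localAppData% and %Temp%.

```python
# Added example: evaluate SRP-style path rules against candidate paths.
# Assumptions: most-specific-rule-wins precedence (measured as the number
# of literal, non-wildcard characters), '*' matches within one path
# component, and the environment values below are constructed.
import re

# Constructed environment values for the variables the rules reference.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# A subset of the (pattern, level) pairs from the post above.
RULES = [
    (r"%AppData%\*.exe", "Restricted"),
    (r"%AppData%\*\*.exe", "Restricted"),
    (r"%AppData%\join.me\join.me.exe", "Unrestricted"),
    (r"%AppData%\Spotify\Spotify.exe", "Unrestricted"),
    (r"%AppData%\Temp\jre-*.exe", "Unrestricted"),
    (r"%localAppData%\*.exe", "Restricted"),
    (r"%localAppData%\*\*.exe", "Restricted"),
    (r"%Temp%\7z*\*.exe", "Restricted"),
]

def expand(pattern):
    """Replace %VAR% tokens (case-insensitive) with the constructed values."""
    return re.sub(r"%([^%]+)%", lambda m: ENV[m.group(1).upper()], pattern)

def to_regex(pattern):
    """Compile an SRP-style path pattern; '*' stays inside one component."""
    escaped = re.escape(expand(pattern))
    return re.compile("^" + escaped.replace(r"\*", r"[^\\]*") + "$", re.IGNORECASE)

def evaluate(path):
    """Return (level, rule) for the most specific matching rule, or the
    default ('Unrestricted', None) when no rule covers the path."""
    best = None
    for pattern, level in RULES:
        if to_regex(pattern).match(path):
            specificity = len(expand(pattern).replace("*", ""))
            if best is None or specificity > best[0]:
                best = (specificity, level, pattern)
    return (best[1], best[2]) if best else ("Unrestricted", None)

if __name__ == "__main__":
    for p in (r"C:\Users\alice\AppData\Roaming\dropper.exe",
              r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe",
              r"C:\Users\alice\AppData\Local\Temp\7zO1a2b\setup.exe"):
        print(p, "->", evaluate(p))
```

Note that the explicit Unrestricted entries only win because they are more specific than the broad `%AppData%\*\*.exe` rule, which is why each exception has to name the full executable path rather than a wildcard.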
Might save some time, if it works.
I used the FoolishIT kit on a few non-domain PCs and it works. That being said, there isn't the ability to roll it out to domain computers. FoolishIT makes reference and hyperlinks to the Cryptolocker Prevention Kit. That's the kit I built the exceptions I am using from. There is (maybe was) a desktop shortcut in that to a 3rd party blog, so make sure to cut that out of your GPO prior to implementation.
Nice find Norman! I think that's the best suggestion so far, I've tested it on several machines with success :)
Shame there isn't a silent install switch for it...