Ransomware is a common and recurring theme in many businesses. No particular industry is safe, at least according to the malware statistics published by Symantec and Kaspersky, along with other anti-virus vendors.
Worse yet, combating these threats often seems a painful process. In many companies the effort ultimately relies upon backups and up-to-date anti-virus tools which, hopefully, do not miss a new strain.
So, what does an IT Team do, proactively?
Since 2017 Microsoft has provided an interesting feature named “AppLocker” for Windows 7, 8, and 10 (along with comparable server versions).
Windows Enterprise is, sadly, required to use AppLocker, but it is well worth the cost.
By enforcing AppLocker through Group-Policy (GPO), you can set a custom whitelist which blocks non-approved executable and MSI files from running.
As in, period. Nothing. Nada.
If a user gets malware, anti-virus may detect it but the malicious code itself simply won’t execute at all.
I have seen how useful this is myself on multiple occasions, where some users had even infected themselves with ransomware, and yet, thankfully, the file failed to run.
AppLocker is what you make of it.
If the company is big, there is little excuse not to use AppLocker, since Enterprise should already be installed.
This tool (free if you already run Windows Enterprise) works in any situation where an attacker is not specifically trying to bypass it by fitting one of your existing whitelist criteria.
Over the years I’ve seen dozens of ransomware files get onto a user’s computer and then fail to run, saving an IT team countless hours of recovery time.
An IT team should of course still treat the computer as infected, take the unit off the network, and either provide the user a new computer or confirm all traces of infection are removed (choose your path depending on severity).
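Knowing which machines to pull off the network starts with the blocks AppLocker has already logged. The script below is an added example, not part of the original post: it reads the two AppLocker event logs on a host where enforcement is on (event 8004 is an EXE/DLL block, 8007 an MSI/script block; audit-only mode logs 8003/8006 instead), resolves the blocked user's SID, and flags blocks that came from a user-writable folder. The seven-day window, the folder pattern and the Convert-SidToName helper are my own choices.

```powershell
# Added example (not from the original post): summarise AppLocker enforced-block
# events so the IT team knows which machines and users to treat as infected.
# Assumes it is run on (or via Invoke-Command against) a host with AppLocker enforced.

$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

# Last 7 days of enforced blocks. Get-WinEvent throws when a log has no matching
# events, so suppress that and carry on with the next log.
$blocked = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8004, 8007; StartTime = (Get-Date).AddDays(-7) } `
                 -ErrorAction SilentlyContinue
}

function Convert-SidToName([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolvable (deleted account, foreign domain): keep the raw SID
}

# AppLocker records paths with its own variables and in upper case, e.g.
# %OSDRIVE%\USERS\JDOE\DOWNLOADS\INVOICE.EXE; -match is case-insensitive by default.
# A block from one of these folders is the "user launched a download" case.
$userWritable = '\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\'

$rows = foreach ($e in $blocked) {
    # The useful fields live in UserData/RuleAndFileData, not in the message text.
    [xml]$x = $e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Computer   = $e.MachineName
        User       = Convert-SidToName $d.TargetUser
        File       = $d.FilePath
        Sha256     = $d.FileHash
        UserFolder = [bool]($d.FilePath -match $userWritable)
    }
}

# Full list for the ticket, then the hosts that should be isolated first.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
$rows | Where-Object UserFolder | Select-Object -ExpandProperty Computer -Unique
```

Run it across the fleet by wrapping the whole thing in Invoke-Command, or forward the two AppLocker logs to a collector and query 8004/8007 there; the point is that an enforced block is itself the indicator that a machine received something it should not have.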
Key Concepts of Setting AppLocker (Brief)
To be clear, you can limit execution to specific locations and create an install folder that would never normally exist. This prevents malware and ransomware from running unless it is deliberately moved to that predetermined, obscure location, which makes it very difficult for any program, let alone malware, to run. IT training on this helps significantly.
Ensure you DO NOT whitelist any user folders in your Group Policy.
(It defeats the purpose of having AppLocker if a temporary data, Downloads, or roaming data location can run random non-trusted files!)
Personally, I find the “path condition” most effective, combined with specific company-approved programs added by hash that are distributed solely by IT staff.
Create a “random” agreed-upon folder path that IT can run files and installers from, and don’t forget to approve the Program Files / Program Files (x86) paths.
So long as your users are not Local Administrators, whitelisting the Program Files paths is fine.
Links to Microsoft’s AppLocker Information
(example) Microsoft Directions from the above links
To create a new rule with a path condition
- Open the AppLocker console, and then click the rule collection that you want to create the rule for.
- On the Action menu, click Create New Rule.
- On the Before You Begin page, click Next.
- On the Permissions page, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.
- On the Conditions page, select the Path rule condition, and then click Next.
- Click Browse Files to locate the targeted folder for the app.
Note: When you browse to a file or folder location, the wizard automatically converts absolute file paths to use AppLocker path variables. You may edit the path after browsing to specify an absolute path, or you may type the path directly into the Path box. To learn more about AppLocker path variables, see Understanding the path rule condition in AppLocker.
- Click Next.
- (Optional) On the Exceptions page, specify conditions by which to exclude files from being affected by the rule. Click Next.
- On the Name page, either accept the automatically generated rule name or type a new rule name, and then click Create.
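The key concepts above (path conditions, hash rules for IT-distributed programs, no user folders whitelisted) and the path-rule wizard steps just listed can be done as a script with the AppLocker PowerShell cmdlets, which is easier to review and to test before enforcing. This is an added example, not the post's own or Microsoft's code. C:\ITDeploy\Approved stands in for the "random" IT-only folder and DOMAIN\standard.user for any non-admin account; both are placeholders. The Administrators rule and the %WINDIR%\Temp exception are my additions in the spirit of AppLocker's default rule set, and the probe copy of notepad.exe is constructed only to show that a path rule judges location, not the file.

```powershell
# Added example (not from the original post or Microsoft's docs): build the whitelist
# with the AppLocker cmdlets, test it against a standard user, then enforce it.
# Assumes an elevated session on Windows Enterprise and that users are not local admins.

$itFolder   = 'C:\ITDeploy\Approved'            # placeholder: the agreed-upon IT install folder
$testUser   = 'DOMAIN\standard.user'            # placeholder: any non-admin account
$policyFile = "$env:TEMP\applocker-policy.xml"
$Enforce    = $false                            # flip to $true once the test output looks right

# 1. Path rules. %PROGRAMFILES% covers both "Program Files" and "Program Files (x86)";
#    %WINDIR% is needed for Windows itself to run. No rule points at any user folder.
#    Rule Ids must be GUIDs, so they are generated inline. S-1-1-0 is Everyone,
#    S-1-5-32-544 is BUILTIN\Administrators.
$pathXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow IT deploy folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$itFolder\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow IT deploy MSIs" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$itFolder\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all MSIs" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# 2. Hash rules for the company-approved programs IT hands out, generated from the
#    files actually present in the IT folder (New-AppLockerPolicy fails on an empty set).
$fileInfo = Get-AppLockerFileInformation -Directory $itFolder -Recurse -FileType Exe, WindowsInstaller
$hashXml  = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash -User Everyone `
                                -RuleNamePrefix 'IT-Approved' -Optimize -Xml

# 3. Merge the generated hash rules into the hand-written path policy, collection by collection.
[xml]$policy  = $pathXml
[xml]$hashDoc = $hashXml
foreach ($coll in $hashDoc.AppLockerPolicy.RuleCollection) {
    $target = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq $coll.Type }
    if (-not $target) { continue }              # e.g. a Dll collection we did not define
    foreach ($rule in $coll.ChildNodes) {
        [void]$target.AppendChild($policy.ImportNode($rule, $true))
    }
}
$policy.Save($policyFile)

# 4. Prove the path logic before enforcing: the same binary is allowed from %WINDIR%
#    but denied once copied into Downloads. Testing as a standard user keeps the
#    Administrators rule from masking the result.
$probe = "$env:USERPROFILE\Downloads\applocker-probe.exe"   # constructed probe file
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyFile -User $testUser -Path "$env:WINDIR\System32\notepad.exe", $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe -Force

# 5. Apply. -Merge keeps rules already on the box; omit it to replace them. For a domain,
#    target the GPO with -Ldap instead of the local policy. Enforcement also needs the
#    Application Identity service running (sc.exe config appidsvc start= auto).
if ($Enforce) {
    Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
    sc.exe config appidsvc start= auto
    sc.exe start appidsvc
}
```

Expected test output is Allowed for notepad.exe under %WINDIR% (matching "Allow Windows") and DeniedByDefault for the identical file in Downloads, which is the whole argument of the post in two lines: a path rule does not care what the file is, only where it sits, so keeping user folders out of the whitelist is what stops the downloaded ransomware. Re-run step 2 whenever IT adds a program to the folder so its hash rule gets regenerated.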