Using Local Security Policy and Group Policy to Fight Ransomware

Posted on December 1, 2016


According to an article in Forbes Magazine dated July 15, 2016, a new crypto-ransomware application called Stampado is being sold on the dark web for $39, targeting buyers who want to make ransom money without having to write any code.  With revenues of over $18 million in 2015, ransomware continues to be the fastest growing type of malware in the world today.  And now that just about any amateur can acquire ransomware as a service, there seems to be no end to this menace, which infects more devices and networks every day.

Ransomware primarily relies on social engineering tricks to propagate, such as email attachments containing malicious files and covert or maliciously forged documents with embedded scripts.  It also uses malicious URLs that point to vulnerable and compromised sites.  Web surfing and downloading software from unknown publishers are also likely causes of infection.  For these reasons, it is imperative today to integrate advanced spam and web filtering into your network.

This is why ransomware continues to be such a hot topic in technical blog posts and articles.  In previous blogs we have highlighted the comforting thought that ransomware’s incursion is limited to local volumes and mapped drives, so an up-to-date backup will prevent you from losing all of your data no matter what technical breakdown may occur in your security perimeter.  We’ve also discussed the importance of integrating a web filtering solution within your network to prevent users from connecting to anonymous sites or known malware launching pads.

It is actually fairly simple to prevent current strains of ransomware from establishing a foothold on network devices, because the current strains target the same specific folders, such as the AppData and Temp folders.  It is within these folders that the malevolent app takes root.

Those familiar with Windows Group Policy may have used software restriction policies (SRP) to target designated executables, such as the local proxy applications that K12 students use at school to skirt around the system’s web filter.  You can use software restriction policies in the same way to prevent unauthorized executables from being launched from these folders.

You can make an SRP and then configure a rule set for all executables within the two folders mentioned above, as well as any subfolders they contain.  If you are using Group Policy, make a GPO on the computer side and select Software Restriction Policies.  If your computer isn’t domain joined, you can still implement SRP on any Professional edition of Windows 10, 8 and 7 through Local Security Policy.  You can specify files for SRP in a number of ways, such as by their hash, but in this case configuring a path rule is the most effective.  Once you create the policy, make a rule using “New Path Rule” for the folders as shown below.

%AppData%\*.exe Disallowed
%AppData%\*\*.exe Disallowed
%TEMP%\*.exe Disallowed
%TEMP%\*\*.exe Disallowed
%TMP%\*.exe Disallowed


Keep in mind that this blanket strategy of disallowing executable files within these folders will also prevent any legitimate applications installed there from running.  Though few applications fall into this category, you can easily make rules for legitimate executable files the same way, but assign their security level to “Allow.”
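The procedure above, as an added example that is not part of the original post: a PowerShell script that creates the same five Disallowed path rules plus one "Allow" exception in the local Software Restriction Policy by writing the registry keys that Local Security Policy itself stores them in, then lists what is in effect. It assumes an elevated prompt on a supported Windows client and uses the standard Safer key layout; the ExampleVendor exception path is a hypothetical placeholder.

```powershell
# Added example (not from the original post): create SRP path rules without the secpol.msc GUI
# by writing the registry keys Local Security Policy stores them in. Assumptions: elevated prompt,
# standard Safer key layout, and "ExampleVendor" as a hypothetical exception path.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelKey  = @{ Disallowed = 0; Unrestricted = 262144 }   # SRP security-level subkey names

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed','Unrestricted')][string]$Level = 'Disallowed',
        [string]$Description = 'Ransomware hardening: user-writable folder rule'
    )
    $paths = "$saferRoot\$($levelKey[$Level])\Paths"
    if (-not (Test-Path $paths)) { New-Item -Path $paths -Force | Out-Null }
    # Idempotent: reuse an existing rule with the same ItemData instead of adding a duplicate
    $existing = Get-ChildItem $paths | Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Path }
    if ($existing) { return $existing.PSPath }
    $key = New-Item -Path "$paths\{$([guid]::NewGuid())}" -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    return $key.PSPath
}

# Enable SRP with the default level Unrestricted (only the rules below block anything),
# applied to all users (PolicyScope 0) and to all software files except DLLs (TransparentEnabled 1)
if (-not (Test-Path $saferRoot)) { New-Item -Path $saferRoot -Force | Out-Null }
Set-ItemProperty -Path $saferRoot -Name DefaultLevel       -Value 262144 -Type DWord
Set-ItemProperty -Path $saferRoot -Name TransparentEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $saferRoot -Name PolicyScope        -Value 0      -Type DWord

# The five Disallowed rules from the post
foreach ($p in '%AppData%\*.exe', '%AppData%\*\*.exe', '%TEMP%\*.exe', '%TEMP%\*\*.exe', '%TMP%\*.exe') {
    Add-SrpPathRule -Path $p -Level Disallowed | Out-Null
}

# Exception for a legitimate program that lives under AppData (hypothetical path): SRP applies
# the most specific matching rule, so this Unrestricted rule wins over the wildcard rule above
Add-SrpPathRule -Path '%AppData%\ExampleVendor\updater.exe' -Level Unrestricted -Description 'Allowed updater' | Out-Null

# Audit: list every rule now stored, with its level, so the result can be verified
$levelKey.GetEnumerator() | ForEach-Object {
    $lvl = $_.Key
    Get-ChildItem "$saferRoot\$($_.Value)\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Level = $lvl; Rule = (Get-ItemProperty $_.PSPath).ItemData; Key = $_.PSChildName }
    }
} | Format-Table -AutoSize
```

New rules are read at the next policy refresh or logon, so log off and back on before testing, and try it on a single machine before rolling the same rules out through a GPO.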

AppLocker is an even better alternative to SRP, but it is only available on certain client operating systems, such as Windows 7 Ultimate and Enterprise, Windows 8 Enterprise, and the Windows 10 Enterprise and Education editions.  AppLocker makes it easier to whitelist applications and then simply deny all others.  You can also allow only executables that are signed by a specified publisher.

There are additional steps you can take to harden your devices against this malware threat.  For starters, ensure that your users are running the most secure and up-to-date browser, one that can scan file downloads for malware and will block reported attack sites.  You can even disable the ability to download files altogether within the browser settings.

Ransomware is a malicious form of malware that can wreak havoc on your organization.  The old adage that an ounce of prevention is worth a pound of cure applies to the protection of your enterprise as well.  There is no impregnable defense against ransomware, but network filtering combined with local device measures can provide lasting protection against its disruptive force.