How to Block Ransomware using Policy Group Exceptions

Tips for Prevention

Unfortunately, there’s no product that’s 100 percent effective blocking ransomware.

But there are precautions you can take to lower the risk of an attack.

Here at Acumen, our president, Rob Wagnon, says the best methods for prevention are to:

  • Implement a backup system

  • Install an AV software

  • Enforce a group policy

  • Utilize patches & updates

  • Secure RDP ports

In addition to these recommendations, you should also block executables from your AppData folder by creating a Group Policy.

 In the next section, we’ll show you how to lock down your servers and workstations using Group Policy settings to minimize the risk of future attacks.

How to Create Group Policies for Vista / Win 7 / Win 8 / Win 10

  1. First, open up Group Policy and scroll down to Domain –> Computers –> SBSComputers
  2. Next, right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. After that, title this policy Prevent CryptoLocker Vista and higher and click OK
  4. Then, right click on this policy and select Edit
  5. Navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’ and then enter the following information and then click OK
    1. Path = %localAppData%*.exe
    2. Security Level = Disallowed
    3. Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    1. Path = %localAppData%**.exe
    2. Security Level = Disallowed
    3. Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. Finally, from the Prevent CryptoLocker Vista and higher policy locate WMI filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows Vista’

How to Create Group Policies for XP

  1. First, open up Group Policy and scroll down to Domain –> Computers –> SBSComputers
  2. Next, right click on SBSComputers and select ‘Create a GPO in this domain and link…’
  3. Then, title this policy Prevent CryptoLocker XP and click OK
  4. After that,  click on this policy and select Edit
  5. Next, navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  6. Then, right click on Software Restriction Policies and click on ‘New Software Restriction Policies’
  7. Right click on Additional Rules and click on ‘New Path rule’ and then enter the following information and then click OK
    1. Path = %AppData%*.exe
    2. Security Level = Disallowed
    3. Description: Don’t allow executables from AppData
  8. Repeat Step 7 for AppData subfolders
    1. Path = %AppData%**.exe
    2. Security Level = Disallowed
    3. Description: Don’t allow executables from AppData subfolders
  9. Close this policy configuration window
  10. Finally, from the Prevent CryptoLocker XP policy locate WMI filtering near the bottom of the middle frame and select ‘Windows SBS Client – Windows XP’

How to Add Exceptions

Occasionally, you might come across a program that puts .exe files in the AppData folder. In order to install the program, you’ll need to create an exception to your group policy.

  1. First, from the server, open up Group Policy Management console
  2. Next, scroll down local –> MyBusiness –> Computers –> SBSComputers

Modify the XP rule

  1. Then, right click on the Prevent CryptoLocker XPrule, and click Edit
  2. Scroll down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  3. Next, right click on Additional Rules, then click New Path rule… and create a new rule for the exception.
  4. The path rule should be written in this format:

%AppData%_________.exe

Next…

  1. In the blanks, insert the name of the program you’re installing.
  2. Then, in the description, type Allow ______ to run. In the blank, insert the name of the program you’re installing.
  3. After that, click OK

Modify the Vista and higher rule

  1. Right click on the Prevent CryptoLocker Vista and higherrule, and click Edit
  2. Drill down Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Software Restriction Policies
  3. Finally, right click on Additional Rules, then click New Path rule… and create a new rule for the exception.

You’ll need to wait about 90 minutes for Group Policy changes to be broadcasted to all workstations. But if you’re in a hurry, you can speed up the process by going through the server:

  1. First, from the server, open up an elevated command prompt and run: gpupdate /force
  2. Then from your workstation, open up an elevated command prompt and run: gpupdate /force

To find out how Acumen can help protect your Business from ransomware, contact us today. 

CryptoLocker can access your files in more ways than one. Click here to learn more about how this malicious virus can access your private business files.

Meet our Team Get a Quote Read Reviews

CONTACT US

  • Call: 314-343-1800
  • Contact

    Use red “Contact Us” button (right)

  • Chat

    Use red “We are online” button (bottom)

BUSINESS HOURS

Monday – Friday: 8am – 5pm
Saturday – Sunday: Closed
24 Hour Support Service Available

Customers Receiving Support:

Disclaimer: Acumen Consulting is an independent service provider of technical service for business networks. We have reseller partner agreements with all of the companies and brands for which we are offering service on acumenitsupport.com. All partner trademarks, registers trademarks, company names, product names, and brand names, are the property of their respective owners. We provide ONLY reseller services for the products listed.

CryptoLocker ransomware costs Businesses Millions Google Marks HTTP as “Not Secure”
Call Now