[UPDATE] How to prevent gpg.exe (crypto ransomware executable) from executing on users' machines. Add this GPO to the organizational units that need it.
Over the last couple of years we have heard about organizations attacked by crypto ransomware. Earlier this year we heard about a hospital that was attacked and paid the ransom. Yesterday we found that this effort has been stepped up: popular websites are becoming carriers of crypto ransomware via advertisements.
The original method of attack was via e-mail. If the recipient clicked the link, the ransomware would attack both the computer and any file servers that computer and user had access to. Stopping these threats before they reach end users is becoming increasingly difficult.
The attackers know that it only takes one user clicking that link to effectively render an entire file server useless, depending on the rights the employee has on the server. Every file and folder that user has access to, the ransomware can now encrypt.
The latest reports show that e-mail wasn't good enough for them. They are now using advertising links on popular websites to inject their malicious code; this is called malvertising. Since advertising sits in places that see high volumes of activity, this can affect many users and computers in a short period of time.
There are a few ways to reduce the risk to you and your organization. First, reduce the number of ad clicks; I realize this is much harder to prevent, but reducing or eliminating clicking on advertisements is highly recommended. Second, increase the frequency of your backups. This would not prevent an attack from occurring, but it could reduce its severity. The last piece of advice, and the hardest to implement, is to reduce the rights users have on file servers. This isn't an easy task by any means, but perhaps now is the best time to have a review.
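The post's title refers to a GPO that blocks gpg.exe, but the post itself does not reproduce it. The following is an added example, not the author's GPO: it builds an AppLocker executable deny rule for gpg.exe under user-writable profile paths, checks the rule with Test-AppLockerPolicy before deployment, and optionally merges it into a GPO. It assumes the AppLocker PowerShell module is available and uses a placeholder LDAP path for the GPO; the domain, server and GUID are not from the post.

```powershell
# Added example (not the GPO from the post, which the post does not reproduce): an AppLocker
# executable deny rule for gpg.exe under user-writable profile paths, a check of the rule
# with Test-AppLockerPolicy, and an optional merge into a GPO.
# Assumptions: the AppLocker module is present (Windows 8 / Server 2012 or later, RSAT on
# workstations), and the "Application Identity" service runs on the targets. $GpoLdapPath
# is a PLACEHOLDER; replace it with the LDAP path of your own GPO before deploying.

$GpoLdapPath = 'LDAP://DC01.example.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=com'
$PolicyPath  = Join-Path $env:TEMP 'deny-gpg.xml'

# Path condition: %OSDRIVE%\Users\<any user>\AppData\<anything>\gpg.exe. The '*' is assumed
# to span sub-directories (Roaming, Local\Temp, ...); the test below verifies that.
$ruleId = [guid]::NewGuid().ToString()
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$ruleId" Name="Deny gpg.exe in user profiles"
                  Description="Ransomware dropper mitigation" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*\gpg.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $PolicyPath -Encoding UTF8

# Check: an empty placeholder file named gpg.exe in the current user's roaming profile
# (constructed here, removed afterwards) must come back as Denied.
$probeDir  = Join-Path $env:APPDATA 'applocker-probe'
$probePath = Join-Path $probeDir 'gpg.exe'
New-Item -ItemType Directory -Path $probeDir -Force | Out-Null
New-Item -ItemType File -Path $probePath -Force | Out-Null
try {
    $result = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probePath -User Everyone
    if ($result.PolicyDecision -ne 'Denied') {
        throw "Rule did not match $probePath (decision: $($result.PolicyDecision)); fix the path condition."
    }
} finally {
    Remove-Item -Path $probeDir -Recurse -Force
}

# Deploy: -Merge adds this rule to the GPO's existing AppLocker rules. The GPO must already
# contain the default allow rules for the Exe collection: once a collection holds any rule,
# AppLocker denies everything not explicitly allowed. Keep the collection in AuditOnly
# (event ID 8003 in the "AppLocker/EXE and DLL" log) until the review is clean, then
# change EnforcementMode to Enabled.
if ($GpoLdapPath -notlike '*PLACEHOLDER*') {
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Ldap $GpoLdapPath -Merge
}
```

A path rule keyed on a file name is a narrow stopgap: a dropper written under a different name is not matched, so treat it as a complement to an allow-list policy that only permits executables from Program Files and Windows, not as a substitute for one.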