Ransomware is malware that restricts access to a computer and forces the user to pay a ransom to remove the restriction. One variant of ransomware called CrypVault uses the free GnuPG tool (gpg.exe) to encrypt your files. Normally, this tool and an associated library file will be copied to the user’s %temp% folder.
The malware next executes GnuPG, which starts the encryption process. It will generate an RSA-1024 public and private key pair used in the encryption of the files to which the user has access. It looks for specific files like Microsoft Office files, *.zip, *.pdf, *.mdb, *.jpg, and other known file types that will be saved to file shares.
The encrypted files will be renamed to *.vault, and files containing instructions to pay to decrypt the files will be placed on the Desktop and the file shares. To prevent encryption, you can block the .exe files of GnuPG by using a Group Policy Object (GPO).
First, you have to create a GPO. Browse to User Configuration/Policies/Windows Settings/Software Restriction Policies. After that, right-click Software Restriction Policies, and click on New Software Restriction Policies.
You should now see this path: User Configuration/Policies/Windows Settings/Software Restriction Policies/Additional Rules. In Additional Rules, you have to create a new Path Rule and new Hash Rules for the known gpg.exe versions.
You can get the GnuPG installation packages on the Gpg4win download page and use them to add new Hash rules.
If you don't have the time for this, you can download my GPO, including the paths and all hashes of gpg.exe up to version 2.3.0. To import this GPO, create a new GPO, right-click it, and then select Import Settings. Now you just have to follow the wizard.
To get the exe files out of the installation packages, you can install them and grab the exe files from the installation folder or just extract them with a zip tool like 7-Zip.
The created policy should look like the screenshot below:
After the policy becomes active, gpg.exe can no longer be executed, and the corresponding system should be protected against the CrypVault ransomware.
I recommend adding all gpg.exe hashes to the policy, because if you just exclude gpg.exe and gpg2.exe, renamed versions of the programs can still be executed. Please test before you implement this setting, and also verify that GnuPG is not needed by your users.
If some of your users really need GnuPG, you could restrict the execution of those files in %temp%. In addition to gpg.exe and gpg2.exe, I also block svhost.exe, because in some versions of CrypVault, the gpg.exe will be renamed to svhost.exe. If you exclude the mentioned exe files, your policy should look like the screenshot below.
If you are able to block all exe files in the %temp% folder so that no user can run exe files in this folder, you could also use *.exe instead of the mentioned method. In some scenarios, whitelisting some exe files may also be an option.
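The point made above about renamed copies (gpg.exe running as svhost.exe or under any other name) can be checked on an endpoint by comparing file hashes instead of file names. The following PowerShell is an added example, not part of the original article or the downloadable GPO; the function name `Find-GpgCopy` and the reference folder `C:\SRP\gpg-reference` are assumptions.

```powershell
# Added example: find copies of gpg.exe by hash, whatever they are named.
function Find-GpgCopy {
    param(
        # Assumption: folder holding gpg.exe/gpg2.exe builds extracted from the installers
        [string]$ReferenceDir = 'C:\SRP\gpg-reference',
        # Folder to audit; CrypVault normally copies its gpg.exe into %temp%
        [string]$ScanDir = $env:TEMP
    )

    # File names the path rules described in this article already cover
    $blockedNames = 'gpg.exe', 'gpg2.exe', 'svhost.exe'

    # Map the SHA-256 of every reference build to the path of that build.
    # SHA-256 is used here only to compare files with each other.
    $known = @{}
    Get-ChildItem -Path $ReferenceDir -Filter '*.exe' -Recurse -File | ForEach-Object {
        $known[(Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash] = $_.FullName
    }
    if ($known.Count -eq 0) { throw "No reference executables found in $ReferenceDir" }

    # Hash each executable under the scan folder and report those matching a known build
    Get-ChildItem -Path $ScanDir -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked or unreadable files return no hash; skip them
            $fh = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($fh -and $known.ContainsKey($fh.Hash)) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    MatchesBuild  = $known[$fh.Hash]
                    SHA256        = $fh.Hash
                    # False: a name-based path rule alone would not have stopped this copy
                    CoveredByName = $blockedNames -contains $_.Name
                }
            }
        }
}

Find-GpgCopy | Format-Table -AutoSize
```

Any row with `CoveredByName` set to False is a gpg.exe build running under a name the path rules miss, which is the case the hash rules are meant to catch.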