CrypVault is ransomware that infects computers via email attachments. In this post, I explain how you can block CrypVault through Group Policy.

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

Ransomware is malware that restricts access to a computer or its data and demands a ransom to lift the restriction. One variant called CrypVault does not bring its own crypto; it uses the free GnuPG tool (gpg.exe) to encrypt your files. Typically, the malware drops gpg.exe and a library file it depends on into the user's %temp% folder.

The malware then runs GnuPG, which generates an RSA-1024 key pair and encrypts every file the user can write to. (GnuPG encrypts each file with a fresh symmetric session key and wraps that key with the RSA public key, so only the holder of the private key, that is, the attacker, can recover the files.) It targets known document types such as Microsoft Office files, *.zip, *.pdf, *.mdb and *.jpg, including those on file shares the user has access to.

The encrypted files are renamed to *.vault, and ransom notes with payment instructions are dropped on the Desktop and on the file shares. Because the whole scheme depends on gpg.exe actually running, you can stop the encryption by blocking the GnuPG executables with a Software Restriction Policy in a Group Policy Object (GPO).

First, create a GPO and browse to User Configuration/Policies/Windows Settings/Security Settings/Software Restriction Policies. Right-click Software Restriction Policies and click New Software Restriction Policies. The same node exists under Computer Configuration; a computer-side policy applies to every account that logs on to the targeted machines, whereas a user-side policy follows the targeted users, so pick the scope that matches how you want to roll it out.

New Software Restriction Policies

You should now see this path: User Configuration/Policies/Windows Settings/Security Settings/Software Restriction Policies/Additional Rules. In Additional Rules, create a new Path Rule for the GnuPG executable names and a new Hash Rule for each known gpg.exe build, all with the security level Disallowed.

New Hash Rule and New Path Rule

You can get the GnuPG installation packages from the Gpg4win download page and use the gpg.exe files they contain to add the hash rules.

If you don't have the time for this, you can download my GPO, which includes the path rules and the hashes of all gpg.exe builds up to version 2.3.0. To import it, create a new GPO, right-click it, select Import Settings, and follow the wizard.

To get the exe files out of the installation packages, either install them and copy gpg.exe from the installation folder, or simply extract the packages with an archive tool such as 7-Zip.

Extracting the EXE files
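Hashing every extracted gpg.exe by hand gets tedious, so here is how I would build the hash inventory with PowerShell and, at the same time, check the point that a renamed copy is still identified by its hash. This is an added example, not code from the original post or from the GPO download mentioned above. It assumes the Gpg4win packages were extracted to one subfolder per version under C:\SRP\gpg4win; that folder, the CSV path and the function name Test-KnownGpg are my own choices, and Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example, not code from the 4sysops post. Assumption: the Gpg4win
# packages were extracted with 7-Zip to C:\SRP\gpg4win\<version>\..., so the
# version can be read from the first folder level below the root.
# Get-FileHash requires PowerShell 4.0 or later.

$ExtractRoot = 'C:\SRP\gpg4win'          # assumed location of the extracted packages
$Inventory   = 'C:\SRP\gpg-hashes.csv'   # assumed output path for the hash list

# Collect every gpg.exe / gpg2.exe below the root, whatever subfolder it sits in.
$binaries = Get-ChildItem -Path $ExtractRoot -Recurse -File |
    Where-Object { $_.Name -in @('gpg.exe', 'gpg2.exe') }

# One row per binary. An SRP hash rule matches on file contents and size, never
# on the file name, so this table covers any name the malware renames gpg.exe to.
$inventory = foreach ($file in $binaries) {
    $version = $file.FullName.Substring($ExtractRoot.Length).TrimStart('\').Split('\')[0]
    [pscustomobject]@{
        Version = $version
        Name    = $file.Name
        Size    = $file.Length
        MD5     = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash
        SHA256  = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}
$inventory | Sort-Object Version, Name | Export-Csv -Path $Inventory -NoTypeInformation
$inventory | Format-Table -AutoSize

# Looks a file up in the inventory by content hash; the file name is deliberately ignored.
function Test-KnownGpg {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [object[]] $Known
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $Known | Where-Object { $_.SHA256 -eq $hash }
}

# Reproduce what CrypVault does: drop a GnuPG binary into %temp% under another name.
# A path rule written for gpg.exe never sees this file; a hash rule still does.
$sample  = $binaries | Select-Object -First 1
$renamed = Join-Path $env:TEMP 'svhost.exe'
Copy-Item -Path $sample.FullName -Destination $renamed -Force

$hit = Test-KnownGpg -Path $renamed -Known $inventory
if ($hit) {
    "svhost.exe in %temp% is GnuPG (version $(($hit.Version | Select-Object -Unique) -join ', ')); a hash rule blocks it, a path rule on gpg.exe does not."
} else {
    "svhost.exe in %temp% matches no known build; only a path rule on *.exe in %temp% would stop it."
}
Remove-Item -Path $renamed -Force
```

The CSV gives you the size and hashes for each build, so you can add the hash rules one by one in the GPO editor or keep the list as documentation of what the policy covers. Copying the file into %temp% is harmless even with the policy already active, since SRP restricts execution, not file writes.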

The created policy should look like the screenshot below:

Group Policy to block CrypVault

Once the policy has applied, gpg.exe can no longer be executed on the targeted systems, and they are protected against this CrypVault variant for as long as the malware keeps relying on a GnuPG build your rules cover.

GnuPG is blocked
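To confirm on a client that the rules actually arrived and to see what SRP has refused to run, I use the following PowerShell. Again, this is an added example and not something from the post. It reads the rule store Windows keeps under Software\Policies\Microsoft\Windows\Safer (HKCU for a User Configuration GPO, HKLM for a Computer Configuration GPO), lists recent block events from the Application log, and finally tries to start a gpg.exe that you copied into %temp% by hand for the test. The event provider name is the one Event Viewer shows on Windows 7 and later; treat it as an assumption if your systems log SRP events under a different source.

```powershell
# Added example, not code from the 4sysops post.
# SRP stores its rules under ...\Safer\CodeIdentifiers\<level>\<Paths|Hashes>\<rule GUID>.
# HKCU holds rules from a User Configuration GPO, HKLM those from a Computer Configuration GPO.

$saferRoots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
# Security level values as SRP writes them to the registry.
$levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

$rules = foreach ($root in $saferRoots) {
    foreach ($level in $levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $key = Join-Path $root "$level\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $key) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules store the path as text; hash rules store the hash bytes
                # (HashAlg 32771 = MD5, 32780 = SHA-256) plus the file size in ItemSize.
                if ($kind -eq 'Paths') {
                    $rule = $p.ItemData
                    $size = $null
                } else {
                    $rule = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                    $size = $p.ItemSize
                }
                [pscustomobject]@{
                    Hive        = $root.Split(':')[0]
                    Level       = $levels[$level]
                    Type        = $kind.TrimEnd('s')
                    Rule        = $rule
                    Size        = $size
                    Description = $p.Description
                }
            }
        }
    }
}
$rules | Sort-Object Hive, Level, Type | Format-Table -AutoSize

# SRP writes one Application-log event per refused launch; the first event property
# is the path of the blocked file. Provider name as shown in Event Viewer (assumption).
$blocked = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$blocked |
    Select-Object TimeCreated, Id, @{ Name = 'BlockedFile'; Expression = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# Functional check: a GnuPG binary in %temp% must now fail to start with Win32 error
# 1260, "This program is blocked by group policy". Assumes you copied gpg.exe there yourself.
$probe = Join-Path $env:TEMP 'gpg.exe'
if (Test-Path $probe) {
    try {
        Start-Process -FilePath $probe -ArgumentList '--version' -Wait -NoNewWindow -ErrorAction Stop
        "WARNING: $probe started; the policy is not effective for this user"
    } catch {
        "OK: launch of $probe refused: $($_.Exception.Message)"
    }
}
```

If the registry section comes back empty, the GPO has not applied yet (run gpupdate /force and check the scope and link), and if the rules are there but the probe still starts, look at whether the policy is a user policy while the test ran under a different account.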

I recommend adding hash rules for all known gpg.exe builds, because path rules that block gpg.exe and gpg2.exe match only on the file name; a renamed copy runs unhindered, whereas a hash rule matches the file's contents regardless of what it is called. The reverse also holds: a hash rule covers only the exact builds you hashed, so a GnuPG version you did not add (or a recompiled binary) slips past it, which is why both rule types belong in the policy. Please test before you implement this setting, and verify that none of your users need GnuPG.

If some of your users really do need GnuPG, you can instead restrict execution of those files only in %temp%. In addition to gpg.exe and gpg2.exe, I also block svhost.exe, because some CrypVault versions rename gpg.exe to svhost.exe (not to be confused with the legitimate Windows process svchost.exe). If you block these file names by path, your policy should look like the screenshot below.

Blocking gpg.exe and svhost.exe

If you can afford to block every executable in the %temp% folder (no user runs legitimate exe files from there), a single path rule on *.exe in %temp% replaces the per-file rules. In some environments, whitelisting is also an option: set the default security level to Disallowed and add Unrestricted rules only for the executables that are allowed to run.


3 Comments
  1. Ted 1 year ago

    Wow. That's what we really need. Thank you very much.


  2. Don 1 year ago

    Is there a reason that this is a user GPO vs. a Machine side GPO? Is there anything that precludes you from making this a machine side GPO?


  3. Afsar Khan 1 year ago

    Interesting .........................

