Syed Jahanzaib – Personal Blog to Share Knowledge !

December 7, 2016

Fighting with Ransomware !

Filed under: Microsoft Related, Symantec Related — Syed Jahanzaib / Pinochio~:) @ 11:22 AM


What is Ransomware 

Quite a HOT topic nowadays. Every email server administrator must be well familiarized with this malware, and they try ever harder to protect their users from the malware attack called Locky (and many other similar variants), which encrypts users' Word/Excel/etc. documents and asks for money to restore them.

Our company users got hit by this most smart malware repeatedly / several times, resulting in great loss. Luckily most users' data got recovered from tape backup. This malware, which usually comes by email, poses as some valid / legitimate payment query, & no matter how many times we provide users with education/warnings about this matter, users still open it considering it a valid email, resulting in the loss (encrypted/inaccessible) of all Word/Excel files.

We are using IBM Lotus Domino Email System along with Symantec Mail Security for Domino. With lots of R&D I am still unable to block this ransomware, which comes in .JS files hidden inside a .ZIP container. If I block .JS files inside the ZIP container, it will block legitimate PDF files as well. How frustrating! Symantec should post some simple update to fix this issue. This issue is well discussed over here.

https://www.symantec.com/connect/ideas/exceptions-file-name-rule-smsmse


Workaround ! [Use Domain Group Policy to alter the "Open With" file association for the .JS extension]

DISCLAIMER: THIS IS NOT A SOLUTION ! BUT JUST A `WORKAROUND` YOU CAN REFER TO.

THE PROPER SOLUTION WOULD BE TO USE SOME INTELLIGENT / UPDATED ANTISPAM/FILTRATION SYSTEM FOR YOUR EMAIL SYSTEM.

Since we cannot change our Symantec enterprise protection suite, as it is covered under a 3-year renewal (till 2018), after conducting a lot of R&D I finally made a workaround for our DOMAIN USERS which is working good so far.

I changed the .JS file extension OPEN WITH policy to point to NOTEPAD.
[via Group Policy]

This way, even if the user tries to open the .JS file, it will be opened by Notepad
(instead of Windows Scripting Host).

I made the changes on our domain controller running Windows 2008 R2.

  • Log in to the Domain Controller PC
  • Open Group Policy Management (or by issuing the following command)
    %SystemRoot%\system32\mmc.exe %SystemRoot%\system32\gpmc.msc
  • Edit the Default Domain Policy (or any custom policy you may have)
  • Go to User Configuration > Preferences > Control Panel Settings > Folder Options
  • Now right-click on Folder Options > New > Open With
  • Now use the values defined below as a reference to update/create the file extension association

As shown in the image below (group policy.png) …

  • Action: Update
  • File Extension: js
  • Associated Program: %windir%\system32\notepad.exe
  • Set As Default: tick it


At the client, either issue gpupdate /force, restart the client PC, or wait for the policy update.

Now try to open any .JS file and it will be opened in NOTEPAD (instead of by the Windows Scripting Host program), and thus it will do no harm to the user's computer 😀 😀 😀
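A client-side verification check, added here as an example and not part of the original post: rather than double-clicking a .js file to see what happens, it reads what the shell would actually launch for the .js extension. It assumes the standard Windows 7 / 2008 R2 registry layout, and that the GPP "Open With" item with "Set As Default" lands in the per-user UserChoice key, which is an assumption worth confirming in your own domain.

```powershell
# Added example (not from the original post): report what a .js file opens with on this client.
# Assumes standard Explorer registry locations; run in an ordinary user session after gpupdate.
$ext = '.js'

function Get-ShellOpenCommand([string]$ProgId) {
    # Resolve a ProgID (e.g. JSFile or Applications\notepad.exe) to its shell\open\command string
    if (-not $ProgId) { return $null }
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path $key) { return (Get-ItemProperty $key).'(default)' }
    return $null
}

# 1. Per-user override (assumption: this is where the GPP "Open With" default is stored)
$userChoiceKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
$userProgId = $null
if (Test-Path $userChoiceKey) {
    $userProgId = (Get-ItemProperty $userChoiceKey -ErrorAction SilentlyContinue).ProgId
}

# 2. Machine-wide default from HKEY_CLASSES_ROOT\.js (normally JSFile -> WScript.exe)
$defaultProgId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'

# The per-user choice wins over the machine-wide default when present
$effectiveProgId = if ($userProgId) { $userProgId } else { $defaultProgId }
$command = Get-ShellOpenCommand $effectiveProgId

# Cross-check with the classic command-line view, which only sees the HKCR mapping
$assoc = cmd /c "assoc $ext" 2>$null
$ftype = if ($defaultProgId) { cmd /c "ftype $defaultProgId" 2>$null } else { $null }

Write-Host "assoc/ftype (HKCR only) : $assoc / $ftype"
Write-Host "Per-user override       : $(if ($userProgId) { $userProgId } else { '<none>' })"
Write-Host "Effective open command  : $command"

if ($command -match 'wscript\.exe|cscript\.exe') {
    Write-Warning "$ext still opens with Windows Script Host; the policy has not applied yet (try gpupdate /force)."
} elseif ($command -match 'notepad\.exe') {
    Write-Host "OK: $ext opens in Notepad as intended." -ForegroundColor Green
} else {
    Write-Warning "Unexpected handler for $ext; review the GPP Folder Options > Open With item."
}
```

Note that assoc/ftype only show the machine-wide HKCR mapping, so they can still report WScript.exe even after the per-user override is in place; that is why the script checks both. The association only governs shell open (double-click), so a script passed explicitly to wscript.exe or cscript.exe, and other script extensions such as .jse, .vbs and .wsf, are not covered by this one policy item.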

Please test this method and let us know your feedback on it 🙂

Note: you can use the same method to block / alter the file extension association using Local Group Policy.


Alhamdolillah !

Regards,
Syed Jahanzaib