GPO to help protect against Crypto attacks
The main concern with this threat is that it launches and runs from within the user's AppData folder in their profile. The primary way to prevent getting infected with Crypto-type malware is to block applications from executing under the AppData folder. The complication is that most software titles, when installing or uninstalling, extract their executables into the AppData folder.
Once the GPO is applied, you will need to tweak the settings for your environment, allowing the paths of the software you use, to prevent errors and issues. The steps for this are on page two.
You will want to create a new GPO and link it at the root of your domain. I would highly recommend only applying this to a limited group of users initially to work out any issues that could arise, then apply it to all users.
Settings within the GPO
You will create all of your settings under the following location in the GPO:
Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
Right-click to create a new path rule, enter %userprofile%\AppData as the path, and set the security level to Disallowed.
This will block any executable (.exe, .msi…) from being launched from within that directory and its subdirectories, such as AppData\Local and AppData\Roaming.
Exceptions within the GPO
You can right-click and add any exceptions that are needed to allow the systems to run normally. However, you will want to be as explicit as possible. We highly recommend against excluding an entire directory. Instead, you can exclude specific executables, or a group of similarly named executables with a wildcard.
Disallowed = Blocked
Unrestricted = Allowed for all users
In this example we are excluding any folder or executable that starts with the word custom. This would typically be done if there is a software title that extracts its installation files into the %userprofile%\AppData\local\temp folder and all of its executables start with the string ‘custom’.
Configuring this policy will often take some custom configuration, because each environment has its own set of software that users need to be able to install and/or launch.
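The two rules described above (the Disallowed rule on %userprofile%\AppData and the narrow ‘custom*’ exception) can also be written into the GPO from PowerShell instead of the Group Policy editor. The script below is an added example and is not part of the original page. It assumes the GroupPolicy RSAT module is installed, that a GPO with the assumed name ‘Block AppData Execution’ already exists (New-GPO creates it), and that the Software Restriction Policies node has already been created once in the editor so its defaults (DefaultLevel, ExecutableTypes) are present. The registry layout it writes (CodeIdentifiers\<level>\Paths\{GUID} with ItemData, SaferFlags, Description and LastModified) is the layout the editor itself produces for path rules, with level 0 meaning Disallowed and 262144 (0x40000) meaning Unrestricted.

```powershell
# Added example, not from the original page: create SRP path rules with the
# GroupPolicy module. Assumed GPO name; the SRP node must already exist in the GPO.
Import-Module GroupPolicy

$GpoName   = 'Block AppData Execution'   # assumed GPO name (New-GPO -Name $GpoName)
# User Configuration SRP rules live under HKCU\...\Safer\CodeIdentifiers
$SaferRoot = 'HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Gpo,
        [Parameter(Mandatory)] [ValidateSet('Disallowed', 'Unrestricted')] [string] $Level,
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = ''
    )
    # Security level is encoded in the key path: 0 = Disallowed, 262144 = Unrestricted.
    $levelValue = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $ruleKey = '{0}\{1}\Paths\{2}' -f $SaferRoot, $levelValue, ([guid]::NewGuid().ToString('B').ToUpper())

    # ItemData holds the path pattern; REG_EXPAND_SZ so %userprofile% expands per user.
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'ItemData'    -Type ExpandString -Value $Path        | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'SaferFlags'  -Type DWord        -Value 0            | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'Description' -Type String       -Value $Description | Out-Null
    # LastModified is a FILETIME, as written by the editor.
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'LastModified' -Type QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $ruleKey
}

$rules = @()

# 1. Block execution anywhere under the profile's AppData (Local, LocalLow, Roaming).
$rules += Add-SrpPathRule -Gpo $GpoName -Level Disallowed `
    -Path '%userprofile%\AppData' -Description 'Block execution from AppData'

# 2. The page's sample exception: only files/folders beginning with "custom" under
#    Local\Temp are allowed, not the whole Temp directory.
$rules += Add-SrpPathRule -Gpo $GpoName -Level Unrestricted `
    -Path '%userprofile%\AppData\Local\Temp\custom*' -Description 'Allow custom* installer files'

# Review the rules now stored in the GPO before linking it to a pilot OU.
foreach ($key in $rules) {
    $level = if ($key -like "*\CodeIdentifiers\0\Paths\*") { 'Disallowed' } else { 'Unrestricted' }
    $item  = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'ItemData'
    '{0,-12} {1}' -f $level, $item.Value
}
```

Link the GPO to a pilot OU first (New-GPLink), run gpupdate on a test machine, and then widen the exception list only with specific file names or narrow wildcards as the page recommends, never whole directories.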