Defending against CryptoLocker with CryptoLocker Group Policy Software Restriction
The latest variants of CryptoLocker can bypass Microsoft Endpoint Protection even with the latest definitions: https://www.staysmartonline.gov.au/alert_service/message?id=1145582&name=Fake+speeding+ticket+emails+distributing+ransomware#.VHaOwlAcQ-V
Use the following Group Policy to stop it from executing out of %AppData%:
Computer Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules
*.SCR and *.TMP are known malware extensions.
- %AppData%\*.exe Disallowed
- %AppData%\*\*.exe Disallowed
- %TEMP%\*.exe Disallowed
- %TEMP%\*\*.exe Disallowed
- %TMP%\*.exe Disallowed
- %TMP%\*\*.exe Disallowed
Note: I would suggest blocking all files (*.*), or at least the selected executable file extensions listed here: http://www.howtogeek.com/137270/50-file-extensions-that-are-potentially-dangerous-on-windows/
.bat, .cmd, .com, .lnk, .pif, .scr, .vb, .vbe, .vbs, .wsh, .htm
More locations to protect:
- %UserProfile%\Local Settings\Temp\Rar*\*.exe
- %UserProfile%\Local Settings\Temp\7z*\*.exe
- %UserProfile%\Local Settings\Temp\wz*\*.exe
- %UserProfile%\Local Settings\Temp\*.zip\*.exe
Registry lockdown
I would suggest restricting these keys for users, but more testing is required.
Command to check write access: accesschk -w -s -q -u Interactive "C:\Windows"
If you do get hit:
- Shut down the affected workstation ASAP.
- Stop all file shares.
- Recover from the last known good backup. (We had VSS and NetApp, so we only lost 4 hours of work.)
- Check Personal Storage Software like Dropbox, which got hit as well
- Upload the Virus File to https://www.virustotal.com/en/ or https://www.microsoft.com/security/portal/submission/submit.aspx (This way virus engines will create a definition and help others not to get infected)
I looked a bit closer at how these viruses actually get executed:
- The first method is to change the icon of the executable (*.exe) to a PDF icon. Users normally can't see file extensions and will double-click it thinking it is a PDF file.
- The "Unitrix" exploit (named by Avast) uses the Unicode character U+202E (Right-to-Left Override), which reverses how the end of the file name is displayed and so hides the real extension.
Mitigations:
- Educate users
- Turn on Data Execution Prevention: System Properties / Advanced / Performance Options / Data Execution Prevention / Turn on DEP for essential Windows programs and services only
- User Account Control settings: Always notify
- Internet Options / Security Settings: Local Intranet Zone
- Application whitelisting
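As an added example (not part of the original post), the following Python checks a file name for the two disguises described above: the U+202E Right-to-Left Override trick and the hidden-extension trick, using the dangerous extension list from earlier in the post. The bidi rendering is a deliberate simplification and the sample names are constructed.

```python
from typing import NamedTuple

# Extensions the post lists as commonly abused by malware droppers.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".tmp", ".bat", ".cmd", ".com", ".lnk",
                        ".pif", ".vb", ".vbe", ".vbs", ".wsh", ".htm"}
RLO = "\u202e"  # Right-to-Left Override, the character the "Unitrix" trick relies on
# Other Unicode bidi control characters that can likewise reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", RLO,
                 "\u2066", "\u2067", "\u2068", "\u2069"}

class Verdict(NamedTuple):
    actual_ext: str       # extension Windows will use when the file is opened
    displayed_name: str   # approximate name as a bidi-aware UI renders it
    reasons: tuple        # empty tuple means nothing suspicious was found

def displayed_name(name: str) -> str:
    """Approximate rendering: text after the first RLO is shown reversed.
    This is a simplification of the Unicode bidi algorithm (assumption)."""
    head, sep, tail = name.partition(RLO)
    return head + tail[::-1] if sep else name

def inspect_filename(name: str) -> Verdict:
    reasons = []
    parts = name.lower().split(".")
    actual_ext = "." + parts[-1] if len(parts) > 1 else ""
    if any(c in BIDI_CONTROLS for c in name):
        reasons.append("bidi control character (e.g. U+202E) in file name")
    if actual_ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"launches as {actual_ext}")
    # invoice.pdf.exe shows as "invoice.pdf" when Explorer hides known extensions
    if len(parts) > 2 and actual_ext in DANGEROUS_EXTENSIONS:
        reasons.append(f"double extension, looks like .{parts[-2]}")
    shown = displayed_name(name)
    shown_ext = "." + shown.lower().rsplit(".", 1)[1] if "." in shown else ""
    if shown_ext and shown_ext != actual_ext:
        reasons.append(f"displayed as {shown_ext} but actually {actual_ext}")
    return Verdict(actual_ext, shown, tuple(reasons))

if __name__ == "__main__":
    # Constructed sample names: a benign document, a double extension, an RLO disguise.
    for n in ("report.pdf", "invoice.pdf.exe", "report" + RLO + "fdp.exe"):
        v = inspect_filename(n)
        print(repr(n), "->", v.displayed_name, v.reasons or "ok")
```

Running it over an attachment quarantine or a file share listing flags names that a user would misread as documents.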
The authors of this kind of malware release updates very quickly and change significant characteristics of the malware families involved, evading anti-malware signatures. We see a lot of ransomware on a daily basis, around 50 new sub-variants per day. The people who write this malware constantly make changes and test the result against a large group of AV engines with the latest definitions to make sure it is not detected, much like a website such as http://www.virustotal.com, except that they run their own private environment. So it is a race between the malware author and the AV software.
The use of public/private key cryptography makes it infeasible to discover/calculate the decryption key.
The malware encrypts files locally and on any mapped network drives, which expands the potential for damage.
Encrypted files are registered here: HKEY_CURRENT_USER\Software\CryptoLocker\Files
Here is a recent blog post from the Microsoft Malware Protection Center about this kind of ransomware; it gives some information about the common infection vectors.
Some other blogs:
- Word OneNote Blog - http://blogs.technet.com/b/wordonenotesupport/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
- BGP Blog - http://blogs.technet.com/b/bgp/archive/2013/09/09/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
- Excel Blog - http://blogs.technet.com/b/the_microsoft_excel_support_team_blog/archive/2013/09/07/quot-cannot-open-the-file-because-the-file-format-or-extension-is-invalid-quot-opening-office-files.aspx
Emphasise the importance of educating the users; the attacker always tries to infect users through spam email and malicious websites.
- With most infection vectors, the attacker relies on social engineering to get you to run the program, much the same way a con man gets your bank account details. Therefore the VERY FIRST line of defense against this virus is: DO NOT RUN ATTACHMENTS UNLESS YOU KNOW THEY ARE SAFE. You may also need to educate the users about the common attack methods the attacker uses.
- Turn off file sharing if it is not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access to folders that must be shared only to user accounts with strong passwords.
Please also evaluate the write permissions on the shared folder and remove any unnecessary write permission.
- Always keep your patch levels up to date, especially Java, Adobe and IE. This helps stop the attacker from using known vulnerabilities to infect users. Simply visiting a compromised website can cause infection if certain vulnerabilities in the browser or its add-ins are not patched.
- Filter spam on the email server; you can use anti-spam software. Configure your email server to block or remove email that contains file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- We also need to back up our important documents regularly.
Official Symantec MSS Alert
Symantec MSS Threat Landscape Update – Cryptowall 2.0
On October 15th, 2014, researchers from the Bleeping Computer forum released a blog article about a new variant of Cryptowall, a.k.a Cryptodefense. This malware is your traditional “ransomware” with some added features.
This new variant provides a unique bitcoin payment address to every infected user. Previously, all infected users paid into the same payment address, which meant that one infected user could redirect funds paid by another infected user.
Another new feature is the ability to securely delete the original files after they are encrypted. In the previous version, deleted files could be recovered using file recovery tools. Cryptowall 2.0 wipes the original files, making recovery impossible unless you pay the ransom or restore from backup.
All of Cryptowall’s ransom servers are located on the anonymous TOR network. Before, users had to install TOR on their systems in order to pay the ransom. This was a confusing process for the user, so the attackers moved to a web-to-TOR gateway which allows users to access TOR servers without having to install software. The old version of Cryptowall used a third party provider for this service, but once this was discovered it was blacklisted. The new version of TOR now uses its own web-to-TOR gateways, avoiding any blacklisting.
Cryptowall currently uses four web-to-TOR gateways as outlined by Bleeping Computer. They are the following:
This new variant is being distributed through phishing emails using the RIG Exploit kit.
SYMANTEC MSS SOC DETECTION CAPABILITIES:
For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
MSS SOC Analytics Detection
- URL Analytics (WSM Signatures)
[MSS URL Detection] Possible Trojan.Cryptodefense(Cryptowall) C&C Traffic
System Infected: Trojan.Cryptodefense Activity
Web Attack: Exploit Toolkit website 47
Web Attack: Malicious Executable Download 2
Web Attack: MSIE CVE-2013-2551 3
Web Attack: Rig Exploit Kit Website 5
Web Attack: Rig Exploit Kit Website 9
Web Attack: Rig Exploit Kit Website 4
Web Attack: Rig Exploit Kit Website 21
- Snort/Emerging Threats (ET)
SID – 2809047 – ETPRO TROJAN Possible Cryptowall Infection in Windows Roaming Profile (DECRYPT_INSTRUCTION.URL ascii)
SID – 2018452 – ET TROJAN CryptoWall Check-in
SID – 2016809 – ET TROJAN Likely CryptoWall .onion Proxy DNS Lookup
SID – 2018610 – ET TROJAN Likely CryptoWall .onion Proxy Domain in SNI
SID – 2018397 – ET TROJAN Cryptodefense DNS Domain Lookup
SID – 31450 – MALWARE-CNC Win.Trojan.CryptoWall Outbound Connection Attempt
SID – 31449 – MALWARE-CNC Win.Trojan.CryptoWall Downloader Attempt
SID – 32225 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt
SID – 31223 – MALWARE-CNC Win.Trojan.CryptoWall Variant Outbound Connection Attempt
SID – 31447 – BLACKLIST DNS Request for Known Malware Domain mediaocean[.]home[.]pl – Win.Trojan.CryptoWall
SID – 31448 – BLACKLIST DNS Request for Known Malware Domain nofbiatdominicana[.]com – Win.Trojan.CryptoWall
SID – 31369 – EXPLOIT-KIT Rig Exploit Kit Outbound Microsoft Silverlight Request
SID – 31455 – EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request
HTTP: CryptoWall Communication Attempt
This list represents a snapshot of current detection. As threats evolve, detection for those threats can and will evolve as well.
- Rig Exploit Kit Used in Recent Website Compromise
- Updated CryptoWall 2.0 ransomware released that makes it harder to recover files
- Recovering Ransomlocked Files Using Built-In Windows Tools
- CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ
Thank you for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.
Global Client Services Team
Symantec Managed Security Services
MSS Portal: https://mss.symantec.com
MSS Blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-group