Geekzone: technology news, blogs, forums


bjorn
#193743 22-Mar-2016 18:57

I'm interested how everyone else has been protecting their networks from the CryptoLocker malware/virus.

 

In the last few months we've been hit 3 times taking out different departments and encrypting the files the user has access to.

 

We have an extensive backup system so we've been able to restore any encrypted files, however the clean up time is extensive and disruptive. 

 

Each time the user has been searching something in Google, clicked on a search result and been infected.

 

We have endpoint virus scanning as well as web scanning through our proxy and of course all our email is scanned, however because the signatures of the viruses/malware change so fast the scanners are not detecting the threat and we're getting infected.

 

Any suggestions? I'm thinking some sort of Advanced Threat Protection?

 

 


freitasm (Administrator)
#1517895 22-Mar-2016 19:03

What endpoint protection are you using?









achieveit
#1517906 22-Mar-2016 19:06

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

 

And last but not least - educating users! ~probably the most important!


freitasm (Administrator)
#1517909 22-Mar-2016 19:09

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".









jnimmo
#1517920 22-Mar-2016 19:31

To quote someone:

 

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

 

The four measures are:

 

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

 

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

 

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - in previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

 

 

 

 


Dynamic
#1517941 22-Mar-2016 20:14

CryptoPrevent?






bjorn
#1517962 22-Mar-2016 20:50

achieveit:

 

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

 

And last but not least - educating users! ~probably the most important!

 

 

 

 

We already do all of the above.

 

 

 

freitasm:

 

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

 

 

 

 

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

 

 

 

jnimmo:

 

To quote someone:

 

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

 

The four measures are:

 

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

 

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

 

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - in previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

 

 

 

 

 

 

While good advice, we do all of the above.

 

The exception is that we have to run IE, as many of our internal applications require it; however it is the latest version and fully patched.

 

 

 

Dynamic: CryptoPrevent?

 

 

 

Is this a corporate tool or is it more of a home user thing?


Dynamic
#1517974 22-Mar-2016 21:23

We've rolled CryptoPrevent out to SMB clients, bundling it with AV. Default config needed some tightening though.




tehgerbil
#1517986 22-Mar-2016 21:52

We've had luck with Trend Micro Worry-Free Business Security.


jnimmo
#1518033 22-Mar-2016 23:31

bjorn:

 

While good advise; we do all of the above.

 

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

 

 

What about Flash & Java, more specifically Java web start?

 

Perhaps look at blocking all internet access through IE (only allow internal applications which need it), other browsers for general browsing.

 

Also wonder if AppLocker may not be locked down enough if Cryptolocker is still getting past that?


lxsw20
#1518063 23-Mar-2016 00:42

achieveit:

 

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

 

And last but not least - educating users! ~probably the most important!

 

 

 

 

This. Although good luck denying zip files in some places. If you can't then hopefully you have a mail gateway that can extract the zip and look for unwanted file extensions. 

 

I would add that you need offline backups too. 

 

One of the more scary aspects of cryptolocker is that it is being updated/adapted all the time. Apparently some of the later versions can delete shadow copy data for example.

 

MalwareBytes has an anti crypto tool in beta which with any luck they will make an enterprise edition.

 

https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

 

Initial beta testers have said there are quite a few false positives at this stage.
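The gateway check lxsw20 describes (extract the zip and look for unwanted extensions), together with achieveit's point about refusing .zip/.exe attachments at the mail boundary, can be sketched in code. The Python below is an added example written for this thread, not code from any product or poster here. The blocked-extension list, the decoy-extension list and the nesting limit are assumptions for the example, and the sample attachment is constructed in memory from harmless placeholder text. It walks a zip recursively, flags executable and script members, flags double extensions such as invoice.pdf.exe that are dressed up as documents, and reports encrypted members that a gateway cannot inspect.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Assumed gateway policy for this example: extensions refused inside archives.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".jar", ".msi", ".dll",
}
# Document-looking extensions that turn a trailing blocked extension into a
# disguise, e.g. "invoice.pdf.exe" (assumed list for the example).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
MAX_NESTING = 3  # assumed limit on zip-inside-zip depth


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return policy findings for one zip attachment; an empty list means clean."""
    label = prefix or "<attachment>"
    if depth > MAX_NESTING:
        return [f"{label}: archive nesting deeper than {MAX_NESTING}"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{label}: not a valid zip file"]

    findings: list[str] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{prefix}/{info.filename}" if prefix else info.filename
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            last = suffixes[-1] if suffixes else ""
            if info.flag_bits & 0x1:
                # Encrypted member: the gateway cannot look inside it, so report it
                # rather than letting it through unscanned.
                findings.append(f"{name}: encrypted member (cannot be scanned)")
            elif last in BLOCKED_EXTENSIONS:
                reason = "blocked executable/script extension"
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
                    reason = "double extension disguised as a document"
                findings.append(f"{name}: {reason}")
            elif last == ".zip":
                # Nested archive: recurse so a zip-in-zip cannot hide a payload.
                findings.extend(inspect_zip(zf.read(info), depth + 1, name))
    return findings


def build_sample() -> bytes:
    """Constructed test attachment: a decoy document, a double-extension member
    and a nested zip holding a script name. Every member is harmless text."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("macro_helper.js", "// placeholder text, not code")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_2016.pdf", "%PDF-1.4 placeholder")
        z.writestr("invoice_2016.pdf.exe", "MZ placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample()):
        print(finding)
```

In a real gateway the returned findings would drive quarantine or a rewrite of the message rather than a print. The encrypted-member branch matters more than it looks: a password-protected zip is exactly the case a content scanner cannot see into, so the policy reports it instead of treating "nothing found" as clean.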

 

 

 

 

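lxsw20's remark that later variants delete shadow copy data points to a detection a SOC can run regardless of whether the AV signatures keep up: shadow-copy deletion launched from an ordinary workstation is almost never legitimate, and it happens before the user notices anything. The Python below is an added example, not code from this thread or from any product. The log layout, host names, user names and the allow-listed backup account are all constructed for the example; a real deployment would read Sysmon or Security event 4688 process-creation records instead. It parses the records, matches the vssadmin and wmic shadow-copy deletion forms, and skips the one (host, user) pair that rotates shadow copies as part of its backup job.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample records in a Sysmon / Event ID 4688-like layout. Not real logs.
SAMPLE_LOG = (
    '2016-03-22T14:02:11Z host=FIN-PC07 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"\n'
    '2016-03-22T14:02:15Z host=FIN-PC07 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"\n'
    '2016-03-22T14:02:16Z host=FIN-PC07 user=CORP\\jdoe '
    'image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"\n'
    '2016-03-22T22:00:03Z host=SRV-BACKUP user=CORP\\svc_backup '
    'image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /for=D: /oldest"\n'
    '2016-03-22T14:07:02Z host=HR-PC12 user=CORP\\asmith '
    'image=C:\\Program Files\\Internet Explorer\\iexplore.exe cmd="iexplore.exe https://intranet/"\n'
)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

# (image basename, command-line pattern, rule name): the two common ways the
# shadow copies on a volume are removed from the command line.
SHADOW_DELETE_RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
]

# Hypothetical tuning for the example: the backup service account on the backup
# server rotates shadow copies legitimately, so that (host, user) pair is allowed.
ALLOWED = {("SRV-BACKUP", "CORP\\svc_backup")}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str
    cmd: str


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    command: str
    rule: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed record; None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], m["user"], m["image"], m["cmd"])


def detect_shadow_copy_deletion(lines: Iterable[str]) -> list[Alert]:
    """Return one Alert per process-creation record that deletes shadow copies
    from a host/user pair that is not on the allow-list."""
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or (ev.host, ev.user) in ALLOWED:
            continue
        # Compare on the executable name only; the install path varies per host.
        basename = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        for image, pattern, rule in SHADOW_DELETE_RULES:
            if basename == image and pattern.search(ev.cmd):
                alerts.append(Alert(ev.ts, ev.host, ev.user, ev.cmd, rule))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.host} {a.user}: {a.rule} -> {a.command}")
```

The allow-list is where backup servers and their service accounts belong, and nothing else; any other hit is best treated as encryption already under way on that host, which argues for isolating it first and investigating second. Matching on the executable name rather than the full path keeps the rule stable across 32-bit and 64-bit system directories.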

lNomNoml
#1518071 23-Mar-2016 01:40

Decent Anti-virus: ESET Endpoint

 

 

 

 What browser are the users using? Google Chrome?


nathan
#1518075 23-Mar-2016 04:15

Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Dynamic
#1518134 23-Mar-2016 08:40

nathan: Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

 

Legitimate question, Nathan, but because these crims are making pretty decent money they are reinvesting significantly in keeping ahead of the AV companies and exploiting new vulnerabilities pretty quickly.







bjorn
#1518159 23-Mar-2016 09:12

nathan: Have you discovered which vuln this is using to get to your PCs?

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

 

 

 

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.


mentalinc
#1518160 23-Mar-2016 09:13

They're now using excel VBA as well...






