Protecting against CryptoLocker inside your network

Forums › IT Pro and developers › Protecting against CryptoLocker inside your network

bjorn

192 posts

Master Geek

#193743 22-Mar-2016 18:57

I'm interested how everyone else has been protecting there networks from the CryptoLocker malware/virus.

In the last few months we've been hit 3 times taking out different departments and encrypting the files the user has access to.

We have an extensive backup system so we've been able to restore any encrypted files, however the clean up time is extensive and disruptive.

Each time the user has been searching something in Google, clicked on a search result and been infected.

We have endpoint virus scanning as well as web scanning through our proxy and of course all our email is scanned, however because the signatures of the viruses/malware change so fast the scanners are not detecting the threat and we're getting infected.

Any suggestions? I'm thinking some sort of Advanced Threat Protection?

1 | 2 | 3

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1517895 22-Mar-2016 19:03

What endpoint protection are you using?

achieveit

21 posts

Geek

#1517906 22-Mar-2016 19:06

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

freitasm

BDFL - Memuneh
79250 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1517909 22-Mar-2016 19:09

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

jnimmo

1097 posts

Uber Geek

#1517920 22-Mar-2016 19:31

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

Application whitelisting
Minimizing access to administrator privileges
Very rapid application patching
Very rapid operating system patching

And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

Dynamic

3866 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1517941 22-Mar-2016 20:14

CryptoPrevent?

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management. A great Kiwi company.

bjorn

192 posts

Master Geek

#1517962 22-Mar-2016 20:50

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

We already do all of the above.

freitasm:

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

jnimmo:

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

Application whitelisting
Minimizing access to administrator privileges
Very rapid application patching
Very rapid operating system patching
And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

While good advise; we do all of the above.

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

Dynamic: CryptoPrevent?

Is this a corporate tool or is more of a home user thing?

Dynamic

3866 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1517974 22-Mar-2016 21:23

We've rolled crypto prevent out to SMB clients, bundling it with AV. Default config needed some tightening though.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management. A great Kiwi company.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

tehgerbil

1102 posts

Uber Geek

ID Verified

Subscriber

#1517986 22-Mar-2016 21:52

We've had luck with trend micro worry free business security.

jnimmo

1097 posts

Uber Geek

#1518033 22-Mar-2016 23:31

bjorn:

While good advise; we do all of the above.

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

What about Flash & Java, more specifically Java web start?

Perhaps look at blocking all internet access through IE (only allow internal applications which need it), other browsers for general browsing.

Also wonder if AppLocker may not be locked down enough if Cryptolocker is still getting past that?

lxsw20

3552 posts

Uber Geek

Subscriber

#1518063 23-Mar-2016 00:42

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

This. Although good luck denying zip files in some places. If you can't then hopefully you have a mail gateway that can extract the zip and look for unwanted file extensions.

I would add that you need offline backups too.

One of the more scary aspects of cryptolocker is it is being updated/adapting all the time. Apparently some of the later versions can delete shadow copy data for example.

MalwareBytes has an anti crypto tool in beta which with any luck they will make a enterprise edition.

https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Initial beta testers have said they are quite a few false positives at this stage.

lNomNoml

1807 posts

Uber Geek

ID Verified

#1518071 23-Mar-2016 01:40

Decent Anti-virus: ESET Endpoint

What browser are the users using? Google Chrome?

nathan

5695 posts

Uber Geek
Inactive user

#1518075 23-Mar-2016 04:15

Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Dynamic

3866 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1518134 23-Mar-2016 08:40

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Legitimate question, Nathan, but because these crims are making pretty decent money they are reinvesting significantly in keeping ahead of the AV companies and exploiting new vulnerabilities pretty quickly.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management. A great Kiwi company.

bjorn

192 posts

Master Geek

#1518159 23-Mar-2016 09:12

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.

mentalinc

3226 posts

Uber Geek

Trusted

#1518160 23-Mar-2016 09:13

They're now using excel VBA as well...

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

1 | 2 | 3