Protecting against CryptoLocker inside your network

Forums › IT Pro and developers › Protecting against CryptoLocker inside your network

bjorn

192 posts

Master Geek
+1 received by user: 1

Topic # 193743 22-Mar-2016 18:57

I'm interested how everyone else has been protecting there networks from the CryptoLocker malware/virus.

In the last few months we've been hit 3 times taking out different departments and encrypting the files the user has access to.

We have an extensive backup system so we've been able to restore any encrypted files, however the clean up time is extensive and disruptive.

Each time the user has been searching something in Google, clicked on a search result and been infected.

We have endpoint virus scanning as well as web scanning through our proxy and of course all our email is scanned, however because the signatures of the viruses/malware change so fast the scanners are not detecting the threat and we're getting infected.

Any suggestions? I'm thinking some sort of Advanced Threat Protection?

1 | 2 | 3

BDFL - Memuneh
60609 posts

Uber Geek
+1 received by user: 11542

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1517895 22-Mar-2016 19:03

What endpoint protection are you using?

You can support content creators (and Geekzone) by using the Brave browser.

achieveit

21 posts

Geek

Reply # 1517906 22-Mar-2016 19:06

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

freitasm

BDFL - Memuneh
60609 posts

Uber Geek
+1 received by user: 11542

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 1517909 22-Mar-2016 19:09

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

You can support content creators (and Geekzone) by using the Brave browser.

jnimmo

What does this tag do
948 posts

Ultimate Geek
+1 received by user: 192

Subscriber

Reply # 1517920 22-Mar-2016 19:31

One person supports this post

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

Application whitelisting
Minimizing access to administrator privileges
Very rapid application patching
Very rapid operating system patching

And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

Dynamic

2382 posts

Uber Geek
+1 received by user: 694

Trusted

Lifetime subscriber

Reply # 1517941 22-Mar-2016 20:14

One person supports this post

CryptoPrevent?

"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

bjorn

192 posts

Master Geek
+1 received by user: 1

Reply # 1517962 22-Mar-2016 20:50

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

We already do all of the above.

freitasm:

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

jnimmo:

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

Application whitelisting
Minimizing access to administrator privileges
Very rapid application patching
Very rapid operating system patching
And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

While good advise; we do all of the above.

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

Dynamic: CryptoPrevent?

Is this a corporate tool or is more of a home user thing?

Dynamic

2382 posts

Uber Geek
+1 received by user: 694

Trusted

Lifetime subscriber

Reply # 1517974 22-Mar-2016 21:23

We've rolled crypto prevent out to SMB clients, bundling it with AV. Default config needed some tightening though.

"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

tehgerbil

387 posts

Ultimate Geek
+1 received by user: 183

Reply # 1517986 22-Mar-2016 21:52

We've had luck with trend micro worry free business security.

jnimmo

What does this tag do
948 posts

Ultimate Geek
+1 received by user: 192

Subscriber

Reply # 1518033 22-Mar-2016 23:31

bjorn:

While good advise; we do all of the above.

With the exception of we have to run IE as many of our internal applications require it, however it is that latest version and fully patched.

What about Flash & Java, more specifically Java web start?

Perhaps look at blocking all internet access through IE (only allow internal applications which need it), other browsers for general browsing.

Also wonder if AppLocker may not be locked down enough if Cryptolocker is still getting past that?

lxsw20

2162 posts

Uber Geek
+1 received by user: 653

Subscriber

Reply # 1518063 23-Mar-2016 00:42

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software RestrictionsWeb Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

This. Although good luck denying zip files in some places. If you can't then hopefully you have a mail gateway that can extract the zip and look for unwanted file extensions.

I would add that you need offline backups too.

One of the more scary aspects of cryptolocker is it is being updated/adapting all the time. Apparently some of the later versions can delete shadow copy data for example.

MalwareBytes has an anti crypto tool in beta which with any luck they will make a enterprise edition.

https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Initial beta testers have said they are quite a few false positives at this stage.

lNomNoml

900 posts

Ultimate Geek
+1 received by user: 180

Reply # 1518071 23-Mar-2016 01:40

Decent Anti-virus: ESET Endpoint

What browser are the users using? Google Chrome?

nathan

4955 posts

Uber Geek
+1 received by user: 1318

Trusted

Microsoft

Reply # 1518075 23-Mar-2016 04:15

Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Dynamic

2382 posts

Uber Geek
+1 received by user: 694

Trusted

Lifetime subscriber

Reply # 1518134 23-Mar-2016 08:40

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Legitimate question, Nathan, but because these crims are making pretty decent money they are reinvesting significantly in keeping ahead of the AV companies and exploiting new vulnerabilities pretty quickly.

"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

bjorn

192 posts

Master Geek
+1 received by user: 1

Reply # 1518159 23-Mar-2016 09:12

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.

mentalinc

1527 posts

Uber Geek
+1 received by user: 143

Trusted

Reply # 1518160 23-Mar-2016 09:13

They're now using excel VBA as well...

CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB: Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

1 | 2 | 3