Geekzone: technology news, blogs, forums


Topic # 193743 22-Mar-2016 18:57

I'm interested in how everyone else has been protecting their networks from the CryptoLocker malware/virus.

In the last few months we've been hit 3 times, taking out different departments and encrypting the files the user has access to.

We have an extensive backup system so we've been able to restore any encrypted files, however the clean-up time is extensive and disruptive.

Each time the user has been searching something in Google, clicked on a search result and been infected.

We have endpoint virus scanning as well as web scanning through our proxy and of course all our email is scanned, however because the signatures of the viruses/malware change so fast the scanners are not detecting the threat and we're getting infected.

Any suggestions? I'm thinking some sort of Advanced Threat Protection?
  Reply # 1517906 22-Mar-2016 19:06

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!
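An added example for the first item above (denying .zip/.exe via Exchange). This is not code from the thread or from any poster; it is my own illustration using the Exchange transport rule cmdlets, run from the Exchange Management Shell or a remote PowerShell session to Exchange Online. The rule names, the extension list, the rejection text and the quarantine mailbox address are my assumptions.

```powershell
# Added example (not from the thread). Needs an account that can manage transport rules.
# Rule names, extension list, rejection text and the quarantine address are assumptions.

# Extensions used as droppers in the ransomware mailouts of this period. Deliberately wider
# than .zip/.exe: the thing that actually launched the payload was usually a .js/.wsf/.vbs
# inside the zip, not the zip itself.
$riskyExtensions = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe',
                   'wsf','wsh','hta','jar','ps1','lnk'

# Assumed mailbox; mail diverted here is reviewed by a person, never auto-delivered.
$quarantineMailbox = 'mail-quarantine@example.com'

# 1. Content-based check: Exchange inspects the file itself, so a payload renamed to
#    something harmless-looking is still classified as executable.
New-TransportRule -Name 'Reject executable attachments (content inspection)' `
    -Priority 0 `
    -Mode Enforce `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted by this organisation.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 2. Extension-based check for script and shortcut types that rule 1 does not treat as executable.
New-TransportRule -Name 'Reject risky attachment extensions' `
    -Priority 1 `
    -Mode Enforce `
    -AttachmentExtensionMatchesWords $riskyExtensions `
    -RejectMessageReasonText 'Attachments of this type are not accepted by this organisation.' `
    -RejectMessageEnhancedStatusCode '5.7.1'

# 3. A password-protected archive cannot be inspected at all, which is exactly how the above
#    two rules get bypassed; divert those for manual review rather than delivering them.
New-TransportRule -Name 'Divert unscannable attachments' `
    -Priority 2 `
    -Mode Enforce `
    -AttachmentIsPasswordProtected $true `
    -RedirectMessageTo $quarantineMailbox

# Confirm evaluation order: the lowest Priority number runs first.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode -AutoSize
```

Run the rules with -Mode Audit for a few days first and read the message trace before switching to Enforce; a rejected invoice is a help-desk ticket, and the "good luck denying zip files" point made later in this thread applies. Whether the extension predicate looks inside archives depends on the Exchange build, so check the vendor documentation for your version rather than assuming rule 2 covers zipped scripts.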


  Reply # 1517909 22-Mar-2016 19:09

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".





  Reply # 1517920 22-Mar-2016 19:31

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.
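An added example of the first two DSD measures above (application whitelisting, with the admin-privilege point built into the rules), and of the "GPO to prevent APPDATA locations being written to / Software Restrictions" item from the earlier reply. This is my own illustration, not code from the thread or from Microsoft; it builds an AppLocker policy with the AppLocker cmdlets. It assumes a Windows edition that ships AppLocker, an elevated shell, and that you start in AuditOnly. The rule names and the dry-run folders are my choices.

```powershell
# Added example (not from the thread). Builds an AppLocker policy for the Exe and Script
# collections: allow only the Windows and Program Files trees (and anything for local
# Administrators), and explicitly deny the user-writable folders that sit inside the allowed
# Windows tree. Once enforcement is on, everything not matched by an allow rule is denied by
# default, so %APPDATA%, %TEMP% and Downloads, where drive-by droppers land, need no rule of
# their own. Assumptions: AppLocker-capable Windows, elevated shell, start in AuditOnly.

function New-AppLockerPathRule {
    param(
        [string]$Name,
        [string]$Path,
        [ValidateSet('Allow','Deny')][string]$Action,
        [string]$Sid = 'S-1-1-0'   # Everyone; S-1-5-32-544 is BUILTIN\Administrators
    )
    # Every rule needs its own GUID; generate rather than copy/paste to avoid collisions.
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

function New-RuleCollection {
    param([string]$Type, [string]$Mode)
    $rules = @(
        New-AppLockerPathRule -Name 'Allow Windows'         -Path '%WINDIR%\*'        -Action Allow
        New-AppLockerPathRule -Name 'Allow Program Files'   -Path '%PROGRAMFILES%\*'  -Action Allow   # both Program Files trees
        # The admin rule is only safe because users are NOT admins (DSD measure 2).
        New-AppLockerPathRule -Name 'Allow admins anything' -Path '*' -Action Allow -Sid 'S-1-5-32-544'
        # Deny beats allow in AppLocker: close the user-writable holes inside %WINDIR%.
        New-AppLockerPathRule -Name 'Deny Windows\Temp'     -Path '%WINDIR%\Temp\*'    -Action Deny
        New-AppLockerPathRule -Name 'Deny Windows\Tasks'    -Path '%WINDIR%\Tasks\*'   -Action Deny
        New-AppLockerPathRule -Name 'Deny Windows\tracing'  -Path '%WINDIR%\tracing\*' -Action Deny
    )
    @"
  <RuleCollection Type="$Type" EnforcementMode="$Mode">
$($rules -join "`n")
  </RuleCollection>
"@
}

$mode = 'AuditOnly'   # switch to 'Enabled' only after reading the audit events below
$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollection -Type 'Exe' -Mode $mode)
$(New-RuleCollection -Type 'Script' -Mode $mode)
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-whitelist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would this policy decide for files already sitting in user-writable locations?
$candidates = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads" `
    -Recurse -Include *.exe, *.js, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($candidates) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidates |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Apply to this machine (use -Ldap 'LDAP://...' -Merge to target a GPO instead) and make
# sure the Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# After a few days in AuditOnly: event 8003 = "would have been blocked" (EXE and DLL log),
# 8006 is the equivalent in the MSI and Script log. Anything legitimate here needs a rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20
```

The same shape works for the Dll and Msi collections, at the cost of a longer audit period. If you are on Software Restriction Policies rather than AppLocker, the logic inverts: SRP needs explicit Disallowed path rules for %APPDATA%, %LOCALAPPDATA%\Temp and the like, because its default level is Unrestricted unless you change it.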

 

 

 

 


  Reply # 1517941 22-Mar-2016 20:14

CryptoPrevent?




"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams



  Reply # 1517962 22-Mar-2016 20:50

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

We already do all of the above.

freitasm:

I'd say if your users are searching Google and opening files from the web then there's a good chance they would fall for the CFO scam. As above no technology will help if users don't cultivate a "Scam Meter".

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

jnimmo:

To quote someone:

Australia’s Defence Signals Directorate (DSD), the U.S. National Security Agency (NSA) and private experts came up with a list of 35 measures that stop almost all attacks. DSD found that by implementing four specific risk reduction measures agencies and companies saw risk fall by 85% and, in some cases, to zero.

The four measures are:

  • Application whitelisting
  • Minimizing access to administrator privileges
  • Very rapid application patching
  • Very rapid operating system patching

And really there isn't much more to say than that..

In my opinion web & email filtering and antivirus will do little to prevent infection from modern malware (although email filtering does seem to have helped, suspect web filtering less effective due to HTTPS)

Using Chrome or Firefox instead of IE, ensuring any unnecessary plugins are removed (i.e. Java), and rapid patching of any web facing software is essential too - previous roles I've used Ninite Pro to update Flash and Adobe Reader every day.

While good advice, we do all of the above.

With the exception that we have to run IE, as many of our internal applications require it; however it is the latest version and fully patched.

Dynamic: CryptoPrevent?

Is this a corporate tool or is it more of a home user thing?


  Reply # 1517974 22-Mar-2016 21:23

We've rolled CryptoPrevent out to SMB clients, bundling it with AV. Default config needed some tightening though.
  Reply # 1517986 22-Mar-2016 21:52

We've had luck with Trend Micro Worry-Free Business Security.
  Reply # 1518033 22-Mar-2016 23:31

bjorn:

While good advice, we do all of the above.

With the exception that we have to run IE, as many of our internal applications require it; however it is the latest version and fully patched.

What about Flash & Java, more specifically Java web start?

Perhaps look at blocking all internet access through IE (only allow internal applications which need it), other browsers for general browsing.

Also wonder if AppLocker may not be locked down enough if Cryptolocker is still getting past that?
  Reply # 1518063 23-Mar-2016 00:42

achieveit:

Denying .zip/.exe via Email (Office 365/Exchange etc.)
Antispam rules - reputation based and blacklisting
GPO to prevent APPDATA locations being written to as well as Software Restrictions
Web Filtering to prevent access to untrusted sites
Ensuring Backup systems are in place and updated, also checking to ensure you can actually recover from them

And last but not least - educating users! ~probably the most important!

This. Although good luck denying zip files in some places. If you can't then hopefully you have a mail gateway that can extract the zip and look for unwanted file extensions.

I would add that you need offline backups too.

One of the more scary aspects of cryptolocker is it is being updated/adapting all the time. Apparently some of the later versions can delete shadow copy data for example.

MalwareBytes has an anti crypto tool in beta which with any luck they will make an enterprise edition.

https://blog.malwarebytes.org/news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

Initial beta testers have said there are quite a few false positives at this stage.
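An added example for the shadow-copy point in the post above: detection logic for the commands ransomware runs to destroy Volume Shadow Copies and recovery options before it starts encrypting, which is also the reason "Previous Versions" is not a backup and an offline copy is. This is my own illustration, not code from the thread or from Malwarebytes; it assumes Windows process-creation auditing (event 4688) with the "Include command line in process creation events" policy enabled, or Sysmon event 1, and the sample events are constructed for the example. Host names, users and paths in the samples are made up.

```powershell
# Added example (not from the thread). Flags process-creation command lines that delete
# shadow copies or disable Windows recovery. Assumes 4688 events carry the CommandLine
# field (policy "Include command line in process creation events" on). Samples are constructed.

$tamperPatterns = [ordered]@{
    'vssadmin delete shadows'  = 'vssadmin(\.exe)?"?\s+delete\s+shadows'
    'vssadmin shrink storage'  = 'vssadmin(\.exe)?"?\s+resize\s+shadowstorage'    # shrinking the store evicts existing copies
    'wmic shadowcopy delete'   = 'wmic(\.exe)?"?\s+shadowcopy\s+delete'
    'bcdedit disable recovery' = 'bcdedit(\.exe)?"?\s+.*recoveryenabled\s+no'
    'bcdedit ignore boot fail' = 'bcdedit(\.exe)?"?\s+.*bootstatuspolicy\s+ignoreallfailures'
    'wbadmin delete catalog'   = 'wbadmin(\.exe)?"?\s+delete\s+catalog'
}

function Test-ShadowCopyTampering {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($entry in $tamperPatterns.GetEnumerator()) {
        if ($CommandLine -imatch $entry.Value) { return $entry.Key }   # name of the matching rule
    }
    return $null
}

# Constructed sample events, shaped like the fields of a 4688 record.
$sampleEvents = @(
    [pscustomobject]@{ Time = '2016-03-22 14:02:11'; Host = 'WS-FIN-07'; User = 'CORP\jsmith'
                       Parent = 'C:\Users\jsmith\AppData\Local\Temp\hjk23.exe'
                       CommandLine = '"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet' }
    [pscustomobject]@{ Time = '2016-03-22 14:02:12'; Host = 'WS-FIN-07'; User = 'CORP\jsmith'
                       Parent = 'C:\Users\jsmith\AppData\Local\Temp\hjk23.exe'
                       CommandLine = 'wmic shadowcopy delete' }
    [pscustomobject]@{ Time = '2016-03-22 14:02:13'; Host = 'WS-FIN-07'; User = 'CORP\jsmith'
                       Parent = 'C:\Users\jsmith\AppData\Local\Temp\hjk23.exe'
                       CommandLine = 'bcdedit /set {default} recoveryenabled No' }
    [pscustomobject]@{ Time = '2016-03-22 14:05:40'; Host = 'WS-HR-03'; User = 'CORP\backupsvc'
                       Parent = 'C:\Program Files\BackupAgent\agent.exe'
                       CommandLine = 'vssadmin list shadows /for=C:' }   # benign: listing, not deleting
)

function Find-TamperingEvents {
    param([object[]]$Events)
    foreach ($e in $Events) {
        $rule = Test-ShadowCopyTampering -CommandLine $e.CommandLine
        if ($rule) {
            [pscustomobject]@{ Time = $e.Time; Host = $e.Host; User = $e.User; Rule = $rule
                               Parent = $e.Parent; CommandLine = $e.CommandLine }
        }
    }
}

Find-TamperingEvents -Events $sampleEvents | Format-Table -AutoSize
# Three hits on WS-FIN-07, all with a parent process in %TEMP%: that combination is the
# trigger to pull the host off the network, not just to raise a ticket.

# The same check against the live Security log of a host, last 24 hours. The command line is
# the EventData field named CommandLine, present only when the auditing policy above is on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ($cmd -and (Test-ShadowCopyTampering -CommandLine $cmd)) {
            $_ | Select-Object TimeCreated, MachineName, @{ n = 'CommandLine'; e = { $cmd } }
        }
    }
```

Backup agents and storage tooling do legitimately call vssadmin and wbadmin, so expect to whitelist by parent process and account (the backupsvc sample shows why the parent matters). Run this centrally over forwarded events rather than on each host; by the time the local log shows the deletion, the encryption has usually already started.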

 

 

 

 


  Reply # 1518071 23-Mar-2016 01:40

Decent Anti-virus: ESET Endpoint

What browser are the users using? Google Chrome?
  Reply # 1518075 23-Mar-2016 04:15

Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

  Reply # 1518134 23-Mar-2016 08:40

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

Legitimate question, Nathan, but because these crims are making pretty decent money they are reinvesting significantly in keeping ahead of the AV companies and exploiting new vulnerabilities pretty quickly.
  Reply # 1518159 23-Mar-2016 09:12

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.
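An added example for the finding above (Flash exploit delivered through advertising) and for the earlier question about Flash and Java. This is my own illustration, not code from the thread: it audits which Flash, Java and Reader builds are actually installed, then sets the Internet Explorer ActiveX "kill bit" on the Flash Player control so IE will not instantiate it, which keeps IE usable for the internal applications that need it. It assumes an elevated shell, that the CLSID below is the Shockwave Flash Object control, and that 0x400 (COMPAT_EVIL_DONT_LOAD) is the kill-bit value in the Compatibility Flags registry value.

```powershell
# Added example (not from the thread). Assumptions: elevated shell; the CLSID is the
# Shockwave Flash Object ActiveX control; 0x400 is the documented IE kill-bit flag.

$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBit    = 0x400

function Get-InstalledSoftware {
    # Reads both Uninstall hives so 32-bit plugins on 64-bit Windows are not missed.
    param([string[]]$NamePatterns)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($NamePatterns | Where-Object { $name -like $_ })
        } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-ActiveXCompatRoots {
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'   # 32-bit IE on x64
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in Get-ActiveXCompatRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # OR the bit in rather than overwrite: other compatibility flags may already be set.
        $new = [int]$current -bor $killBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in Get-ActiveXCompatRoots) {
        $key   = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        if (-not $flags -or -not ($flags -band $killBit)) { return $false }
    }
    return $true
}

# 1. What is actually installed? Patch-every-day only works if you know what to patch.
Get-InstalledSoftware -NamePatterns 'Adobe Flash Player*', 'Java *', 'Adobe Reader*', 'Adobe Acrobat Reader*' |
    Format-Table -AutoSize

# 2. Stop IE loading Flash at all, then confirm.
Set-ActiveXKillBit -Clsid $flashClsid
"Flash kill bit set for IE: $(Test-ActiveXKillBit -Clsid $flashClsid)"
```

Two caveats. On Windows 8 and later the IE Flash component ships with Windows and is patched through Windows Update, so it will not appear in the Uninstall keys; the kill bit still applies. And the kill bit is all-or-nothing for IE, so if an internal application genuinely needs Flash you are back to scoping IE to the intranet zone as suggested earlier in the thread. Since the delivery here was an ad network, blocking ad categories at the proxy removes the vector itself rather than one exploit at a time.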


  Reply # 1518160 23-Mar-2016 09:13

They're now using excel VBA as well...





CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

 

