Crypto (Ransomware) prevention tactics!!

This article attempts to detail Crypto infections (Ransomware) and the prevention tactics that admins are implementing in their networks. Nobody is immune! First, I would like to give you a brief background on the current state of Crypto code.

The Russian Government (Putin, KGB, Russian Mafia and Russian Organized Crime) is one of the leading culprits for current Crypto infections (state sponsored).

http://blog.knowbe4.com/bid/398140/Why-All-This-Russian-Cybercrime-in-Five-Minutes

All A/V companies are struggling with this. The best that any A/V product can currently do is stop 90% of Crypto infections (avast! is one of these!), and industry professionals have said of other A/V programs that “XYZ anti-virus doesn’t stop Crypto at all!” So, at best, 1 out of 10 infections is still getting through. Anti-virus software alone is not enough; a multi-layered approach to security is now the requirement.

The problem with these new versions of Crypto is that they are all polymorphic code, where every sample is unique. Anti-virus vendors and testers can’t even analyze the code without being attacked: once a second sample is requested from the same IP address, a trip wire unleashes an attack against that IP address. The latest version of CryptoWall 2.0 was signed using a “Bit9” signature and uses Flash as the infection vector. These types of infections are the Achilles’ heel of all anti-virus vendors. No A/V is immune, which is why we stress again that the layered approach to security is now a necessity!


What is Polymorphic?

http://www.advantage77.com/2012/05/28/antivirus-testing-vs-real-world-occurrences-how-can-you-test-what-you-cant-see/


New ad-borne CryptoWall 2.0 ransomware is spreading through malvertising on Yahoo, AOL, etc.

This is the most recent vector: legitimate advertising companies were hacked so that the ads they served contained the CryptoWall 2.0 infection vector.

http://blog.knowbe4.com/bid/399144/CyberheistNews-Vol-4-43-CryptoWall-Ransomware-Claims-Fresh-Victims

This vector can be blocked by using an ad blocking protocol. For Internet Explorer, AdBlock Plus will stop ALL advertising once you clear the checkbox “Allow some non-intrusive advertising”, and we use AdBlock for the Chrome browser.

Check out this AdBlock Plus GPO template for Chrome: http://www.chromium.org/administrators/policy-templates

There are also AdBlock Plus MSIs for Internet Explorer that can be deployed via GPO:

https://downloads.adblockplus.org/adblockplusie-1.1-x64.msi

https://downloads.adblockplus.org/adblockplusie-1.1-x86.msi

Source: https://adblockplus.org/forum/viewtopic.php?f=16&t=17465&p=88691&hilit=msi#p88691


How to recover files from Crypto (Ransomware) infection

http://community.spiceworks.com/how_to/show/85802-how-to-recover-files-from-cryptowall-ransomeware-infection


CryptoLocker Prevention Kit for Domains (updated)

The SMBKitchen Crew and Third Tier staff have put together a group of materials that were published as part of our SMBKitchen Project and were only available to subscribers. However, because this virus is spreading so rapidly and is so serious, they have made these materials available to everyone.

The kit includes an article on cleaning up after an infection, but more importantly it provides materials and instructions for deploying a preventative block using Software Restriction Policies. The articles give instructions for installing them via GPO on domain computers and terminal servers, and on non-domain-joined machines too. They have also provided GPO settings that you can import into your environment.

http://www.thirdtier.net/downloads/CryptolockerPreventionKit.zip

Note: This kit is being updated on a frequent basis, so if you’ve downloaded it before, you should check the blog about the updates at http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit-updates and download the kit again to have the latest information on CryptoLocker and what you can do to prevent it in your networks.
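To show what the Software Restriction Policy block in a kit like this actually decides, here is an added Python model of SRP path-rule evaluation. It is my own example, not code from the Third Tier kit: the rule paths (user-profile folders where droppers and extracted attachments land, plus one allow-list exception for a legitimate updater), the environment variable values, and the sample launch paths are all assumptions, chosen to illustrate how the rules behave. The model expands %VAR% references, matches wildcards within a single path component, and lets the most specific matching rule win, which is what lets an Unrestricted exception override a broad Disallowed rule.

```python
import re

# Constructed environment values (not read from the host) so the evaluation
# behaves the same on any platform; a real rollout uses the workstation's own.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "PROGRAMFILES": r"C:\Program Files",
}

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# Assumed rule set in the style of the CryptoLocker prevention kits: block
# executables launched from the per-user folders where droppers and extracted
# e-mail attachments land, keep Program Files allowed, and carve out one
# legitimate updater that the generic rules would otherwise catch. The exact
# paths are my assumption, not the kit's published list.
RULES = [
    (r"%AppData%\*.exe", DISALLOWED),
    (r"%AppData%\*\*.exe", DISALLOWED),
    (r"%AppData%\*\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\*.exe", DISALLOWED),
    (r"%LocalAppData%\*\*.exe", DISALLOWED),
    (r"%LocalAppData%\*\*\*.exe", DISALLOWED),
    (r"%Temp%\Rar*\*.exe", DISALLOWED),     # WinRAR extraction folders
    (r"%Temp%\7z*\*.exe", DISALLOWED),      # 7-Zip
    (r"%Temp%\wz*\*.exe", DISALLOWED),      # WinZip
    (r"%Temp%\*.zip\*.exe", DISALLOWED),    # Windows built-in zip folders
    ("%ProgramFiles%\\", UNRESTRICTED),     # folder rule: everything beneath it
    (r"%LocalAppData%\Google\Update\GoogleUpdate.exe", UNRESTRICTED),
]


def expand_env(rule, env=ENV):
    """Expand %VAR% references case-insensitively, as the SRP engine does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)


def rule_to_regex(expanded):
    """Translate an expanded path rule into a compiled regex.

    '*' and '?' match within one path component only (they do not cross a
    backslash), a rule ending in a backslash is a folder rule covering
    everything beneath it, and matching is case-insensitive like NTFS paths.
    """
    if expanded.endswith("\\"):
        return re.compile(re.escape(expanded) + r".*", re.IGNORECASE)
    pieces = []
    for ch in expanded:
        if ch == "*":
            pieces.append(r"[^\\]*")
        elif ch == "?":
            pieces.append(r"[^\\]")
        else:
            pieces.append(re.escape(ch))
    return re.compile("".join(pieces), re.IGNORECASE)


def evaluate(path, rules=RULES, env=ENV, default=UNRESTRICTED):
    """Security level SRP would apply to an executable launched from `path`.

    Every matching path rule is considered and the most specific one wins;
    this model approximates 'most specific' as the longest expanded rule text.
    With no match the default level (Unrestricted here) applies.
    """
    best = None
    for rule, level in rules:
        expanded = expand_env(rule, env)
        if rule_to_regex(expanded).fullmatch(path):
            if best is None or len(expanded) > len(best[0]):
                best = (expanded, level)
    return best[1] if best else default


def audit(paths, rules=RULES, env=ENV):
    """Map each candidate launch path to the decision the rule set gives it."""
    return {p: evaluate(p, rules, env) for p in paths}


# Constructed launch locations: dropper-style paths, a legitimate updater and
# an installer in Downloads, which these rules deliberately do not cover.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\crypt.exe",
    r"C:\Users\alice\AppData\Roaming\Xkjf\payload.exe",
    r"C:\Users\alice\AppData\Local\Temp\Rar$EX00.123\invoice.exe",
    r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
    r"C:\Users\alice\Downloads\setup.exe",
]

if __name__ == "__main__":
    for path, level in audit(SAMPLE_PATHS).items():
        print(f"{level:12} {path}")
```

Running the audit before rolling the kit out is the cheap way to find the two things that bite in practice: legitimate software that installs into the user profile and needs an explicit Unrestricted exception, and launch locations (Downloads in the sample) that the rule set does not cover at all, which is why the backups and the ad and spam blocking elsewhere in this article are still needed.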


How to add additional measures to prevent Crypto infections

The current version of CryptoWall 2.0 is using a vulnerability in Flash. Here are multiple measures to help prevent these infection vectors:

1) Virtualize Flash using the avast! sandbox
2) Do not install Flash or Java at all; use Chrome and its built-in Flash / Java emulators instead (not every app is compatible with the Chrome emulators)
3) Implement an ad blocking protocol
4) Implement an anti-spam protocol
5) Keep your backups current, as Shadow Copy doesn’t always work
6) Train your users about Advanced Persistent Threats (I personally receive over 50 different email phishing attempts daily)
7) Implement a gateway using anti-malware filters, or install Malwarebytes real-time Anti-spyware scanning (avast! and Malwarebytes play well together)

A recent report from the folks at Enterprise Management, from April 2014, shows that 56% of employees still receive NO security awareness training. According to employee responses in the survey report:
– 30% leave mobile devices unattended in their vehicle
– 33% use the same password for both work and personal devices
– 35% have clicked on a link in an email from an unknown sender
– 58% have sensitive information on their mobile devices
– 59% store work information in the Cloud

From the Virus Doctor, Ken Dwight, on Crypto prevention measures

• Subscribe to a cloud-based, automatic backup service. External hard drives, thumb drives, and mapped network drives will all be encrypted by any of these ransomware programs; only a cloud-based backup service is beyond their reach.
• Use a commercial (paid) Internet Security Suite, keep the definitions up to date, and perform a full scan daily.
• Add secondary protection against encrypting ransomware, such as CryptoPrevent.
• Apply all Windows Updates automatically, as soon as they are released.
• Be suspicious of any links in e-mails, even those to apparently legitimate sites.
• Be especially leery of opening any attachment, especially from alleged shippers (UPS, FedEx, DHL, USPS, Banks, etc.).
• Keep Adobe Flash, Air, Reader, and Shockwave updated at all times; ditto for Java, QuickTime, RealPlayer, Silverlight and other ancillary programs.

(NOTE: the avast! Software Updater will help to simplify this process)


How to step up the default Security settings for avast! Endpoint Protection versions

Also, here are the changes we make to the default settings of avast! Endpoint Protection versions (Plus, Suite, and Suite Plus):

For each of the “File System”, “Mail” and “Web” Shields, open the shield settings and choose Sensitivity, then set the “Heuristics sensitivity” to High and enable “Scan for potentially unwanted programs”.

Cloud services should also be enabled for the best protection.

For those users of the “Plus” versions using the Microsoft Outlook mail client, here are the most aggressive settings for the avast! anti-spam filter:

http://www.advantage77.com/2012/12/06/how-to-properly-use-the-avast-antispam-filter-for-outlook/


How to virtualize Flash Player in avast! Endpoint Protection versions

http://www.advantage77.com/2014/02/22/how-to-virtualize-flash-player-in-avast-endpoint-protection-version/


CryptoWall FireWalled – Spiceworks

http://community.spiceworks.com/topic/606109-cryptowall-firewalled?page=1#entry-3944808

CryptoWall attempted to call home over various ports such as FTP (21), SSH (22), SMTP (25), and POP3 (110).

176.10.100.226 – Port 22
198.74.60.26 – Port 110
62.210.82.44 – Port 21
148.251.40.50 – Port 110
146.0.42.110 – Port 25
56.0.79.5 – Port 21
62.210.82.44 – Port 21
81.173.240.81 – Port 110
109.239.48.152 – Port 22
217.79.181.50 – Port 21
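To turn the indicators above into something a firewall or log collector can act on, here is an added Python example (my own code, not from the Spiceworks thread) that parses iptables-style outbound log lines and flags two things: exact hits on the destination IP / port pairs listed above, and, as a lower-confidence generalization of the same observation, any workstation talking to ports 21, 22, 25 or 110 on a host that is not one of your own servers. The log format, the workstation subnet 10.0.0.0/24, the known-server addresses and the sample log lines are all constructed assumptions for this example.

```python
import ipaddress
import re

# Destination IP / port pairs quoted in the Spiceworks thread above.
CRYPTOWALL_CALLHOME = {
    ("176.10.100.226", 22),
    ("198.74.60.26", 110),
    ("62.210.82.44", 21),
    ("148.251.40.50", 110),
    ("146.0.42.110", 25),
    ("56.0.79.5", 21),
    ("81.173.240.81", 110),
    ("109.239.48.152", 22),
    ("217.79.181.50", 21),
}

# The service ports the call-home traffic hid behind, plus two assumptions:
# the workstation subnet and the internal hosts that legitimately serve those
# ports (mail relay and SFTP server). Both are constructed for this example.
CALLHOME_PORTS = {21, 22, 25, 110}
WORKSTATIONS = ipaddress.ip_network("10.0.0.0/24")
KNOWN_SERVERS = {"10.0.1.5", "10.0.1.6"}

# iptables-style log of outbound connection attempts (constructed sample;
# the public destinations other than the indicators are RFC 5737 test ranges).
SAMPLE_LOG = """\
Oct 30 09:14:02 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=176.10.100.226 PROTO=TCP SPT=49152 DPT=22
Oct 30 09:14:03 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=62.210.82.44 PROTO=TCP SPT=49153 DPT=21
Oct 30 09:14:05 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=10.0.1.5 PROTO=TCP SPT=49154 DPT=25
Oct 30 09:14:09 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=198.51.100.20 PROTO=TCP SPT=50211 DPT=443
Oct 30 09:14:11 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.77 PROTO=TCP SPT=49155 DPT=110
Oct 30 09:14:12 fw kernel: FW-OUT IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=198.51.100.9 PROTO=TCP SPT=33012 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract the 5-tuple from one log line, or None for lines without one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def classify(ev):
    """'KNOWN_C2' for an exact indicator hit, 'EGRESS_POLICY' for a workstation
    using a call-home port towards a host that is not one of ours, else None."""
    if (ev["dst"], ev["dpt"]) in CRYPTOWALL_CALLHOME:
        return "KNOWN_C2"
    src = ipaddress.ip_address(ev["src"])
    if src in WORKSTATIONS and ev["dpt"] in CALLHOME_PORTS and ev["dst"] not in KNOWN_SERVERS:
        return "EGRESS_POLICY"
    return None


def scan_log(text):
    """Run every parsable line through classify(); keep the alerts in log order."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict:
            alerts.append((verdict, ev["src"], ev["dst"], ev["dpt"]))
    return alerts


def hosts_to_isolate(alerts):
    """Source addresses with a confirmed indicator hit, deduplicated."""
    return sorted({src for verdict, src, _, _ in alerts if verdict == "KNOWN_C2"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for verdict, src, dst, dpt in found:
        print(f"{verdict:13} {src} -> {dst}:{dpt}")
    print("isolate:", ", ".join(hosts_to_isolate(found)))
```

An exact indicator hit is grounds to pull the source host off the network and start file recovery; the egress-policy hits are the review list, and they are also the argument for an outbound deny-by-default rule on those ports from the workstation subnet, which is the kind of egress filtering that stops this call-home traffic whether or not the destination address is already on a list.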


Sincerely,
J.R.  Guthrie
President
Advantage Micro Corporation
520-290-0595
jr@advantage77.com


“At this point in time, the Internet should be regarded as an Enemy Weapons System!”
