
19 July 2016

Prevent Cryptolocker Ransomware



UPDATED!
This subject is becoming more and more important, especially in business and wherever the data is sensitive.

For those who are unaware, this type of ransomware (usually after the user visits a malicious site and/or opens an executable attachment sent by e-mail) encrypts every file the user can write to, including mapped network drives. After the encryption the user is asked to pay a ransom (typically around 500 euros/dollars) for the decryption key. Once the files are encrypted there is normally no way back without that key, so prevention is the only reliable defence.

In this post I will show you nine ways to prevent it.


1. Attention

Pay close attention to all incoming e-mails. Check the sender and the subject. For example, if I have nothing on order from the post office and receive a delivery notification from them, I do not open that e-mail. The same goes for untrusted sites and for sites that show HTTPS certificate errors.

Always check the site name. For example, I will not log in to Millennium bank at https://www.milenium.pt, because one "L" is missing from the name. This is a typical phishing case and could lead you to click or download something dangerous.
So the first rule is ATTENTION! This type of ransomware almost always depends on a user action.

The most recent attacks use the same kind of encryption as before, but they spread differently: they exploit Windows vulnerabilities to move from machine to machine without any user action. The latest one, called Petya (the June 2017 variant), also changed what it encrypts: besides user files it overwrites the Master Boot Record (MBR) and encrypts the Master File Table, so the whole disk becomes unreadable. That disk-level stage only runs when the machine reboots, so a machine that shows signs of infection should be powered off and recovered offline, never restarted.

 
 
2. Install Windows Updates and Antivirus UPDATED!
 
Always keep the system updated. The latest attacks (WannaCry and Petya) spread through an SMBv1 vulnerability that Microsoft had already fixed in March 2017 with security bulletin MS17-010; machines with that update installed cannot be reached by the exploit component. Petya also spreads with stolen administrator credentials, so patching alone is not enough: keep the antivirus updated and limit who is a local administrator.

These are the file hashes (SHA-1; the last two are SHA-256 of the dropper document and binary) that antivirus vendors published as indicators for Petya. Use them to search your systems or to feed your AV/EDR block lists:
  • a809a63bc5e31670ff117d838522dec433f74bee
  • bec678164cedea578a7aff4589018fa41551c27f
  • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
  • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
  • 0ff07caedad54c9b65e5873ac2d81b3126754aac
  • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
  • 7ca37b86f4acc702f108449c391dd2485b5ca18c
  • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
  • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
  • 82920a2ad0138a2a8efc744ae5849c6dde6b435d
  • myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
  • BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
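The following PowerShell sweep is an added example, not code from the original post: it hashes the files in the folders where droppers usually land and compares them with the indicator list above, then reports whether the MS17-010 update is present and whether SMBv1 is still enabled. The KB numbers are assumptions for specific builds (KB4012212 and KB4012215 for Windows 7 SP1 / Server 2008 R2, KB4013429 for Windows 10 1607); other builds use other KBs, so check the bulletin for yours.

```powershell
# Added example (not from the original post): sweep folders for the Petya
# indicator hashes listed above and check the SMBv1 patch status.
# Assumptions: run as administrator on Windows 8.1/Server 2012 R2 or later
# (Get-FileHash needs PowerShell 4.0, Get-SmbServerConfiguration needs the
# SmbShare module). KB numbers below are the MS17-010 packages for Windows 7
# SP1/2008 R2 and Windows 10 1607; adjust them for your OS builds.

$Sha1Iocs = @(
    'a809a63bc5e31670ff117d838522dec433f74bee', 'bec678164cedea578a7aff4589018fa41551c27f',
    'd5bf3f100e7dbcc434d7c58ebf64052329a60fc2', 'aba7aa41057c8a6b184ba5776c20f7e8fc97c657',
    '0ff07caedad54c9b65e5873ac2d81b3126754aac', '51eafbb626103765d3aedfd098b94d0e77de1196',
    '078de2dc59ce59f503c63bd61f1ef8353dc7cf5f', '7ca37b86f4acc702f108449c391dd2485b5ca18c',
    '2bc182f04b935c7e358ed9c9e6df09ae6af47168', '1b83c00143a1bb2bf16b46c01f36d53fb66f82b5',
    '82920a2ad0138a2a8efc744ae5849c6dde6b435d'
)
$Sha256Iocs = @(
    'ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6',  # myguy.xls
    '17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd'   # BCA9D6.exe
)

function Find-IocMatches {
    param([Parameter(Mandatory)][string[]]$Paths)
    Get-ChildItem -Path $Paths -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            try {
                # Get-FileHash returns upper-case hex; normalise to lower case for comparison
                $sha1   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1   -ErrorAction Stop).Hash.ToLower()
                $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
            } catch { return }   # locked or unreadable file: skip it
            if ($Sha1Iocs -contains $sha1 -or $Sha256Iocs -contains $sha256) {
                [pscustomobject]@{ Path = $f.FullName; SHA1 = $sha1; SHA256 = $sha256 }
            }
        }
}

function Test-Ms17010 {
    $Kbs = 'KB4012212', 'KB4012215', 'KB4013429'   # assumption: extend for your builds
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        Ms17010Installed = [bool]$installed
        InstalledKBs     = ($installed.HotFixID -join ', ')
        Smb1Enabled      = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Usage: look where droppers land, then report the patch state
Find-IocMatches -Paths "$env:USERPROFILE\Downloads", $env:TEMP, $env:APPDATA | Format-Table -AutoSize
Test-Ms17010

# If SMBv1 is still enabled and nothing needs it, turn it off as well:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

A hash match only proves that the exact known sample is present; repacked variants will not match, so treat an empty result as "nothing known found", not as "clean".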


3. Block Untrusted IPs and Websites UPDATED!

If you have a firewall (I suppose you do) and you can manage it, block the public IP addresses known to be used by the ransomware to contact its command-and-control servers, and block outbound traffic to untrusted websites in general. Your antivirus vendor or threat-intelligence feed publishes these addresses together with the file hashes above.


4. Trusted DNS

This is a simple configuration that makes a big difference. If you replace your ISP's public DNS servers with OpenDNS, for example, you significantly reduce your risk of infection:

  • DNS1: 208.67.222.222
  • DNS2: 208.67.220.220
The ISP's resolvers answer any query. OpenDNS refuses to resolve domains that are on its phishing and malware block lists, so a dropper that tries to download its payload or contact its command-and-control domain gets no answer.
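Points 3 and 4 applied on a Windows endpoint with PowerShell, as an added example that is not part of the original post. It switches the client to OpenDNS, blocks outbound DNS to every other IPv4 address so that malware cannot bypass the filter with its own resolver, and blocks a list of bad addresses. The interface alias "Ethernet" is an assumption, and the addresses in $BadHosts are placeholders from the TEST-NET documentation ranges, not real indicators.

```powershell
# Added example (not part of the original post): apply points 3 and 4 on a
# Windows endpoint. Assumptions: run as administrator on Windows 8/Server 2012
# or later (DnsClient and NetSecurity modules); "Ethernet" is the interface
# alias to adjust; $BadHosts holds placeholder addresses (TEST-NET ranges).

$OpenDns  = '208.67.222.222', '208.67.220.220'
$BadHosts = '192.0.2.10', '198.51.100.0/24'   # placeholders: replace with real C2 indicators

function Get-IpComplementRanges {
    # Windows Firewall has no "any address except X", and a Block rule always
    # wins over an Allow rule, so to block DNS to everyone but the trusted
    # resolvers we block the IPv4 ranges *between* them instead.
    param([Parameter(Mandatory)][string[]]$Except)
    $toInt = { param($ip)
        $b = ([System.Net.IPAddress]$ip).GetAddressBytes()           # network order
        [System.BitConverter]::ToUInt32([byte[]]($b[3], $b[2], $b[1], $b[0]), 0) }
    $toIp = { param([uint32]$n)
        $b = [System.BitConverter]::GetBytes($n); [array]::Reverse($b)
        $b -join '.' }
    $ranges = @()
    $start  = & $toInt '1.0.0.0'   # 0.0.0.0/8 is not routable, start after it
    foreach ($n in ($Except | ForEach-Object { & $toInt $_ } | Sort-Object -Unique)) {
        if ($n -gt $start) {
            $ranges += ('{0}-{1}' -f (& $toIp $start), (& $toIp ([uint32]($n - 1))))
        }
        $start = [uint32]($n + 1)
    }
    $ranges += ('{0}-255.255.255.255' -f (& $toIp $start))
    return $ranges
}

# 1. Use OpenDNS instead of the ISP resolver
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $OpenDns

# 2. Allow DNS only to OpenDNS: block UDP/TCP 53 to every other IPv4 address
$notOpenDns = Get-IpComplementRanges -Except $OpenDns
foreach ($proto in 'UDP', 'TCP') {
    New-NetFirewallRule -DisplayName "Block DNS to untrusted resolvers ($proto)" -Direction Outbound `
        -Protocol $proto -RemotePort 53 -RemoteAddress $notOpenDns -Action Block | Out-Null
}

# 3. Block the known command-and-control addresses outright, any port/protocol
New-NetFirewallRule -DisplayName 'Block ransomware C2 addresses' -Direction Outbound `
    -RemoteAddress $BadHosts -Action Block | Out-Null

# 4. Verify: the client now resolves through OpenDNS, and OpenDNS's documented
#    test domain resolves to its block page instead of the real host
Get-DnsClientServerAddress -InterfaceAlias 'Ethernet' -AddressFamily IPv4
Resolve-DnsName -Name 'internetbadguys.com' -Type A
```

For OpenDNS the complement comes out as three ranges (1.0.0.0-208.67.220.219, 208.67.220.221-208.67.222.221, 208.67.222.223-255.255.255.255). The rules cover IPv4 only; add the IPv6 resolvers and an IPv6 block the same way if your network routes IPv6, and do the same port 53 restriction on the perimeter firewall so a machine whose local firewall is switched off is still covered.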

 


 

 

 
5. Using File Screening Management
 
Use the File Server Resource Manager (FSRM) file screening feature to block some extensions, such as ECC (a common extension of encrypted files). This is not a complete solution, since ransomware families change their extensions all the time, but you can always add more extensions to the list. Note that this only protects file servers; it does nothing for a workstation's local disk.

 

The extensions known so far are:
*.k,*.encoderpass,*.key,*.ecc,*.ezz,*.exx,*.zzz,*.xyz,*.aaa,*.abc,*.ccc,*.vvv,*.xxx,*.ttt,*.micro,
*.encrypted,*.locked,*.crypto,_crypt,*.crinf,*.r5a,*.xrtn,*.XTBL,*.crypt,*.R16M01D05,*.pzdc,
*.good,*.LOL!,*.OMG!,*.RDM,*.RRK,*.encryptedRSA,*.crjoker,*.EnCiPhErEd,*.LeChiffre,
*.0x0,*.bleep,*.1999,*.vault,*.HA3,*.toxcrypt,*.magic,*.SUPERCRYPT,*.CTBL,*.CTB2,*.locky

You can use this Script to automate the File Server Configuration:
https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce

You can also configure FSRM to send an e-mail when one of these extensions is written, and to run a script that, for example, blocks the offending user's access to the shares. One of my favourites is to block access to the mapped drives (you can see the full script in the link above). The original uses subinacl to deny the user on the share (the trailing $ makes it a hidden share):

  • & C:\subinacl.exe /verbose=1 /share "\\127.0.0.1\$SharePart`$" /deny=$BadUser

And to give access back, using the built-in SMB cmdlets (no subinacl needed):

  • Get-SmbShare | Unblock-SmbShareAccess -AccountName $BadUser -Force
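The whole FSRM setup from PowerShell, as an added example that is neither the linked TechNet script nor code from the original post: a file group with the extension list above, an e-mail notification, and a command action that immediately denies the writing account on every share using Block-SmbShareAccess (the modern replacement for the subinacl call). D:\Shares, the SMTP host and the mailbox addresses are placeholders.

```powershell
# Added example (not the TechNet script linked above): configure FSRM so that
# writing any known ransomware extension to a share sends an e-mail and
# immediately denies that user on every share.
# Assumptions: Windows Server 2012 R2 or later with the FSRM role
# (Install-WindowsFeature FS-Resource-Manager); D:\Shares, smtp.example.local
# and the mailbox addresses are placeholders.

Import-Module FileServerResourceManager

# Extension list from above. "_crypt" needs a leading wildcard to be a pattern.
$Patterns = @(
    '*.k','*.encoderpass','*.key','*.ecc','*.ezz','*.exx','*.zzz','*.xyz','*.aaa','*.abc',
    '*.ccc','*.vvv','*.xxx','*.ttt','*.micro','*.encrypted','*.locked','*.crypto','*_crypt',
    '*.crinf','*.r5a','*.xrtn','*.XTBL','*.crypt','*.R16M01D05','*.pzdc','*.good','*.LOL!',
    '*.OMG!','*.RDM','*.RRK','*.encryptedRSA','*.crjoker','*.EnCiPhErEd','*.LeChiffre','*.0x0',
    '*.bleep','*.1999','*.vault','*.HA3','*.toxcrypt','*.magic','*.SUPERCRYPT','*.CTBL','*.CTB2','*.locky'
)

# Mail settings used by the Email action ([Admin Email] below expands to AdminEmailAddress)
Set-FsrmSetting -SmtpServer 'smtp.example.local' -AdminEmailAddress 'it-admins@example.local' `
    -FromEmailAddress 'fsrm@example.local'

# File group holding the extensions; re-run this block to add new ones
$GroupName = 'Ransomware Extensions'
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
}

# Action 1: notify. [Source Io Owner], [Source File Path], [Server] and
# [Violated File Group] are FSRM variables expanded when the screen fires.
$Mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware pattern written on [Server]' `
    -Body 'User [Source Io Owner] wrote [Source File Path] (file group: [Violated File Group]). Share access for that account is being blocked.'

# Action 2: deny the offending account on every non-administrative share.
# Runs as LocalSystem; RunLimitInterval stops it firing for every single file.
$Block = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-NoProfile -ExecutionPolicy Bypass -Command "Get-SmbShare -Special $false | Block-SmbShareAccess -AccountName ''[Source Io Owner]'' -Force"' `
    -SecurityLevel LocalSystem -KillTimeOut 2 -RunLimitInterval 1 -ShouldLogError

# Active screen (blocks the write) on the share root, with both notifications
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup $GroupName -Active `
    -Notification $Mail, $Block -Description 'Ransomware canary' | Out-Null

# Check the result
Get-FsrmFileScreen -Path 'D:\Shares' | Select-Object Path, Active, IncludeGroup
```

Two caveats before turning this on: "*.key" and "*.crypt" will also catch legitimate files (certificate keys, for instance), so review the list against what your users actually store; and the Block action denies whatever account wrote the file, which is exactly what you want for a user but painful if a backup or application service account trips it, so exclude those accounts or test with the screen in passive mode (omit -Active) first. Restore access afterwards with Get-SmbShare | Unblock-SmbShareAccess -AccountName <user> -Force.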


6. Configure GPOs (Group Policy Objects)

This is very helpful because with Software Restriction Policies you can stop executables from running out of the locations ransomware droppers typically land in: the user's AppData folder and the Temp folders where archivers extract e-mail attachments. Here is how to do it:
  • Open Local Security Policy or the Group Policy Management editor and create a new GPO.
  • Name the new GPO "Prevent Cryptolocker" or something similar that is easy to remember.
  • Choose Computer Configuration and navigate through Policies:
    • Windows Settings - Security Settings - Software Restriction Policies
  • Right-click Software Restriction Policies and choose New Software Restriction Policies from the context menu.
  • Now create the rules that catch the software you want to restrict. Right-click Additional Rules in the left-hand pane and choose New Path Rule.
  • Use the following table to fill out the rest of this GPO, one path rule per row, each with the security level Disallowed. Test on a pilot group first: some legitimate programs (per-user installers and auto-updaters, for example) also run from AppData and will be blocked by the first two rules.
 
Security level   Path                                           Description
Disallowed       %AppData%\*.exe                                Prevent Cryptolocker executables from running in AppData
Disallowed       %AppData%\*\*.exe                              Prevent virus payloads from executing in subfolders of AppData
Disallowed       %LocalAppData%\Temp\Rar*\*.exe                 Prevent executables extracted by WinRAR from e-mail attachments from running in user space
Disallowed       %LocalAppData%\Temp\7z*\*.exe                  Prevent executables extracted by 7-Zip from e-mail attachments from running in user space
Disallowed       %LocalAppData%\Temp\wz*\*.exe                  Prevent executables extracted by WinZip from e-mail attachments from running in user space
Disallowed       %LocalAppData%\Temp\*.zip\*.exe                Prevent executables opened straight from a .zip attachment from running in user space
Disallowed       %UserProfile%\Local Settings\Temp\Rar*\*.exe   Same as the WinRAR rule, for the Windows XP/2003 profile layout
Disallowed       %UserProfile%\Local Settings\Temp\7z*\*.exe    Same as the 7-Zip rule, for the Windows XP/2003 profile layout
Disallowed       %UserProfile%\Local Settings\Temp\wz*\*.exe    Same as the WinZip rule, for the Windows XP/2003 profile layout
Disallowed       %UserProfile%\Local Settings\Temp\*.zip\*.exe  Same as the .zip rule, for the Windows XP/2003 profile layout
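The same GPO built from PowerShell, as an added example that is not part of the original post. Software Restriction Policies have no cmdlets of their own; a GPO stores them as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, so the GroupPolicy module's Set-GPRegistryValue is used to write exactly what the editor writes when you click through the steps above. It assumes a domain-joined machine with RSAT (GroupPolicy module) and rights to create GPOs; the GPO name and the ExecutableTypes list are the editor's defaults.

```powershell
# Added example (not part of the original post): create the "Prevent
# Cryptolocker" GPO and its Software Restriction Policy path rules.
# Assumptions: RSAT GroupPolicy module, rights to create GPOs. Link the GPO
# to a pilot OU afterwards with New-GPLink before rolling it out.

Import-Module GroupPolicy

$GpoName = 'Prevent Cryptolocker'
$Safer   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Path => description, straight from the table above
$Rules = [ordered]@{
    '%AppData%\*.exe'                               = 'Prevent Cryptolocker executables from running in AppData'
    '%AppData%\*\*.exe'                             = 'Prevent virus payloads from executing in subfolders of AppData'
    '%LocalAppData%\Temp\Rar*\*.exe'                = 'Prevent executables extracted by WinRAR from e-mail attachments'
    '%LocalAppData%\Temp\7z*\*.exe'                 = 'Prevent executables extracted by 7-Zip from e-mail attachments'
    '%LocalAppData%\Temp\wz*\*.exe'                 = 'Prevent executables extracted by WinZip from e-mail attachments'
    '%LocalAppData%\Temp\*.zip\*.exe'               = 'Prevent executables opened straight from a .zip attachment'
    '%UserProfile%\Local Settings\Temp\Rar*\*.exe'  = 'WinRAR rule for the Windows XP/2003 profile layout'
    '%UserProfile%\Local Settings\Temp\7z*\*.exe'   = '7-Zip rule for the Windows XP/2003 profile layout'
    '%UserProfile%\Local Settings\Temp\wz*\*.exe'   = 'WinZip rule for the Windows XP/2003 profile layout'
    '%UserProfile%\Local Settings\Temp\*.zip\*.exe' = '.zip rule for the Windows XP/2003 profile layout'
}

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'SRP path rules against ransomware droppers' | Out-Null
}

function Set-SaferValue([string]$Key, [string]$Name, [string]$Type, $Value) {
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

# Policy-wide settings the editor writes for "New Software Restriction Policies":
# default level Unrestricted (0x40000), enforce on all files, apply to all users,
# and the default list of file types treated as executable.
Set-SaferValue $Safer 'DefaultLevel'        'DWord' 262144
Set-SaferValue $Safer 'TransparentEnabled'  'DWord' 1
Set-SaferValue $Safer 'PolicyScope'         'DWord' 0
Set-SaferValue $Safer 'AuthenticodeEnabled' 'DWord' 0
Set-SaferValue $Safer 'ExecutableTypes'     'MultiString' @('ADE','ADP','BAS','BAT','CHM','CMD','COM',
    'CPL','CRT','EXE','HLP','HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX',
    'PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# Each Disallowed (level 0) path rule is a GUID-named subkey under ...\0\Paths.
# ItemData is REG_EXPAND_SZ so %AppData% is expanded per user at run time.
foreach ($path in $Rules.Keys) {
    $key = "$Safer\0\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"
    Set-SaferValue $key 'ItemData'    'ExpandString' $path
    Set-SaferValue $key 'SaferFlags'  'DWord'        0
    Set-SaferValue $key 'Description' 'String'       $Rules[$path]
}

# Review the result in the GPMC report before linking the GPO
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Software Restriction Policies are evaluated by the SRP engine on the client regardless of whether the values were written by the editor or by this script, so the GPMC editor shows the rules normally afterwards. On Windows 10 and Server 2016 and later, AppLocker (or Windows Defender Application Control) does the same job with publisher rules that are harder to bypass than path rules, but SRP still works on every supported edition and needs no licensing tier.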
 

It will look like this:



UPDATED!

To stop the June 2017 Petya variant you can also use a GPO (Group Policy Preferences > Files, or a startup script) to place a read-only file called perfc.dat in C:\Windows\.
This works because, before it encrypts anything, Petya checks whether a file with its own name already exists in the Windows folder and exits if it does. The original file name is perfc, so create perfc, perfc.dat and perfc.dll to cover the reported variants. It is a kill switch for this one family only, not a general protection, and it does nothing against other ransomware.
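The vaccine as a script, an added example that is not part of the original post. It creates the three files, marks them read-only and verifies the result, so it can run as a GPO startup script or be checked from a monitoring job. It assumes it runs as administrator (writing to C:\Windows requires it).

```powershell
# Added example (not part of the original post): drop the Petya vaccine files
# and verify them. Assumption: run as administrator; %WINDIR% is C:\Windows.

$VaccineFiles = 'perfc', 'perfc.dat', 'perfc.dll' | ForEach-Object { Join-Path $env:windir $_ }

function Install-PetyaVaccine {
    foreach ($file in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $file)) {
            New-Item -ItemType File -Path $file -Force | Out-Null
        }
        # Read-only so the malware (or a careless user) cannot simply replace it
        Set-ItemProperty -LiteralPath $file -Name IsReadOnly -Value $true
    }
}

function Test-PetyaVaccine {
    # $true only if every file exists and is read-only; warns about each gap
    $ok = $true
    foreach ($file in $VaccineFiles) {
        $item = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
        if (-not $item -or -not $item.IsReadOnly) {
            Write-Warning "Vaccine file missing or writable: $file"
            $ok = $false
        }
    }
    return $ok
}

Install-PetyaVaccine
Test-PetyaVaccine   # expect True
```

The read-only attribute only stops an accidental overwrite; an administrator-level process can clear it. The point of the vaccine is that the malware checks for the file's existence and quits, so existence is what Test-PetyaVaccine verifies first.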






7. Macros

Don't enable macros in files whose source you don't know. If you turn them on, you can run malicious code on your computer, including malware: this is how most Office-based droppers get in.
The same applies to Office documents and to JavaScript in PDFs opened with Acrobat, which can be switched off in the same way.





8. Extensions

Windows hides the extensions of known file types by default. Disable this option (through Group Policy, for instance) so that extensions are visible. You don't want a user to click on a file from an e-mail that appears as report.pdf and only realise afterwards that its full name is report.pdf.exe with a PDF icon. This double-extension trick is one of the most common ways to get malicious code executed.
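Points 7 and 8 pushed through one GPO, as an added example that is not part of the original post. The Office keys are Microsoft's documented Office policy registry paths (16.0 is Office 2016/2019/365; use 15.0 for 2013 and 14.0 for 2010), the Acrobat key is Adobe's Reader DC FeatureLockDown key from its preference reference, and HideFileExt is the Explorer setting behind "Hide extensions for known file types". The GPO name is a placeholder, and the machine needs the RSAT GroupPolicy module.

```powershell
# Added example (not part of the original post): macro and file-extension
# hardening from points 7 and 8 via a GPO. Assumptions: RSAT GroupPolicy
# module, rights to create GPOs; Office 16.0 and Reader DC key paths, adjust
# the version segment for other releases.

Import-Module GroupPolicy

$GpoName = 'Ransomware - User Hardening'   # placeholder name
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default,
# the user can click "Enable Content"), 3 = disable all except digitally
# signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
# Mark-of-the-Web (downloaded or received by e-mail); Office 2016 and later.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'VBAWarnings' -Type DWord -Value 3 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'blockcontentexecutionfrominternet' -Type DWord -Value 1 | Out-Null
}

# Acrobat Reader DC: disable JavaScript (the PDF equivalent of macros) and lock it
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' `
    -ValueName 'bDisableJavaScript' -Type DWord -Value 1 | Out-Null

# Point 8: show extensions so "report.pdf.exe" is visible. HideFileExt is a
# user preference rather than a true policy, so this "tattoos" the value; it
# is re-applied at every refresh, which is enough to undo users flipping it back.
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ValueName 'HideFileExt' -Type DWord -Value 0 | Out-Null

# Review before linking (New-GPLink -Name $GpoName -Target "OU=Pilot,DC=example,DC=local")
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

VBAWarnings = 3 keeps signed in-house macros working while refusing everything else; if you have no signed macros at all, 4 removes even the prompt. The Office values must be under the user hive (HKCU), since the GPO's Computer Configuration cannot set them.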





9. CryptoPrevent

You can install some software to prevent this Ransomware. Basically it will configure some of the previous points that I showed to you.

There has also been some good news regarding ransomware. People whose data or devices were affected by the Crysis ransomware family (detected by ESET as Win32/Filecoder.Crysis) can now recover their files at no cost. ESET's decryptor has been updated with newly released decryption keys and can now help victims of six variants of this family, each identifiable by the extension it appends: .xtbl, .crysis, .crypt, .lock, .crypted and .dharma.
The link is here:
https://download.eset.com/com/eset/tools/decryptors/crysis/latest/esetcrysisdecryptor.exe


And... don't forget the first point.... I mean, pay attention!


What to do if infected?
  • Disconnect the workstation or server from the network immediately (pull the cable, disable Wi-Fi) so the encryption of network shares and the spreading stop; power it off rather than rebooting it;
  • Find the source of the infection: which user account wrote the encrypted files, and from which machine; isolate that machine and disable that account;
  • Do not pay: paying funds and encourages further attacks, and does not guarantee a working key;
  • Reformat the infected machine; do not trust a "cleaned" one;
  • Restore the files from a backup that the infected account could not write to;
  • Restore the entire affected VM from a snapshot if applicable.
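First-response triage on a file server, as an added example that is not part of the original post: it finds which account owns the freshly written encrypted files and ransom notes, which client that account is connected from, and then (once you have confirmed it is not a service account) denies the account on every share, drops its open SMB sessions and disables it in Active Directory. It assumes it runs as administrator on the file server (SmbShare module, Server 2012 or later) with the ActiveDirectory module available; D:\Shares and the pattern list are placeholders to adjust.

```powershell
# Added example (not part of the original post): identify and contain the
# account and host behind an ongoing encryption on a file server.
# Assumptions: run as administrator on the file server (SmbShare module),
# ActiveDirectory module present; D:\Shares and $BadPatterns are placeholders.

$SharesRoot  = 'D:\Shares'
$BadPatterns = '*.locky', '*.ecc', '*.micro', '*.zzz', '*HELP_DECRYPT*', '*RECOVER*'

function Find-RansomwareWriter {
    # The NTFS owner of the encrypted files / ransom notes is the compromised
    # account; rank owners by how many recent hits they have.
    param([string]$Root, [string[]]$Patterns)
    Get-ChildItem -Path $Root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 500 |
        ForEach-Object { (Get-Acl -LiteralPath $_.FullName).Owner } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

function Get-SourceHost {
    # Live SMB sessions for the account reveal the infected client's address
    param([string]$Account)                 # e.g. CORP\jsmith
    $user = ($Account -split '\\')[-1]
    Get-SmbSession | Where-Object { $_.ClientUserName -like "*\$user" } |
        Select-Object ClientComputerName, ClientUserName, NumOpens
}

function Invoke-Containment {
    param([string]$Account, [string]$ClientAddress)
    # 1. Deny the account on every non-admin share (immediate, no AD replication wait)
    Get-SmbShare -Special $false | Block-SmbShareAccess -AccountName $Account -Force
    # 2. Drop its sessions so handles already open cannot keep writing
    Get-SmbSession | Where-Object { $_.ClientComputerName -eq $ClientAddress } | Close-SmbSession -Force
    # 3. Disable the account in AD so it cannot reconnect from another machine
    Disable-ADAccount -Identity (($Account -split '\\')[-1])
}

$writers = Find-RansomwareWriter -Root $SharesRoot -Patterns $BadPatterns
$writers | Format-Table -AutoSize
if ($writers) {
    $top   = $writers[0].Account
    $hosts = Get-SourceHost -Account $top
    $hosts | Format-Table -AutoSize
    # Uncomment once you have confirmed $top is a user, not a backup/service account:
    # foreach ($h in $hosts) { Invoke-Containment -Account $top -ClientAddress $h.ClientComputerName }
}
```

Do this before touching backups: restoring while the compromised account still has write access just re-encrypts the restored files. Keep the output of the two Format-Table calls, since the account name and client address are the evidence you need to find the original e-mail or download on that machine.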
