Workplace hit by cryptolocker virus

Associate | Joined 20 Jul 2007 | Posts 862
Malwarebytes have a beta running for ransomware. Can't wait to get it for the business; the amount of people who don't understand how to avoid infecting the network is unreal.
 
Associate | Joined 20 Aug 2003 | Posts 2,139 | Location: The Republic
For those of you querying how an encryption malware could spread across the entire network of the OP's organisation, the latest and greatest variants such as SamSam and Maktub are now leveraging the old-fashioned "worm" techniques to traverse horizontally through a network; they no longer require users to click on an attachment. Without seeing a full forensic breakdown of what happened with the OP's IT system I can't be definite, but I'd definitely lean towards the email attachment clicked on by the finance bod being simply a trojan dropper such as Angler or Neutrino used to gain a foothold onto the network - the cryptolocker was then probably downloaded once the trojan contacted its CnC network. Sadly these types of "blended" threats are only going to become more prevalent.

As far as prevention is concerned, there is no such thing as 100% security, and the old adage that you can't patch users will always hold true. Having said that, given that I deal with this sort of thing as a living I'll throw my tuppence in on what I've seen work to prevent the impact of these outbreaks:

  • Patch, Patch, Patch: If you've not got a robust and frequent patching schedule in place you're toast (and you've probably already been compromised). This schedule needs to include things like Flash, Java, Adobe etc. as they are more popular than Microsoft these days for exploits.
  • Check your patching: It seems a simple idea, but I've seen a lot of organisations assume that their patches have been deployed successfully when actually the device hasn't been rebooted. Consider using a vulnerability scanner such as Nessus to check that they actually have been applied.
  • White-list Apps: Most recent variants of ransomware don't need Admin rights to run; they work quite happily in the user space and simply leverage standard Windows API calls to access files. Defining a white-list of executables that can run on a system (and denying anything else) is really the only way to stop these things from executing, but it's an almighty PITA to do, which is why it normally gets filed under "too hard".
  • Use DNS sinkholing: This is a nice simple effective way of preventing quite a lot of trojans and malware from talking to their CnC systems (and hence from doing anything even if they do get onto your network). A useful guide and script for Windows DNS systems is available at https://cyber-defense.sans.org/blog/2010/08/31/windows-dns-server-blackhole-blacklist
  • Educate your users: Nearly always the most neglected thing I see. The method outlined by others in this thread whereby "test" phishing emails are sent out to users is really effective, as are regular user awareness events (try and make them fun and interesting, otherwise no-one will pay any attention!).
  • Backups: For your own sake, make sure that you've got decent backups and they are off-site. Unlike the OP's network, make sure that the on-site ones are held on a segregated system that isn't accessible from the production network.


There's other stuff relating to privileged accounts that I'll document if anyone's interested but hopefully some will find the above list useful. Bear in mind that a lot of companies will sell you a lot of very expensive "magic bullets" to deal with this sort of thing but they will all fail if the basics listed above are not observed.

Regards,

John
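An added example of the DNS sinkholing John describes above, written here for this thread and not taken from the post or from the SANS guide it links. It uses the DnsServer PowerShell module on a Windows DNS server; the two domains are constructed placeholders and 10.10.10.250 is an assumed internal sinkhole host that accepts and logs the redirected connections.

```powershell
# Added example (not from the thread): sinkhole a list of CnC domains on a
# Windows DNS server. Each domain becomes an authoritative zone whose apex and
# wildcard resolve to an internal sinkhole host, so infected machines never
# reach their real CnC and every lookup shows up in the sinkhole's logs instead.
# Assumptions: runs on the DNS server; the domains are constructed placeholders;
# 10.10.10.250 is an internal host that accepts and logs the connections.

$SinkholeIP = "10.10.10.250"
$BlockList  = @("cnc-placeholder-1.example", "cnc-placeholder-2.example")  # constructed

foreach ($domain in $BlockList) {
    # Skip domains already sinkholed so the script can be re-run as the list grows.
    if (Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue) { continue }

    # Own the whole domain; no dynamic updates so nothing can alter the records.
    Add-DnsServerPrimaryZone -Name $domain -ZoneFile "$domain.dns" -DynamicUpdate None

    # Apex and wildcard both point at the sinkhole, so sub-domains are caught too.
    # A short TTL keeps clients from caching the answer long once a domain is removed.
    Add-DnsServerResourceRecordA -ZoneName $domain -Name "@" -IPv4Address $SinkholeIP -TimeToLive 00:05:00
    Add-DnsServerResourceRecordA -ZoneName $domain -Name "*" -IPv4Address $SinkholeIP -TimeToLive 00:05:00
}

# Verify: an arbitrary host under each domain must now resolve to the sinkhole.
foreach ($domain in $BlockList) {
    Resolve-DnsName -Name "update.$domain" -Server localhost -Type A |
        Select-Object Name, IPAddress
}
```

Whatever connects to the sinkhole host is a machine worth isolating, so its connection log doubles as an infection detector for the "brought in from offsite" case mentioned later in the thread.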
 
Soldato | Joined 30 Sep 2005 | Posts 16,553
This is why, if you can, have your end clients stripped bare to just the OS (or use zero clients) and use App-V (inc. connection groups) together with a white list.

I'm running a project over this coming summer to replace clients with zero clients.

When you have thousands of clients, it's easier to patch/upgrade the platform than the entire fleet of client machines.

Not 100%
 
Soldato | Joined 26 Sep 2007 | Posts 4,137 | Location: Newcastle
The most recent version of Locky goes looking for any shares on a LAN and will encrypt on unmapped shares.

If anything, the malware which renames files in some cases (e.g. Locky or Tesla) makes spotting them easier. The earlier versions which left the file names untouched might send you looking at a few corrupt Office documents until the penny dropped. Now once you see .locky files, you know it's time to start restoring...

On a Windows file server, you can configure File Server Resource Manager to deny writing of certain file extensions (with e-mail alerts), e.g.

http://olivermarshall.net/using-file-screening-to-help-block-cryptolocker/

We were lucky with this one, it got stuck whilst encrypting an unimportant machine and didn't reach anything vital.

I can't believe the amount of companies out there that don't have SPF record based spam filtering; it would stop a lot of these kinds of things dead in their tracks before they even hit the mail servers.
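The File Server Resource Manager screen mentioned above, as an added example written for this thread rather than code from the post or the linked guide. It uses the FileServerResourceManager PowerShell module (Windows Server 2012 and later); the share path, SMTP relay and mailbox are assumed placeholders, and the blocked names are the two extensions this thread names (.locky and .coverton).

```powershell
# Added example (not from the thread): an active FSRM file screen that denies
# writes of known ransomware file names to a share, emails an alert and logs an
# event for the SIEM. Assumptions: the share lives under D:\Shares, the SMTP
# relay is smtp.example.internal and alerts go to soc@example.internal.

# Where FSRM sends its notifications (run once per server).
Set-FsrmSetting -SmtpServer "smtp.example.internal" `
                -FromEmailAddress "fsrm@example.internal" `
                -AdminEmailAddress "soc@example.internal"

# File group of names the screen blocks: the two extensions seen in this
# thread. Extend the list as new variants appear; the screen matches by name.
New-FsrmFileGroup -Name "Ransomware extensions" -IncludePattern @("*.locky", "*.coverton")

# Email action. [Source Io Owner], [Source File Path] and [Server] are FSRM
# template variables expanded when the alert fires, so the mail names the
# account and the path that tripped the screen.
$mail = New-FsrmAction -Type Email `
        -MailTo "[Admin Email]" `
        -Subject "Ransomware extension written on [Server]" `
        -Body "User [Source Io Owner] tried to write [Source File Path]. Isolate that user's workstation and check the share for other renamed files."

# Event log entry as well, so a SIEM can pick it up without relying on mail.
$log = New-FsrmAction -Type Event -EventType Warning `
       -Body "Ransomware extension written by [Source Io Owner]: [Source File Path]"

# -Active means matching writes are denied, not just reported (passive screens
# only notify). The deny also stops the rename that most of these variants do.
New-FsrmFileScreen -Path "D:\Shares" `
                   -IncludeGroup "Ransomware extensions" `
                   -Notification @($mail, $log) `
                   -Active

# Confirm the screen is in place and active on the share.
Get-FsrmFileScreen -Path "D:\Shares" | Format-List Path, Active, IncludeGroup
```

As the post above notes, this only catches variants that rename files; one that keeps the original names passes the screen, so it complements rather than replaces segregated backups.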
 
Associate | Joined 20 Dec 2006 | Posts 1,203
I've just asked our MD to increase our offsite backup quantities, currently monthly so we'd be royally screwed by crypto.

We regularly receive zero-day infected attachments, mainly .docx, .xlsx and .pdf. The Word and Excel documents generally contain VBA code that will download trojans.

I tend to upload them to http://malwr.com/ as, even if no AVs are currently detecting them, you can see screenshots of what the file looks like in a sandboxed environment.

Here's a file received a few weeks back:
https://malwr.com/analysis/ODJhZjU0NTc2YjI5NGUyYjlkYzE0NzYyZjI3ZTczYTE/
 
Soldato | Joined 29 Aug 2006 | Posts 4,121 | Location: In a world of my own
Larger enterprises are moving away from signature-based detection technologies on the endpoint to Advanced Threat Protection solutions deployed on the network at the egress points and inserted as MTAs into the email delivery chain. Solutions like these will look into HTTP/SMTP/FTP/SMB/etc. traffic, extract files that come in and reverse engineer them in minutes to give you a full breakdown of the capabilities of anything malicious coming into the LAN. They can also pick up C2 traffic/DGA DNS heading out in the case of machines being infected offsite and brought into the office.

Most ransomware is coming into the network either as part of a drive-by download or, more commonly, as .PDF, .DOC and .XLS files. None of the 'stop files executing from download location' techniques work against these because of course they don't execute themselves; WORD.EXE runs them. Blocking execution of macros can help, but many Finance departments will rail against that.

Disclaimer: I work for an anti-APT vendor
 
Man of Honour | Joined 25 Oct 2002 | Posts 31,745 | Location: Hampshire
If people are routinely (as part of their main job) opening attachments, etc. from anywhere then it might be worth looking into setting up a sandboxed/virtual machine environment that is isolated from the rest of the LAN as much as possible.

Sounds like a bit of a ballache though, depending on what the staff need to do with these attachments. If the business practice is that these come in via email then I would guess it isn't that straightforward to isolate, i.e. getting the attachments and supporting info from the email into that environment whilst maintaining security/access for users etc. (i.e. all the stuff that is normally covered by commonplace workplace setups with AD, mail server etc. which they would need on their main production domain). You've then got a big training exercise for new staff, both in terms of end users and the people supporting the system.

I'm not saying it isn't workable or easily designed by someone with the right knowledge, but it doesn't look that straightforward to the layman. If not done well, it could be one of those situations where the cost of implementation, maintenance and lost productivity is more expensive than the effective risk/cost of security lapses.
 

Man of Honour | Joined 14 Nov 2004 | Posts 13,785
So, last Wednesday evening someone (we think from the accounts dept) opened an email with a PDF in and unwittingly launched the cryptolocker .coverton virus.

Do you have a copy of the PDF?
In your case, why did opening a PDF lead to infection?
 
Soldato | Joined 18 Oct 2002 | Posts 8,125 | Location: The Land of Roundabouts
We quarantine emails with zip/exe/macro-embedded Office files at the smart host and prompt on macros in Office documents. Self-service is enabled for a few who can be trusted not to be dumb.
We're also hammering home to end users how important it is not to open random attachments that aren't expected or seem "off"; if in doubt, ask.
All internet access is via an authenticating proxy with content inspection, so nothing gets in/out without being scanned.

So far so good but always on the lookout for more ways to stop it at the door. User awareness is by far the most effective mind.

For the users it's not too bad; the hardest bit is getting programs to work with the authenticating proxy. (MS being the worst for not supporting them, of all people!)
 
Soldato | Joined 7 Jan 2003 | Posts 3,205 | Location: Offline
My home file server and HTPC were infected by malware yesterday. All files encrypted, with the hacker asking for $1000 in bitcoin.

The infected computer was a Windows 10 VM on the default RDP port, I know, never got around to changing it. ALL my shares were mapped to drive letters on this VM\myaccount.

Everything is synced to Google Drive. Luckily I logged in from work during lunch to check that a file I had uploaded to Google Drive from work had started to sync to my server at home. Noticed Google Drive was uploading 1000s of files!!! This is probably the only time I'm happy my upload speed is slow :)

I only lost a couple of early photo albums which I have backed up offline and some application packages which can be re-downloaded and recreated. Documents, photos and home videos didn't have time to start uploading.

Nothing on the HTPC was backed up though: TV recordings, shows and movies. Not a big deal as we mainly stream nowadays.

On the VM there was a new folder, C:\users\scan, with a .exe. There was no new user profile. My password is fairly complex and no combination of the username and password is used for any online sites. Is there a way in through RDP without knowing the username and password, or was the hacker able to generate the password without me noticing?

I'll need to look at offline incremental backups, any suggestions? Google Drive's revision history doesn't give me older versions of the modified (encrypted) files.
 
Soldato | Joined 18 Oct 2003 | Posts 19,413 | Location: Midlands
Spanning or Backupify offer a cloud-based backup solution for Google, so even if your Drive had synced you can still retrieve past versions. Worth looking into if you're serious about using Drive for storing things you really don't want to lose.
 
Soldato | Joined 24 Sep 2015 | Posts 3,674
Have a look at Targeted Threat Protection from Mimecast and in particular the attachment protect piece.

It's an utterly excellent system. Depending on what policy you set, it can open all attachments in a sandbox environment and observe what, if any, effects there are. Does it attempt to download a payload, for example? It goes one step further though, as it'll move the time in the sandbox forwards to see what happens in the future, as some of these ransomware things sit dormant for a while before kicking off.

We've been using Mimecast for about 5 years and TTP for about 6 months. We're getting a fair few attachments blocked by TTP.

Impersonation protect is also excellent; we used to get quite a lot of emails from domains very similar to ours regarding payment of false invoices. Since we started using TTP I'm not aware of a single one that has got through.

The URL protect isn't great; it's effective enough, but I'm not a big fan of it.
 
Soldato | Joined 2 Dec 2005 | Posts 5,515 | Location: Herts
My password is fairly complex and no combination of the username and password is used for any online sites. Is there a way in through RDP without knowing the username and password, or was the hacker able to generate the password without me noticing?

RDP has had several vulnerabilities over the years, and there are probably other bits of machinery they could have exploited.

It's certainly possible that someone got in without having to crack the password.

Exposing anything to the internet carries risk.
 
Soldato | Joined 17 Jul 2008 | Posts 7,369
( |-| |2 ][ $;29401693 said:
So in a hypothetical situation of a PC plugged into an infected LAN and with a drive mapped to an infected machine, but without any programs actively using that share and without a user running anything from that share, could said PC get infected?

Depends; if it was a really smart virus, your PC would get "attacked" using common exploits and infected that way.
 