Crypto Wall virus is causing me to lose a lot of sleep.

AdamNV
AdamNV used Ask the Experts™
on
Has anyone identified a security product that actually prevents the Crypto Wall virus from infecting a computer/server/network.  I've seen anti-virus products identify it and even remove it, but not before it's already encrypted thousands of files on the infected computer and any mapped network drives.  I've had two customers fall victim to this evil virus, and I had to stay up all night both times restoring files from backups.  Fortunately, I had good backups in both cases.  Otherwise, the customers would have been screwed.

Besides having backups to restore from, is there any way to defend against this threat?  
I've seen some best practices out there, but I'm just wondering if anyone knows of a security product or service that has demonstrated success against Crypto Wall.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
BitDefender claim to protect against CryptoWall. From what I've read it is probably the best solution.
William FulksSystems Analyst & Webmaster

Commented:
The #1 way to prevent it is EDUCATION. Train users on how to recognizes junk/spam/fraud email and not to click on links where they aren't sure of the destination.

Here's the thing - the crooks putting out stuff like this have access the same security products as everyone else. They are constantly coming up with ways to circumvent them, hence the need to constantly update those products. There is no guaranteed way to 100% keep a system protected other than unplugging the power cable.

At my office, we have Barracuda web filtering, email filtering, plus Symantec endpoint protection on all our PC's. We've had two users hit so far and it was because they click on something they should not have.
Top Expert 2015

Commented:
No antivirus will catch all.  It's just not possible.  

I just went through what you described about 3 weeks ago (just finished cleaning up the mess).  Antivirus and Endpoint Security aside,  this usually happens to folks with Admin rights to their workstations. Make sure that nobody is an Administrator. I run my workstation as a regular user. You can save a lot of sleep just by doing this alone.  The user cannot execute it without admin rights and the computer will ask for the Admin account and password before executing the code.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Top Expert 2014

Commented:
Furthermore remove execure right from user writeable folders, that means from ANY folder the user is able to store create or modify files in. This way a trojan dropper from a webpage cannot execute the thing it had downloaded before.

Furthermore be sure you have working backups with long retention times, to prevent you discover it too late and all copies in the backups are already encrypted versions
.
This no execute policy is not 100% foolproof either, If the malware for example is injected into already running processes you are screwed too.

Also no scanner can detect all versions of all existing malware, and there are more encryption trojans out there than cryptowall. e.g.  new versions of Teslacryt is the new hotness in Germany at the moment.

So if you install a product that is quite good in detecting cryptowall versions it might be not so good or even fail on other encryption malware.

Proper done, and frequently verified, BACKUPS are your best insurance.

You also might cut internet access to your employees and only allow pages and services they need for work (whitelisting). Enforced over a transparent proxy. This way droppers may not be able to download the payload and the encryption trojans cannot reach back home to the control servers.

Dont give to lax permissions on shared folders. Users who only need to read some files should in no case have write access to the shares. If updates on the shares are less frequent, let users perform this with other user accounts that have permissions, not with the every day work account.

Install a mapped share with trap files monitor them for changes so you have a warning system. You also will see the user ID the encryption is running under which will help to trace down the user and the pc that caused the infection.
Non-admin accounts, endpoints with something like hitmanpro.alert,  proper policies, excellent backups.

There are some other things.  (See my articles ) also things like putting a fake file called myapp.exe in the root directory of endpoints.

http://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html

http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
I agree cryptoprevent is good,  assuming it has been updated. I referenced it in my article. Also note the reference to trend micro's anti ransomware suite/tool.  Malwarebytes has one of the best tools on the market in my opinion. Inn the end I believe you have to run a multi layered approach to security AND have an excellent backup routine.
btanExec Consultant
Distinguished Expert 2018
Commented:
you can have the host intrusion prevention s/w installed with the anti-malware and even anti exploit capability (such as MalwareBytes) and host FW, with application/device controls. But user is the last line of defence in other words, for your case, clearly those phished email or compromised website visited by user via browser did not caught the "ransomware". The latter evolves easily and defender like us to prevent it is not 100% foolproof.

I believe all will have realized it so the strategy is more to not only advocate keeping user to use non admin right account to do emailing, browsing and does the appl whitelisting like Applocker or Cryptoprevent, keeping of signature and patches up to date - these are all continuous efforts to upkeep security posture to reduce the attack surface the ransomware can ride on into the user machine..

Preventive is not solely on Cryptowall but the ransomware family (you can see this EE article for more info) family as a whole which can be used to weaponised by exploit kit. The "mother" is Cryptolocker. BleedingComputer has been most updated on catching up with ransomware and in Cryptowall case, this link serves well and also included the variant of Cryptowall (v4 latest). There is advices on prevention and it is not much difference from what we have discussed here. But we can check out EventSentry to established baseline for directory and activities that can aid early warning signals too...
EventSentry’s File Checksum Monitoring feature to monitor the bait files and trigger events when one or more of these files are changed or deleted (=renamed). When they are, we will trigger a script which will stop the server service on the file server in order to avoid more damage being done
As a whole, I see the preventive is about diligence and isolation (even to extend using different machine or using VM to surf web keeping host clean..) to keep ourselves less exposed. It is not about "if this happen to us" but "when it does happen, what can we do about it".

You can catch also the general advisory by authority to public
Distinguished Expert 2018

Commented:
I always emphasize: this crypto viruses are no more a threat than other viruses. Other non-destructive viruses could also disclose/manipulate the information you are working with, making it even worse, because you don't even know about it - with crypto viruses, at least we know.
So the IT has finally reached a point where it has to admit that the safeguards anti virus and least privilege are not enough. We need to use policies that control what code is running. And that policies exist, the two features "software restriction policies" and "applocker" are built into windows (depends on what edition you use, applocker is for enterprise editions and win7 ultimate edition). Google those, read what it's about.
btanExec Consultant
Distinguished Expert 2018

Commented:
also one pt on this evolved ransomware is that it is no longer just about encrypting your precious files or asset information and paying the ransom to get back data. It (like recent Chimera variant) has also evolved to push factor as it coerce victim that private personal information siphoned from the infected machine will published to public (such pastebin etc). It make the urge to pay timely even more dearly to user to succumb to its threat.

This means the protection scheme of just detecting is not going to salvage if not timely meet the payment but how to even response to prevent such leakage or privacy invasion can be another consideration to further lock down our asset and restrict information egress and ingress...likely even data loss prevention kicks into the mind of the defender...just some cents of thoughts..
Check out this article on Chimera:

http://www.pcworld.com/article/3006292/security/ransomwares-latest-threats-what-to-do-about-cryptowall-chimera-and-their-ilk.html

Although not comprehensive - it does say one thing differently than other ransomware suggestions - encrypt your files.  Normally this would not help since ransomware will encrypt encrypted files, but with malware that threatens to publish your data, if it is already encrypted, you can be a little more assured of your safety.
btanExec Consultant
Distinguished Expert 2018

Commented:
Yap that is also why dont just depends on disk encryption like bitlocker only, file and folder encryption level helps. But note that these encryption will not be effective if on the fly decryption is enabled with user already login or decrypted in memory as it is in 'open' stated. The only way those pesky malware cannot grab in plain are those data at rest so is your encrypted backup. Have strong passphrase to enforce those encryption as brute force offline by the attacker is easily doable in fast fashion...

Author

Commented:
I want to thank everyone for their thoughtful comments and recommendations.  It's all a bit overwhelming, but definitely some good ideas to consider implementing.  It would be premature to accept any one of these contributions as the "accepted solution", as only time will tell.  I appreciate everyone taking the time to offer their thoughts on the subject.  With ransomeware, It seems like it's advantage bad guys right now, but I'm confident that will change as we continue to evolve and implement solutions to prevent/counter these threats.
btanExec Consultant
Distinguished Expert 2018

Commented:
Eventually I seek that you should consider closing the question since you asked on product per se which most has offer some. Probably you can reconcile if there is any specific area to find out further pertaining to your questions.
Distinguished Expert 2018

Commented:
"With ransomeware, It seems like it's advantage bad guys right now" - I strongly disagree. The technology to fight it and fight it thoroughly has been available starting with windows xp already (software restriction policies, namely). It is just that many admins are deeply in love with their anti virus products and hope to be able to use those instead and fail.
Look at software restriction policies and applocker, that's the way to go.
btanExec Consultant
Distinguished Expert 2018

Commented:
That advantage which adversary has is always stereotype as cyber chase where defender is the behind the leading pack of adversary.

 That is not totally true.. if our layer of defence has done diligence to close up the low hanging fruits we mentioned so far in the preventive controls. This include user cyber vigilance and playing "ball" to maintain cyber hygience savvy to malicious sites etc. Note that ransomware need to be deliver through some means before it get denotated. Exploit kit already put them into part of the arsenal after they exploit the target successfully.

So it really leaves only the zero days which unknown unknown kicks in and will be targeted instead of mass end user infection - likely the case for you and even anyone. For this, we may be disadvantage if we take the passive strategy and there can be more proactive is active defence too..using honeypot etc...i shall not digress..

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial