AdamNV asked:
Crypto Wall virus is causing me to lose a lot of sleep.

Has anyone identified a security product that actually prevents the Crypto Wall virus from infecting a computer/server/network? I've seen anti-virus products identify it and even remove it, but not before it's already encrypted thousands of files on the infected computer and any mapped network drives. I've had two customers fall victim to this evil virus, and I had to stay up all night both times restoring files from backups. Fortunately, I had good backups in both cases. Otherwise, the customers would have been screwed.

Besides having backups to restore from, is there any way to defend against this threat?  
I've seen some best practices out there, but I'm just wondering if anyone knows of a security product or service that has demonstrated success against Crypto Wall.
akb

BitDefender claims to protect against CryptoWall. From what I've read it is probably the best solution.
William Fulks
The #1 way to prevent it is EDUCATION. Train users on how to recognize junk/spam/fraud email and not to click on links where they aren't sure of the destination.

Here's the thing - the crooks putting out stuff like this have access to the same security products as everyone else. They are constantly coming up with ways to circumvent them, hence the need to constantly update those products. There is no guaranteed way to keep a system 100% protected other than unplugging the power cable.

At my office, we have Barracuda web filtering, email filtering, plus Symantec endpoint protection on all our PCs. We've had two users hit so far and it was because they clicked on something they should not have.
No antivirus will catch all.  It's just not possible.  

I just went through what you described about 3 weeks ago (just finished cleaning up the mess). Antivirus and Endpoint Security aside, this usually happens to folks with Admin rights to their workstations. Make sure that nobody is an Administrator. I run my workstation as a regular user. You can save a lot of sleep just by doing this alone. The user cannot execute it without admin rights and the computer will ask for the Admin account and password before executing the code.
Member_2_406981

Furthermore, remove execute rights from user-writable folders, that means from ANY folder the user is able to store, create or modify files in. This way a trojan dropper from a webpage cannot execute the thing it has downloaded.

Furthermore, be sure you have working backups with long retention times, to prevent discovering it too late, when all copies in the backups are already encrypted versions.
This no-execute policy is not 100% foolproof either. If the malware, for example, is injected into already running processes, you are screwed too.

Also, no scanner can detect all versions of all existing malware, and there are more encryption trojans out there than CryptoWall, e.g. new versions of TeslaCrypt are the new hotness in Germany at the moment.

So if you install a product that is quite good at detecting CryptoWall versions, it might not be so good, or even fail, on other encryption malware.

Properly done, and frequently verified, BACKUPS are your best insurance.

You also might cut internet access for your employees and only allow pages and services they need for work (whitelisting), enforced over a transparent proxy. This way droppers may not be able to download the payload and the encryption trojans cannot reach back home to the control servers.

Don't give too lax permissions on shared folders. Users who only need to read some files should in no case have write access to the shares. If updates on the shares are less frequent, let users perform them with other user accounts that have the permissions, not with the everyday work account.

Install a mapped share with trap files and monitor them for changes so you have a warning system. You will also see the user ID the encryption is running under, which will help to track down the user and the PC that caused the infection.
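The trap-file idea above, as an added PowerShell example that is not code from the thread or from any product mentioned in it. It assumes it runs on the Windows file server that hosts the share (so `Get-SmbOpenFile` can name the remote user holding a canary open); the share path, log path and canary file names are placeholders, and the canary content is constructed random bytes.

```powershell
# Added example, not code from the thread. Assumes it runs on the Windows file server
# that hosts the share. All paths and file names below are placeholders.
param(
    [string]$CanaryRoot  = 'D:\Shares\Finance\_archive',       # placeholder: a folder inside a real share
    [string]$LogPath     = 'C:\ProgramData\canary-alerts.log', # placeholder log file
    [int]$CanaryCount    = 5
)

# 1. Plant decoy files whose names sort first, so an alphabetical sweep of the share hits them early.
New-Item -ItemType Directory -Path $CanaryRoot -Force | Out-Null
$rng = [System.Random]::new()
1..$CanaryCount | ForEach-Object {
    $path = Join-Path $CanaryRoot ('!!_budget_{0:d2}.xlsx' -f $_)
    if (-not (Test-Path -LiteralPath $path)) {
        $bytes = New-Object byte[] 4096
        $rng.NextBytes($bytes)                    # constructed content: nothing sensitive, just looks like data
        [System.IO.File]::WriteAllBytes($path, $bytes)
    }
}

# 2. Baseline hashes, so a periodic sweep catches tampering even if a watcher event is missed.
$baseline = @{}
Get-ChildItem -LiteralPath $CanaryRoot -File | ForEach-Object {
    $baseline[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
}

# Declared global so the event action block (which runs in its own scope) can call it.
function global:Write-CanaryAlert {
    param([string]$ChangeType, [string]$Path, [string]$Root, [string]$Log)
    # Owner of the touched file: a newly written encrypted copy is owned by the account that created it.
    $owner = 'n/a (file gone)'
    try { $owner = (Get-Acl -LiteralPath $Path -ErrorAction Stop).Owner } catch { }
    # Open SMB handles under the canary folder give user@computer of the client doing the writing.
    $clients = @()
    if (Get-Command Get-SmbOpenFile -ErrorAction SilentlyContinue) {
        $clients = Get-SmbOpenFile -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -like "$Root*" } |
            ForEach-Object { '{0}@{1}' -f $_.ClientUserName, $_.ClientComputerName } |
            Sort-Object -Unique
    }
    $line = '{0:u} {1} {2} owner={3} smb={4}' -f (Get-Date), $ChangeType, $Path, $owner, ($clients -join ',')
    Add-Content -LiteralPath $Log -Value $line
    Write-Warning $line
}

# 3. Watch the folder: nobody has a reason to write, rename or delete here, so every event is an alert.
$watcher = New-Object System.IO.FileSystemWatcher $CanaryRoot
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
$watcher.EnableRaisingEvents = $true
$action = {
    $e = $Event.SourceEventArgs
    $d = $Event.MessageData
    Write-CanaryAlert -ChangeType $e.ChangeType -Path $e.FullPath -Root $d.Root -Log $d.Log
}
foreach ($name in 'Changed', 'Created', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "canary-$name" `
        -Action $action -MessageData @{ Root = $CanaryRoot; Log = $LogPath } | Out-Null
}

# 4. Main loop: re-hash the canaries once a minute as a fallback; Ctrl+C to stop.
try {
    Write-Host "Watching $CanaryRoot; alerts go to $LogPath"
    while ($true) {
        Start-Sleep -Seconds 60
        foreach ($path in @($baseline.Keys)) {
            $now = if (Test-Path -LiteralPath $path) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'MISSING' }
            if ($now -ne $baseline[$path]) {
                Write-CanaryAlert -ChangeType 'HashMismatch' -Path $path -Root $CanaryRoot -Log $LogPath
            }
        }
    }
} finally {
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'canary-*' } | Unregister-Event
    $watcher.Dispose()
}
```

The owner lookup works because most encryptors write a new file and delete the original, so the new file's owner is the account the malware runs under; the SMB handle list adds the client computer name, which is what you need to pull the right machine off the network. The alert line is plain text so it can be shipped to whatever log collector the site already has; a production version would also disconnect the offending SMB session, which is deliberately left out here.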
ASKER CERTIFIED SOLUTION
Thomas Zucker-Scharff
I agree CryptoPrevent is good, assuming it has been updated. I referenced it in my article. Also note the reference to Trend Micro's anti-ransomware suite/tool. Malwarebytes has one of the best tools on the market in my opinion. In the end I believe you have to run a multi-layered approach to security AND have an excellent backup routine.
SOLUTION
I always emphasize: these crypto viruses are no more a threat than other viruses. Other non-destructive viruses could also disclose/manipulate the information you are working with, making it even worse, because you don't even know about it - with crypto viruses, at least we know.
So IT has finally reached a point where it has to admit that the safeguards anti-virus and least privilege are not enough. We need to use policies that control what code is running. And such policies exist: the two features "software restriction policies" and "AppLocker" are built into Windows (it depends on what edition you use; AppLocker is for Enterprise editions and the Win7 Ultimate edition). Google those and read what they're about.
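What such a policy looks like in practice, as an added PowerShell example that is not code from the thread: it builds a small AppLocker allow-list for executables (allow the two trees standard users cannot write to, carve out the user-writable subfolders of `%WINDIR%`, let Administrators run anything), keeps it in AuditOnly mode so it only logs, and evaluates two sample paths against it with the AppLocker cmdlets that ship with Windows. The policy file path and the stand-in file in `%TEMP%` are constructed for the example.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on a test machine
# with an AppLocker-capable edition; the policy is AuditOnly so nothing is blocked.
$policyPath = Join-Path $env:TEMP 'allowlist-audit.xml'   # constructed path
function New-RuleId { [guid]::NewGuid().ToString() }       # every AppLocker rule needs a unique GUID

# S-1-1-0 is Everyone, S-1-5-32-544 is BUILTIN\Administrators. Anything that matches no rule is denied.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows minus writable subfolders" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -LiteralPath $policyPath -Value $policyXml -Encoding UTF8

# Two constructed test subjects: a real system binary, and a copy of it placed where a download
# would land (the user's temp folder). Path rules only care where a file sits, not what it is.
$standIn = Join-Path $env:TEMP 'dropper-stand-in.exe'
Copy-Item -LiteralPath "$env:windir\System32\notepad.exe" -Destination $standIn -Force
$samples = @("$env:windir\System32\notepad.exe", $standIn)

# Evaluate as a member of Everyone only: System32 is allowed, the %TEMP% copy matches no rule and is denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To apply it in audit mode to this machine's local policy and see what it would have blocked:
#   sc.exe config AppIDSvc start= auto; Start-Service AppIDSvc      # AppLocker needs the Application Identity service
#   Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
#   Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20
```

Run it in audit mode for a while first: the event log tells you which legitimate tools users run from their profile (per-user installers and the like) that need Publisher or Hash rules before switching `EnforcementMode` to `Enabled`. On editions without AppLocker, Software Restriction Policies express the same allow-list, with the same caveat about user-writable subfolders under `%WINDIR%`.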
Also, one point on this evolved ransomware is that it is no longer just about encrypting your precious files or asset information and paying the ransom to get the data back. It (like the recent Chimera variant) has also evolved to add a push factor, as it coerces the victim with the threat that private personal information siphoned from the infected machine will be published to the public (such as Pastebin etc.). It makes the urge to pay in time even more pressing for the user, who succumbs to its threat.

This means the protection scheme of just detecting is not going to salvage things if the payment is not met in time; how to even respond to prevent such leakage or privacy invasion can be another consideration, to further lock down our assets and restrict information egress and ingress... likely even data loss prevention kicks into the mind of the defender... just some cents of thoughts..
Check out this article on Chimera:

http://www.pcworld.com/article/3006292/security/ransomwares-latest-threats-what-to-do-about-cryptowall-chimera-and-their-ilk.html

Although not comprehensive - it does say one thing differently than other ransomware suggestions - encrypt your files.  Normally this would not help since ransomware will encrypt encrypted files, but with malware that threatens to publish your data, if it is already encrypted, you can be a little more assured of your safety.
Yep, that is also why you shouldn't depend on disk encryption like BitLocker only; file- and folder-level encryption helps. But note that this encryption will not be effective if on-the-fly decryption is enabled with the user already logged in, or the data is decrypted in memory as it is in the 'open' state. The only data those pesky malware cannot grab in plain is data at rest, as is your encrypted backup. Have a strong passphrase to enforce that encryption, as offline brute force by the attacker is easily doable in fast fashion...
AdamNV (asker)

I want to thank everyone for their thoughtful comments and recommendations. It's all a bit overwhelming, but definitely some good ideas to consider implementing. It would be premature to accept any one of these contributions as the "accepted solution", as only time will tell. I appreciate everyone taking the time to offer their thoughts on the subject. With ransomware, it seems like it's advantage bad guys right now, but I'm confident that will change as we continue to evolve and implement solutions to prevent/counter these threats.
Eventually I suggest that you consider closing the question, since you asked about products per se and most have offered some. Probably you can reconsider whether there is any specific area to find out further about pertaining to your question.
"With ransomeware, It seems like it's advantage bad guys right now" - I strongly disagree. The technology to fight it and fight it thoroughly has been available starting with windows xp already (software restriction policies, namely). It is just that many admins are deeply in love with their anti virus products and hope to be able to use those instead and fail.
Look at software restriction policies and applocker, that's the way to go.
That advantage which the adversary has is always stereotyped as a cyber chase where the defender is behind the leading pack of adversaries.

That is not totally true, if our layers of defence have done due diligence to close up the low-hanging fruit we mentioned so far in the preventive controls. This includes user cyber vigilance and playing "ball" to maintain cyber hygiene, being savvy about malicious sites etc. Note that ransomware needs to be delivered through some means before it gets detonated. Exploit kits already put it in as part of the arsenal after they exploit the target successfully.

So it really leaves only the zero-days, where the unknown unknowns kick in and will be targeted instead of mass end-user infection - likely the case for you and even anyone. For this, we may be at a disadvantage if we take the passive strategy, and there can be a more proactive one too: active defence, using honeypots etc... I shall not digress..