Dealing with the Crypto Virus

ThePrimetimer

Hey Guys,
Wanted to start a thread about Crypto. I work for a medium MSP and we have ran into this guy a few times. All that we've done is either a Bare Metal Restore or format the drive and copy over backups.
What I wanted to know is how have you guys approached this virus for getting back a client's data? The most recent one we got was CryptoWall 4.0 and it seems like it is a PITA!
Seems that it is now encrypting the files and renaming them with random letters and numbers. Plus you are able to delete the files as Windows was presenting us with a message that the file/folder was corrupted. What we've done with this client is formatted the drive that was compromised, and using Dell's Appassure, mounted a recovery point back to prior infection, and copied the data back over. What is nice with Appassure, was that you are able to copy over the date along with a the NTFS permissions! That helps a great deal.
At any rate, it's been a fun couple days dealing with this and I'd just like to see if anybody out there has been dealing with this in their jobs.

Cheers!

john_miranda

It's a really annoying virus! So far at my work we have dealt with 3.0. The thing we do here is just restore from previous safe point as well. We have a strict policy that all work documents should remain on network drives so unfortunately for the end user we just wipe their computer and start them over.

Since it spreads as far as user access allows we had to implement more security on our network drives. We have a script and a honey pot for it now, so the last time it hit us it didn't even touch the network before we disabled that computer.

gespenstern

It's easy to deal with. 1-4 is free, 5-6 are pricey depending on solution chosen.

1. First off, a usage policy that prescribes to store personal data in home directories on a file server and common data in public directories on a file server. The file server is of course backed up regularly plus shadow copies if it's windows-based.
2. Second, configure SRP (Software Restriction Policies, built-in since Windows XP) to prohibit executables/scripts from running from anywhere in %userprofile%. Easy to configure via Group Policies. There's a good article on this on bleepingcomputer. For people who buy you a beer on a regular basis you can add an exception and allow them to run executables from "downloads" folder. Also, your major PITA would be three things: 1) Google Chrome 2) Gotomeeting 3) Webex. Vendors of these programs think that they are cocky and violate Microsoft recommendations and best practices (which prescribe to install software into %programfiles%) and put their sh!t right into a %userprofile%. But you can add exceptions, if needed. This will prevent almost any malware from executing even if some dumb person launches an attachment from unsolicited e-mail.
3. UAC! UAC! UAC! User Account Control (since Windows Vista) is your best friend. Easy to configure from Group Policies. Set its bar on at least level 2 (from the bottom). It won't prevent cryptolocker from running and encrypting stuff, but it will prevent it from deleting shadow copies on a local computer, so all the documents could be easily restored. Always restore them on external drive to avoid "shadow copies disappeared during restoration" situation as Windows destroys them on the fly if it thinks that it runs out of space.
4. If someone complained and/or you suspect bad things maybe happening -- launch compmgmt.msc on a file server go to open files and watch for users who have suspiciously too many read+write files opened and files are being renamed to name.ext.crypto or name.ext.vvv or whatever renaming scheme current version of cryptolocker uses. Kick such a user out of network immediately.
5. Filter your e-mail for spam and malware. Pretty hard to tune it by yourself, but there are a lot of cloud services and dedicated solutions such as proofpoint, etc. Also, I can configure it and support it for you if your business pays my rate.
6. Use IDS/breach detection products. Modern products allow you to watch for "bulk rewrite" indicators that get triggered when some dumba$$ uses SMB to read/write too many files at once. Set up an alert so every interested party gets a text message/e-mail/whatever when this indicator gets triggered and kick offender out of the network immediately.
7. Alternative, cryptolocker seems to encrypt only local files and files on mapped drives. Do not map drives, use UNC paths instead and create shortcuts on user's desktops with UNC paths. That way Cryptolocker encrypts only user's stuff, but you don't care (because of policy, see paragraph 1), you just reimage the PC and you are done.
8. Last but not least -- do security patching of 3rd party software on a regular basis. Adobe crap and Java on workstations should be patched in like 3 days after patch is released, same goes for MS Office. Of course I assume that basic things like OS are patched regularly...

OctalDump

gespenstern wrote: »

It's easy to deal with. 1-4 is free, 5-6 are pricey depending on solution chosen.

5. Filter your e-mail for spam and malware. Pretty hard to tune it by yourself, but there are a lot of cloud services and dedicated solutions such as proofpoint, etc.

For most organisations, it makes a lot of sense to use a provider for email. Securing email services to a similar level as you might get from Office 365 or Google Apps, is expensive. The added features that you can potentially give can often make for happier users, too. For smaller companies, the typical clients of MSPs, I doubt that once the numbers are done that it would make any sense to host email internally.

gespenstern

OctalDump wrote: »

For smaller companies, the typical clients of MSPs, I doubt that once the numbers are done that it would make any sense to host email internally.

Well, say, 5-6 years ago majority of smaller clients went to Google apps for business, which at the time was free, or reduced price. Then when they removed free and started charging hefty sums of money per year, some businesses with my help did some calculations according to which it wasn't always the case and I helped them to migrate their stuff back. There are simpler mail servers out there such as Kerio that don't cost much and do pretty much everything a small business needs and are cheaper than Google when everything is taken into account. They are also pretty easy to manage.

Some went hardcore way fully on opensource with postfix + dovecote on centos or debian, clamav for antivirus scanning on mail gateway and spamassassin + regexp rules + dul bans + dnsbl polls for anti-spam. It works and if properly configured it's no worse than google and you have 100% control over it.

I haven't managed o365 much but saw some calculations according to which it is somewhat cheaper with equal functionality compared to buying and managing each generation of MS products. However, for majority of smaller businesses it's not the case as they tend to skip at least one generation. Many of them skipped Vista, for example from XP to seven. Then now they skip eight and will upgrade their seven to ten. Same goes for office and "back office" such as SQL, Exchange, etc. It's not clear, however, can it be that way any longer as MS seems to be convincing industry that there will be no more versions of products with eternal licenses and 6-10 years of support per product... We'll see.

But it's just me, I haven't dealt with smaller businesses for a while now and don't remember all the numbers used in those calculations. Maybe it's different now, I don't know.

ThePrimetimer

I was thinking along the same lines of the GPO.
My boss recently found BitDefender and we may try to use that. I watched one video of a guy using it on about 5 or 6 different cryto files and it seems to do a decent job.
Thanks for the input.

OctalDump

gespenstern wrote: »

But it's just me, I haven't dealt with smaller businesses for a while now and don't remember all the numbers used in those calculations. Maybe it's different now, I don't know.

So, spam filtering + virus filter + firewall + monitoring + backup + capacity + redundancy + support for mobility + other features + ongoing licensing + hardware + support. I think Google Apps runs about $50/user/year, Office 365 is similar. If you have, say 50 users, that's $2500/year. $2500 would buy about 3 days' of MSP services where I am. Easily the support costs to keep a mail service running (firewall tuning, updates, backups, spam tuning, random support calls for configuring client x) can approach that over a year. The capital costs, even when spread over 5 years, can approach that.

If you use the "free" alternatives (linux + dovecot + spamassassin etc), the set up and support costs tend to be higher. The more bespoke it becomes, the more tied the client is to that person/company for support. It is often a false economy.

The problem with running mail in house, is that your SMTP will get hammered by hack scripts and bots. One weak link, and it's being used as a spam relay, and then it gets blacklisted. Even worse if you are trying to support mobile clients. Either use a selfsigned certificate and deploy on every device, or add ~$100 for a public CA signed certificate. And then more firewall work. And then your internet goes out, and users don't get emails. Or hardware failure. It is rarely as reliable and effort free as a cloud service.

Kerio, specifically, has licensing costs not much cheaper than cloud services, and because it emulates MS Exchange, you have to be careful with patches and updates. In some instances updating a client before there is a corresponding update to Kerio can break it. More support costs.

The issue of control comes up, but weighed against the practical security in hosting in house, it rarely makes real sense.

I suspect many MSP's would rather sell you a service like Kerio, knowing that they'll get continuing business for licensing and updates, and much more for support. And it's easy to use smoke and mirrors to hide the real costs.

gespenstern

OctalDump wrote: »

I think Google Apps runs about $50/user/year, Office 365 is similar. If you have, say 50 users, that's $2500/year. $2500 would buy about 3 days' of MSP services where I am.

You are saying that like $2500 per year covers all costs. No, you still need an MSP to watch over your google apps, add/remove users, configure e-mail clients and stuff like that. Initially I also thought that it will be a saver but for at least some clients it wasn't, as administrative effort for managing google apps is still considerable. Managing, say, Kerio is pretty much the same as it is pretty easy to manage and you don't have to have mad linux shell skills like in postfix+dovecot scenario. Yeah, in this case you also have to care about hardware, but modern hardware is pretty robust and cheap and rarely needs any serious attention.

OctalDump wrote: »

If you use the "free" alternatives (linux + dovecot + spamassassin etc), the set up and support costs tend to be higher. The more bespoke it becomes, the more tied the client is to that person/company for support. It is often a false economy.

I agree, for general type of sysadmins who are taught to point and click it could be a challenge. I agree that given these circumstances it is more expensive. But consider this scenario: let's say that there is an MSP who developed its own packaged solution for this let's say in a form of an image that runs on virtually any hardware, with established troubleshooting procedures and teaches its tech personnel on how to do that and basically sells this solution to small/medium businesses successfully. It could be profitable, it actually was when I was in the game.

OctalDump wrote: »

The problem with running mail in house, is that your SMTP will get hammered by hack scripts and bots. One weak link, and it's being used as a spam relay, and then it gets blacklisted. Even worse if you are trying to support mobile clients. Either use a selfsigned certificate and deploy on every device, or add ~$100 for a public CA signed certificate. And then more firewall work. And then your internet goes out, and users don't get emails. Or hardware failure. It is rarely as reliable and effort free as a cloud service.

Nah, you are breaking into an open door here. Open relays is a thing of ancient days, it's pretty hard to make such a configuration mistake. True that sometimes people end up with their IP in DNS-BL lists, that's happens usually not because of open relays, but because of malware sending spam from users' workstations. Again, it's pretty easy to deal with, clean the malware, fill the forms and in a day or two you are out of those lists. Non-wildcard certs are free these days, I can give you links if needed. They aren't without limitations (like limited to 1 year, which is okay), but still it's free. Firewalls are so nineties, these days I had close to zero incidents on misconfigured firewalls and hackers actually don't waste time trying to break through them. Yeah, some ports will be open (usually 25 for SMTP, 3389 for RDP for remote clients and a VPN for remote clients who want to print/share files), but you don't worry, aforementioned Kerio mail server had 0 RCE class vulnerabilities in its software last time I checked. But if you pay for your license (you can choose not to pay) you upgrade it which is again really easy. As for RDP security, there was only one RCE issue back in 2011 if I'm not mistaken, other than that it's safe. If you are paranoid you publish it on unusual port and you totally use NLA and that's it.

OctalDump wrote: »

Kerio, specifically, has licensing costs not much cheaper than cloud services, and because it emulates MS Exchange, you have to be careful with patches and updates. In some instances updating a client before there is a corresponding update to Kerio can break it. More support costs.

Agreed, sometimes that happens (not like it doesn't happen to Outlook working with Exchange), that's why you don't patch right away unless there is an exploit code in the public... common sense... not that much of a hassle.

On the other hand you have full control over your stuff. Unlike with Google you can read full logs if you want to find out something and investigate a security incident. Unlike with Google you can lock down your server so no-one can log in to users' mailboxes unless via VPN or locally without 2FA hassle which is hated by users. Unlike with Google you can handle a situation when your partner's emails end up flagged as spam or not even reaching mailboxes because of being suspicious. Unlike with Google who kills attachments with anything looking even remotely as executable. And so on.

OctalDump wrote: »

The issue of control comes up, but weighed against the practical security in hosting in house, it rarely makes real sense.

I suspect many MSP's would rather sell you a service like Kerio, knowing that they'll get continuing business for licensing and updates, and much more for support. And it's easy to use smoke and mirrors to hide the real costs.

Yeah, that's also what happens because life of MSP isn't that easy and they don't want to just give away almost all the money to google and partners.

That's why you assume by default that everybody is pursuing his own interest and not yours (surprise!) and do your own calculations. Or you decide that even if you can calculate and win several thousands a year it's not worth the energy and time wasted on these calculations and blindly trust MSPs, they usually don't get over the top, unlike some government contractors, lol

StevenP2013

I dealt with this yesterday. An end user received an email that says it contains and order and invoice. They opened a zip file and then clicked on a file named invoice_scan_nmjgr.js. All of their docs, vids, and pics were encrypted and now ended in .vvv. I ran malware bytes, which deleted the virus, superantispyware removed a registry entry. I searched the hard drive for all instances of how_recover.*. It found 8,000 files, I deleted them all. Then the end user had to remove the .vvv extension from each file, then go to properties, previous versions, and restore to a previous version. All from opening a zip file and clicking on a file named invoice_scan_nmjgr.js. We do educated end users all the time on this sort of thing. We also quarantine suspicious looking email, but give them the option to release from quarantine.

gespenstern

StevenP2013 wrote: »

Then the end user had to remove the .vvv extension from each file, then go to properties, previous versions, and restore to a previous version.

A grueling exercise! They totally deserved it but there's a much simpler way -- just delete all .vvv files, than right click on a folder that contains them and choose to restore everything in this folder. Would have saved hours of manual labor.

Danielm7

gespenstern wrote: »

A grueling exercise! They totally deserved it but there's a much simpler way -- just delete all .vvv files, than right click on a folder that contains them and choose to restore everything in this folder. Would have saved hours of manual labor.

That's what I was thinking. Maybe they were trying to punish the user for clicking malware! haha

renacido

gespenstern wrote: »

It's easy to deal with. 1-4 is free, 5-6 are pricey depending on solution chosen.

1. First off, a usage policy that prescribes to store personal data in home directories on a file server and common data in public directories on a file server. The file server is of course backed up regularly plus shadow copies if it's windows-based.
2. Second, configure SRP (Software Restriction Policies, built-in since Windows XP) to prohibit executables/scripts from running from anywhere in %userprofile%. Easy to configure via Group Policies. There's a good article on this on bleepingcomputer. For people who buy you a beer on a regular basis you can add an exception and allow them to run executables from "downloads" folder. Also, your major PITA would be three things: 1) Google Chrome 2) Gotomeeting 3) Webex. Vendors of these programs think that they are cocky and violate Microsoft recommendations and best practices (which prescribe to install software into %programfiles%) and put their sh!t right into a %userprofile%. But you can add exceptions, if needed. This will prevent almost any malware from executing even if some dumb person launches an attachment from unsolicited e-mail.
3. UAC! UAC! UAC! User Account Control (since Windows Vista) is your best friend. Easy to configure from Group Policies. Set its bar on at least level 2 (from the bottom). It won't prevent cryptolocker from running and encrypting stuff, but it will prevent it from deleting shadow copies on a local computer, so all the documents could be easily restored. Always restore them on external drive to avoid "shadow copies disappeared during restoration" situation as Windows destroys them on the fly if it thinks that it runs out of space.
4. If someone complained and/or you suspect bad things maybe happening -- launch compmgmt.msc on a file server go to open files and watch for users who have suspiciously too many read+write files opened and files are being renamed to name.ext.crypto or name.ext.vvv or whatever renaming scheme current version of cryptolocker uses. Kick such a user out of network immediately.
5. Filter your e-mail for spam and malware. Pretty hard to tune it by yourself, but there are a lot of cloud services and dedicated solutions such as proofpoint, etc. Also, I can configure it and support it for you if your business pays my rate.
6. Use IDS/breach detection products. Modern products allow you to watch for "bulk rewrite" indicators that get triggered when some dumba$$ uses SMB to read/write too many files at once. Set up an alert so every interested party gets a text message/e-mail/whatever when this indicator gets triggered and kick offender out of the network immediately.
7. Alternative, cryptolocker seems to encrypt only local files and files on mapped drives. Do not map drives, use UNC paths instead and create shortcuts on user's desktops with UNC paths. That way Cryptolocker encrypts only user's stuff, but you don't care (because of policy, see paragraph 1), you just reimage the PC and you are done.
8. Last but not least -- do security patching of 3rd party software on a regular basis. Adobe crap and Java on workstations should be patched in like 3 days after patch is released, same goes for MS Office. Of course I assume that basic things like OS are patched regularly...

Excellent summary. In many large organizations, 1 & 2 are the most difficult to implement because many places don't have folder redirect in place and don't have a CIO or IT director willing to put his foot down and tolerate the bitching from the users about not being able to install their Chrome extensions. #3 yes this helps a lot but a lot of places don't even have shadow copies turned on to begin with. #4 is good but a real FIM solution would be better. #5 this and good web content filtering to block sites loaded up with browser exploits, and kill Autoplay and portable file executions from removable devices #6 HIPS plus MAC/DAC so users don't have write permissions to the entire effing SAN when they just need a few folders 7 & 8 yes totally but most environments are way behind on patching, some only do Windows updates, most users are mapped a drive that contains a folder to 2 that they really need, instead of mapping directly to only what they need. And no authentication for SMB/CIFS shares either. Makes my head hurt.

I'd add application whitelisting to your list of countermeasures too. But that's probably the hardest of them all to pull off in the real world.

Again, great summary on how to counter crypto viruses.

Mike-Mike

StevenP2013 wrote: »

I dealt with this yesterday. An end user received an email that says it contains and order and invoice. They opened a zip file and then clicked on a file named invoice_scan_nmjgr.js. All of their docs, vids, and pics were encrypted and now ended in .vvv. I ran malware bytes, which deleted the virus, superantispyware removed a registry entry. I searched the hard drive for all instances of how_recover.*. It found 8,000 files, I deleted them all. Then the end user had to remove the .vvv extension from each file, then go to properties, previous versions, and restore to a previous version. All from opening a zip file and clicking on a file named invoice_scan_nmjgr.js. We do educated end users all the time on this sort of thing. We also quarantine suspicious looking email, but give them the option to release from quarantine.

i love Malwarebytes, got the corp edition with the anti-exploit too