Best way to mitigate a cryptolocker virus on a file server?

N2IT (Inactive Imported Users, Posts: 7,483)
Just curious if anyone has real-world experience or recommended articles. Thanks.

Comments

  • emerald_octane (Member, Posts: 613)
  • N2IT (Inactive Imported Users, Posts: 7,483)
    Just blow it away and reload the files. That's all you can do. Nuke and repave.
  • veritas_libertas (Member, Posts: 5,746)
    I've seen a few articles on setting GPO changes to reduce the chance the installs will run after they land on a server. That's all...
  • chopsticks (Member, Posts: 389)
    If you have a regular backup plan in place before the virus attack, you can always restore the files after the virus has been cleaned up.
  • N2IT (Inactive Imported Users, Posts: 7,483)
    Thanks guys. Our admin is getting killed; I don't think he has dealt with anything like this before. Thanks for the heads up. I'll gently mention some of these ideas to him. Again, thanks!
  • 5ekurity (Member, Posts: 346)
    Don't forget to isolate the system if it hasn't been done already...
  • Hypntick (Member, Posts: 1,451)
    If you're interested in a GPO that will help to protect against this, let me know and I'll send it on to you. It's done wonders for the clients we support.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • veritas_libertas (Member, Posts: 5,746)
    You may also want to consider application whitelisting. Contact me on LinkedIn if you are interested.
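The GPO and whitelisting suggestions in the two posts above both come down to the same control: stop executables from launching out of the user-writable profile paths where an attachment or drive-by dropper gets written. The following AppLocker policy is an added example written for this thread, not Hypntick's GPO and not the Spiceworks kit linked later in the thread. It assumes a Windows host with the AppLocker module, an administrator session, a writable C:\Temp, and that the sample files you test against exist on that host.

```powershell
# Added example; not the thread's GPO or the Spiceworks kit it links to.
# Assumptions: Windows host with the AppLocker module, run as administrator,
# C:\Temp exists, and the files in $samples are present on this host.
Import-Module AppLocker

$policyPath = 'C:\Temp\exe-allowlist.xml'    # assumed scratch location

# Allow rules for the standard install locations (AppLocker's %PROGRAMFILES%
# covers both Program Files directories), a blanket allow for the local
# Administrators group so nothing outside the deny rule can ever block an
# admin, and a Deny rule for the per-user profile paths where mail attachments
# and drive-by droppers land. A matching Deny always wins over an Allow.
# EnforcementMode="AuditOnly" only logs what would have been blocked (the
# AppLocker/EXE and DLL event log), so the policy can be reviewed for
# false positives before it is switched to "Enabled".
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow local administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables under user AppData" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against real files on this host. The second path is a hypothetical
# dropper location of the "something.pdf.exe" kind; create a harmless copy of
# any .exe there if you want to see the Deny rule fire.
$samples = 'C:\Windows\System32\notepad.exe',
           "$env:APPDATA\invoice.pdf.exe"
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local computer policy (use -Ldap with a GPO path to write the
# same XML into a domain GPO instead). Enforcement also needs the Application
# Identity service to be running.
Set-AppLockerPolicy -XmlPolicy $policyPath
Start-Service -Name AppIDSvc
```

Two caveats before enforcing: software that installs into the user profile will be denied by the AppData rule, and because Deny beats Allow the only fix is to narrow the deny path rather than add an exception; and AppLocker itself was only available on the Enterprise/Ultimate client SKUs and Server editions at the time of this thread, so other editions need the equivalent Software Restriction Policy path rules.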
  • YFZblu (Member, Posts: 1,462)
    FYI - Cryptolocker will scan the network after infection, looking for vulnerable file shares to spread to. That machine needs to be taken off the network and rebuilt completely.

    Hurrah for backups.

    Edit: I just noticed this is already on a file share. It sounds to me like you may have had a workstation in the environment get popped after a drive-by download or successful phishing attempt. As someone who has handled cryptolocker in a production environment, you will want to identify the original source of infection - and keep an eye on all file shares in the environment.
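"Keep an eye on all file shares" is the part of the advice above that most shops have no tooling for, since CryptoLocker did not rename files and a file server sees only ordinary SMB writes. One cheap way is a decoy directory with a few documents nobody should ever touch, watched for changes. The script below is an added example, not something from this thread. It assumes Windows Server 2012 or later (for the Smb* cmdlets), an administrator session on the file server itself, and placeholder paths for the decoy directory and log.

```powershell
# Added example; not code from the thread. Plants decoy documents in a
# directory users have no reason to touch and logs every change to them,
# together with the SMB sessions that currently have the decoy open (best
# effort). Assumptions: Windows Server 2012+ for Get-SmbOpenFile, run on the
# file server as administrator; $DecoyDir and $LogPath are placeholders.
$DecoyDir = 'D:\Shares\Data\_archive'
$LogPath  = 'C:\Temp\canary.log'

New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
foreach ($name in 'budget.xlsx', 'contract.docx', 'scan.pdf') {
    $decoy = Join-Path $DecoyDir $name
    if (-not (Test-Path -LiteralPath $decoy)) {
        Set-Content -LiteralPath $decoy -Value "canary created $(Get-Date -Format o)"
    }
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $DecoyDir
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'LastWrite, FileName, Size'

# Runs for every change event. Script variables are handed in through
# -MessageData because the action block does not see the script's scope.
$onChange = {
    $e   = $Event.SourceEventArgs
    $ctx = $Event.MessageData
    # Who has something under the decoy directory open over SMB right now?
    # A writer that already closed the handle will not show up here.
    $users = Get-SmbOpenFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$($ctx.DecoyDir)*" } |
        ForEach-Object { "$($_.ClientUserName)@$($_.ClientComputerName)" } |
        Sort-Object -Unique
    $line = '{0} {1} {2} sessions=[{3}]' -f (Get-Date -Format o), $e.ChangeType, $e.FullPath, ($users -join ';')
    Add-Content -LiteralPath $ctx.LogPath -Value $line
    Write-Warning $line
}

foreach ($evt in 'Changed', 'Created', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -SourceIdentifier "Canary$evt" `
        -Action $onChange -MessageData @{ DecoyDir = $DecoyDir; LogPath = $LogPath } | Out-Null
}
$watcher.EnableRaisingEvents = $true
Write-Host "Watching $DecoyDir; events are appended to $LogPath. Ctrl+C to stop."

# Keep the session alive so the event actions get to run; clean up on exit.
try { while ($true) { Start-Sleep -Seconds 5 } }
finally {
    $watcher.EnableRaisingEvents = $false
    foreach ($evt in 'Changed', 'Created', 'Deleted', 'Renamed') {
        Unregister-Event -SourceIdentifier "Canary$evt"
    }
}
```

The session lookup is only a hint, so pair the decoy with object-access auditing (Security event 4663 on the share) for definitive attribution. Once the user and workstation are identified, closing that user's SMB sessions and disabling the account stops further writes to the share while the workstation is pulled off the network.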
  • N2IT (Inactive Imported Users, Posts: 7,483)
    YFZ, thanks for the follow up. Yeah, it was a zip file and someone opened it up.
  • YFZblu (Member, Posts: 1,462)
    Nice - Yeah, it's kind of hard for Users to hide their mistakes when the workstation encrypts their drive and demands bitcoins.

    In addition to nuking that workstation, you'll want to determine who else received that email.
  • RomBUS (Member, Posts: 699)
    Clean/re-image the infected computer.

    Restore network files from backup, specifically any and every directory where "Domain Users" has Write access.
    File types: especially .doc, .xls and .pdf extensions.
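Finding "every directory where Domain Users has Write access" by hand is slow on a large share, and it is exactly the set of directories one infected user's session could have reached. The function below is an added example, not RomBUS's procedure, that walks a share root and reports each directory where a broad group holds rights that allow changing or deleting content. It assumes it is run on the file server (or over an admin share) with permission to read ACLs; the share root and the domain name in the group list are placeholders.

```powershell
# Added example; not code from the thread. Reports directories under a share
# root where a broad group (Domain Users, Authenticated Users, Users, Everyone)
# can modify or delete content, i.e. the blast radius of one infected user.
# Assumptions: run with rights to read the ACLs; 'CONTOSO' is a placeholder domain.
function Get-BroadWritableDirectory {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,
        [string[]]$BroadGroups = @('CONTOSO\Domain Users',
                                   'NT AUTHORITY\Authenticated Users',
                                   'BUILTIN\Users',
                                   'Everyone')
    )
    # Rights that let a caller alter or destroy file contents. Modify and
    # FullControl contain these bits, so the -band test catches them as well.
    $writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    # ACEs written with generic rights show up as unmapped raw bits.
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000

    $dirs = @(Get-Item -LiteralPath $ShareRoot) +
            @(Get-ChildItem -LiteralPath $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.FileSystemRights
            $canWrite = (($raw -band [int]$writeBits) -ne 0) -or
                        (($raw -band $genericWrite) -ne 0) -or
                        (($raw -band $genericAll) -ne 0)
            if ($canWrite) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Group     = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage: one row per (directory, group) pair, exported for the restore plan.
Get-BroadWritableDirectory -ShareRoot 'D:\Shares' |
    Export-Csv -Path 'C:\Temp\writable-dirs.csv' -NoTypeInformation
```

The report looks only at NTFS ACEs: it ignores share-level permissions and does not subtract Deny entries, so treat it as the superset of directories to check against backup, not as proof that a directory was reachable. Inherited entries are flagged so a single fix at the parent can be recognised.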
  • PurpleIT (Member, Posts: 327)
    Is it the file server itself that is infected?

    Best case is it is a workstation that is actually infected which you can just nuke from orbit (it's the only way to be sure) then you don't have to do much to the server itself other than restore your data. Cryptolocker is actually very polite in that it gives you a list of all the files it has encrypted. This makes it much easier to do a selective restore and minimize the number of old files that need to come from backup.

    For those that have GPO settings that will help with this I would be interested in seeing what you have.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
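PurpleIT's point that the malware leaves a list of what it encrypted makes a selective restore possible instead of rolling back whole directories. The function below is an added example, not the poster's method. It takes that list as a text file exported from the infected workstation (one full path per line; the format is an assumption), restores only entries that exist in the backup copy, and moves each encrypted original aside rather than overwriting it, so the evidence survives. All paths are placeholders, and it honours -WhatIf.

```powershell
# Added example; not code from the thread. Restores only the files named in a
# list exported from the infected workstation (one full path per line, a format
# this example assumes) and moves each encrypted copy aside for later analysis
# instead of overwriting it. All paths are placeholders; run with -WhatIf first.
function Restore-ListedFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ListPath,    # e.g. C:\Temp\encrypted-files.txt
        [Parameter(Mandatory)][string]$ShareRoot,   # prefix as written in the list, e.g. \\FS01\Data
        [Parameter(Mandatory)][string]$BackupRoot,  # last-good copy of the share, e.g. E:\Restore\Data
        [Parameter(Mandatory)][string]$HoldRoot     # where encrypted originals go, e.g. E:\Quarantine\Data
    )
    foreach ($rawLine in Get-Content -LiteralPath $ListPath) {
        $p = $rawLine.Trim()
        if (-not $p) { continue }

        # Only touch paths under the share being restored.
        if (-not $p.StartsWith($ShareRoot, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ Path = $p; Action = 'Skipped'; Reason = 'outside share root' }
            continue
        }
        $rel    = $p.Substring($ShareRoot.Length).TrimStart('\')
        $backup = Join-Path $BackupRoot $rel
        $hold   = Join-Path $HoldRoot   $rel

        # Files created after the last backup cannot be restored this way;
        # report them so they are not silently forgotten.
        if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Action = 'Skipped'; Reason = 'no copy in backup' }
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($p, "replace with $backup")) { continue }

        # Keep the encrypted original: move it into the hold tree, mirroring the path.
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            New-Item -ItemType Directory -Path (Split-Path -Parent $hold) -Force | Out-Null
            Move-Item -LiteralPath $p -Destination $hold -Force
        }
        New-Item -ItemType Directory -Path (Split-Path -Parent $p) -Force | Out-Null
        Copy-Item -LiteralPath $backup -Destination $p
        [pscustomobject]@{ Path = $p; Action = 'Restored'; Reason = "original kept at $hold" }
    }
}

# Usage: dry run first, then rerun without -WhatIf and keep the report.
Restore-ListedFile -ListPath 'C:\Temp\encrypted-files.txt' -ShareRoot '\\FS01\Data' `
    -BackupRoot 'E:\Restore\Data' -HoldRoot 'E:\Quarantine\Data' -WhatIf |
    Export-Csv -Path 'C:\Temp\restore-report.csv' -NoTypeInformation
```

Do not run the real pass until the infected workstation is off the network, as the thread already says; otherwise the restored files are simply encrypted again. The "no copy in backup" rows are the actual data loss and belong in the incident report.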
  • Lostpacket (Member, Posts: 25)
    Cryptolocker Prevention Kit (updated) - Spiceworks
    and
    How To Avoid CryptoLocker Ransomware — Krebs on Security

    Yep, isolate the system and restore from backup.

    I'd run a full scan on each workstation as well. More than likely you have a user that clicked on a something.pdf.exe in an email.
  • NetworkingStudent (Member, Posts: 1,407)
    To the best of my knowledge, the virus is pretty easy to remove.

    Not sure why others are suggesting a wipe and reload.

    Best thing you can do for this virus is to have GREAT backups.

    I suggest system image backups.

    Worried About Cryptolocker? Put Your Fears Aside with ShadowProtect Backups - StorageCraft

    ShadowProtect makes it simple to take point-in-time incremental backups as often as every fifteen minutes, so you’ll have the option of restoring to an image taken just before your equipment was compromised by this malicious attack and only ever risk losing around fifteen minutes of newly created data (depending on how often you schedule incrementals). By taking control of your data with intelligent, regularly scheduled backups, you’ve got a way to get systems back to normal—even if something like Cryptolocker encrypts critical files or attacks systems in other malevolent ways.

    Interesting video from OpenDNS on how they block malware like Cryptolocker:

    Containing Cryptolocker -- How Predictive Analytics Combat Dynamic Threats - YouTube

    Also, you can build a solid security program:

    Security Weekly Podcasts

    These efforts could help mitigate future attacks.
    "When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened."

    --Alexander Graham Bell,
    American inventor
  • YFZblu (Member, Posts: 1,462)
    NetworkingStudent wrote: »
    To the best of my knowledge, the virus is pretty easy to remove. Not sure why others are suggesting a wipe and reload.

    Here's the deal - overall, today's commodity malware is quite sophisticated. Ultimately, unless one is able to understand the full capabilities of the malware on the system, then one cannot fully guarantee that the system is clean after remediation. And I'm not just talking about knowing how Cryptolocker generally behaves; unless you as a technician are capable of reversing every aspect of the software, then you won't be sure. Different variants are released far too quickly to assume some analyst's malware blog is exactly the variant you're looking at. Additionally, if you're dealing with a kernel-mode rootkit, the computer is lying to you. A/V says your system is clean? It's lying. Netstat shows no connections unaccounted for? It's lying. Task Manager looks good? It's lying.

    In the enterprise, where workstation uptime is valued, true malware analysis and a comprehensive investigation is a specialized skillset which is done out of band. In the meantime, techs should simply give the user another workstation so they can get back to business without the risk of being owned for an extended period of time.

    Did you know the banking trojan Zeus has been observed installing Cryptolocker on systems in the wild? It's quite feasible one of your users gets infected by a Zeus variant, which successfully evades antivirus, and then downloads a detectable version of Cryptolocker. Once Cryptolocker is detected and the technician 'cleans' the system by way of using documentation specifically tailored to Cryptolocker, the Zeus infection remains on the system, silently stealing information. The User is still compromised.

    I've said it before - people need to stop "cleaning" malware infections. Nuke and pave, always.
  • Cert Poor (Member, Posts: 240)
    Pretty sure CryptoLocker's old enough now that all antivirus products have signatures for it. So the question is how could a client get infected with it in the first place?

    Re: ZeuS: Abuse.ch has a great ZeuS tracker. I have the IPs blocked at home even, so there's no way it could really phone home to a C&C server. I assume enterprises have more toys and expertise than I do, so I don't see how they could get infected unless lazy.
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
  • YFZblu (Member, Posts: 1,462)
    Cert Poor wrote: »
    Pretty sure CryptoLocker's old enough now that all antivirus have signatures for it. So the question is how could a client get infected with it in the first place?

    Quite literally, malware authors make a living by evading anti-virus. They utilize blackhat services to test their stuff against major vendors' antivirus after making changes. From there, they release the software updates to customers. Successful malware is not static software. This is cat-and-mouse.
    Cert Poor wrote: »
    Re: ZeuS: Abuse.ch has a great ZeuS tracker. I have the IPs blocked at home even so there's no way it could really phone home to a C&C server. I assume enterprises have more toys and expertise than I do so don't see how they could get infected unless lazy.

    But how are these lists of ZeuS C&C servers generated? The watchers don't always update these lists in real time; they are compiled AFTER badness has been seen on a given domain. So yes, it is entirely feasible for an organization to get owned and exfiltrate data before the watchers are able to see it themselves and update the lists.
  • Cert Poor (Member, Posts: 240)
    I guess all it takes is one small crack for the whole ship to sink. Thanks.
    In progress: MTA: Database Fundamentals (98-364)
    Next up: CompTIA Cloud Essentials+ (CLO-002) or LPI Linux Essentials (010-160)
    Earned: CompTIA A+, Net+, Sec+, Server+, Proj+
    ITIL-F v3 2011 | ServiceNow CSA, CAD, CIS | CWNP CWTS
  • PurpleIT (Member, Posts: 327)
    Cert Poor wrote: »
    Pretty sure CryptoLocker's old enough now that all antivirus have signatures for it. So the question is how could a client get infected with it in the first place?

    In addition to what YFZblu has said, sometimes AV simply doesn't work. Maybe the app crashed, maybe the variant that hit your system is just different enough to slip through, maybe the user is an idiot... it can be anything.

    There is no such thing as absolute security nor is there an unhackable system or an AV program that will catch everything.
    Cert Poor wrote: »
    Re: ZeuS: Abuse.ch has a great ZeuS tracker. I have the IPs blocked at home even so there's no way it could really phone home to a C&C server. I assume enterprises have more toys and expertise than I do so don't see how they could get infected unless lazy.

    Statically blocked IPs by definition rely on old information. It is important to remember that people are not sitting around MANUALLY creating C&C servers - in many cases the malware does that itself and creates them MUCH faster than mere mortals can keep up with.

    IMO, statically blocking IPs is an OK step for roughly the first 48-72 hours after news of some zero day exploit comes out. After that your AV & IPS should be up to date, and if it isn't then your list of IPs is probably outdated anyway.

    It's a cold, ugly world out there.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • SweenMachine (Member, Posts: 300)
    Man.. so much info! Love it

    -scott
  • SweenMachine (Member, Posts: 300)
    YFZblu wrote: »
    Here's the deal - overall, today's commodity malware is quite sophisticated. Ultimately, unless one is able to understand the full capabilities of the malware on the system, then one cannot fully guarantee that the system is clean after remediation. And I'm not just talking about knowing how Cryptolocker generally behaves; unless you as a technician are capable of reversing every aspect of the software, then you won't be sure. Different variants are released far too quickly to assume some analyst's malware blog is exactly the variant you're looking at. Additionally, if you're dealing with a kernel-mode rootkit, the computer is lying to you. A/V says your system is clean? It's lying. Netstat shows no connections unaccounted for? It's lying. Task Manager looks good? It's lying.

    In the enterprise, where workstation uptime is valued, true malware analysis and a comprehensive investigation is a specialized skillset which is done out of band. In the meantime, techs should simply give the user another workstation so they can get back to business without the risk of being owned for an extended period of time.

    Did you know the banking trojan Zeus has been observed installing Cryptolocker on systems in the wild? It's quite feasible one of your users gets infected by a Zeus variant, which successfully evades antivirus, and then downloads a detectable version of Cryptolocker. Once Cryptolocker is detected and the technician 'cleans' the system by way of using documentation specifically tailored to Cryptolocker, the Zeus infection remains on the system, silently stealing information. The User is still compromised.

    I've said it before - people need to stop "cleaning" malware infections. Nuke and pave, always.

    Looking for a new job? I'd hire this dude in a second! haha

    -scott
  • SephStorm (Member, Posts: 1,731)
    Got "infected" with cryptolocker today, (see my blog) nice stuff. Can confirm AV is constantly behind.
  • wes allen (Member, Posts: 540)
    Yep, pretty much AV sucks and is easy to bypass. We always suggest re-imaging any machine that gets infected. If you don't have a good way to watch network traffic for C&C, you will miss seeing most malware. Cryptolocker is just one that makes itself known by design - the majority do everything they can to hide - not just from AV, but from deep packet inspection as well.