Cryptowall 3 and cryptolocker Best practice ?

dbit

This Q is being put to me more and more recently and I was wondering what everyone else was advsing people around this topic ?

Where I work the cloud products i specialise in are not that mature at stopping and killing off cryptolocker ? So there are some areas that seem very obvious to me , i usually advise on some of the following :-

Crypto wall and latest crypto wall 3 will target these services and shut them down or at least try to in order to execute successfull ransome , similarly - these services could be set to be protected or no access through SRP's .


Service Name Description
wscsvc Security Center Service
WinDefend Windows Defender Service
wuauserv Windows Update Service
BITS Background Intelligent Transfer Service
ERSvc Error Reporting Service
WerSvc Windows Error Reporting Service

* Block any kind of executable attachments in mails, not just exe's, e.g. .js, .chm, .scr etc. Use tech that actually looks in Zip files too.
* Block all macros and ActiveX stuff, if you can get away with it, kill Flash too.
* Java applets should be whitelist only.
* Monitor any filers/network storage for the 'ransom' file names, e.g. HELP_DECRYPT.txt, HELP_YOUR_FILES.html, DECRYPT_INSTRUCTION.html etc.
* Put an Adblocker and EMET on all client machines.


Stopping executes from :- files running from AppData/LocalAppData folders
Same for the TEMP folders
Ensure that the System restore service is protected
Kill Autorun for users via GPO
Employ SRP's from GPO's to stop users with out domain admin rights from being allowed to install unwarranted apps . ( In cloud this makes sense as all desktop sessions should spin from one master image and this image is customised to suit individual BU's, in other words if app installs are required here then Virt admins are not keeping master image up to date)

Help desk being annoyed to install something in my eyes is a better idea than having 30 calls to helpdesk for financialy crippling ransomware attacks.

Kill RDP protocol for all users who do not require it .

The biggest win in defending against crypto for me has to be the SRP's route as here if the installers are 100% blocked from executing on user sessions then no file can execute to perform installs . IT sounds bad and a bit harsh, but if you want to face palm this type of attack its my only answer for now . I have seen vendors being defeated not just only my own employer as per the zero day aspect and pattern analysis is almost impossible as to how it is delievered in encrypted form and then unencrytped at user execute time ......



IF anyone has any ideas to peg on here we could build a nice little doc on it ?

Blowfish

Well the first and most obvious thing that will nullify ransomware's effectiveness is having a good backup policy and test it regularly.

Some simple ones most of which orgs should be doing anyway:

* Block any kind of executable attachments in mails, not just exe's, e.g. .js, .chm, .scr etc. Use tech that actually looks in Zip files too.
* Block all macros and ActiveX stuff, if you can get away with it, kill Flash too.
* Java applets should be whitelist only.
* Monitor any filers/network storage for the 'ransom' file names, e.g. HELP_DECRYPT.txt, HELP_YOUR_FILES.html, DECRYPT_INSTRUCTION.html etc.
* Put an Adblocker and EMET on all client machines.

dbit

Thanks Blowfish , Hmmm can i add them to the list above ? Sort of imalgimate all the good ideas to the top post ? with your permission ?

dbit

Blowfish wrote: »

Well the first and most obvious thing that will nullify ransomware's effectiveness is having a good backup policy and test it regularly. .

You see the problem with crypto is it is taking advantage of one simple fact SMB do not take this stuff seriously until stung , Backups are a rarity in most SMB's and this is a blatant attack on that fact. Most small enterprises call the local tech guys to come and "secure" or "fix" issues and the moment an onsite engineer brings up backups and cost they have already begun to think about the next game of thrones episode ..........


Crypto gangs know the people they want to target and know the lack of action being taken in practically every small to medium enterprise out there , oooops OUR critical DB files or Excel spread sheets have been encrypted - pay out every time .

Blowfish

dbit wrote: »

Thanks Blowfish , Hmmm can i add them to the list above ? Sort of imalgimate all the good ideas to the top post ? with your permission ?

Of course

dbit wrote: »

Crypto gangs know the people they want to target and know the lack of action being taken in practically every small to medium enterprise out there , oooops OUR critical DB files or Excel spread sheets have been encrypted - pay out every time .

Absolutely agree, though on the plus side, this will likely be improved on over time as newer startups are much more likely to use cloud storage by default where backups etc. are handled for them.

Joe Exotic

i would second all the above and add on

Security awareness training - particularly around email attachments
- Convince staff to report if they do click by mistake
Active directory folder permissions - if you don't need it you shouldn't have it

Patching policy - for the love of god patch your fcuking machines
Anti Virus - ok not going to prevent a lot but no excuse for not having it up to date

Incident response - Practice for these situations