Defending Your Data against Cryptoviral Extortion – CryptoLocker


If you’re running Windows XP through Windows 8, chances are you’ve heard of CryptoLocker by now. If not, for some background, check out this post from 6LABS.

Now that you know what it is, it’s time to defend your network against it. There are several defense techniques, and I will try to touch on as many as I can. First and foremost, from an Incident Response point of view, if you find indicators of CryptoLocker on your network, best practice is as follows:

Standard Forensic Evidence Preservation Techniques

  • Create a forensic image of each infected system – both the file system and volatile memory (if needed).
  • Preserve all Firewall/IPS/AD logs.
  • Capture ingress/egress network traffic as .pcap.


 

Identification of Cryptolocker

Location of CryptoLocker binaries:

  • %AppData%\<random>.exe
  • %LocalAppData%\<random>.exe

If the malware has executed, one or more of the following registry keys will be present:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “CryptoLocker_<version>”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “*CryptoLocker”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “<Random>”
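The two indicator lists above can be turned into a quick sweep of a suspect host. The script below is an added example, not part of the original post: it checks only the drop paths and registry values listed above (the autorun value names, plus any autorun entry whose data points at an .exe under %AppData% or %LocalAppData%, which covers the "<Random>" variant), hashes anything it finds, and writes the result to a CSV for the incident record. It assumes Windows PowerShell 3.0 or later and must be run as the logged-on user whose profile is suspect, so that HKCU and the %AppData% variables resolve to that user. It is a triage aid, not a substitute for the forensic imaging described above.

```powershell
# Added example (not from the original post): sweep the local host for the
# CryptoLocker indicators listed above. Run as the suspect user so that HKCU,
# %AppData% and %LocalAppData% resolve to that user's hive and folders.
# Assumes Windows PowerShell 3.0 or later.
$findings = @()

function Get-Sha256([string]$Path) {
    # .NET hashing rather than Get-FileHash, which only exists in PowerShell 4+
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

# 1. Autorun entries. Known value names are "CryptoLocker", "CryptoLocker_<version>"
#    and "*CryptoLocker" (RunOnce); the "<Random>" name variant is caught by its
#    data pointing at an .exe under %AppData% or %LocalAppData%.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a registry value
        $data    = [string]$prop.Value
        $nameHit = $prop.Name -like '*CryptoLocker*'
        $dataHit = ($data -like "*$env:APPDATA\*.exe*") -or ($data -like "*$env:LOCALAPPDATA\*.exe*")
        if ($nameHit -or $dataHit) {
            $findings += New-Object PSObject -Property @{
                Type = 'Autorun'; Location = "$key\$($prop.Name)"; Detail = $data }
        }
    }
}

# 2. Executables dropped directly into %AppData% or %LocalAppData%.
foreach ($dir in @($env:APPDATA, $env:LOCALAPPDATA)) {
    Get-ChildItem -Path $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += New-Object PSObject -Property @{
                Type     = 'Binary'
                Location = $_.FullName
                Detail   = "SHA256 $(Get-Sha256 $_.FullName); $($_.Length) bytes; written $($_.LastWriteTime)" }
        }
}

# 3. The per-user key under which CryptoLocker records the files it has encrypted.
if (Test-Path 'HKCU:\Software\CryptoLocker') {
    $filesKey = Get-Item 'HKCU:\Software\CryptoLocker\Files' -ErrorAction SilentlyContinue
    $count    = if ($filesKey) { $filesKey.ValueCount } else { 0 }
    $findings += New-Object PSObject -Property @{
        Type = 'Registry'; Location = 'HKCU:\Software\CryptoLocker'; Detail = "present; $count encrypted-file entries" }
}

# Report on screen and keep a copy for the incident record.
if ($findings.Count -eq 0) {
    Write-Output "No CryptoLocker indicators found on $env:COMPUTERNAME."
} else {
    $findings | Select-Object Type, Location, Detail | Format-Table -AutoSize -Wrap
    $findings | Export-Csv -Path "$env:COMPUTERNAME-cryptolocker-ioc.csv" -NoTypeInformation
}
```

A hit on the autorun check or a fresh .exe in the profile root is worth escalating even when the name is random; the SHA256 lets you correlate the same dropper across hosts before you have any vendor signature for it.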

Containing CryptoLocker

Stop the binaries from executing by applying a GPO that blocks executables in the following locations:

  • %appdata%\*.exe
  • %appdata%\*\*.exe
  • %localappdata%\*.exe
  • %localappdata%\*\*.exe

In practice these path blocks are implemented as Software Restriction Policy (SRP) rules, which can be created in the Local Security Policy editor on a single machine or distributed to the domain through GPO.

For more information on Software Restriction Policies, see Microsoft's SRP documentation. Below are SRP rules to assist in blocking CryptoLocker. You may have to tweak some of these rules for your environment.

———–

Block CryptoLocker executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %LocalAppData%.

Block executables run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

———–
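Clicking these rules in one at a time on every machine does not scale, so here is the same block list as a script. This is an added example, not from the original post or from any vendor: it writes the GPO path blocks and the SRP rules above as Disallowed path rules into the registry location where the Local Security Policy editor (secpol.msc) stores SRP (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers), so the result can be reviewed in the editor and then exported into a domain GPO. The registry layout, the policy-wide default values and the designated-file-types list are as the author of this example understands the editor writes them; test on a lab machine, confirm a copy of a harmless .exe placed in %AppData% is refused, and only then roll out. Requires an elevated PowerShell session.

```powershell
# Added example (not from the original post): write the Disallowed path rules
# above into the local Software Restriction Policy store. Layout and default
# values are the author's understanding of what secpol.msc writes; test first.
$safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = "$safer\0\Paths"          # subkey 0 = Disallowed security level

# %LocalAppData% does not exist as a variable on XP; use the long form there.
$isXP  = [Environment]::OSVersion.Version.Major -lt 6
$local = if ($isXP) { '%UserProfile%\Local Settings' } else { '%LocalAppData%' }

$rules = @(
    @{ Path = '%AppData%\*.exe';         Desc = "Don't allow executables to run from %AppData%." },
    @{ Path = '%AppData%\*\*.exe';       Desc = "Don't allow executables to run from %AppData% subfolders." },
    @{ Path = "$local\*.exe";            Desc = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = "$local\*\*.exe";          Desc = "Don't allow executables to run from %LocalAppData% subfolders." },
    @{ Path = "$local\Temp\Rar*\*.exe";  Desc = 'Block executables run from archive attachments opened with WinRAR.' },
    @{ Path = "$local\Temp\7z*\*.exe";   Desc = 'Block executables run from archive attachments opened with 7zip.' },
    @{ Path = "$local\Temp\wz*\*.exe";   Desc = 'Block executables run from archive attachments opened with WinZip.' },
    @{ Path = "$local\Temp\*.zip\*.exe"; Desc = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)

# Policy-wide settings: default level Unrestricted (0x40000) so only the rules
# below deny anything; apply to all users (PolicyScope 0); check executables
# but not DLLs (TransparentEnabled 1); designated file types as the editor's default.
if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
Set-ItemProperty -Path $safer -Name DefaultLevel        -Value 0x40000 -Type DWord
Set-ItemProperty -Path $safer -Name TransparentEnabled  -Value 1       -Type DWord
Set-ItemProperty -Path $safer -Name PolicyScope         -Value 0       -Type DWord
Set-ItemProperty -Path $safer -Name AuthenticodeEnabled -Value 0       -Type DWord
Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
    'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')

# One GUID-named subkey per rule. ItemData must stay REG_EXPAND_SZ so that
# %AppData% is expanded per user at evaluation time; read it back unexpanded
# so re-running the script does not create duplicates.
if (-not (Test-Path $disallowed)) { New-Item -Path $disallowed -Force | Out-Null }
$present = Get-ChildItem -Path $disallowed |
    ForEach-Object { $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames') }
foreach ($rule in $rules) {
    if ($present -contains $rule.Path) { continue }
    $ruleKey = New-Item -Path $disallowed -Name ([guid]::NewGuid().ToString('B'))
    New-ItemProperty -Path $ruleKey.PSPath -Name ItemData     -PropertyType ExpandString -Value $rule.Path | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0          | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name Description  -PropertyType String       -Value $rule.Desc | Out-Null
    New-ItemProperty -Path $ruleKey.PSPath -Name LastModified -PropertyType QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Show what is now in the store. Rules written here are picked up at the next
# policy refresh or logon; verify by copying a harmless executable such as
# notepad.exe into %AppData% and attempting to launch it.
Get-ChildItem -Path $disallowed | ForEach-Object {
    $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
}
```

Note the `%AppData%\*\*.exe` rule deliberately goes one level deeper than `%AppData%\*.exe`; SRP path rules with a filename wildcard match only that directory, so a dropper in a subfolder needs its own rule. Anything legitimate that runs from the profile (some updaters and click-to-run installers do) will need an explicit Unrestricted path or hash rule, which is what "tweak for your environment" amounts to.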

Identifying if your system has already begun encrypting files:

The following PowerShell command lists every file CryptoLocker has recorded as encrypted on the local system. The malware stores the paths as value names under HKCU\Software\CryptoLocker\Files with each backslash replaced by "?", so the command reverses that substitution. Run PowerShell as the affected user (an elevated prompt under a different administrator account reads that account's HKCU hive, not the victim's) and paste the following:

# Value names under this key are the encrypted file paths with "\" replaced by "?"
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames() |
    ForEach-Object { $_.Replace("?", "\") } |
    Out-File CryptoLockerFiles.txt -Encoding unicode

 

Options once CryptoLocker has infected and encrypted a system:

When a system is infected with CryptoLocker, disconnect it from the network as soon as possible so that mapped drives and shares stop being encrypted. At this point, you need to decide whether or not you plan on paying the ransom. We suggest cutting your losses and restoring from a backup.

Should you decide to pay the ransom, we have seen a high success rate with the decryption process. Follow the directions on the malware's pop-up to pay via Bitcoin or prepaid cards. If you are going to pay, do NOT remove the infection from the %AppData% folder: the decryption routine is part of that binary, and if you delete these files it is significantly more difficult to decrypt your data.

Once you pay the ransom, the application will begin decrypting your files. A screen will be displayed with a message stating that the malware is verifying payment. This can take up to a few hours. Once verification is completed, the decryption process will begin. This is a very slow process, and it might take several hours to a day to complete decryption.

If you make the decision to remove the infection without paying, it is strongly recommended to rebuild the system from trusted, known-good media. CryptoLocker can be disabled by removing the binaries and deleting the registry keys referenced above, but cleaning up by hand rather than rebuilding from known-good media could result in re-infection. In addition, CryptoLocker is often found coupled with other malware, such as Zeus, which may also have stolen data from the host.

Recovering your data without paying the ransom

Actually decrypting the data is not possible at the moment: CryptoLocker protects the file keys with 2048-bit RSA, and the private key is held only by the attackers. If Volume Shadow Copies were enabled on the system, however, it may be possible to recover files from the snapshots. This has worked with older variants of CryptoLocker; it is rumored that newer variants look for the shadow copies and delete them. Some users have used an application called Shadow Explorer to browse the snapshots and restore files.
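The same recovery can be done without third-party tools. The script below is an added example, not from the original post: it parses `vssadmin list shadows`, exposes each snapshot of the file's volume through a directory symlink (the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` device path is not usable from the .NET file APIs directly, and `mklink` needs the trailing backslash), and copies out the newest version of a given file that still carries its expected file-type signature. The signature check is this example's own heuristic for "not yet encrypted", not a CryptoLocker indicator. Save it as Recover-FromShadow.ps1 and run it from an elevated prompt on Windows Vista or later, on a host already isolated from the network or against a mounted disk image.

```powershell
# Added example (not from the original post): recover a pre-encryption version
# of one file from the Volume Shadow Copies using only vssadmin and mklink.
# The "intact" test below is this example's heuristic, not a malware signature.
param(
    [Parameter(Mandatory = $true)] [string]$File,                       # full path of the encrypted file
    [string]$Destination = (Join-Path $env:USERPROFILE 'Desktop\recovered')
)

function Test-LooksIntact([string]$Path) {
    # Well-known file types start with a fixed signature; a file CryptoLocker has
    # overwritten with ciphertext will not. Unknown extensions are accepted as-is.
    $sig = @{ '.docx' = '504B'; '.xlsx' = '504B'; '.pptx' = '504B'; '.zip' = '504B'
              '.doc'  = 'D0CF11E0'; '.xls' = 'D0CF11E0'; '.ppt' = 'D0CF11E0'
              '.pdf'  = '25504446'; '.jpg' = 'FFD8FF'; '.png' = '89504E47' }
    $ext = [IO.Path]::GetExtension($Path).ToLower()
    if (-not $sig.ContainsKey($ext)) { return $true }
    $fs = [IO.File]::OpenRead($Path)
    try { $buf = New-Object byte[] 8; $n = $fs.Read($buf, 0, 8) } finally { $fs.Close() }
    $hex = ($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
    return $hex.StartsWith($sig[$ext])
}

# 1. Parse "vssadmin list shadows": creation time, original volume and device
#    path of each snapshot. Newer variants are reported to delete these, so an
#    empty result means this recovery path is gone.
$shadows = @()
$current = $null
foreach ($line in (vssadmin list shadows)) {
    if ($line -match 'Contained \d+ shadow copies at creation time:\s*(.+)$') {
        $created = [datetime]::MinValue
        [void][datetime]::TryParse($matches[1].Trim(), [ref]$created)
        $current = @{ Created = $created }
    } elseif ($current -and $line -match 'Original Volume:\s*\((\w:)\)') {
        $current.Volume = $matches[1]
    } elseif ($current -and $line -match 'Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)') {
        $current.Device = $matches[1]
        $shadows += New-Object PSObject -Property $current
    }
}

$drive      = $File.Substring(0, 2)          # "C:"  (drive-letter paths only)
$relative   = $File.Substring(2)             # "\Users\alice\Documents\budget.xlsx"
$candidates = $shadows | Where-Object { $_.Volume -eq $drive } | Sort-Object Created -Descending
if (-not $candidates) { throw "No shadow copies of volume $drive found; recovery from snapshots is not possible." }

# 2. Expose each snapshot through a directory symlink and take the newest copy
#    of the file that still looks intact. The link is removed after each pass.
$link = Join-Path $env:SystemDrive 'shadow_mount'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
foreach ($s in $candidates) {
    cmd /c mklink /d "$link" "$($s.Device)\" | Out-Null
    try {
        $source = Join-Path $link $relative
        if ((Test-Path $source) -and (Test-LooksIntact $source)) {
            $target = Join-Path $Destination ([IO.Path]::GetFileName($File))
            Copy-Item -Path $source -Destination $target
            Write-Output "Recovered from snapshot taken $($s.Created): $target"
            return
        }
    } finally {
        cmd /c rmdir "$link" | Out-Null       # removes the link only, never its contents
    }
}
Write-Warning "Every snapshot copy of $File is missing or already encrypted."
```

Usage: `.\Recover-FromShadow.ps1 -File 'C:\Users\alice\Documents\budget.xlsx'`. Work from a copy of the disk where you can: every write to the live volume, including the copy-out itself, consumes shadow-copy storage and can cause the oldest snapshot, often the only clean one, to be discarded.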

Conclusion

It seems this type of malware is here for the long haul, and it won’t be long before even more variants are released into the wild. End users and businesses alike need to back up data frequently and verify that those backups can actually be restored. Ensure proper network monitoring is in place and use a layered approach to defending your network. These actions will help stop an infection before it begins, or limit the damage when one gets through.

Source: fishnetsecurity.com
