Cryptolocker Mitigation Strategies Explained
CryptoLocker is well known and by no means new, but this threat is here for the long haul. It is important to understand what it is, how it infects and operates, and how to avoid or prevent it.
The rise of ransomware is a genuine threat. Attackers keep combining old and new approaches to gain access and to get users to click on the Trojans that lead to infection. It is very important to close this gap, especially as we have found that most organisations have not yet implemented most of the mitigation strategies below.
Many of my customers have unfortunately not managed to avoid CryptoLocker; they have been infected with this Trojan and some have lost data. This has been a wake-up call for many, who have realised that not all of the major vendors can adequately protect against this threat with a single form of mitigation. On the flip side, we service many customers that have effectively avoided the onslaught and have to date not been infected or affected by this wave of ransomware, so it can be done.
Mitigation strategies explained
Below are some of the strategies that can be used to mitigate CryptoLocker. It has been seen time and again that multiple forms of mitigation used in combination work better than any single strategy: if one approach fails, another may succeed.
Defence in depth is preached time and again, yet it is surprising how often it is ignored. Some organisations feel that a firewall and antivirus combination will not just suffice but be more than enough to secure their environment, until something as disruptive as CryptoLocker hits. Layered protection is not a new strategy, but its importance needs emphasis: it should already be part of your defence in depth, and if it is not, it should take priority.
Manage network traffic
Through proper management of network traffic you can better control what is on your network. Flat networks are particularly vulnerable. Networks should be properly zoned so that users and devices can only see and interact with the areas of the network they need to, and only with the level of privilege required.
Always make use of application-layer firewalls. Most firewalls today can act as forward and reverse proxies, so wherever possible services should be published through reverse proxies to avoid direct subject-to-object access. This not only limits the damage but also prevents direct access to files and environments if an attack occurs.
Firewalls should also be enabled on the endpoint so that outbound traffic from hosts, and traffic from non-corporate software, is blocked.
Use IPS and HIPS
The use of IPS/IDS on the network is highly recommended, especially the more advanced varieties. This assists in prevention, since unusual or anomalous traffic flowing between applications and interfaces can be detected this way. HIPS on hosts should detect and prevent any traffic that is not the norm.
Use restricted interfaces
Remote access applications locked down by strong policy do help mitigate this type of threat, as ransomware must be executed to infect the networked machines. If browsing is blocked through the restricted interface, users tend to browse on their own machines rather than through the corporate connection. Ultimately this behaviour limits the exposure.
Patch your environment
This area is often mistakenly not treated as a priority and is frequently ignored, yet patching your applications and your environment is very important and does protect you. Some cryptoware exploits unpatched systems, and through these vectors the infection can be far worse.
Proxy your traffic
Good proxies can block traffic that originates from applications not on the allowed or trusted list. Even internal traffic can be proxied at the application layer and inspected.
It is highly recommended to use application whitelisting: create a whitelist of the corporate applications allowed to run on the machines and on the network. This strategy is a strong one, it works, and more often than not it is very difficult to bypass. Certain whitelisting technologies hash the allowed applications, and only applications on the list of allowed hashes will run on the machine. To date I do not know of an easy way to bypass this mitigation strategy, and the only clients I have seen survive the latest onslaught of cryptoware are the ones using whitelisting as a mitigation strategy.
Make sure your permissions are appropriately set and that authentication is required for access, especially to critical systems. Two-factor authentication for access to sensitive systems is always recommended, and cryptoware cannot easily bypass these controls.
Rule of least privilege
Always implement, and keep reviewing, the rule of least privilege. Often we find customers with an allow-all policy that gives every user access to all networked files and resources. This can result in accidental deletion, or in crypto/malware denying you access to the files.
Files should be carefully grouped and the correct level of access applied under the rule of least privilege. Users should only ever have the least privilege required to do their work.
Be vigilant and promote security awareness
One of the most important aspects of security, especially when dealing with CryptoLocker-type software, is to remind your users regularly not to run any strange-looking software and not to visit potentially harmful websites.
You would be surprised how many users are not even aware of the threat and the ways in which they could be infected. For this reason it is a good idea to host a cyber security awareness event periodically; my recommendation is once a quarter, even if only for half an hour, to cover the latest threat vectors. This helps users stay abreast of the latest attacks and threats.
Have a restorable backup
In this day and age some organisations still do not have a basic backup in place that can be properly restored to a point in time. Moreover, data that is deleted should be restorable on servers and desktops through backup technologies like VSS (Volume Shadow Copy).
Some technical advice
It is possible to use Group Policy (GPO) to block executables and payload packages.
To stop the binaries from executing, you can apply policy through GPO to block the following from running:
It is also possible to stop execution by creating a Software Restriction Policy (SRP).
More detail can be found here: https://www.fishnetsecurity.com/6labs/blog/cryptolocker-prevention-and-remediation-techniques
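As an added example (not code from the original article), the following PowerShell script creates SRP "Disallowed" path rules in the local machine policy, the same registry layout that the Group Policy editor writes. The path list is an illustrative assumption of typical user-writable drop locations, not the article's own list, and the script must run elevated; for domain-wide use, author the same rules in a GPO instead.

```powershell
# Added example: create Software Restriction Policy (SRP) path rules that block
# execution from user-writable folders. Not part of the original article.
# Assumptions: the documented SRP registry layout under HKLM\...\Safer and an
# illustrative set of paths; adjust the list to your environment.

$base       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $base '0\Paths'   # security level 0 = Disallowed

# Global SRP settings: default level Unrestricted (262144), apply to all users
# (PolicyScope 0), and switch SRP on (TransparentEnabled 1).
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 262144 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 1      -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0      -PropertyType DWord -Force | Out-Null
# File types SRP treats as executable (a common subset; extend as required).
New-ItemProperty -Path $base -Name 'ExecutableTypes' `
    -Value @('EXE','COM','PIF','SCR','BAT','CMD','VBS','JS','MSI','HTA') `
    -PropertyType MultiString -Force | Out-Null

# Illustrative blocked locations (assumption: typical ransomware drop points).
$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%Temp%\*.exe',
    '%UserProfile%\*.zip\*.exe'    # executables launched from inside archives
)

# Each path rule lives in its own GUID-named subkey with ItemData (the path),
# SaferFlags (0) and a Description.
foreach ($p in $blockedPaths) {
    $ruleKey = Join-Path $disallowed ([guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $p -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0  -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name 'Description' -Value 'Ransomware mitigation: block execution from user-writable path' `
        -PropertyType String -Force | Out-Null
}

# Audit the rules now in place, then refresh policy so they take effect.
Get-ChildItem $disallowed | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
gpupdate /force
```

Test the rules on a non-production machine first, since legitimate installers and updaters that run from these folders will also be blocked and need explicit Unrestricted rules.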
In this day and age the best protection is a layered approach that adopts defence in depth. We can no longer rely on the legacy mitigation strategies of a bygone age. Our security team has witnessed many customers that have only the basics installed and unfortunately become infected. This results in a challenging battle to keep cryptoware and ransomware at bay.
The result is loss of revenue, denial of service and restoration from backup; in some cases organisations actually pay the ransom because the backup was inadequate and it was vital that the data be restored.
You will always find that the bad guys use tricks to get your users to execute their wares; there is nothing new here, and you need to keep the users informed. Informed users are the first layer of defence in your arsenal.