Emerging next-generation threats are everywhere in this digital age. In the late 90s we were protecting our systems against unwanted access, and that is still the case today. It is a never-ending battle in which security professionals fight "the bad guys", and the bad guys always seem to be a few steps ahead. As complexity rises at every level of technology, so does the attackers' knowledge of those systems. The landscape changes so quickly that security professionals are always playing catch-up.
Enter the world of ransomware. Ransomware makes your data unusable, and if you want it back the message is simple: pay me. With good backups, an infection is an inconvenience and a disruption. Without good backups, welcome to a nightmare. There are numerous horror stories, and likely some "Out of Business" signs, resulting from ransomware incidents such as CryptoWall infections. If you have not been hit by an infection like this yourself, you most likely know someone who has.
What is CryptoWall?
CryptoWall is a Trojan (ransomware) that encrypts files and demands a ransom for the key needed to decrypt them. It was first seen in April of last year and continues to be updated; CryptoWall 3.0 is the latest version at the time of this article. It targets all versions of Windows. CryptoWall generally arrives by email, as an attachment or a link. The attachments are usually ZIP files containing what looks like a PDF but is actually an executable (for example, a file named invoice.pdf.exe, which Explorer displays as invoice.pdf because Windows hides known file extensions by default). These files are commonly presented as invoices, bills, complaints, purchase orders, or some other type of business-related communication.
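The disguise described above can be checked for at the mail gateway or on a quarantine box before a ZIP reaches a user. The following PowerShell script is an added example written for this article; it is not CryptoWall code, nor code from the article's author or any vendor. It looks at each entry of a ZIP archive for two signs of a masquerading executable: a document extension immediately followed by an executable one (invoice.pdf.exe), and file content that starts with the "MZ" signature of a Windows PE executable even though the name ends in .pdf or similar. It assumes Windows PowerShell 5.1 or PowerShell 7, and the sample archive it builds is constructed inline (the "MZ" files are a two-byte signature followed by text, not real programs).

```powershell
# Added example for this article (not CryptoWall's code, not the author's or a vendor's):
# scan a ZIP attachment for entries that claim to be documents but are Windows executables.
# Assumes Windows PowerShell 5.1 or PowerShell 7 (System.IO.Compression is available in both).
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions Windows runs on double-click. The disguise works because Explorer hides known
# extensions by default, so "invoice.pdf.exe" is displayed as "invoice.pdf".
$ExecutableExt = '\.(exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta)$'
$DocumentExt   = '\.(pdf|doc|docx|xls|xlsx|rtf|txt)'

function Test-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$ZipPath)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -eq '') { continue }   # directory entries have an empty Name

            # Check 1: a document extension immediately followed by an executable one.
            if ($entry.Name -match ($DocumentExt + $ExecutableExt)) {
                $findings += [pscustomobject]@{ Entry = $entry.FullName; Reason = 'double extension' }
            }

            # Check 2: content starts with the "MZ" signature of a PE executable while the
            # name does not end in an executable extension. Only two bytes are read.
            $stream = $entry.Open()
            try {
                $header = New-Object byte[] 2
                $read = $stream.Read($header, 0, 2)
            } finally {
                $stream.Dispose()
            }
            $isPE = ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
            if ($isPE -and $entry.Name -notmatch $ExecutableExt) {
                $findings += [pscustomobject]@{ Entry = $entry.FullName; Reason = 'PE header under a document name' }
            }
        }
    } finally {
        $zip.Dispose()
    }
    return $findings
}

# Constructed sample (not a real attachment): one benign PDF, one double-extension file
# and one PE-signature file renamed to .pdf. The "MZ" files are not real programs.
$work = Join-Path ([System.IO.Path]::GetTempPath()) ('attach-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$ascii = [System.Text.Encoding]::ASCII
[System.IO.File]::WriteAllBytes("$work\statement.pdf",   $ascii.GetBytes('%PDF-1.4 constructed sample'))
[System.IO.File]::WriteAllBytes("$work\invoice.pdf.exe", $ascii.GetBytes('MZ constructed sample, not a real program'))
[System.IO.File]::WriteAllBytes("$work\complaint.pdf",   $ascii.GetBytes('MZ constructed sample, not a real program'))
$zipPath = "$work.zip"
[System.IO.Compression.ZipFile]::CreateFromDirectory($work, $zipPath)

Test-DisguisedExecutable -ZipPath $zipPath | Format-Table -AutoSize
Remove-Item -Recurse -Force $work, $zipPath
```

The sample archive is built so that statement.pdf passes both checks while invoice.pdf.exe and complaint.pdf each trip one of them. Reading only the first two bytes keeps the check cheap on large archives, but it is a triage signal, not a verdict: a script or HTA dropper has no MZ header, which is why the extension list includes .js, .vbs and .hta as well.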
How do I become infected with CryptoWall?
The typical infection routes are an email message or a malicious website. The email contains a link or an attachment, and the infection requires the user to click the link or open the attachment. A malicious website, by contrast, exploits outdated browser plug-ins (Adobe Flash, Java, etc.) to infect the system without any further action from the user, which is why plug-in patching matters as much as user training.
How can I protect against CryptoWall?
There are a number of preventive measures that can be employed. There is no way to guarantee you will never be infected, short of disconnecting from the internet permanently, but you can reduce the risk considerably by training end users, implementing safe browsing practices, leveraging your gateway firewall security appliance (SonicWALL, Fortinet, etc.), keeping antivirus updated on all devices, deploying a malware scanner and keeping it updated on all devices, using DNS filtering services (OpenDNS, Dyn, etc.), and deploying software restriction policies on all end-user desktops, including Terminal Servers and Citrix servers. Layered on top of all of these, good and regularly tested backups are what turn an infection from a disaster into an inconvenience.
What are the impacts of these methods of protection?
Almost every mitigation deployed to reduce risk has some impact on end users: reduced performance, extra steps to complete a task, or the inability to perform a task at all. When deploying a mitigation, communicate with end users ahead of time so they know what to expect and what to do when they are blocked.
Examples of Impacts and Remediation
Implementing Stricter Anti-Virus Protection
Problem: Users are unable to launch a program, or a program runs noticeably slower.
Solution: Add an exclusion in the antivirus product so that the program is allowed to run and/or its files are not scanned on every access. Keep exclusions as narrow as possible (a specific executable or folder, not a whole drive), because anything excluded is also invisible to the scanner.
Deploying stricter Firewall Security Rules (Content Filtering, Application Controls, Gateway AntiVirus, etc)
Problem: Users are unable to reach a business website or public cloud application.
Solution: Add a whitelist entry or exception on the firewall for that site or application, targeting the specific control that blocked it (URL category, application signature, or gateway antivirus verdict) rather than disabling the feature.
Deploying Software Restriction Policies via Group Policy
Problem: The user is unable to launch an application and sees a message along the lines of "Your system administrator has blocked this program. For more information, contact your system administrator."
Solution: If it is a legitimate application, the systems administrator adds a rule that allows that program to run (a path, hash, or certificate rule for the specific program, rather than relaxing the policy as a whole).
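Software restriction policies are the one mitigation on this list that is built into Windows, so here is what the block rules and the "valid application" exception look like in practice. The PowerShell below is an added example written for this article, not Microsoft's code or the article author's. It writes SRP path rules into the local policy registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers: a set of Disallowed rules for the user-writable folders that mailed droppers run from, and one Unrestricted rule for a vetted per-user application. The rule list, the hypothetical exception path (%LocalAppData%\VendorApp\VendorApp.exe) and the choice of a local policy are my assumptions; in a domain you deliver the same settings with a GPO (Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies), and a GPO overwrites anything written locally. It must be run in an elevated Windows PowerShell session.

```powershell
# Added example for this article (not Microsoft's code, not the author's): local Software
# Restriction Policy path rules against CryptoWall-style droppers plus one allow exception.
# Run elevated. Rule list and exception path are assumptions; in a domain use a GPO instead.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level: never run
$Unrestricted = 262144    # 0x40000, SRP security level: run normally

function Set-RegValue($Key, $Name, $Type, $Value) {
    New-ItemProperty -Path $Key -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

function Get-LevelName($Level) {
    if ($Level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
}

function Enable-Srp {
    # Policy switches: default level Unrestricted (only the rules below block), enforce on
    # all files except DLLs (TransparentEnabled=1), apply to all users incl. admins (PolicyScope=0).
    New-Item -Path $Safer -Force | Out-Null
    Set-RegValue $Safer DefaultLevel       DWord $Unrestricted
    Set-RegValue $Safer TransparentEnabled DWord 1
    Set-RegValue $Safer PolicyScope        DWord 0
}

function Get-SrpPathRule {
    # Enumerate existing path rules at both levels, for verification and for de-duplication.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        $levelName = Get-LevelName $level
        foreach ($key in Get-ChildItem -Path $paths) {
            [pscustomobject]@{
                Level       = $levelName
                Path        = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $key.GetValue('Description')
                Key         = $key.PSPath
            }
        }
    }
}

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,   # path pattern; %AppData% etc. are expanded by SRP
        [Parameter(Mandatory)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    $levelName = Get-LevelName $Level
    $existing = Get-SrpPathRule | Where-Object { $_.Level -eq $levelName -and $_.Path -eq $Path } |
        Select-Object -First 1
    if ($existing) { return $existing.Key }    # idempotent: do not create duplicate rules

    # Each rule is a subkey named with a fresh GUID under <level>\Paths.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-RegValue $key ItemData     ExpandString $Path
    Set-RegValue $key SaferFlags   DWord        0
    Set-RegValue $key Description  String       $Description
    Set-RegValue $key LastModified QWord        (Get-Date).ToFileTime()
    return $key
}

function Get-SrpBlockEvent {
    # Blocked launches land in the Application log (event IDs 865-868; 866 is a path-rule block).
    # Verify the provider name in Event Viewer on your build before using this in monitoring.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Block rules: user-writable locations a mailed dropper runs from. "%Temp%\*.zip\*.exe" covers an
# executable double-clicked inside a ZIP opened with Explorer's compressed-folder view.
$BlockRules = @(
    @{ Path = '%AppData%\*.exe';        Description = 'Executables in the roaming profile' },
    @{ Path = '%AppData%\*\*.exe';      Description = 'One level below the roaming profile' },
    @{ Path = '%LocalAppData%\*.exe';   Description = 'Executables in the local profile' },
    @{ Path = '%LocalAppData%\*\*.exe'; Description = 'One level below the local profile' },
    @{ Path = '%Temp%\*.exe';           Description = 'Executables run from Temp' },
    @{ Path = '%Temp%\*.zip\*.exe';     Description = 'Executables opened straight from a ZIP' },
    @{ Path = '%Temp%\Rar*\*.exe';      Description = 'WinRAR extraction folder' },
    @{ Path = '%Temp%\7z*\*.exe';       Description = '7-Zip extraction folder' }
)

# Allow exception, i.e. the "valid application" case. Hypothetical path: replace it with the
# real per-user application the block rules broke. SRP gives the more specific path rule
# precedence, so this single-file rule wins over %LocalAppData%\*\*.exe.
$AllowRules = @(
    @{ Path = '%LocalAppData%\VendorApp\VendorApp.exe'; Description = 'Vetted per-user application (hypothetical)' }
)

Enable-Srp
foreach ($r in $BlockRules) { New-SrpPathRule @r -Level $Disallowed   | Out-Null }
foreach ($r in $AllowRules) { New-SrpPathRule @r -Level $Unrestricted | Out-Null }
Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
```

To test, copy any harmless .exe into %AppData% and try to launch it; the launch should fail with the message quoted above and Get-SrpBlockEvent should show the corresponding event. If the first test launch is not blocked, sign out and back in and try again. Expect the %AppData% and %LocalAppData% rules to break per-user installs of browsers, chat and conferencing clients on day one; each of those is handled exactly as the Solution above says, with a narrow Unrestricted rule for that program, not by removing the block rules.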
Implementing DNS Threat Protection and Controls
Problem: The user is unable to reach a business website or cloud-based application and sees "Site has been blocked" or "Page cannot be displayed in browser".
Solution: Add the domain to the whitelist in the DNS filtering software, service portal, or appliance, and remember that the client may keep returning the blocked answer until its DNS cache expires or is flushed.
Additional Information on CryptoWall