Emerging next-generation threats are everywhere in this digital age. In the late 90s we were protecting our systems against unwanted access, and that is still the case today. It is a never-ending battle that has security professionals fighting "the bad guys", and the bad guys always seem to be three steps ahead. As complexity rises at every level of technology, so does the knowledge attackers have of those systems. The landscape changes every few minutes, so security professionals are always catching up.
Enter the world of ransomware: make all of your data unusable and, if you want to use it again, pay up. With good backups (kept offline or otherwise out of reach of the infected machine, since the malware also encrypts files on mapped network drives and deletes local shadow copies) this is an inconvenience and a disruption. Without good backups, welcome to a nightmare. There are numerous horror stories, and likely some "Out of Business" signs, as a result of ransomware incidents such as CryptoWall infections. If you have not been hit by an infection like this, you most likely know someone who has.
What is CryptoWall?
CryptoWall is a Trojan (ransomware) that encrypts files and demands a ransom to decrypt the files it has encrypted. It first appeared in April of last year and continues to be updated.
CryptoWall 3.0 is the latest version at the time of this article. It targets all versions of Windows. CryptoWall generally arrives via email attachments or links; the attachments are usually ZIP files containing what look like PDF files but are actually executables (typically a double extension such as Invoice.pdf.exe with a PDF icon, which Windows shows as Invoice.pdf when known extensions are hidden, the default). These files are commonly presented as invoices, bills, complaints, POs, or some other business-related communication.
How do I become infected with CryptoWall?
The typical ways to become infected are through an email message or through a compromised website. The email message contains a link or an attachment, and the infection requires the user to click the link or open the attachment. A malicious website uses an exploit kit that targets outdated browser plug-ins (Adobe Flash, Java, etc.) to infect the system, with no click required beyond visiting the page.
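The attachment lure described above can be checked before it reaches a user. The following is an added example, not code from the original article: it inspects a ZIP attachment without extracting it, flagging executable extensions, document-looking names with an executable behind them (Invoice.pdf.exe), and entries whose content starts with the MZ header of a Windows executable whatever the name says. The sample ZIP it builds in the temp folder is constructed for the demonstration (a four-byte stub, not a real malware sample), and the extension lists are the author's assumptions, not a vendor list.

```powershell
# Added example, not code from the original article. Inspects a ZIP attachment
# the way a mail gateway or help desk might, without extracting it.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Assumed lists: extensions Windows will run directly, and document types used as bait
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta')
$LureExtensions       = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg', '.png')

function Test-ZipAttachment {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ([string]::IsNullOrEmpty($entry.Name)) { continue }   # directory entry
            $name  = $entry.Name
            $outer = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
            $inner = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($name)).ToLowerInvariant()

            # 1. Executable extension, regardless of the rest of the name
            if ($ExecutableExtensions -contains $outer) {
                $findings += "$name : executable extension '$outer'"
            }
            # 2. Double extension: Explorer hides known extensions by default, so the user sees 'Invoice.pdf'
            if (($LureExtensions -contains $inner) -and ($outer -ne '')) {
                $findings += "$name : disguised as a '$inner' document"
            }
            # 3. Content check: a PE file starts with 'MZ' whatever it is called
            $stream = $entry.Open()
            try {
                $magic = New-Object -TypeName 'byte[]' -ArgumentList 2
                $read  = $stream.Read($magic, 0, 2)
                if ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A) {
                    $findings += "$name : content is a Windows executable (MZ header)"
                }
            } finally { $stream.Dispose() }
        }
    } finally { $zip.Dispose() }

    [PSCustomObject]@{
        Attachment = $Path
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Constructed sample lure (not a real malware sample): a ZIP with a PDF-looking
# executable stub and a harmless text file, built in the temp folder.
$work   = Join-Path $env:TEMP 'cryptowall-lure-sample'
$sample = Join-Path $env:TEMP 'Invoice_20150312.zip'
New-Item -ItemType Directory -Force -Path $work | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $work 'Invoice_20150312.pdf.exe'), [byte[]](0x4D, 0x5A, 0x90, 0x00))
Set-Content -Path (Join-Path $work 'readme.txt') -Value 'Please find your invoice attached.'
if (Test-Path $sample) { Remove-Item -Path $sample }
[System.IO.Compression.ZipFile]::CreateFromDirectory($work, $sample)

Test-ZipAttachment -Path $sample | Format-List
```

Run it in a normal (non-elevated) PowerShell session; the sample entry trips all three checks, and readme.txt trips none. The content check is the one that matters most, since a name can say anything; the extension checks are cheap and catch the lure before a user ever sees it.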
How can I protect
There are a number of preventive measures that can be employed. There is no way to guarantee you will never be infected, short of disconnecting from the internet permanently, but you can reduce the risk by training end users, implementing safe web-browsing practices, keeping browsers and their plug-ins (Flash, Java) patched or removed, leveraging your gateway firewall security appliance (SonicWALL, Fortinet, etc.), keeping antivirus updated on all devices, deploying a malware scanner and keeping it updated on all devices, using DNS filtering services (OpenDNS, Dyn, etc.), keeping tested backups that the malware cannot reach, and deploying software restriction policies on all end-user desktops, including Terminal Servers and Citrix servers.
What are the impacts of these methods of protection?
As mitigations are deployed to reduce the risk, there is almost always an impact on end users. These impacts can be reduced performance, additional steps to complete a task, or the inability to perform a task at all. When deploying a mitigation, it is important to communicate with end users so they are
aware of the potential impacts and what steps they should take when they are
Examples of Impacts
Implementing Stricter Anti-Virus Protection
Problem: Users are not able to launch a program, or a program is slow.
Solution: Add exclusions to the antivirus program to allow and/or not scan that program. Exclude the specific executable or folder the program needs, not broad locations such as the whole user profile, since an excluded folder is exactly where a dropper would like to run from.
Deploying Stricter Firewall Security Rules (Content Filtering, Application Controls, Gateway AntiVirus, etc.)
Problem: Users are not able to access a business website or public cloud application.
Solution: Add a whitelist entry or exception to the firewall, scoped to the specific site or application rather than the whole category.
Deploying Software Restriction Policy Group Policy
Problem: A user is not able to launch an application and is alerted "Your system administrator has blocked this program. For more information, contact your system administrator."
Solution: If this is a valid application, the systems administrator adds a rule allowing that program (by its exact path, or better by hash or certificate) rather than removing the blocking rule.
Implementing DNS Threat Protection and Controls
Problem: A user is not able to access a business website or cloud-based application and sees "Site has been blocked" or "Page cannot be displayed in browser".
Solution: Add the site to the whitelist on the DNS controls software, site, or system.
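The software restriction policies recommended in the protection section, and the "valid application" fix in the impacts section above, come down to a handful of path rules. The following is an added example, not code from the original article or any vendor's kit: it writes the local-policy SRP registry tree that secpol.msc edits (run elevated; in a domain, put the same rules in a GPO under Computer Configuration, Windows Settings, Security Settings, Software Restriction Policies), blocks executables from the user-writable locations droppers and archive tools run from, adds an Unrestricted exception for one program, lists the rules, and reads the SRP block events. Assumptions: the registry value names and numeric levels are the standard SRP layout; the Contoso invoicing path is hypothetical; the event provider name and IDs 865 to 868 are taken from the Application log as I remember it and should be checked on a test machine.

```powershell
# Added example, not code from the original article. Local SRP policy:
# default Unrestricted plus Disallowed path rules (a blacklist). A Disallowed
# default with Unrestricted exceptions (a whitelist) is stronger but needs many more rules.
# Assumption: this is the registry tree secpol.msc writes; run as administrator.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Description,
        [int]$Level = $Disallowed
    )
    # One rule per key: <CodeIdentifiers>\<level>\Paths\{GUID}
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Description'  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -PropertyType QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $key
}

function Enable-Srp {
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'DefaultLevel'        -PropertyType DWord -Value $Unrestricted -Force | Out-Null
    New-ItemProperty -Path $Safer -Name 'TransparentEnabled'  -PropertyType DWord -Value 1 -Force | Out-Null  # 1 = all software files except DLLs
    New-ItemProperty -Path $Safer -Name 'PolicyScope'         -PropertyType DWord -Value 0 -Force | Out-Null  # 0 = all users, including administrators
    New-ItemProperty -Path $Safer -Name 'AuthenticodeEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SrpPathRules {
    # Audit what is actually in effect, at both levels
    foreach ($level in @($Disallowed, $Unrestricted)) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [PSCustomObject]@{ Level = $level; Path = $p.ItemData; Description = $p.Description }
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Newest = 20)
    # Assumed provider name and IDs: 865 default level, 866 path rule, 867 certificate rule, 868 zone/hash rule
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-Srp

# Block executables in the user-writable places droppers land (no install rights needed there)
$blockRules = @{
    '%AppData%\*.exe'                 = 'Block executables in AppData root'
    '%AppData%\*\*.exe'               = 'Block executables in AppData subfolders'
    '%LocalAppData%\Temp\*.exe'       = 'Block executables in user Temp'
    '%LocalAppData%\Temp\*\*.exe'     = 'Block executables in user Temp subfolders'
    '%LocalAppData%\Temp\Rar*\*.exe'  = 'Block executables run straight out of WinRAR'
    '%LocalAppData%\Temp\7z*\*.exe'   = 'Block executables run straight out of 7-Zip'
    '%LocalAppData%\Temp\wz*\*.exe'   = 'Block executables run straight out of WinZip'
    '%LocalAppData%\Temp\*.zip\*.exe' = 'Block executables opened from a ZIP in Explorer'
}
foreach ($rule in $blockRules.GetEnumerator()) {
    Add-SrpPathRule -Path $rule.Key -Description $rule.Value -Level $Disallowed | Out-Null
}

# The "valid application" case: allow one known program by its exact path instead of loosening a block rule.
# Hypothetical path; replace with the real program. A hash or certificate rule is safer than a path rule.
Add-SrpPathRule -Path '%LocalAppData%\Contoso\Invoicing\Invoicing.exe' -Description 'Allow Contoso Invoicing (hypothetical)' -Level $Unrestricted | Out-Null

Get-SrpPathRules   | Format-Table -AutoSize
Get-SrpBlockEvents | Format-List
```

New rules apply to processes started after the change; have the user log off and on if a rule does not seem to take effect. When the help desk gets the "blocked this program" call from the impacts section, Get-SrpBlockEvents shows which path was stopped, and the fix is one more Unrestricted rule for that path, not deleting a Disallowed rule.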
Information on CryptoWall