bloody bloody cryptolocker bloody

Hey all,

TL;DR the point of this thread is to see if there's software out there that can monitor the usage of active connections and block them off when usage becomes excessive (ie: user contoso\joshsmith has edited 30 files in the space of 60 seconds kind of thing)?

Background:

One of my clients got hit with the little bastard last night, luckily they're a managed client and backups were managed also.

Whilst I was restoring things last night, I thought about another way of defending against or more so minimizing the risk of having to restore the network shares entirely from read only backups.

So, the point of this thread is to see if there's software out there that can monitor the usage of active connections and block them off when usage becomes excessive (ie: user contoso\joshsmith has edited 30 files in the space of 60 seconds kind of thing)?

I'm semi surprised that A/V softwares haven't got that included (well at least not SMB ones).

 

How many seats do you have? Because this won't be financially viable under 5,000.

Did you have VSS turned on? Just restore from that.

Additionally what was the point of entry? Email? Why don't you have a premium spam filter (Ironport, Brightmail) that stops delivery of these in the first place?

There are many ways to defeat cryptolocker. Putting an application layer firewall overhead on a shitty protocol such as SMB isn't necessarily the best one.

 

A lot of the newer variants disable VSS and delete all shadow copies.

Here's a bit of a writeup: https://blog.fortinet.com/post/cryptowall-another-ransomware-menace

As per the topic, prevention is better than cure. Work on better prevention in the first place, the more attempts to put to block the behaviour the more they'll just work around them. There are dozens of variants of the cryptolocker ransomware now and each time they're evolving to be harder to detect and recover.

Otherwise, make sure your backups are working well as you'll need them.

 

Why not apply the crypto locker prevention kit via GP and block it that way as well as blocking files via exchange?

Yes the initial phase in is a bit of a pita for the crypto locker prevention kit via GP, but it works well.

 

Here's a utility that does just that: http://www.eventsentry.com/blog/2013/12/cryptolocker-defense-for-sysadmins.html

 

failing to see how it can do that on a domain w/ redirected profiles?

Local, home users (and small business owners) are fucked - to be sure.

But anyone with SBS or better setup with half a brain should be fine.

 

Cheers guys for the input.

No ShadowCopies as we use a StorageCraft image based backup solution which we far prefer, either way the restoration only took about 2 hours last night and they were all back up and running.

We have that deployed via Labtech which is our RMM software, however this machine (the only one in the place of 45) had failed when deploying it.

Cheers,

 

No real penalty to have both. And VSS is user self-serviceable (not really applicable for Cryptolocker, but definitely handy in general business use).

FWIW we use shadowprotect as well.

 

Unsure what other backup solutions are like, but when Shadow Copies are enable I've seen VSS snapshots from ShadowProtect fail a lot, so we tend to disable it to save the headache.

 

Have you seen this?
https://www.decryptcryptolocker.com/

 

We had one of our client with the same issues yesterday... No biggy backups/snapshots/VSS = nothing lost... just a giant pain in the back side.

 

I'm guessing you didn't read the thread before posting.

Exact same with these guys, worst still because they're a restaurant and the call came through at 7PM last night as I was about to walk into the cinema

 

He's looking at prevention.

 

We had two CryptoWall's in the 1 day. Both came from user clicking on fake Australia Post email attachment.

One machine wasn't on main network (so only lost local user files) and the other took out the main data drive (small company, 35GB~) and was easily restored to a previous backup from about 1.5 hours prior.

 

We got hit today. Not fun.

This little shit managed to get through Mcafee Anti SPAM and Trend AV

 

If the McAfee AntiSPAM an appliance or a locally installed app?

 

It is an appliance.

 

McAfees detection methods are really poor. They keep pushing Artemis and GFI, but in the real world, having them running at a high enough level to keep out very bad things, also results in far to many false positives. Combined with the knowledge that Definition based AV is by its nature, going to be behind the times, leads me to think that its an almost pointless product to run.

 

Well a few of our users have fallen for the Aus Post email. Considering we've just gone through an internal IT security education thing with big posters and mandatory e-lessons about looking out for phishing links and emails, it must be a little embarrassing to be the ones to be caught out. Though phishing is obviously meant to deceive and trick and a couple that got tricked by Aus Post emails with the virus actually handle mail.

So far the damage has been easy to recover from. Thankfully we have good coverage of our backups. My method is to simply delete all *.encrypted files and replace with the most recent backup. We have snapshots but only at a SAN level, also the problem with rolling back from a snap is someone might have saved some new work in our file shares since the files had been encrypted. So just removing the ones you need and restoring would have a smaller impact to users.