bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. Joshhy

    Joshhy Member

    Joined:
    Feb 15, 2012
    Messages:
    49
    Hey all,

    TL;DR the point of this thread is to see if there's software out there that can monitor the usage of active connections and block them off when usage becomes excessive (ie: user contoso\joshsmith has edited 30 files in the space of 60 seconds kind of thing)?

    Background:

    One of my clients got hit with the little bastard last night, luckily they're a managed client and backups were managed also.

    Whilst I was restoring things last night, I thought about another way of defending against or more so minimizing the risk of having to restore the network shares entirely from read only backups.

    So, the point of this thread is to see if there's software out there that can monitor the usage of active connections and block them off when usage becomes excessive (ie: user contoso\joshsmith has edited 30 files in the space of 60 seconds kind of thing)?

    I'm semi surprised that A/V software hasn't got that included (well at least not SMB ones).
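    The "30 files in 60 seconds" heuristic the post asks about, as an added example that is not from the thread or from any product mentioned in it. It keeps a sliding window of modifying accesses per account and raises an alert the first time one account touches more distinct files inside the window than the threshold allows. The audit-record format (timestamp, account, access type, path) is an assumption chosen for the example, and `build_sample()` constructs a trail with one ordinary user and one account that rewrites 40 files in under a minute, the pattern a file server would see during mass encryption.

```python
"""Per-account file-modification rate detector over a constructed audit trail.

Assumed record shape (one per line): ISO timestamp, account, access type, object path.
Real object-access auditing (for example Windows Security event 4663) carries the
same fields, but the layout below is a simplification made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 30                 # distinct files modified ...
WINDOW = timedelta(seconds=60)  # ... within this window triggers an alert
MODIFYING = {"WriteData", "AppendData", "DELETE"}  # reads never count


def parse_record(line):
    """Split one audit line into (timestamp, account, access, path)."""
    ts, user, access, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, access, path


class RateDetector:
    """Sliding-window counter of distinct files modified per account."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)  # account -> deque of (ts, path)
        self.alerted = set()               # accounts already reported

    def observe(self, ts, user, access, path):
        """Feed one record; return an alert dict when the account crosses the threshold."""
        if access not in MODIFYING:
            return None
        q = self._events[user]
        q.append((ts, path))
        # Drop events that fell out of the window (records arrive in time order per account).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and user not in self.alerted:
            self.alerted.add(user)
            # A responder would act here: close the account's SMB session, disable
            # the account, or quarantine the share. This example only reports.
            return {"user": user, "at": ts, "files": len(distinct)}
        return None


def scan(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the detector over an iterable of audit lines and collect alerts."""
    det = RateDetector(threshold, window)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = det.observe(*parse_record(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_sample():
    """Constructed audit trail (not real data): a normal editor and a mass rewrite."""
    base = datetime(2014, 9, 11, 19, 0, 0)
    lines = []
    for i in range(5):  # asmith edits 5 files over 10 minutes: normal work
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} CONTOSO\\asmith WriteData \\\\FS01\\Shared\\report{i}.docx")
    for i in range(40):  # jsmith reads then rewrites 40 distinct files in 40 seconds
        t = base + timedelta(minutes=3, seconds=i)
        lines.append(f"{t.isoformat()} CONTOSO\\jsmith ReadData \\\\FS01\\Shared\\invoice{i}.xlsx")
        lines.append(f"{t.isoformat()} CONTOSO\\jsmith WriteData \\\\FS01\\Shared\\invoice{i}.xlsx")
    lines.sort()  # fixed-width ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for a in scan(build_sample()):
        print(f"ALERT {a['at'].isoformat()} {a['user']} modified {a['files']} files in 60s")
```

Counting distinct paths rather than raw write events matters: a user saving one large document repeatedly generates many writes to the same file, while encryption malware walks through many files once each. The threshold and window are the tuning knobs; the values here are the ones the post proposes, not a recommendation.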
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    How many seats do you have? Because this won't be financially viable under 5,000.

    Did you have VSS turned on? Just restore from that.

    Additionally what was the point of entry? Email? Why don't you have a premium spam filter (Ironport, Brightmail) that stops delivery of these in the first place?

    There are many ways to defeat cryptolocker. Putting an application layer firewall overhead on a shitty protocol such as SMB isn't necessarily the best one.
     
  3. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,406
    Location:
    qld.au
    A lot of the newer variants disable VSS and delete all shadow copies.

    Here's a bit of a writeup: https://blog.fortinet.com/post/cryptowall-another-ransomware-menace

    As per the topic, prevention is better than cure. Work on better prevention in the first place; the more attempts you put in to block the behaviour, the more they'll just work around them. There are dozens of variants of the cryptolocker ransomware now and each time they're evolving to be harder to detect and recover from.

    Otherwise, make sure your backups are working well as you'll need them.
     
  4. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,379
    Location:
    NSW
    Why not apply the crypto locker prevention kit via GP and block it that way as well as blocking files via exchange?

    Yes the initial phase in is a bit of a pita for the crypto locker prevention kit via GP, but it works well.
     
  5. gords

    gords Oh deer!

    Joined:
    Aug 3, 2001
    Messages:
    6,623
    Location:
    Sydney, Australia
    Here's a utility that does just that: http://www.eventsentry.com/blog/2013/12/cryptolocker-defense-for-sysadmins.html

     
  6. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    failing to see how it can do that on a domain w/ redirected profiles?

    Local, home users (and small business owners) are fucked - to be sure.

    But anyone with SBS or better setup with half a brain should be fine.
     
  7. Joshhy (OP)

    Joshhy Member

    Joined:
    Feb 15, 2012
    Messages:
    49
    Cheers guys for the input.

    No ShadowCopies as we use a StorageCraft image based backup solution which we far prefer, either way the restoration only took about 2 hours last night and they were all back up and running.

    We have that deployed via Labtech which is our RMM software, however this machine (the only one in the place of 45) had failed when deploying it.

    Cheers, :thumbup:
     
  8. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    No real penalty to have both. And VSS is user self-serviceable (not really applicable for Cryptolocker, but definitely handy in general business use).

    FWIW we use shadowprotect as well.
     
  9. Joshhy (OP)

    Joshhy Member

    Joined:
    Feb 15, 2012
    Messages:
    49
    Unsure what other backup solutions are like, but when Shadow Copies are enabled I've seen VSS snapshots from ShadowProtect fail a lot, so we tend to disable it to save the headache. :rolleyes::thumbup:
     
  10. CZA

    CZA Member

    Joined:
    Apr 16, 2005
    Messages:
    1,344
    Location:
    Sydney, NSW
  11. Speaker4TheDead

    Speaker4TheDead Member

    Joined:
    Mar 13, 2003
    Messages:
    2,103
    Location:
    Sydney
    We had one of our clients with the same issues yesterday... No biggy, backups/snapshots/VSS = nothing lost... just a giant pain in the backside.
     
  12. Joshhy (OP)

    Joshhy Member

    Joined:
    Feb 15, 2012
    Messages:
    49
    I'm guessing you didn't read the thread before posting. :rolleyes:

    Exact same with these guys, worse still because they're a restaurant and the call came through at 7PM last night as I was about to walk into the cinema :(
     
  13. KriiV

    KriiV Member

    Joined:
    Feb 24, 2011
    Messages:
    1,374
    Location:
    Melbourne, Australia
  14. CZA

    CZA Member

    Joined:
    Apr 16, 2005
    Messages:
    1,344
    Location:
    Sydney, NSW
     
  15. ECHO

    ECHO Member

    Joined:
    Jun 17, 2002
    Messages:
    636
    Location:
    Canberra
    We had two CryptoWalls in the one day. Both came from a user clicking on a fake Australia Post email attachment.

    One machine wasn't on main network (so only lost local user files) and the other took out the main data drive (small company, 35GB~) and was easily restored to a previous backup from about 1.5 hours prior.
     
  16. Braedz

    Braedz Member

    Joined:
    Jun 30, 2010
    Messages:
    299
    Location:
    Adelaide
    We got hit today. Not fun.

    This little shit managed to get through McAfee Anti-Spam and Trend AV.
     
  17. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,431
    Location:
    Canberra
    Is the McAfee Anti-Spam an appliance or a locally installed app?
     
  18. Braedz

    Braedz Member

    Joined:
    Jun 30, 2010
    Messages:
    299
    Location:
    Adelaide
    It is an appliance.
     
  19. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    12,742
    McAfee's detection methods are really poor. They keep pushing Artemis and GFI, but in the real world, having them running at a high enough level to keep out very bad things also results in far too many false positives. Combined with the knowledge that definition-based AV is, by its nature, going to be behind the times, this leads me to think that it's an almost pointless product to run.
     
  20. Diode

    Diode Member

    Joined:
    Jun 17, 2011
    Messages:
    1,728
    Location:
    Melbourne
    Well a few of our users have fallen for the Aus Post email. Considering we've just gone through an internal IT security education thing with big posters and mandatory e-lessons about looking out for phishing links and emails, it must be a little embarrassing to be the ones to be caught out. Though phishing is obviously meant to deceive and trick and a couple that got tricked by Aus Post emails with the virus actually handle mail.

    So far the damage has been easy to recover from. Thankfully we have good coverage of our backups. My method is to simply delete all *.encrypted files and replace with the most recent backup. We have snapshots but only at a SAN level, also the problem with rolling back from a snap is someone might have saved some new work in our file shares since the files had been encrypted. So just removing the ones you need and restoring would have a smaller impact to users.
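    The targeted restore described in the post above (replace only the files the malware renamed, leave everything else alone), as an added example that is not the poster's own script or any vendor tool. It walks a share for files carrying an encrypted suffix, copies the original from a read-only backup tree at the same relative path, and removes the encrypted copy only when a backup copy actually existed, so work saved after the incident is never touched. The `.encrypted` suffix, the directory layout and the sample files built by `build_demo()` are all assumptions constructed for the example; a real variant's suffix and the backup mount path would be substituted.

```python
"""Restore only ransomware-renamed files from a backup tree, leaving other files intact.

Assumptions made for this example: the malware renames each victim file by appending
ENCRYPTED_SUFFIX, and the backup tree mirrors the share's directory layout.
"""
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"  # assumed; varies by ransomware family


def find_encrypted(share):
    """All regular files under the share that carry the encrypted suffix, in path order."""
    return sorted(p for p in Path(share).rglob("*" + ENCRYPTED_SUFFIX) if p.is_file())


def restore_encrypted(share, backup, dry_run=False):
    """Replace each encrypted file with its backup copy; report what was and wasn't restored.

    Files without a backup copy are left in place (not deleted) so nothing is lost.
    Files that were never encrypted are never read or written.
    """
    share, backup = Path(share), Path(backup)
    restored, missing = [], []
    for enc in find_encrypted(share):
        original = enc.with_name(enc.name[: -len(ENCRYPTED_SUFFIX)])
        rel = original.relative_to(share)
        src = backup / rel
        if not src.is_file():
            missing.append(rel.as_posix())
            continue
        if not dry_run:
            original.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, original)  # copy2 keeps the backup's timestamps
            enc.unlink()                 # drop the encrypted copy only after a successful restore
        restored.append(rel.as_posix())
    return {"restored": restored, "missing": missing}


def build_demo():
    """Constructed share and backup trees in a temp directory (sample data, not real files)."""
    root = Path(tempfile.mkdtemp(prefix="restore-demo-"))
    share, backup = root / "share", root / "backup"
    for d in (share / "a", share / "b", backup / "a", backup / "b"):
        d.mkdir(parents=True)
    # Encrypted victims on the share, with clean copies in the backup.
    (share / "a" / "menu.docx.encrypted").write_text("garbage")
    (backup / "a" / "menu.docx").write_text("menu v1")
    (share / "b" / "notes.txt.encrypted").write_text("garbage")
    (backup / "b" / "notes.txt").write_text("notes")
    # Work saved after the incident: must survive untouched.
    (share / "b" / "new_work.txt").write_text("saved after the incident")
    # A victim with no backup copy: must be reported, not deleted.
    (share / "orphan.pdf.encrypted").write_text("garbage")
    return share, backup


if __name__ == "__main__":
    share, backup = build_demo()
    print(restore_encrypted(share, backup, dry_run=True))  # preview first
    print(restore_encrypted(share, backup))
```

Run it with `dry_run=True` first and review the `missing` list before letting it write anything; that list is exactly the set of files that still need a decision (older backup, user re-creation, or accepted loss).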
     