A year ago we ran an article about CryptoLocker-type threats: how to prevent them and how to deal with them if they occur.
Unfortunately these types of threats (ransomware) are still an ongoing problem, so we thought it could be helpful to rerun our article:
We have seen these threats use a variety of methods to sneak past protection on the perimeter and the desktop. Due to the ever-mutating nature of CryptoLocker-type malware, no single vendor has been able to detect and block every variant of this threat. However, there are a few steps you can take to help mitigate the risk of being infected with CryptoLocker and its variants.
- Backup: Always back up your data (at least once a day, and preferably with several versions/iterations of files stored) and store the backups offsite (either on physical media, or via one of the online automated backup services available). Then if your data is corrupted/encrypted, you can simply get it back from backup.
- Stay up-to-date: Ensure the definition files for all AV products are up-to-date across all machines. If you are using Sophos then the ‘Protection’ link in the Enterprise Console dashboard will show any computers that are out of date.
- Enable protection: Ensure technologies designed to detect zero-day threats are enabled in your policies. In Sophos they are called HIPS and ‘Live Protection’. On your workstations, check files on read, write or modify operations. Ensure AV is installed and on-access scanning is enabled on the servers. If you don’t have on-access protection enabled on your file servers by default, then either turn that on (performance permitting), or use scheduled scanning on them.
- Prevention: Since a popular ingress point appears to be a JavaScript or similar script file sent via email, ensure that you are stopping all scripting and executable files at the gateway, even when they are stored inside an archive. You should also stop encrypted attachments from being sent straight to end users.
- Educate: Do inform your users about these types of threats. They should be on the lookout for unsolicited emails that contain attachments or links to websites.
- Patch: Several versions of Internet Explorer are still susceptible to malware automatically downloaded via links or when visiting a website (drive-by attacks). Ensure your OS and browsers remain up-to-date. If you use Sophos then enable Patch Assessment to check for missing critical patches nightly or weekly.
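
The Prevention step above asks the gateway to catch script and executable files even when they sit inside an archive, and to hold encrypted attachments. The following is an added example of that check for ZIP attachments, not code from the original article or from any vendor product; the extension list, the limits and the function names are assumptions, and the sample archive is constructed.

```python
import io
import posixpath
import zipfile

# Assumed blocklist and limits for illustration; tune to your own gateway policy.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
MAX_DEPTH = 3                  # how many archive layers to unpack
MAX_MEMBER_BYTES = 20 * 2**20  # skip members whose declared size is very large


def inspect_attachment(name, data, depth=0):
    """Return (path, reason) findings for one attachment; an empty list means deliver."""
    findings = []
    # Only the final extension counts, so "invoice.pdf.js" is treated as ".js".
    if posixpath.splitext(name)[1].lower() in BLOCKED_EXT:
        findings.append((name, "blocked file type"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deeply to scan")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:  # ZIP general-purpose flag bit 0: member is encrypted
                findings.append((path, "encrypted member, cannot be scanned"))
            elif info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member too large to scan"))
            elif not info.is_dir():
                findings += inspect_attachment(path, zf.read(info), depth + 1)
    return findings


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a harmless text file named like a script, two archive layers deep.
    inner = make_zip({"scan_0001.pdf.js": b"// constructed placeholder, not real code"})
    outer = make_zip({"readme.txt": b"see attached", "docs/invoice.zip": inner})
    for path, reason in inspect_attachment("invoice_archive.zip", outer):
        print(f"QUARANTINE {path}: {reason}")
```

Any non-empty result should send the message to quarantine rather than to the user's inbox; other archive formats need their own unpackers.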
Even with the best preventative methods in place, sometimes a threat can get through, whether through a user accidentally opening a file, a new variant that is not detected by the AV, or a combination of both. So if you are unlucky enough to be affected by CryptoLocker or other ransomware, here are some tips to help you get out of a bad situation with the least amount of damage.
- Isolate & neutralise: The most important step is to isolate the computer(s) that you suspect have been affected by the malware. These are machines that are silently encrypting files on the network shares and locally in the user’s documents. That means immediately disconnecting them from the network(s) (physical and Wi-Fi) until you are sure the threat has been neutralised on those machines. You can use ‘Source of Infection’ tools to help you detect and isolate those machines. If in doubt, power it off.
- Detect & stop: Figure out how the threat got in. If it was an email, then block similar future emails using the mechanisms available in your edge SMTP filtering device. Check who the recipients of those emails were. Chances are that one or more machines belonging to those users are the ones encrypting files across the network shares. If possible, delete all copies of the email from your mail server after you have taken a sample of the infected email. Since CryptoLocker can only encrypt files in locations it can write to, you can temporarily set all of your network shares to ‘read-only’ to stop encryption of your data.
- Tell your vendor(s): Once you have obtained a sample of the email or the actual malware payload, do submit it to your AV vendor for analysis. Sophos users can submit samples by following the instructions here. These are then dealt with immediately by Sophos.
We also advise that you review this KnowledgeBase article by Sophos that offers best practices and information on CryptoLocker and its variants.