New Crypto Locker Warning
This document was originally created as part of the SMBKitchen Project. Our goal is to help small business IT
continue to move forward. Please consider joining us! www.thirdtier.net Additional updates to this document
will be posted in our knowledgebase, blog and facebook page.
Currently it is difficult to prevent this infection with antivirus alone, and after infection it cannot be cleaned up with
the normal tools such as Malwarebytes or your usual antivirus product.
Be proactive
Included in this document is a proactive setting to help protect your clients from infection. It uses Group
Policy with a Software Restriction Policy in a domain, and Local Security Policy on a non-domain computer.
Be aware that antivirus may not protect your clients, and neither will running as a non-administrator on the
personal computer. If your client is impacted, your only remedy may be a backup. If you have no backup, you may
need to use a shadow-copy explorer tool to dig out earlier copies of the files.
Here's a copy of a blurb that Amy Babinchak's clients got from a LOB vendor as warning and prevention
guidance:
"We have been notified that two of our existing customers have been infected by a specific breed of
Ransomware known as CryptoLocker that has been making the rounds this month.
The malware uses social media or email as attack vectors, and users will see a message purported to
be from FedEx, UPS, etc. with a tracking notice. The enticement for a user (especially a business who
ships things using these carriers) is that it is legit and they open it. Boom. They are now infected.
This malware will look at the local and network drives and shares, and will ENCRYPT files matching a
set of extensions for common business applications. This includes office applications (Excel, Word,
WordPerfect) and databases like Access and FoxPro.
Therefore (LOB app name) is directly affected and (LOB app2 name) is indirectly affected.
For (bizapp name) the damage is fatal to the indexes. The software ceases to function and no
recovery short of a file restore is possible. The underlying images stored in tiff are unaffected.
For (bizapp2 name) the internal data files are safe, however word based documents, RTF files, Excel
spreadsheets will all get corrupted. The virus operates on file extensions, so typical WordPerfect
non-extension files are probably safe but WordPerfect forms with the .wpd extension will be
corrupted/encrypted.
Corrective actions involve: (1) Removal of the malware from all infected computers, and (2)
restoration from a prior backup of all the files listed in the extension group listed here: *.odt, *.ods,
*.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt,
*.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd,
*.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf,
*.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl,
*.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
Here are two useful links that describe the malware in detail and provide IT departments with
technical background for removal:
Emsis CryptoLocker Blog
http://blog.emsisoft.com/#sthash.yfNGRXbO.dpuf
and Bleeping Computer CryptoLocker
http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information and
http://www.bleepingcomputer.com/forums/t/506924/cryptolocker-hijack-program/page26#entry3165383
It is also worth noting that this malware is sophisticated enough to understand and bypass current
anti-virus and anti-malware software. So even if the user is using strong protection, that will not be
enough."
Preventative workstation protection: This virus launches from a specific location on the workstation, so it is
recommended to add a Group Policy setting to block it on Windows Vista/7/8 and on XP. Use
Software Restriction Policies as follows:
Windows 7:
You can use Software Restriction Policies to block executables from running when they are located in the
%AppData% folder, or any other folder.
File paths of the infection are:
C:\Users\User\AppData\Roaming\{213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe (Vista/7/8)
For SBS 2008 and SBS 2011 there are pre-configured GPOs and WMI filters. You want to build a new GPO in order
to track this specific deployment. Expand the domain name until you see the policies. Go underneath the
MyBusiness OU, then Computers, then SBSComputers, right-click and click on Create a GPO in this
domain and link it here.
First we will set up XP policies:
Figure 3 - Create GPO
Call your new policy CryptoLocker XP, or something equally descriptive, and click OK.
In the Group Policy Object you just created, right-click and click on Edit.
The wizard will open a new section of Group Policy where you will see Additional Rules, as shown below
and described at http://technet.microsoft.com/en-us/library/cc781337(v=WS.10).aspx
Right-click on Additional Rules and click on New Path Rule.
Click OK.
Now do a second one for the subfolders:
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
It should now look like this:
Let's continue on and do the same for the additional locations, to block executables running from zipped
attachments (which is how most infections occur).
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
Now close this policy and set the WMI filter. On Small Business Server networks you have preset WMI
filters. If you have migrated from an SBS network you should have these as well.
Figure 12 - Choose XP
If you have an issue with a line-of-business application not liking this policy, in particular on Windows XP
machines, you can set the WMI filter so that this policy only applies to Windows 7 machines. But try setting
the policy with no WMI filter initially and ask your clients to report any applications that do not like
this setting. If there are some, we can go back and add application exclusions on a per-app basis.
(See also www.thirdtier.net/blog on how to configure Software Restriction Policy exemptions, and also the
post on how to move computers in and out of OUs temporarily.)
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
When you are complete it should look as above. Again, close the policy you are working on.
This time choose the Windows Vista filter, or set a WMI filter as follows:
select * from Win32_OperatingSystem Where Version>='6.0.6000'
So that it looks as follows:
When you are complete you should have two policies, with WMI filtering set up.
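The WMI filter above is an ordinary WQL query, so you can run it on a workstation to confirm which of the two policies that machine will receive before you link them. This is an added example, not code from the original guide; it uses Get-CimInstance (PowerShell 3.0 and later; on Windows 7 or XP substitute Get-WmiObject -Query) and adds a caveat that is not on the page about how WQL compares the Version string.

```powershell
# Added example (not part of the original guide): evaluate the Vista-and-later WMI
# filter used in this guide on the local machine. A WMI-filtered GPO applies only
# when the filter query returns at least one instance, so that is what we test.
$VistaAndLaterFilter = "select * from Win32_OperatingSystem Where Version>='6.0.6000'"

function Test-WmiFilterMatch {
    param([string]$Query)
    # Returns $true when the query yields at least one instance, i.e. the GPO would apply.
    $hits = @(Get-CimInstance -Query $Query -ErrorAction SilentlyContinue)
    return $hits.Count -gt 0
}

function Get-WmiFilterReport {
    # One object describing this machine and whether the Vista-and-later filter matches it.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Caption        = $os.Caption
        Version        = $os.Version
        MatchesVistaUp = Test-WmiFilterMatch -Query $VistaAndLaterFilter
    }
}

Get-WmiFilterReport | Format-List

# Caveat: WQL compares Version as text, not as a number. Windows 10 and later report
# '10.0.xxxxx', and the character '1' sorts before '6', so the filter above does NOT
# match them even though they are newer. PowerShell shows the same string ordering:
'10.0.19041' -ge '6.0.6000'   # False (string comparison)
```

Run it as the logged-on user on the workstation in question; if MatchesVistaUp comes back False on a machine that is newer than Vista, the filter (not the policy) is the thing to revisit.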
Without a domain
For standalone workstations, you can use the local security policy and set software restrictions as well.
Right-click on Software Restriction Policies and click on Add New.
Now right-click on Additional Rules and click on New Path Rule. Just as before, enter the settings as
follows for Windows XP:
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
And
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables from AppData
Block executables run from archive attachments opened using Windows built-in Zip support:
Path: %Temp%\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
You will need to reboot the computer to have them take effect.
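Once the three path rules have been entered, whether through the domain GPO described earlier or through the local policy just above, it helps to have a repeatable way to confirm that a given machine actually has them. The script below is an added example and is not part of the original guide. It assumes that Software Restriction Policies store "Disallowed" path rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths, one GUID-named subkey per rule holding ItemData, SaferFlags and Description values (this is how the snap-in writes them), and that the Software Restriction Policies node has already been created in the snap-in so the parent CodeIdentifiers key and its defaults exist. The -AddMissing switch, which is this script's own addition, only makes sense on a standalone workstation; on a domain member Group Policy rewrites these keys, so use the GPO instead.

```powershell
# Added example, not code from the original guide. Audits the three Software
# Restriction Policy path rules from this guide on the machine it runs on and,
# with -AddMissing, writes any that are absent into the local policy.
# Run from an elevated PowerShell prompt. Registry layout below is an assumption
# documented in the lead-in (it matches what the Local Security Policy snap-in writes).
$SrpDisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# The rules exactly as entered in the New Path Rule dialog in this guide.
$ExpectedRules = @(
    @{ Path = '%AppData%\*.exe';    Description = "Don't allow executables from AppData" }
    @{ Path = '%AppData%\*\*.exe';  Description = "Don't allow executables from AppData" }
    @{ Path = '%Temp%\*.zip\*.exe'; Description = 'Block executables run from archive attachments opened using Windows built-in Zip support.' }
)

function Get-SrpDisallowedPathRule {
    # One object per existing Disallowed path rule. ItemData is REG_EXPAND_SZ, so read it
    # unexpanded; otherwise '%AppData%\*.exe' would come back as C:\Users\...\Roaming\*.exe.
    if (-not (Test-Path $SrpDisallowedPaths)) { return }
    foreach ($key in Get-ChildItem $SrpDisallowedPaths) {
        [pscustomobject]@{
            Key         = $key.PSChildName
            Path        = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            Description = $key.GetValue('Description', '')
        }
    }
}

function Test-SrpCryptoLockerRules {
    # One row per expected rule, saying whether it is present on this machine.
    $existing = @(Get-SrpDisallowedPathRule)
    foreach ($rule in $ExpectedRules) {
        [pscustomobject]@{
            Path    = $rule.Path
            Present = [bool]($existing | Where-Object { $_.Path -eq $rule.Path })
        }
    }
}

function Add-SrpDisallowedPathRule {
    # Writes one Disallowed path rule the way the snap-in does: a new GUID subkey with
    # the unexpanded path, SaferFlags 0, the description and a FILETIME stamp.
    param([string]$Path, [string]$Description)
    $key = Join-Path $SrpDisallowedPaths ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord        -Value ([datetime]::Now.ToFileTime()) | Out-Null
}

# Report first; add whatever is missing only when the script was started with -AddMissing.
$status = Test-SrpCryptoLockerRules
$status | Format-Table -AutoSize
if ($args -contains '-AddMissing') {
    foreach ($missing in ($status | Where-Object { -not $_.Present })) {
        $desc = ($ExpectedRules | Where-Object { $_.Path -eq $missing.Path }).Description
        Add-SrpDisallowedPathRule -Path $missing.Path -Description $desc
        Write-Host "Added rule for $($missing.Path)"
    }
    Write-Host 'Reboot, or run gpupdate /force, for the new rules to take effect.'
}
```

On a domain member the same report doubles as a check that the CryptoLocker GPO has reached the machine, since Group Policy writes the rules to the same HKLM\SOFTWARE\Policies location; the desktop shortcut "tell" described later in this guide gives users the same information at a glance.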
Shortcut tell
PLEASE NOTE: The included pre-built Group Policy items include a shortcut placed on the desktop as a visual
stamp that the CryptoLocker policy has been applied. This tell is used to create a quick visual check that
computers have or have not received this important policy. In our environment we decided to use this so that
users could self-report that their computer did not get the Group Policy update.
It is here as an example. Feel free to edit it as you need, to place a reminder to yourself that the policy has
been applied, or remove it completely.
Go to Computer Configuration, Preferences, Windows Settings, Shortcuts and edit as needed.
Additional steps
It's possible that you can prevent encryption of the files by blocking the command and control servers using a
firewall or web-based filtering. But be aware that we will always be one step behind the attackers, so this
may not work.
As noted in
http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24786/
en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Cryptolocker.pdf
as of 10/15/2013 the list of C&C servers is:
asrktkfsixcyosb.org
sbfuwsxasjkp.net
emixfepanfsy.co.uk
fkdovmdntspl.info
fqswanunybwt.com
gonnqvibfotg.net
qnkhpddfmtsm.biz
eaffoijeveky.ru
soudpmiyvxmd.org
gbpboroxfiep.co.uk
ofoauksakmgs.info
crjxtpyytwxf.com
qgyvutxttqaj.net
estttyesdbrv.biz
uwuexnaukgiy.ru
vupuoseotond.org
wxfaxwfotkcp.co.uk
xvaqocjidsht.info
soywduppiyvf.com
tmtntatjrhbj.net
upjsdeujrdpv.biz
vnejtjydblua.ru
ynnivqvmcyxxr.org
mxoguylttevli.co.uk
avlpfgiqwdudk.info
ngmneoxxoisqk.com
udsmjlwhfkmeg.net
intkitmowpkrw.biz
vlqtsbjlaojjg.ru
jvrrrjysrthwg.org
hjxywcvnbotlg.co.uk
ifylakjpsgyhf.info
irvggrirvsqqy.com
jnwsjavtnkvmh.net
dyddkwwieairg.biz
euepnfkkvrnnf.ru
ehbktmjmyefwg.org
fdcwwuwoqvkso.co.uk
fxcyhrpfigvcu.info
sidwgwvsyqlxu.com
hdauthcpbwblw.net
unbssmidrhqhn.biz
bnhdumqalrkij.ru
oxibtrwnccaej.org
dsfyhcdkeiprs.co.uk
qdgwghjxusfnj.info
ntmpidpuhvjxm.com
opnclitaxswlu.net
pykluscfamoho.biz
qulxxxgkqjcun.ru
jjrtvxqpkhxem.org
kfsgyduubelru.co.uk
loppindadxdnv.info
mkqclshftuqbu.com
tnfhkwqywydsb.net
hxgfjfggoebgr.biz
uvdotgvjluqgb.ru
igemsolqdaotb.org
But be aware, as noted in
http://blog.emsisoft.com/2013/09/10/cryptolocker-a-new-ransomwarevariant/#sthash.ia2QByWF.E15vKKdG.dpbs
that the malware will start generating seemingly random domain names using a domain generation algorithm.
It does this by creating a seemingly random string of characters based on the current system time and
prepending it to one of seven possible top-level domains. So this blocking method is probably not viable and is
probably best left to DNS providers and ISPs.
As noted by Michael Pope, for those using Kaseya you can use the Application Blocker feature (Agent >
Protection > Application Blocker) to block the file {213D7F33-4942-1C20-3D56=8-1A0B31CDFFF3}.exe from
running on machines.
While we are in our clients' servers on a regular basis, sometimes the occasional domain admin account
password will expire in the interim.
ShadowProtect will then start failing to back up to the shared folder as a result of not being able to log on, so a
small bonus in the mix.
We are seeing CryptoLocker problems abound lately where someone clicks on a link in an e-mail or is drawn
to a compromised site. What that means is that _any_ file/folder set the user has permissions to access and
modify may end up encrypted by the malware.
The _only_ way to recover from this situation is via Shadow Copies or backup.
If the backup drive and/or backup folder destinations for those ShadowProtect backup files, or for any other
product that lays down files for backup, are open for users to access, then we all know what can happen.
Point of order: Any backup product that uses the Volume Snapshot Service should have its backup times
staggered relative to the Volume Shadow Copy snapshots, as having two snapshots running simultaneously could
end up with data toast on both sides.
2. Computer\HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run
3.
4.
5. Reboot.
6. Delete the bmp file that the virus left on the desktop and change the background back to the regular Windows one.
7. In Windows 7, System Restore is turned ON by default on the C drive for system settings and files.
8. If this is unavailable, you may need to use Shadow Explorer to recover the files:
http://www.shadowexplorer.com/downloads.html
Please note, normal antivirus will not remove this, nor will you be able to decrypt the files. I cannot stress
this enough: the only recovery at this time is to ensure you have a backup that you can get to that is not
impacted.
9. Please note, you may need to remove the drive to an enclosure to scan and edit it while the system is not
mounted.
But you need to ask yourself whether you are truly assured that you have cleaned the system. Without totally
rebuilding, or rolling back to an image from known good sources, you will always question the health and
security of this system.
Talk to your client. Go with your gut. If you do not feel that it is completely secure (and it probably isn't),
rebuild the machine.
From "Help: I Got Hacked. Now What Do I Do?" http://technet.microsoft.com/en-us/library/cc512587.aspx
"You can't clean a compromised system by removing the back doors. You can never guarantee that you found
all the back doors the attacker put in. The fact that you can't find any more may only mean you don't know
where to look, or that the system is so compromised that what you are seeing is not actually what is there."
Windows 2012 r2 whereby the Essentials role can be added to a normal Windows domain and be used as a
client backup as well.
3. Access Control Lists. Unless you're OK with everybody having that data, everybody shouldn't have access to
it. (And everybody definitely shouldn't have full control or write access to it.) Review your networks to
determine how much Everyone Full Access is used:
http://4sysops.com/archives/find-shares-withpowershell-where-everyone-has-full-control-permissions/
http://thephuck.com/server-management/listall-shares-with-everyone-having-fullcontrol-access/
or you can use the Get-ACL command:
http://blogs.technet.com/b/heyscriptingguy/archive/2009/09/14/hey-scripting-guy-september-14-2009.aspx
or the Solarwinds tool from
http://www.solarwinds.com/products/freetools/permissions_analyzer_for_active_directory/
or AccessEnum http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
4. Especially with more and more cloud services in use, review your use of encryption at the client and add
encryption at rest and encryption in flight.
5. Review what the client did to get infected. If they clicked on an attachment, add email filtering. If they
had outdated Java on their systems, remove old outdated versions of Java by using a tool called JavaRA:
http://sourceforge.net/projects/javara/ or http://singularlabs.com/software/javara/
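The Access Control List review in step 3 above is the one that decides how far a single infected user's session can reach, since the malware encrypts whatever that user can write to. The script below is an added example, not code from this guide or from the posts it links; it lists the shares on the server it runs on where Everyone, Authenticated Users or Users has Full Control or Change at the share level, or any write bits at the NTFS level of the share root. It uses the SmbShare module (Windows 8 / Server 2012 and later); on older servers fall back to the WMI-based scripts linked above. The set of "broad" principals is an assumption you can extend with your own catch-all groups.

```powershell
# Added example (not from the original guide): find shares where broad principals
# can write. Share-level and NTFS-level grants are reported separately because
# the effective right is the more restrictive of the two.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')   # assumption: extend as needed
$WriteBits       = [int][System.Security.AccessControl.FileSystemRights]::Write          # WriteData|AppendData|WriteEA|WriteAttributes

function Get-BroadShareAccess {
    # Skip the administrative shares (C$, ADMIN$, IPC$); they are admin-only by design.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

        # Share-level ACL: Full or Change granted to a broad principal.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.AccessRight -in 'Full', 'Change' -and
                $BroadPrincipals -contains $ace.AccountName) {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'Share'
                                   Principal = $ace.AccountName; Right = $ace.AccessRight }
            }
        }

        # NTFS ACL on the share root: any Allow ACE that carries write bits
        # (FullControl and Modify both do; so does a bare Write grant).
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) -and
                    $BroadPrincipals -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Layer = 'NTFS'
                                       Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
                }
            }
        }
    }
}

Get-BroadShareAccess | Sort-Object Share, Layer | Format-Table -AutoSize
```

Anything this lists on a backup destination share is exactly the case the earlier ShadowProtect note warns about: if the user account that opens the attachment can write there, the backup files are as exposed as the documents they are meant to protect. Pipe the output to Export-Csv to keep a record of what was reviewed and when.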