Virus - Cryptlocker and Ramsoware mitigation actions

From this article I proceed to highlight main activities to mitigate Cryptlocker. 

More details on original italian article.

http://www.devadmin.it/2016/02/15/crypto-ransomware-mitigations/

<------->

Considering that this kind of virus can not be solved with normal AV definition here they are some mitigation approaches:

1. Using a product like Sophos UTM (Unified threat management)

2. Proceed to block these files extension going over extension itself but analyzing file header too (this task should be done from antispam provider/tools)


  • Applications Files: *.exe, *.lnk, *.pif, *.dll, *.ocx, *.sys, *.scr, *.msi, *.msp, *.gadget, *.application, *.com, *.hta, *.html, *.htm, *.jar, *.cpl, *.msc, *.hlp
  • File VBScript e JavaScript: *.vb, *.vbs, *.vbe, *.js, *.jse
  • File script Monhad (rinominato poi in ProwerShell): *.msh, *.msh1, *.msh2, *.mshxml, *.msh1xml, *.msh2xml
  • File script PowerShell: *.ps1, *.ps1xml, *.ps2, *.ps2xml, *.psc1, *.psc2
  • File script DOS: *.bat, *.cmd
  • File Windows Script: *.ws, *.wsf, *.wsc, *.wsh
  • File di collegamento e configurazione: *.lnk, *.pif, *.sfc, *.inf, *.reg
  • *.zip, *.rar, *.7z.

3. With outlook you could filter precedents attachment extentions using these articles:

Blocked attachments in Outlook

KB829982 You may receive an “Outlook blocked access to the following potentially unsafe attachments” message in Outlook

4. Turnoff hyperlink inside Outlook


5. Block application running inside user profile (could create problems)

You can utilize this article to create suitable GPO to prevent this kind of problem:

http://www.mcbsys.com/blog/2013/10/block-user-folder-executables/

6. Enabling File extension view creating a GPO for that

image

Alternatively using Folder Options Extension


7. Using The Enhanced Mitigation Experience Toolkit a Microsoft tool that was created against Zero Day vulnerabilities.

8 . Verifying that each user has minimal permissions on pc/shares to maximum reduce attack surface utilizing these tools too:

9.  Enabling server auditing on shares and files to quickly identify infection location searching for technet Microsoft article, otherwise there is this script 

Auditing File Access on File Servers


Here is Netwrix free tool ( Netwrix Change Notifier for File Servers)

[udate 2016.05.16]

Very intersting Microsoft Article.

I am highlighting more important sections:

https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/



How can you avoid and bounce from a ransomware attack?

Prevention

  • Keep your Windows Operating System and antivirus up-to-date.  Upgrade to Windows 10.
  • Regularly back-up your files in an external hard-drive.
  • Enable file history or system protection. In your Windows 10 or Windows 8.1 devices, you must have your file history enabled and you have to setup a drive for file history.
  • Use OneDrive for Consumer or for Business.
  • Beware of phishing emails, spams, and clicking malicious attachment.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially-engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two factor authentication.
  • Use a safe and password-protected internet connection.
  • Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options on how one can remediate or recover from a ransomware attack. Here are some of the few that are applicable for a home user or those in the information industry like you:
  1. Make sure you have backed-up your files.
  2. Recover the files in your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.
Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If theRestore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.
Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).
Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.
3. Recover your files in your OneDrive for Consumer.
4. Recover your files in your OneDrive for Business.
If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restoring the files using the Portal

Users can restore previous version of the file through the user interface. To do this you can:
1. Go to OneDrive for Business in the office.com portal.
2. Right click the file you want to recover, and select Version History.
3. Click the dropdown list of the version you want to recover and select restore.

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Site Collection Restore service request


If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this please take a look at theRestore Option in SharePoint Online blog post.
[update 27/05/2016]

Link (.lnk) to Ransom

https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/

Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection

https://blogs.technet.microsoft.com/mmpc/2016/05/26/limited-periodic-scanning-in-windows-10-to-provide-additional-malware-protection/

[update 2017.05.08]

I would like to mention this commercial product that is suitable againsta Cruptlocker and any Ramsoware software too.

https://www.webroot.com/us/en/business/smb/endpoint-protection