Cryptolocker. We have all heard it mentioned, be it in the back room of the IT closet or over a drink after a long day of remediation. It’s a malicious attack that is not going away, and dare we say it, continues to improve in its method of hijacking and holding computers, networks, and even gaming files ransom for untraceable funds. And when it hits an unprotected network, it is any client’s and IT pro’s worst nightmare.
With that in mind, and a strong, layered approach to network security in place to protect against future attacks, there are also a few additional steps we would like to provide to help secure your client’s environment. Using information provided by Roy Tobin, Threat Research Analyst for Webroot, here is a small guide that can help establish yet another layer of protection put in place against the nasty cryptoware and ransomwares.
This guide comes with a health warning: applying these steps may cause certain programs to stop installing or functioning.
Some tips before we start:
- Verify your endpoints and servers have an updated and modern AV installed and set up correctly, like Webroot SecureAnywhere
- Ensure the latest Windows updates are applied
- Keep all used plugins up to date (Java, Flash, Adobe etc.)
- Use a modern browser with an ad blocker plugin
- Disable Autoruns
- Disable Windows Scripting Host
- Have users running as limited users and NOT admins
- Backup+ Backup+ Backup+ Backup!
So after these are all checked, here are individual steps you can take to help prevent a cryptoware or ransomware infection on your network and endpoints.
Introduction to Common Paths:
In this blog we are going to talk a lot about paths and file types, so a brief introduction is useful. Generally speaking, malware drops into a few common paths; once there, it is free to move about the PC (and network paths).
Common paths for malware to drop:
- Users temp folder (often called %localusertemp%)
- AppData and its sub folders (Roaming, Local)
- Users profile
- Temp folder (%temp% or C:\Windows\temp)
- Browsers cache folder (the path depends on the browser used; see below for an example)
- c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\
- Desktop folder
- To open any of the paths with a % in them, just type the full phrase into a Run window or the Windows Start search; %temp%, for example, goes directly to C:\Users\admin\AppData\Local\Temp
Once the infection is on the PC and actively running (an important distinction to make), it can move to make itself more difficult to find, or move to a location that helps it spread. More sophisticated malware can spread to network paths. It can use a registry entry to autostart, or another method (scheduled task, service, etc.).
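As an added example (not part of the original post), this read-only PowerShell script walks the drop paths listed above, resolved from the current user's environment, and reports executable-type files created recently, unsigned ones first; the 24-hour window and the file types are assumptions to adjust per client.

```powershell
# Added example, not from the original post: list recently created executable-type files
# in the common malware drop paths the guide describes. Read-only. Run as the logged-on
# user for the per-user paths and elevated for C:\Windows\Temp. Recursing AppData is slow.
$Hours = 24            # assumption: look back one day
$Since = (Get-Date).AddHours(-$Hours)

# The paths from the guide, resolved for the current user; missing ones are skipped
$DropPaths = @(
    $env:TEMP,                                   # %temp% (user temp)
    $env:APPDATA,                                # AppData\Roaming
    $env:LOCALAPPDATA,                           # AppData\Local
    "$env:USERPROFILE\Desktop",
    "$env:WINDIR\Temp",                          # C:\Windows\temp
    "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files\Content.IE5"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# File types that run as code when double-clicked or handed to a script engine (assumed list)
$ExecTypes = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.hta', '.dll'

$Hits = foreach ($Path in $DropPaths) {
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $ExecTypes -contains $_.Extension.ToLower() -and $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Authenticode status helps separate vendor updaters from unsigned droppers
            $Sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Created   = $_.CreationTime
                Signature = if ($Sig) { $Sig.Status } else { 'Unknown' }
                Signer    = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '' }
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Path      = $_.FullName
            }
        }
}

# %temp% and the IE cache sit inside AppData\Local, so drop duplicates, then list
# unsigned or invalid-signature files first, newest on top
$Hits | Sort-Object -Property Path -Unique |
    Sort-Object @{Expression = { $_.Signature -ne 'Valid' }}, Created -Descending |
    Format-Table Created, Signature, SizeKB, Path -AutoSize
```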
It’s advisable to have a second browser installed for a number of reasons:
- If your only browser gets damaged, it can make connecting remotely difficult (not everybody uses RDP)
- PUAs or malware can reduce the speed of browsers so badly that they become unusable.
- Some sites may not render correctly on old versions of IE. Firefox/Chrome can be used to test if this is the case
- Older versions of Windows do not have the ability to install newer versions of IE
- Newer browsers can use plugins
There are dozens of browsers available to us, but Chrome and Firefox are the two most popular browsers on the market at the moment. Another very useful ability of Chrome and Firefox is the use of plugins. Some of these can be quite helpful and can stop issues entirely.
While Autorun is a useful feature, it can be used by malware to spread around a corporate environment. With the growth of USB sticks, malware is increasingly using Autorun as a method to automatically run (and spread). Since it is commonly used by VBS malware and worms to spread, it's best to disable it by policy. You can disable Autorun easily enough by using the Local Group Policy Editor:
Note that this doesn’t affect the functionality of USB drives.
Using the Policy Editor To Block Paths:
Policies are a powerful tool that you can use for a multitude of reasons. They are commonly used to stop users from opening or installing certain software, however you can get quite creative with them.
Policies can be setup in groups so you can have more/less strict policies for certain groups. This can be useful if you have a group of users that need more access or are more tech savvy. When creating new policies, it is vital that they are tested on non-mission critical PCs.
While local policies are common, the same principle applies to network group polices. This guide is only a brief introduction, but if you want more information please look at the guide from Microsoft below:
Fixing Issues With Blocked Programs
A number of programs may stop working if you apply policies to the local user's AppData and temp folders. For example, the browser Chrome will no longer run on the PC after some policies are put in place. This is due to the policy of blocking all executables from the user's profile folder. This is a strong policy, but it is quite broad-reaching! If after some testing this becomes a hassle, you can disable that broad policy and create smaller, more focused path + file policies.
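As an added example (not part of the original post, nor Webroot's code), the PowerShell below creates the "smaller, more focused" Software Restriction Policy path rules just described, writing to the same registry keys the Local Security Policy snap-in uses; the specific deny paths and the per-user Chrome allow rule are assumptions to adapt for each client.

```powershell
# Added example, not from the original post: swap the broad "no executables from the
# user profile" rule for focused Software Restriction Policy (SRP) path rules, written to
# the registry keys that the Local Security Policy snap-in itself uses. Run elevated;
# the rules apply after 'gpupdate /force' or a logoff/logon. Test on a non-critical PC.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SRP security level: software will not run
$Unrestricted = 0x40000    # SRP security level: software runs normally

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each rule is a GUID-named subkey under the security level it belongs to
    $Key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name 'ItemData'     -PropertyType ExpandString -Value $Path | Out-Null
    New-ItemProperty -Path $Key -Name 'SaferFlags'   -PropertyType DWord  -Value 0 | Out-Null
    New-ItemProperty -Path $Key -Name 'Description'  -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $Key -Name 'LastModified' -PropertyType QWord  -Value (Get-Date).ToFileTime() | Out-Null
}

# Base settings: allow by default, enforce for everyone except local admins (PolicyScope 1),
# check all software files except DLLs (TransparentEnabled 1)
if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
Set-ItemProperty -Path $Safer -Name 'DefaultLevel'        -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Safer -Name 'TransparentEnabled'  -Value 1 -Type DWord
Set-ItemProperty -Path $Safer -Name 'PolicyScope'         -Value 1 -Type DWord
Set-ItemProperty -Path $Safer -Name 'authenticodeenabled' -Value 0 -Type DWord

# Deny rules for the drop paths the guide lists, not the whole profile (assumed set)
$Deny = @(
    '%LOCALAPPDATA%\Temp\*.exe', '%LOCALAPPDATA%\Temp\*\*.exe',
    '%APPDATA%\*.exe',           '%APPDATA%\*\*.exe',
    '%WINDIR%\Temp\*.exe',
    '%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\*\*.exe'
)
foreach ($p in $Deny) { Add-SrpPathRule -Level $Disallowed -Path $p -Description 'Ransomware drop path' }

# Allow rule for software that legitimately lives in the profile; the per-user Chrome
# path is an assumption for illustration, replace it with what your clients actually run
Add-SrpPathRule -Level $Unrestricted -Path '%LOCALAPPDATA%\Google\Chrome\Application\chrome.exe' `
                -Description 'Per-user Chrome install'

# Review the path rules now on the machine
Get-ChildItem -Path $Safer -Recurse | Where-Object { $_.PSChildName -like '{*}' } | ForEach-Object {
    $Level = if ($_.PSPath -like "*\$Disallowed\Paths\*") { 'Disallowed' } else { 'Unrestricted' }
    '{0,-12} {1}' -f $Level, (Get-ItemProperty -Path $_.PSPath).ItemData
}
```

A more specific path rule wins over a broader one, so an allow rule for one executable can sit alongside a deny rule for the folder above it.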
Blocking Access To The Volume Shadow Copy Service
On Windows XP and above, Windows will create local copies of files using the VSS copy service. It is located in the following path:
In the earlier versions of CryptoLocker, it was noticed that it didn't stop the VSS service or remove the shadow copies, and thus data could be recovered. One of the most popular tools for this is Shadow Explorer, although you can use the built-in Windows function to roll the data back. It's worth noting that VSS copies are only kept for the local drive (normally C:\).
The VSS service is realistically only useful in Vista and above, and it’s a last ditch option for encrypted files.
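Since shadow copies are only a last-ditch option if they actually exist, here is an added PowerShell check (not from the original post) that lists the shadow copies for the system drive and warns when there are none or the newest is stale; the drive letter and the seven-day threshold are assumptions.

```powershell
# Added example, not from the original post: confirm that shadow copies of the system
# drive exist before relying on them as the last-ditch recovery option the guide
# describes. Read-only; run elevated.
$Volume = 'C:'    # assumption: the local system drive the guide refers to

# Win32_ShadowCopy reports the volume as a \\?\Volume{GUID}\ path, so resolve it first
$VolumeGuid = (Get-CimInstance -ClassName Win32_Volume |
               Where-Object { $_.DriveLetter -eq $Volume }).DeviceID

$Copies = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $VolumeGuid } |
          Sort-Object InstallDate -Descending

if (-not $Copies) {
    Write-Warning "No shadow copies exist for $Volume; there is nothing to roll back to."
} else {
    $Copies | Select-Object @{n = 'Created'; e = { $_.InstallDate }},
                            @{n = 'Persistent'; e = { $_.Persistent }},
                            @{n = 'ClientAccessible'; e = { $_.ClientAccessible }},
                            DeviceObject | Format-Table -AutoSize
    $Age = (Get-Date) - $Copies[0].InstallDate
    if ($Age.TotalDays -gt 7) {   # assumption: a week-old copy is too stale for this client
        Write-Warning ("Newest shadow copy of {0} is {1:N1} days old." -f $Volume, $Age.TotalDays)
    }
}

# Space reserved for shadow storage; when the maximum is small, older copies are
# evicted as new ones are taken, so check it matches the retention you expect
vssadmin list shadowstorage /for=$Volume
```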
Disabling The Windows Script Host To Block VBS Scripts:
VBS scripts are used by malware authors either to cause disruption in an environment or to run a process that will download more advanced malware. The ILOVEYOU VBS malware caused a huge amount of damage back in the early 2000s. Nowadays, most VBS scripts cause more of an irritation, like hiding folders or moving files.
We can disable them completely by disabling the Windows Script Host engine which is what .VBS files use to run.
Warning: if your company uses any login scripts, they won't be able to run.
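Both the Autorun section earlier and this Windows Script Host section come down to one registry value each, so here is one added PowerShell script (not from the original post) that audits or applies both and reads them back; the audit-first default is an assumption.

```powershell
# Added example, not from the original post: apply, or just audit, the two registry-backed
# settings this guide recommends: Autorun off for every drive type, and the Windows Script
# Host disabled so .vbs/.js files no longer run. Run elevated. Disabling WSH stops any
# login scripts that depend on it, as the guide warns; set Enabled back to 1 to reverse.
$AuditOnly = $true    # assumption: start in audit mode, flip to $false to enforce

$Settings = @(
    @{  Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name  = 'NoDriveTypeAutoRun'; Value = 0xFF   # bit mask, 0xFF = all drive types
        Why   = 'Autorun disabled on all drive types' },
    @{  Key   = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
        Name  = 'Enabled'; Value = 0                 # 0 = wscript/cscript refuse to run scripts
        Why   = 'Windows Script Host disabled' }
)

function Test-HardeningValue {
    param([string]$Key, [string]$Name, [int]$Value)
    $Current = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    return ($null -ne $Current) -and ($Current -eq $Value)
}

function Set-HardeningValue {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type DWord
}

foreach ($s in $Settings) {
    $Before = Test-HardeningValue -Key $s.Key -Name $s.Name -Value $s.Value
    if (-not $AuditOnly -and -not $Before) {
        Set-HardeningValue -Key $s.Key -Name $s.Name -Value $s.Value
    }
    # Read the value back rather than trusting that the write succeeded
    $After = Test-HardeningValue -Key $s.Key -Name $s.Name -Value $s.Value
    $State = if ($After) { 'OK     ' } elseif ($AuditOnly) { 'MISSING' } else { 'FAILED ' }
    '{0} {1}  [{2}\{3}]' -f $State, $s.Why, $s.Key, $s.Name
}
```

Running it in audit mode across a fleet gives a quick list of machines where either setting has drifted.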
While ransomware and cryptoware are here to stay, that does not mean you can’t take the steps to prepare your network. Dedicate time and add another layer of security to your network infrastructure. It could mean the difference between client files being held for ransom or could even help avoid the infection overall.
Further information on each of these steps can be found on the Webroot Community.