This is the second of an informal series on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions).
The first article, Using SEPM Alerts and Reports to Combat a Malware Outbreak, demonstrated how to use reporting features of SEP 12.1's SONAR component to identify Suspicious files for which there were no AntiVirus signatures yet created.
This article covers a few ways to prevent, and to recover from, one of today's most destructive threats, should it infect your network and hold your data hostage.
About Cryptolocker and Ransomware: An Ounce of Prevention....
Recent years have shown a rise in the number of ransomware threats in circulation. These threats hijack a whole computer or its data and demand that a payment is made in order to unlock or decrypt them. The authors of these malicious threats have a very strong financial motive for infecting as many computers as possible, and have put substantial resources into making these threats prevalent. New variants are seen all the time. The following articles (and the links they contain) have more detail on the subject.
Additional information about Ransomware threats
Ransomcrypt: A Thriving Menace
One recent variation calls itself "CryptoLocker." Current definitions from Symantec detect this family as Trojan.Cryptolocker though older definitions classified it as Trojan.ransomcrypt.f or Trojan.Gpcoder.H. Prevention is far better than a cure for ransomware and ransomlock threats: end user education and the use of some of SEP's optional capabilities can help keep your data safe!
This infection is typically spread through emails sent to corporate email addresses, pretending to be from an array of legitimate companies. These emails contain an attachment that, when opened, infects the computer. The .zip attachments contain executables that are disguised as PDF files: they have a PDF icon and are typically named something like FORM_101513.pdf.exe. Since Windows hides known file extensions by default, they look like normal PDF files and trick victims into opening them. If SEP 12.1's optional Proactive Threat Protection (SONAR) is running, it will prevent these double-extension executables from causing harm.
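As an added illustration (not code from the original article or from Symantec), the following PowerShell script checks a folder of extracted attachments or downloads for the double-extension disguise described above: a document-looking extension followed by an executable one, with a header check to confirm the file really is a Windows executable. The folder in $Path and the extension list are assumptions for this example; Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: flag files named like FORM_101513.pdf.exe.
# $Path is an assumption; point it at a folder of extracted attachments.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Document-looking extension immediately followed by an executable one
$doubleExt = '\.(pdf|doc|docx|xls|xlsx|ppt|pptx|txt|jpg|png|zip)\.(exe|scr|com|pif|bat|cmd|vbs|js)$'

function Test-PeHeader {
    # Windows executables begin with the two bytes "MZ" (0x4D 0x5A)
    param([string]$File)
    try {
        $fs = [System.IO.File]::OpenRead($File)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
            return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
        } finally { $fs.Close() }
    } catch { return $false }
}

Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -imatch $doubleExt } |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.FullName
            SizeBytes  = $_.Length
            IsPeBinary = Test-PeHeader $_.FullName          # $true: really an executable
            Sha256     = (Get-FileHash -Algorithm SHA256 $_.FullName).Hash
        }
    } | Format-Table -AutoSize
```

Files reported with IsPeBinary set to $true are executables wearing a document name; the SHA-256 column gives you a value to quote when submitting a sample to Symantec Security Response, as described later in this article.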
Sometimes Trojan.Cryptolocker is brought into the network by Trojan.Zbot, so full system scans are necessary to identify any and all threats introduced into the environment. Do not rely on SEP's Auto-Protect alone!
Once it is on the computer, Trojan.CryptoLocker will contact a "secret server" (Command and Control server) and generate a unique key with which to encrypt the victim's files. Using SEP's optional IPS components will block this communication and keep files from being locked by this threat. Definitely deploy IPS, if it is not already in use!
If it is able to generate a key, Trojan.CryptoLocker will then begin to sabotage all the MS Office documents, OpenOffice documents, and other valuable materials it can find. A list of affected extensions is available in the Trojan.ransomcrypt.f Technical Details (though, of course, different variants will behave differently....). Both files on the local computer and files on any mapped network shares can be affected. Once the encryption is complete, the threat will display a pop-up which explains what it has done and demands payment for those files to be decrypted. It may also change the Windows desktop.
...The Pound of Cure
If your files have been locked by this threat, Symantec advises: do not pay the ransom. If these scams make money for their authors, it will only encourage the attackers. Your payment will fund R&D for new and more sophisticated attacks against you.
Follow the steps in this document to contain and eliminate the threat:
Best Practices for Troubleshooting Viruses on a Network
Article URL http://www.symantec.com/docs/TECH122466
Now it's time to think about recovery.
Decryption without the key from your attackers is not feasible, but that does not mean that a Trojan.CryptoLocker threat must seriously disrupt your business. A scan with new AntiVirus definitions will be able to detect and remove the executable file and prevent any further damage. If your organization has been following best Disaster Recovery practice and maintaining a routine schedule of backups, then simply delete all the encrypted files and restore them from their last known-good backup. Symantec supplies Backup Exec, NetBackup, and a number of backup tools in the Norton consumer products. Other vendors supply other products which can likewise make the job of recovering from Trojan.CryptoLocker quite straightforward.
With some variants of Trojan.Cryptolocker, it is possible to use Windows Powershell to generate a list of files that have been encrypted by ransomlock. You can dump the list of files in the CryptoLocker registry key using the following command:
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames().Replace("?","\") | Out-File CryptoLockerFiles.txt -Encoding unicode
Note that more recent variants seem to have changed their code to prevent the generation of such a list. In that case it will be necessary to identify the corrupted files manually.
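The following PowerShell script is an added example (not from the original article) that builds the list of damaged files either way: it uses the registry key from the command above when an older variant has left it behind, and otherwise falls back to a header check that is my own heuristic, not a documented property of the threat. The check assumes that an Office or PDF file whose first bytes no longer match its extension has been overwritten; the output path and the set of folders scanned are also assumptions.

```powershell
# Added example: list files damaged by the threat.
# $regKey is the value-name store used by older variants (see the command above);
# the header check below is an assumption for variants that no longer keep it.
$regKey = 'HKCU:\Software\CryptoLocker\Files'
$report = "$env:USERPROFILE\Desktop\CryptoLockerFiles.txt"

# Expected leading ("magic") bytes for common document formats
$magic = @{
    '.docx' = 0x50,0x4B;           '.xlsx' = 0x50,0x4B;           '.pptx' = 0x50,0x4B   # zip-based
    '.odt'  = 0x50,0x4B;           '.ods'  = 0x50,0x4B;           '.zip'  = 0x50,0x4B
    '.doc'  = 0xD0,0xCF,0x11,0xE0; '.xls'  = 0xD0,0xCF,0x11,0xE0; '.ppt'  = 0xD0,0xCF,0x11,0xE0   # OLE
    '.pdf'  = 0x25,0x50,0x44,0x46                                                                 # "%PDF"
}

function Test-HeaderMatches {
    # Returns $true when the file starts with the expected bytes
    param([string]$File, [byte[]]$Expected)
    $fs = [System.IO.File]::OpenRead($File)
    try {
        $buf = New-Object byte[] $Expected.Length
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt $Expected.Length) { return $false }
        for ($i = 0; $i -lt $Expected.Length; $i++) {
            if ($buf[$i] -ne $Expected[$i]) { return $false }
        }
        return $true
    } finally { $fs.Close() }
}

if (Test-Path $regKey) {
    # Older variants record each encrypted file as a value name, with '?' in place of '\'
    (Get-Item $regKey).GetValueNames() |
        ForEach-Object { $_.Replace('?', '\') } |
        Out-File $report -Encoding unicode
} else {
    # Fallback heuristic: scan the profile and every mapped network drive
    $roots = @($env:USERPROFILE) + @(Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.DisplayRoot -like '\\*' } | ForEach-Object { $_.Root })
    Get-ChildItem -Path $roots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $magic.ContainsKey($_.Extension.ToLower()) -and $_.Length -gt 0 } |
        Where-Object { -not (Test-HeaderMatches $_.FullName $magic[$_.Extension.ToLower()]) } |
        Select-Object -ExpandProperty FullName |
        Out-File $report -Encoding unicode
}
"Wrote $report"
```

The fallback list is a starting point, not a verdict: a legitimately odd file (an RTF saved with a .doc name, for instance) will also fail the header check, so review the report before deleting anything and restoring from backup.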
Microsoft Built-In Tools: Windows Backup
Windows comes with a built-in backup and restore utility. Windows Backup is a freebie that can restore encrypted files (or files otherwise damaged by any threat), providing that you have made a backup of them prior to the damage. Microsoft have released a video on how to use the built-in backup and restore tool to backup your important files. Watching this simple how-to will enable you to schedule a known-good backup of your selected data, and will only cost a minute of your life. Definitely recommended!
Back up your files
This Windows Backup tool also has the ability to create a system image: this is an exact image of the entire drive, with system settings, programs, files, everything. If this system image is restored, it will not only replace all the corrupted files that Trojan.CryptoLocker has damaged, it will overwrite everything! Use system image restoration with caution.
Use a Previous Version
An alternative, if it is a technology in use in your organization, is to restore from a Previous Version. Previous versions are copies of files and folders that Windows automatically saved as part of system protection. This feature is fantastic at rescuing files that were damaged by malware. Here's another Microsoft article with all the details:
Previous versions of files: frequently asked questions
If system protection is enabled, Windows automatically creates previous versions of files and folders that have been modified since the last restore point was made.
As an example: let's say that Trojan.CryptoLocker has turned the important MS Word document "Network and Telco.doc" into gibberish. From Windows Explorer, just right-click it, choose "Restore previous versions", highlight the version from last week (before the damage was done) and click Restore.
On the File Server: Volume Shadow Copies
If Trojan.CryptoLocker has damaged files that reside in a mapped directory on a corporate file server, there's a slightly different method for restoring them. If Volume Shadow Copies are enabled on the server, recovery should be easy. More details and a mention of gourmet snacks can be found in this Technet article:
Rapid Recovery with the Volume Shadow Copy Service
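Both the "Previous Versions" restore on a workstation and the file-server recovery above are served by the same Volume Shadow Copy Service, so the steps can be scripted when many files are involved. The PowerShell below is an added example, not code from the original article or from Microsoft: it lists the snapshots of a volume, maps the newest one to a temporary directory link, and copies one file out of it. It must run as an administrator on the machine that holds the shadow copies; the volume, file path and destination are assumptions for illustration, and in practice you would choose the newest snapshot taken before the damage rather than simply the newest one.

```powershell
# Added example: restore a file from a Volume Shadow Copy.
# $Volume, $RelativePath and $RestoreTo are assumptions for this example.
param(
    [string]$Volume       = 'C:\',
    [string]$RelativePath = 'Shares\Projects\Network and Telco.doc',
    [string]$RestoreTo    = 'C:\Restored'
)

$toDate = { [System.Management.ManagementDateTimeConverter]::ToDateTime($args[0]) }

# Win32_ShadowCopy.VolumeName holds the volume GUID path, so look that up first
$volId = (Get-WmiObject Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID
$snaps = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volId } |
    Sort-Object { & $toDate $_.InstallDate } -Descending)

if ($snaps.Count -eq 0) { throw "No shadow copies found for $Volume" }

# Show what is available: each snapshot exposes a device path such as
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
$snaps | ForEach-Object { '{0}  {1}' -f (& $toDate $_.InstallDate), $_.DeviceObject }

$snap = $snaps[0]                      # newest snapshot; pick an older one if needed
$link = Join-Path $env:TEMP 'vss_restore'
if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }

# mklink needs the trailing backslash on the device path
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
try {
    $src = Join-Path $link $RelativePath
    if (-not (Test-Path -LiteralPath $src)) { throw "File not present in snapshot: $src" }
    New-Item -ItemType Directory -Force -Path $RestoreTo | Out-Null
    Copy-Item -LiteralPath $src -Destination $RestoreTo
    "Restored $RelativePath from snapshot taken $(& $toDate $snap.InstallDate)"
} finally {
    # Remove the directory link, not the snapshot contents
    cmd /c rmdir "$link" | Out-Null
}
```

Copying into a separate folder rather than over the damaged original keeps the encrypted copy available for comparison, and lets you confirm the restored document opens before replacing anything.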
After cleaning up from this Trojan.CryptoLocker threat, it would be a very good idea to run a diagnostic to ensure there are no additional undetected malicious files on the computer(s). The following article provides an illustrated example of how this can be done:
Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
And it would also be a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation, and it is guaranteed that tomorrow the baddies will come up with new code and techniques. Take precautions now!
Symantec Endpoint Protection – Best Practices
Many thanks for reading! Please do leave comments and feedback below.