Support Perspective: CTB-Locker and other forms of Crypto malware...and Upatre 

Jan 20, 2015 04:41 PM

Crypto-type malware is particularly nasty to deal with because it encrypts files.  While an infected file has had code added to it which antivirus can remove, an encrypted file isn’t repairable without the unique encryption key that was used. The criminals using crypto-type malware intend to sell you the unique key, giving you access to your files for a price. For this reason, crypto-type malware is also frequently called Ransomware. 

The key to dealing with crypto-type malware is prevention and planning.  While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

Preventive Measures

  • Do not follow unsolicited web links in email messages or submit any information to web pages reached through such links.
  • Use caution when opening email attachments.
  • Keep operating systems and software, including antivirus, up to date with the latest patches.
  • Perform regular backups of all systems and data to avoid serious consequences should your system fall under attack.
  • Block known attachment types (.SCR, .CAB, .EXE) at the email gateway level.


Typically, we see crypto-type malware delivered by exploit kits on compromised web pages. Exploit kits actively scan a visiting machine and deliver threats through any exploitable vulnerabilities they are able to detect. For this reason we advise that, along with IPS, the operating systems, web browsers, Java installations, and all other software be kept up to date with the latest patches.

Currently we are seeing an increase in reports of a crypto-malware called “CTB-Locker”. Diagnosing a specific variant from a picture is difficult, as the criminals frequently re-use the digital “ransom note”, but for the spam campaign currently underway we have detection of the final payload as Trojan.Cryptolocker.E.

For more info on Downloader.Upatre spam runs, see:
Short, sharp spam attacks aiming to spread Dyre financial malware

The current malicious spam campaign has one additional detail which can be used to control outbreaks. The initial attack vector is an email with a ZIP or a CAB attachment claiming to be a FAX or invoice. These ZIP or CAB containers hold a downloader that is likely a new variant of one of several different families, such as Downloader.Ponik, Downloader.Upatre, or W97M.Downloader. These downloaders are generally a portable executable file type (.EXE, .SCR, .BAT, .PIF, .CMD) and are responsible for downloading the secondary threat, which is an encrypted file that performs the actual encryption routine.

  • Block .SCR, .CAB, and .EXE attachments at the mail gateway
  • Implement an Application and Device Control policy in SEP or via a GPO that prevents SCR files from executing across the network.
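The gateway-side check from the two points above, written out as an added example (it is not from the original post or from any Symantec product): it parses a constructed “fax” email, looks at the final extension of each attachment and of each member inside a ZIP attachment, and returns the reasons a gateway would have to quarantine it. The sample mail, the function names and the treatment of .CAB (flagged by container type only, because the standard library has no .cab reader) are my assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
import io
import zipfile

# Portable-executable extensions the post says the downloaders arrive as.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat", ".pif", ".cmd")

def is_blocked_name(name: str) -> bool:
    """True if the FINAL extension is executable, so 'invoice.pdf.scr' is caught."""
    return name.lower().strip().endswith(BLOCKED_EXTENSIONS)

def inspect_zip(data: bytes) -> list:
    """Names of executable members in a ZIP, read from its central directory without extracting."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if is_blocked_name(i.filename)]
    except zipfile.BadZipFile:
        return []  # unreadable container: leave the policy decision to the caller

def inspect_message(raw: bytes) -> list:
    """Reasons to quarantine the message; an empty list means nothing was found."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if is_blocked_name(fname):
            reasons.append(f"executable attachment: {fname}")
        elif fname.endswith(".zip"):
            reasons += [f"executable inside {fname}: {m}" for m in inspect_zip(payload)]
        elif fname.endswith(".cab"):
            # No .cab reader in the standard library; the post blocks .CAB outright.
            reasons.append(f"blocked container type: {fname}")
    return reasons

def build_sample_message() -> bytes:
    """Constructed 'fax' mail whose ZIP wraps a .scr (dummy bytes, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_2015_01_20.pdf.scr", b"placeholder, not a real binary")
    msg = EmailMessage()
    msg["From"] = "fax@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Incoming fax"
    msg.set_content("Please see the attached fax.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="fax_2015_01_20.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in inspect_message(build_sample_message()):
        print("QUARANTINE:", reason)
```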

How to block users from downloading files with specific extensions, using Application and Device Control:

1. Log in to the Symantec Endpoint Protection Manager (SEPM).

2. Click Policies.

3. Click Application and Device Control.

4. Under Tasks, click Add an Application and Device Control Policy.

5. At the top left, click Application Control.

6. Click the Add... button.

7. Type a name for the rule.

8. Click the Add... button at the bottom right under "Apply this rule to the following processes".

9. Make a separate entry for each browser or mail process that should not be allowed to download the file.
Example: iexplore.exe, outlook.exe or chrome.exe

10. Click OK.

11. Click the Add... button at the bottom left under Rules.

12. Select Add Condition.

13. Select File and Folder Access Attempts.

14. Click the Add... button on the right, next to "Apply this rule to the following files and folders".

15. In File or Folder Name to Match, type "*.extension". Example: *.exe, *.scr (without quotes)

16. Click OK.

17. On the Actions tab, under both Read Attempt and Create, Delete, or Write Attempt, select "Block Access".

Optional: check Notify User and enter a message, for example "Downloading executable files is not permitted; contact the administrator".

18. Click OK.

19. Set the policy to Production.

20. Click OK.

21. Click Yes to assign the policy.

22. Check the boxes for any group that the policy should be applied to.

23. Click OK.

 

There are new variants of these threats coming out every hour, and desktop AV is, at its core, reactive. If you have received an email containing a file you have reason to suspect, or have already received such a file and are experiencing symptoms, please submit the file to Symantec. Unfortunately, submitting an encrypted file is of no diagnostic use, and we cannot decrypt these files for you; they will need to be restored from backup.

 

Comments

Apr 15, 2016 01:36 PM

You can try with PcAnywhere to restore the data over the internet to your home or another PC.

You will see the extension is clean like before.

.PDF: you save your data on your PC and it is back clean.

If you return the file to Server 2012, the clean file will not be visible;

you must first clean the directory.

 

Jul 31, 2015 07:07 AM

On the CTB-Locker  issue

The removal part is the hardest; use AVG and a rootkit that will work.
Look at the infected files; they have something like

xxxx.jpg.ffhhhggg

Just do this: rename to the original file name
rename xxxx.jpg.ffhhhggg    xxxx.jpg
It still doesn't work, but:


Choose Properties, Version, and Restore an older version; it works again (Windows 7).

If you are lazy like me, click the folder which contains the infected files
and restore an old version of the folder.

You now have 2 copies of the files, the infected one and the original. Just delete
the infected files. Do the same thing with docs.
This doesn't work for files in the root directory. I am working on that one.

Regards Layek

 

 

May 14, 2015 09:41 AM

Hi Victor, are the above 1 and 2 notifications different, or do both need to be configured? Have you received any alerts after configuring or testing? Please share with me if possible.

Mar 10, 2015 05:57 AM

Me too, in the (slimmed down) SB edition, the mentioned options are not available.

Still, a suggestion on how to stop this Crypto-Ransomware malware from infecting our customers would be a welcome help.

You would think SEP should (by default) be able to block a malware infection like CTB-Locker, which has been out in the open for almost a year!

Feb 13, 2015 11:05 AM

Would love to see a similar write-up for Symantec Endpoint Protection Small Business Edition (Symantec.cloud), because I am not sure there are sufficient safeguards available in the product.

Feb 11, 2015 03:54 AM

Now it's clear. Many thanks!

Just a warning for SEP11

It works only for SEP11 32-bit versions.

Feb 10, 2015 11:24 AM

Hi Mixit, 

You'll forgive me if I'm not able to provide a suggestion on breaking security on a WinZip or WinRAR file.
:)

Feb 10, 2015 11:05 AM

Yes to both

Feb 10, 2015 10:54 AM

thank you for your answer.

 

just to be sure 

yes I need a reboot 

and

yes it works with SEP11

 

For the SEP 12.1.5 migration, I know, but it takes more time than expected.

Feb 10, 2015 09:13 AM

Yes and yes

When you apply the ADC policy a restart is needed to kick the driver into action

Also, SEP 11.x is end of support life so you need to move to 12.1.5 ASAP

Feb 10, 2015 09:01 AM

Hello,

 

I've 2 questions :

- Does using Application and Device Control work with SEP11 clients?

- Can anyone confirm or refute this quote from http://www.symantec.com/docs/HOWTO80856 :

Client computers require a restart when you enable application control rules.

 

Feb 06, 2015 09:18 AM

Hi, Brian,

Under the "Launch Process Attempts":

properties:

Apply to the following processes:

MD5s of new "cryptolocker" and "download.ponic" variants

(more and more variants, continuously; SEP definitions and rapid definitions are sometimes not enough..  :( we receive 5-15 new downloader.ponic variants daily after the rapid update)

 

Actions:

Terminate process, Enable logging, severity - 0, Send e-mail alert.

 

Viktor

Feb 06, 2015 08:08 AM

@Viktor,

Does anything go under the "Launch Process Attempts" condition?

Feb 06, 2015 02:11 AM

(Update bold)

Hi!

How to detect infected computers?

1. Create an "Application and Device Control" rule.

"Apply this rule to the following processes:" *

Add "File and Folder Access Attempts"

1.1. "Properties"

Apply to the following files and folders:

decrypt all*.txt

decrypt_instruction*.txt

*.doc.???????

*.docx.???????

*.xls.???????

*.xlsx.???????

*.pdf.???????

*.rtf.???????

*.txt.???????

*.zip.???????

*.pst.???????

do not apply the following files and folders:

*.???.???

1.2. "Actions":

2. Create a "Notification condition":

Done.

When the malware performs an action (encrypting any files), SEPM generates an email to the system administrators.
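The ADC rule in the comment above, turned into stand-alone detection logic as an added example (not from the comment or from SEP): it applies the include patterns and then the exclude pattern, using Python's fnmatch wildcards (`*` and `?`) as a stand-in for the ADC matcher, runs them over a constructed directory listing, and groups hits per folder. The listing, the per-folder grouping and the assumption that fnmatch wildcards behave like the ADC ones are mine.

```python
import fnmatch
from pathlib import PurePosixPath

# Include/exclude patterns exactly as listed in the ADC rule above.
INCLUDE_PATTERNS = [
    "decrypt all*.txt", "decrypt_instruction*.txt",
    "*.doc.???????", "*.docx.???????", "*.xls.???????", "*.xlsx.???????",
    "*.pdf.???????", "*.rtf.???????", "*.txt.???????", "*.zip.???????",
    "*.pst.???????",
]
EXCLUDE_PATTERNS = ["*.???.???"]

def matches_rule(filename: str) -> bool:
    """Include-then-exclude, case-insensitive (assumption: fnmatch's '*' and '?'
    behave like the ADC wildcards; '?' here also matches a dot)."""
    name = filename.lower()
    if not any(fnmatch.fnmatchcase(name, p) for p in INCLUDE_PATTERNS):
        return False
    return not any(fnmatch.fnmatchcase(name, p) for p in EXCLUDE_PATTERNS)

def scan_listing(paths):
    """Group matching file names by directory; several hits in one folder
    are a much stronger signal than a single odd name."""
    hits = {}
    for p in paths:
        path = PurePosixPath(p)
        if matches_rule(path.name):
            hits.setdefault(str(path.parent), []).append(path.name)
    return hits

# Constructed listing of a file share (sample data, not from a real incident).
SAMPLE_LISTING = [
    "/shares/finance/budget.xlsx.qwkzuta",    # encrypted: random 7-char suffix
    "/shares/finance/contract.pdf.qwkzuta",
    "/shares/finance/Decrypt All Files.txt",  # ransom note; lower-cased before matching
    "/shares/finance/notes.txt",              # untouched
    "/shares/hr/policy.docx.qwkzuta",
    "/shares/hr/archive.tar.gz",              # legitimate, matches no include pattern
    "/shares/hr/minutes.txt.old.bak",         # matches *.txt.??????? but excluded by *.???.???
]

if __name__ == "__main__":
    for folder, names in scan_listing(SAMPLE_LISTING).items():
        print(f"{folder}: {len(names)} hit(s) -> {', '.join(names)}")
```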

 

Feb 05, 2015 12:43 PM

I have updated the blog to include the .CAB extensions currently being used.

Feb 04, 2015 01:38 AM

My company is experiencing similar problems. All data that was encrypted, although we have used Symantec software

Feb 03, 2015 11:49 AM

Have you tried this site: https://www.decryptcryptolocker.com/

 

 

Feb 02, 2015 03:54 PM

Ugh, 500.  That's a lot.  I thought maybe it would be $100 or something sort of "just enough" to make money but not too much to get people to say no thanks I don't really need those vacation pictures after all. 

 

On a side note, is there actually a functioning, useful WinRAR or WinZip password cracker out there?  This is not related to a ransomware issue; just that since you mentioned WinRAR it occurred to me I have a zip file I made now several years ago that I'd love to get back into, but have zero idea what I had put the password as.

 

 

Jan 30, 2015 11:10 AM

Hi Mixit, 

500 USD has been the average amount.

Encryption schemes vary from fairly easy WinRAR and similar compression utilities to 128-bit encryption.

Jan 29, 2015 10:55 AM

One general question to all: 

 

What is the average amount of money asked for in ransomware to date (or ballpark, are they asking for $100, $1000, or what?). 

 

Also, what kind of crypto is being used to encrypt the files?  I realize it can change, but I'm wondering what's commonly in use now.

Jan 29, 2015 10:54 AM

Will, did you somehow end up decrypting your locked files, or was it that the CTB Locker didn't get a chance to do any damage yet so you got rid of it as just a file or running process? 

 

This seems to be a phenomenon here, this ransomware stuff, so if all it took was a 3-step guide to fix I'd be surprised.  Plus once files are encrypted, you can't decrypt them without the proper key, which either this 3-step guide shows you how to extract, or you hadn't been encrypted yet, thankfully.

 

Also note that as a paranoid person, I'm not too keen on clicking people's links to websites I don't know.  Even for a site that has a non-suspicious URL such as the one you posted, so I'm avoiding clicking it :) No offence.  If anybody else takes the time to read and eval the content I'd be interested just the same to know the details.

 

 

Jan 29, 2015 05:12 AM

Just a quick update: in recent days we have seen the malicious .scr file arrive inside of a .cab file.  This is a container less commonly used than .zip and other compression formats.  Please alert end users to treat any unexpected .cab attachments with caution!  As ever, please do submit the malicious samples to Security Response for analysis.

Many thanks,

Mick

 

Jan 26, 2015 02:09 PM

Hi Rudolf,  

The nature of this threat is that you will continue to see new variants on a rapid and consistent basis. It's not realistic to think that ANY vendor will always be the first to have detection out.

I believe what Mick was replying to was that this and other forms of email threats must be dealt with at the email level, not at the desktop level.

Put another way, when you have a leak in the roof, you need to find a bucket to put under it to contain the leak. This still requires that something got wet that wasn't supposed to. Another leak, another bucket. By the time you are out of buckets and are using pots and pans, you need to start thinking about fixing the hole rather than looking at more buckets.

It's raining out there. We make a pretty good bucket, but you need to think about the leak and block .scr files now.

Jan 26, 2015 05:15 AM

Using the software PhotoRec or TestDisk 7.0 can recover many files, but all the file names are renamed and start with fd*****.ext (original extension), and you can then open the files...

 

Test it and post if works for you

Jan 26, 2015 05:06 AM

Hello. Don't pay the ransom. My client paid the ransom but only some files were decrypted. I can send the unlocker that they sent and the private key to Symantec to analyze them if you want.

 

 

Jan 25, 2015 08:51 AM

Hi,

I am facing a similar issue. I have formatted the system but old files are still encrypted and unable to open. I have tried various decrypt tools like Pandaunransom.exe, Kaspersky Decrypt Tool (xoristdecryptor & rectordecryptor), Anti-CryptorBitV2, decrypt_cryptodefense, etc., but nothing worked. Looking for a solution which helps to recover or repair the complete data. Kindly advise if any other solution is available.

Mitesh Gosar

Jan 23, 2015 08:13 AM

Hi support. I have the same issue: this CTB-Locker malware changed all folder extensions to a unique name and we can't open them. When I rename it, it becomes a Unicode file. We want to know whether we can pay the ransom to get our files fixed back. Can you suggest to me? Tq rajae

Jan 22, 2015 09:51 AM

Then the only way at this point with the new variant is to ensure a good backup is in place. At this point, you don't have any other options.

Jan 22, 2015 09:49 AM

I've tried that. It said "file not infected with Cryptolocker". This is CTB-locker. 

Jan 22, 2015 09:45 AM

Very unlikely but maybe you'll get lucky trying this:

https://www.decryptcryptolocker.com/

Jan 22, 2015 09:42 AM

Hello there

 

I'm infected with CTB-Locker. No system restore, no backup. How can I decrypt files without paying?

 

Can anyone help?

Jan 22, 2015 08:00 AM

Either they don't have the latest defs yet or there is some sort of corruption. Running the symhelp tool will verify this.

Jan 22, 2015 07:58 AM

Restore from a good backup.

Jan 22, 2015 06:16 AM

What about if a file is already corrupted with CTB-Locker, how can I recover it?

Jan 22, 2015 05:08 AM

Guys,

I have zipped CTB-Locker on my HDD. I have the newest virus definitions on my SEP, and after scanning this archive file SEP still can't see the virus.

I sent this file to Symantec Security Response yesterday and now I have information that this file is Downloader.Ponik

File3:

sonic_invoice_2015_01_20-13_03.scr 

MD5:

0x58FD231FD7586AD6329ACAD30C004C5E

SHA-1:

0xE0338895CDFAB5BDFB1A7254D46D8FCBE9D0D937

Determination:

AlreadyDetected

Submission Detail:

This file is detected as Downloader.Ponik with our existing certified LiveUpdate definitions.

Signature Protection Name:

Downloader.Ponik

Live Update Sequence Number:

160904

 

but SEP and symantec gateway still can't see this virus !!

 

Where is the problem?

 

Konrad

Jan 21, 2015 06:03 PM

Perhaps, but, that response can only come from them.

Jan 21, 2015 05:22 PM

Hello, 

 

Yes, I know that AV alone is pointless. As I said, my customer gave me this question. They are using SEP with all the protections enabled; sure, they don't use ADC like was described here.

And Brian, frankly, Symantec as a leader in security should always get them first, or be at least in the first line who gets them....always.

Sorry, I am naive. 

 

Rudolf

Jan 21, 2015 04:30 PM

Application and Device Control is not a "workaround". It is another security layer in the many that are needed to secure an enterprise.

Frankly, when it comes to AV signatures, they're hit or miss and it's about who can get them out the quickest. For whatever reason, others had a sample to write a signature for it before Symantec.

Relying on AV alone is pointless. I would hope that you're using the ADC, IPS, firewall, SONAR, Download Insight components etc. that SEP also offers. They are key to fighting advanced malware.

Jan 21, 2015 04:25 PM

Sorry about that,

I really like what Symantec is doing, but after yesterday's experience I am really disappointed.

 

Rudolf

 

Jan 21, 2015 04:21 PM

Hello Brandon, 

I don't agree with Mick regarding the "Excellent advice"

We as a Partner in Slovakia had yesterday two customers with the CTB-Locker. I have received some virus samples from the customers. There were .scr files. It was about 9:00am our time. I have submitted the samples via the VirusTotal portal. 28/56 engines successfully detected this threat....but Symantec did not!!!

Also our biggest competitor in our region, ESET, was able to detect it quicker than Symantec!!!

So I have submitted them to Symantec. I received the response at about 7:00pm that the samples were detected as Downloader.Ponik and that there will be Rapid Response updates in a COUPLE OF HOURS and certified updates the NEXT DAY.

So my question is, what are you doing wrong?  What should I answer my customer if he asked me "why should I make up these workarounds like Application and Device policies if I could simply install another competitor's solution and just rely on their AV engine?"

Rudolf

 

Jan 21, 2015 05:15 AM

Excellent advice, Brandon!

Just an update: the ultimate payload of this campaign may also be detected as Trojan.Cryptolocker.G.

Please do make submissions of any undetected "fax" attachments from these messages so that Downloader.Ponik detections can be improved for all.  The following article has advice on how best to get those to Security Response:

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

I also recommend ensuring that mail servers are using the latest definitions.  It would be a good idea to apply Rapid Release defs to SMSMSE and other products protecting mail servers a couple times per day.  This will improve detection of the very latest Downloaders that are used to deliver the ultimate cryptolocking payload.

Many thanks!

Mick
