Endpoint Protection


CryptoWall 2.0

  • 1.  CryptoWall 2.0

    Posted Oct 15, 2014 02:46 PM

    I have an endpoint that is infected by the Cryptowall 2.0 virus.

    Symantec 12.0 did not detect it. Does Symantec have a Virus definition for this and if so when will it be released?

    Thanks.




  • 2.  RE: CryptoWall 2.0

    Posted Oct 15, 2014 03:01 PM

    It will unless it's a new variant that doesn't yet have a signature detection. You should submit to Symantec for review:

    How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility



  • 3.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 01:57 AM

    Hi GCJFS,

    Thanks for the post.  This "2.0" is just the same old extortion scam with rebranding and a few minor changes.  It's still detected as Trojan.Cryptodefense.  1-2% of victims pay, some of which the authors use for R&D to create new variants. Every day these new samples are seen in the wild and new definitions written against them. 

    We have also been working on more generic protection: for example, the Trojan.Cryptlocker!g7 released last week and several IPS definitions.  A good Connect forum thread on how to protect yourself: https://www-secure.symantec.com/connect/forums/cryptolockercryptodefense-defenses

    Here are some posts about Cryptodefense/Cryptowall:

    CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month
    https://www-secure.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month

    Rig Exploit Kit Used in Recent Website Compromise
    https://www-secure.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

    Australians increasingly hit by global tide of cryptomalware
    https://www-secure.symantec.com/connect/blogs/australians-increasingly-hit-global-tide-cryptomalware

    Prevention is far more convenient than restoring from known good backup: ensure your SEP is using all its components, suspicious email attachments are not clicked and browsers / browser plug-ins are up to date so that drive-by downloads will not push this onto any of your organization's computers.

    Hope this helps. Please do update this thread with any additional questions!

    Many thanks!

    Mick



  • 4.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 10:41 AM

    Do you think that there will be a decrypter for encrypted files in the future?

    I removed the virus, but files are still inaccessible.

    No backup or shadow copy.

    I tried many data recovery programs, but nothing works fine.


    many thanks



  • 5.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 10:49 AM

    Hi Macpain,

    Unfortunately these things are designed to use very strong encryption and the keys used are usually unique to your computer.  Without that key (which only the authors have) it's pretty much impossible to build a fixtool for these.  Recovery from backup is the only solution.

    All the best,

    Mick



  • 6.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 12:05 PM

    We are in the same boat here. Knowing a little about encryption I realize it's near impossible to recover data once it is encrypted. That being said, all the advice I see about this issue is ridiculously generic. "Patch your software, backup your data, limit plug ins".. Sure, we do the best we can with all of that. The last line of defense is SEP which we have painstakingly deployed to every machine in our company. That being the case why are we still getting infected? I want to know what components are supposed to protect against PC infections and why it's not working. We have 12 machines infected and many file shares encrypted. SEP is up to date on all these machines. It's a program running on the computer right? Why can SEP not detect it?




  • 7.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 12:32 PM

    The biggest problem is new variants are always coming out and AV companies are always behind in getting out new signatures to detect it. It's a race that doesn't have a finish and the hope is the sensors the various AV companies use catch the stuff and get it processed ASAP so new updates can get pushed down.

    All components work together (AV, IPS, firewall, SONAR, download insight) to detect and stop.

    With that being said, what configuration do you have in place? Out of the box defaults, higher security policy?

    Are you running all the components mentioned above?



  • 8.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 12:48 PM

    I appreciate your response but as a technician I have to reject one of your comments.

    "All components work together (AV, IPS, firewall, SONAR, download insight) to detect and stop."

    Ok, but I want Symantec to tell me exactly how they are preventing CryptoWall 2.0 infections (when they actually start preventing it). Which component is doing what? Given the amount of money we spend I feel it's a fair question that deserves a specific and accurate answer.

    I have to balance security with usability. If we turned on every feature we would be spending all of our time dealing with false positives. This thing runs as an executable and should be detectable in memory using standard AV.



  • 9.  RE: CryptoWall 2.0

    Posted Oct 16, 2014 12:59 PM

    IPS/firewall stops malicious network streams/traffic (before it hits the disk).

    Insight scans files prior to download and makes detections based on reputation.

    AV/SONAR detect threats on the disk.

    There is also application and device control and system lockdown which really tighten up a system. Very resource intensive though to start.

    At the very least you should be running both AV and IPS. Any component after that strengthens your security greatly. I understand the balance thing but I can only speak from experience and if you're not using the suite to its fullest potential, you may as well install a free version of AV.

    And yea you're right, AV will detect it, if there is a known signature available to actually detect it.

    How Symantec Endpoint Protection policy features work together on Windows computers




  • 10.  RE: CryptoWall 2.0

    Posted Oct 17, 2014 03:15 PM

    This has occurred as well where I work. SEP 12.1.1101.401 did not pick up on this ransomware with current virus definitions. The SEPM was upgraded on July 28, 2014 to 12.1.4.104.4130.

    Files dropped in shared folders

    DECRYPT_INSTRUCTION.HTML

    DECRYPT_INSTRUCTION.TXT

    INSTALL_TOR.URL

    Files contain text indicating that all the files were encrypted using CryptoWall 2.0.

    To obtain a key, they would have to click on the “paytor dmbdek mizq.pay2tor.com” link and pay the ransom. (Spaces added to prevent the link from being clickable.)

    All files in her personal share are encrypted.

    I currently have a case open with Symantec. They instructed to use symhelp.
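
    As an added example (not code from any poster in this thread or from Symantec), the script below sweeps a file share for the three ransom-note filenames Rosie lists above and reports which folders contain them, along with how many other files sit next to the notes, so the affected shares can be taken offline and restored from backup. The directory layout it builds is constructed sample data; the note filenames are the only values taken from the post.

```python
"""Sweep a share for CryptoWall 2.0 ransom-note files and report the affected
folders. Detection only: the encrypted files are left untouched."""
import os
import tempfile
from collections import defaultdict

# Note filenames quoted in the post above; matched case-insensitively because
# SMB shares may present them in either case.
RANSOM_NOTE_NAMES = frozenset({
    "decrypt_instruction.html",
    "decrypt_instruction.txt",
    "install_tor.url",
})


def find_ransom_notes(root):
    """Walk `root` and return {folder: sorted note filenames found in it}.
    Folders without any indicator file are omitted."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in RANSOM_NOTE_NAMES:
                hits[dirpath].append(name)
    return {folder: sorted(names) for folder, names in hits.items()}


def summarize(root):
    """Return (affected_folders, note_files, neighbouring_files).

    neighbouring_files counts the non-note regular files in each affected
    folder: the files most likely to have been encrypted and needing restore."""
    hits = find_ransom_notes(root)
    neighbours = 0
    for folder, notes in hits.items():
        neighbours += sum(
            1 for f in os.listdir(folder)
            if os.path.isfile(os.path.join(folder, f)) and f not in notes
        )
    return len(hits), sum(len(n) for n in hits.values()), neighbours


def build_sample_share(base):
    """Constructed sample layout (hypothetical, not real victim data):
    a 'finance' share hit in two folders and a clean 'hr' share."""
    layout = {
        "finance": ["DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT",
                    "INSTALL_TOR.URL", "budget.xlsx", "report.docx"],
        os.path.join("finance", "archive"): ["Decrypt_Instruction.txt", "old.pdf"],
        "hr": ["handbook.pdf"],
    }
    for rel_dir, files in layout.items():
        folder = os.path.join(base, rel_dir)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("sample content\n")


def run_demo():
    """Build the constructed share in a temp dir and return its summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    folders, notes, neighbours = run_demo()
    print(f"affected folders: {folders}, note files: {notes}, "
          f"files next to notes (restore candidates): {neighbours}")
```

    Point it at the root of each share (the `root` argument) and review the reported folders before restoring; matching on the note filenames is far cheaper than trying to tell encrypted documents from intact ones by content.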



  • 11.  RE: CryptoWall 2.0

    Posted Oct 17, 2014 03:20 PM

    Unless you have a backup or decide to pay, the files are likely gone. I wouldn't pay and suggest you don't either.

    Support can't work with you on strengthening SEP policies.

    Do you have IPS and firewall enabled? SONAR?



  • 12.  RE: CryptoWall 2.0

    Posted Oct 17, 2014 03:29 PM

    Yes we have AntiVirus, SONAR, and Advanced Download Protection enabled but not Symantec's IPS or firewall technologies. -Rosie-



  • 13.  RE: CryptoWall 2.0

    Posted Oct 17, 2014 03:33 PM

    IPS has multiple signatures to detect potential malicious downloads for cryptowall, using the firewall to block cryptowall domains would also be a big help



  • 14.  RE: CryptoWall 2.0

    Broadcom Employee
    Posted Oct 22, 2014 12:48 PM

    SymHelp has some security best practice reports that work with AV, IPS and SONAR.  If you run a scan for common issues on a system with these components you can quickly determine if your system is configured per Symantec best practice recommendations.



  • 15.  RE: CryptoWall 2.0

    Posted Oct 22, 2014 10:30 PM

    I had a client who got hit with it.

    Vipre found it.
    I copied the encrypted files to the desktop, deleted the originals, deleted the DECRYPT_INSTRUCTIONS and INSTALL_TOR files and the docs were perfect!
    I couldn't believe it, but it's true.

    Give it a shot...couldn't hurt. The files aren't infected, just encrypted.



  • 16.  RE: CryptoWall 2.0

    Posted Oct 22, 2014 10:48 PM

    How did you decrypt? It uses basically unbreakable encryption...


  • 17.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:01 PM

    Looking for some support. We paid the ransom today and received our zip file that contained 3 files.

    decrypt, private.key and public.key

    The instructions stated to Turn Off All Anti-Virus software and run the tool.

    Yea right, not so quick there. Since some of the encrypted files were on a remote drive, I loaded the zip file there.

    When we opened the file Norton stopped a trojan (Trojan.Asprox.B) from being loaded. I wrote back to the pirates and they stated the same thing again. "If you want my files decrypted, turn off all anti-virus software and run the tool."

    So I am unsure if this Trojan is used to decode my files, since I have both keys?

    And if it is safe to perform this activity.

    Just wondering if anyone has gone through this process?



  • 18.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:06 PM

    Who knows to be honest. They have your money so frankly I'm surprised they even responded a second time.

    May need to just google it or reach out on some underground forums.



  • 19.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:17 PM

    Thanks - I've been all over the web this morning and also wrote to Symantec but no response yet.

    Bleeping Computer has a lot of details but nothing about how to decrypt using the keys provided.




  • 20.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:23 PM

    You're not going to find public documentation for it most likely. You'll need to find someone else who paid and talk to them. That list is small so it's just going to make it more difficult.

    Was your data that important? I know some have paid due to this but I always advise against it regardless of the sensitivity.



  • 21.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:50 PM

    It was our financials. Tried every method but they got our backup also. Just happened to be backing up when it hit. I moved the data to another PC and tried to use the decrypt but it stated the pairing was not proper. I think it might be looking for original files?




  • 22.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 02:52 PM

    I believe it needs to be done on the original PC where this happened.



  • 23.  RE: CryptoWall 2.0

    Posted Nov 26, 2014 04:37 PM

    @ Brian

    I agree.  The encryption keys were most likely derived specifically to the computer that the encryption happened on / from.  These keys are most likely not user based keys, but a machine based public / private key pair.  I've always wondered how these ransomware applications really work behind the scenes.  There are native encryption commands on each computer that will allow you to create a certificate and encrypt / decrypt any files with that specific certificate or private / public key.