Endpoint Protection Small Business Edition


New variant for CryptoWall, SEP unable to detect?

  • 1.  New variant for CryptoWall, SEP unable to detect?

    Posted Jul 16, 2014 10:55 PM

    Hi All,

    I have 1 client who was suspected to be infected with a new variant of ransomware (Cryptowall). Below is an example message of the ransomware:

    What happened to your files ?

    All of your files were protected by a strong encryption with RSA-2048 using CryptoWall.

    More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

    What does this mean ?

    This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

    How did this happen ?

    Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.

    All your files were encrypted with the public key, which has been transferred to your computer via the Internet.

    Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

    What do I do ?

    Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.

    If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.


    Additional Information:

    User is running Windows Vista, SEP 12.1, and the last AV definition date used to scan is 10/7/2014 r9. It has been isolated since then. No risk is found.

    User has no idea how the malware infected the machine as it does not show any signs of infection until they started to encrypt the files.

    As the user is in a strict environment, we wouldn't be able to use any other tools such as SymHelp. The only way is to update SEP's definitions for this new variant so that it can remove the malware.

    As such, any advice on which files to extract for Symantec signature creation/analysis? Any other recommendations would be greatly appreciated too.



  • 2.  RE: New variant for CryptoWall, SEP unable to detect?
    Best Answer

    Posted Jul 16, 2014 10:56 PM

    Did you submit a sample? Symhelp would be able to find it but sounds like you cannot run it?

    The defs you had were a few days old. Are you running the IPS or firewall components? This will surely up your protection.

    Two Reasons why IPS is a "Must Have" for your Network

    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

    A cryptowall guide can be found here:

    http://www.bleepingcomputer.com/forums/t/532879/cryptowall-new-variant-of-cryptodefense/



  • 3.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 16, 2014 11:05 PM

    Nope, have yet to submit any sample. What files should I ask from the user?

    The AV date was a few days old because it has been isolated since the detection date; thus, the AV date is not updated.

    We are running on IPS and firewall components too, but I believe this can be reviewed later.



  • 4.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 16, 2014 11:08 PM

    Upload it here:

    Upload a suspected infected file (Retail)

    https://submit.symantec.com/websubmit/retail.cgi



  • 5.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 16, 2014 11:24 PM

    With no access to the machine, this will be very difficult. You're going to need to do some manual analysis to find the files that were dropped on the machine. A google search will show you some guides to follow as well as the one I posted.

    Submissions are here:

    http://www.symantec.com/security_response/submitsamples.jsp



  • 6.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 17, 2014 12:37 AM

    From what I have read, it seems that once there is no damage done anymore by the infection, it will remove itself from the machine. If this is the case, we won't be able to get the sample of the infected file right? What other way is possible then?



  • 7.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 17, 2014 12:49 AM

    You can run it on infected system

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    http://www.symantec.com/docs/TECH215519



  • 8.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 17, 2014 05:13 AM

    As per KB above run Symhelp with threat analysis scan (http://www.symantec.com/docs/TECH215519).

    This will check the common load points on the machine for possible suspicious files (according to reputation score) - you can as well submit the report back to Symantec support for analysis. If any files are detected here, those would be candidates for submission. It is possible that the threat you encountered is yet an undetected variant.


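    The load-point check that posts 5 and 8 describe, done by hand, as an added example that is not part of this thread and is not SymHelp or any Symantec code: it walks the Run/RunOnce keys and Startup folders, hashes each referenced executable, and flags unsigned binaries under the user profile as submission candidates. It assumes an elevated PowerShell 2.0 or later prompt on the isolated machine; the output path C:\triage is an arbitrary choice.

```powershell
# Added example (not SymHelp, not Symantec code): enumerate common Windows load points
# and hash the executables they reference so candidate files can be submitted for analysis.
# Assumptions: elevated PowerShell 2.0+ on the isolated machine; C:\triage is an arbitrary output path.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# SHA-256 via .NET so it also works on PowerShell 2.0 (Get-FileHash needs 4.0)
function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}
# Pull the executable path out of a Run value such as "C:\p\app.exe" /arg or C:\p\app.exe
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}
function New-Finding([string]$Source, [string]$Path) {
    $sig = (Get-AuthenticodeSignature $Path).Status
    New-Object PSObject -Property @{
        Source = $Source; Path = $Path; SHA256 = (Get-Sha256 $Path); Signature = $sig
        # unsigned binaries under a user profile are the usual submission candidates
        Suspect = ($sig -ne 'Valid') -and ($Path -like "$env:USERPROFILE\*")
    }
}
$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $exe = Get-ExePath ([string]$p.Value)
        if ($exe -and (Test-Path $exe)) { $findings += New-Finding "$key\$($p.Name)" $exe }
    }
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem $dir | Where-Object { -not $_.PSIsContainer })) { $findings += New-Finding $dir $f.FullName }
}
$null = New-Item -ItemType Directory -Path C:\triage -Force
$findings | Sort-Object Suspect -Descending | Export-Csv C:\triage\loadpoints.csv -NoTypeInformation
```

    Entries whose path no longer exists are skipped, which matches post 6: a sample that has already deleted itself leaves only the load-point reference, not the file.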

  • 9.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 17, 2014 09:56 AM

    Hi danielteoks,

    Thanks for the post.  This is a new evolution of Trojan.Cryptodefense that has been around for a few months.  Here is our write-up for it:

    Trojan.Cryptowall
    http://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

    See also this thread: https://www-secure.symantec.com/connect/forums/i-have-virus-cryptowall

    This one arrives mostly through drive-by downloads.  Here's a video:

    Symantec Guide to Scary Internet Stuff - No 4 Drive-by downloads
    https://www.youtube.com/watch?v=J0QXD2ts4Qc

    Every day brings new variants of cryptolockers; keep AV, IPS and other protection up-to-date.  Keep browsers and browser plugins patched.  These resources might help:

    There's no way to decrypt the sabotaged files, unfortunately; restore from a known-good backup.

    Please do keep this thread up to date in case there is any extra data you need, or do mark it completed if this has answered your question.  Many thanks!!



  • 10.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 09:46 PM

    Hi All,

    It has been confirmed that the infection started from this website (it is suspended already):

    hxxp://www.j-morin.fr/share/document-128_712.zip

    The user downloaded the file attached in .zip format and it is surprising that SEP did not detect it initially. It was downloaded and executed on 26th June, but SEP did not catch it. The anti-virus definition date was up to date then.

    Any idea why this happened?



  • 11.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:01 PM

    A detection signature for this specific variant was not available then.



  • 12.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:03 PM

    So what was the signature for this variant? When was it released?



  • 13.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:06 PM

    You'd have to go back thru the signature releases and look for it. Is it detected now?

    http://www.symantec.com/security_response/definitions/certified/



  • 14.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:15 PM

    You see... the problem is that I couldn't get the original file as it was removed from the website. However, according to my client's encounter, SEP wasn't able to detect it on 26th June.



  • 15.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:17 PM

    Was close to a month ago...my guess is it will be detected now.



  • 16.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 10:30 PM

    This is totally not helpful at all. I couldn't simply tell the client "I guess it is detected now and the signature wasn't created on 26th June".

    From what I understand, there was a rapid release on 19th June which detects it as Trojan.Cryptodefense or Trojan.Cryptdef!gen1.

    However, the incident occurred on 26th June and the AV definitions have been updated since then, so the question I am asking is: is this another new variant? Or is there a new release after 19th June (or after 26th June) which will be able to detect this?



  • 17.  RE: New variant for CryptoWall, SEP unable to detect?

    Posted Jul 19, 2014 11:00 PM

    What I'm telling you is if defs were up to date as you say and it was not detected then Symantec obviously did not have a signature to detect it at that time, which makes it a new variant or Symantec was somehow delayed in getting out a signature. If you don't currently have the same sample then there is no way to tell if it is detected now. Since this was close to a month ago, my hope is that it is now detected.

    I apologise for not being helpful.