cryptolocker remediation


Upload: dattero2k1

Post on 21-Dec-2015

DESCRIPTION

How to use Varonis DatAdvantage to remediate CryptoLocker attack

TRANSCRIPT

Page 1: CryptoLocker Remediation

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL

Our mission is to help enterprises realize value from their unstructured data.

CryptoLocker Remediation

Page 2: CryptoLocker Remediation

About Varonis

Started operations in 2005

Over 3,000 customers (as of September 2014)

Software solutions for human-generated data

Page 3: CryptoLocker Remediation

A Story About Trees

Page 4: CryptoLocker Remediation

Focus on Frequency

Page 5: CryptoLocker Remediation

The Crypto Locker

Page 6: CryptoLocker Remediation

Crypto Locker

CryptoLocker is a well-known Trojan that is spread widely across the internet.

It usually enters the company by email.

The latest variant was not detected by any antivirus or firewall.

If a user runs the executable, it immediately starts scanning network drives, renaming the files it finds and encrypting them.

The most effective countermeasure to identify and limit the damage is to use DatAdvantage and DatAlert.

Page 7: CryptoLocker Remediation

Actions and behavior

Action: Encrypt files
Notes: Uses an RSA 2048-bit key; the cipher applied to the file contents appears to be symmetric, with RSA protecting the symmetric key (details depend on the CryptoLocker variant).
Events on files: OPEN then MODIFY

Action: Add a file extension (after the existing one)
Notes: Appends one of the following to the file name, depending on the CryptoLocker variant: « .encrypted » OR « .cryptolocker » OR « .<RANDOM 7 characters> »
Events on files: RENAME

Action: Write an instruction file in each directory
Notes: Writes a file containing a link to a web page with instructions for decrypting the files (the user is required to pay some bitcoins). The file names are « DECRYPT_INSTRUCTION.txt » OR « DECRYPT_INSTRUCTIONS.html »
Events on files: CREATE

Example: « file.docx » -> encryption -> add extension -> « file.docx.encrypted » OR « file.docx.cryptolocker »

Page 8: CryptoLocker Remediation

File types affected

*.zip ; *.rar ; *.7z ; *.tar ; *.gzip ; *.jpg ; *.jpeg ; *.tif ; *.psd ; *.cdr ; *.dwg ; *.max ; *.bmp ; *.gif ; *.png ; *.doc ; *.docx ; *.xls ; *.xlsx ; *.ppt ; *.pptx ; *.txt ; *.pdf ; *.djvu ; *.htm ; *.html ; *.mdb ; *.cer ; *.p12 ; *.pfx ; *.kwm ; *.pwm ; *.1cd ; *.md ; *.mdf ; *.dbf ; *.odt ; *.vob ; *.iso ; *.ifo ; *.csv ; *.torrent ; *.mov ; *.m2v ; *.3gp ; *.mpeg ; *.mpg ; *.flv ; *.avi ; *.mp4 ; *.wmv ; *.divx ; *.mkv ; *.mp3 ; *.wav ; *.flac ; *.ape ; *.wma ; *.ac3 ; *.epub ; *.eps ; *.ai ; *.pps ; *.pptm ; *.accdb ; *.pst ; *.dxf ; *.dxg ; *.wpd ; *.dcr ; *.kdc ; *.p7b ; *.p7c ; *.raw ; *.qbb ; *.indd ; *.qbw

Page 9: CryptoLocker Remediation

Identification of the impacted files

AFTER INFECTION: DatAdvantage

― Check for a high number of OPEN, RENAME and CREATE events generated by a single user account, filtering on the file extensions listed above (report « 01.A.01 - User Access Log »)

― Check for statistically significant deviations in access events from the (infected) user or computer (« Alerts – Daily deviation »)

DURING INFECTION (DETECT & ARREST): DatAlert

― Configure a threshold alert on file server OPEN, RENAME and CREATE events

― Configure an automatic action that disables the user account in the directory service, to arrest the file encryption before it propagates

Page 10: CryptoLocker Remediation

They’re in—now what?

Page 11: CryptoLocker Remediation

6 Mitigation Tips

1. Eliminate Global Access

2. Eliminate Excessive Permissions

3. Alert on Privilege Escalations

4. Alert on Behavioral Deviations

5. Set Up Honeypots

6. Closely Monitor High-Risk People and Data

Page 12: CryptoLocker Remediation

Tip #1: Eliminate Global Access

Locate groups like “Everyone” and “Authenticated Users”

and replace them with tighter security groups

How do I avoid cutting off legitimate access?

Page 13: CryptoLocker Remediation

Tip #2: Eliminate Excessive Permissions

People and software!

Figure out what people have access to but shouldn’t

Amazon-like recommendations

Auto-expire temporary access

Periodically review entitlements

Page 14: CryptoLocker Remediation

Tip #3: Alert on Privilege Escalations

Do you know when someone gets root access?

Page 15: CryptoLocker Remediation

Tip #4: Alert on Behavioral Deviations

Behavioral activity spikes (email, files, access denied)

Monitor activity outside of normal business hours

Page 16: CryptoLocker Remediation

Tip #5: Set Up Honeypots

Set up a shared folder that is open to everyone

X:\Share\Payroll

X:\Share\Confidential

X:\Share\CEO

See who abuses it
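The two tips that translate directly into file-server configuration are Tip #1 (find the folders where global groups can write) and Tip #5 (a bait folder that logs every access). The following is an added example written for this page, not code from the Varonis deck or a Varonis tool: a plain PowerShell ACL sweep and honeypot setup. The paths 'D:\Share' and 'D:\Share\Payroll' are placeholders, 'CORP\Domain Users' stands in for the local domain's catch-all group, and the honeypot SACL only produces Security log events if object-access auditing is enabled in the audit policy.

```powershell
# Added example, not code from the Varonis deck: an ACL sweep for Tip #1
# (find folders where Everyone or Authenticated Users can write) and the
# honeypot folder from Tip #5, in plain PowerShell. Assumptions: 'D:\Share'
# and 'D:\Share\Payroll' are placeholder paths; 'CORP\Domain Users' stands for
# the local domain's catch-all group; object-access auditing must be enabled
# in the audit policy for the honeypot SACL to produce events; run elevated.

$GlobalPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'CORP\Domain Users')
# Any of these rights lets a ransomware process running as the user rewrite files.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-GlobalWriteAccess {
    # Explicit Allow ACEs under $Root granting a global principal a write right
    # (Modify and FullControl include them). Inherited ACEs are skipped: fixing
    # the ACE where it is defined fixes every folder below it.
    param([Parameter(Mandatory)][string]$Root)
    $dirs = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
                $GlobalPrincipals -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) {
                [pscustomobject]@{ Folder = $dir.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

function New-HoneypotFolder {
    # Tip #5: a folder open to Everyone whose SACL records every read, write
    # and delete (Security log event 4663 once 'Audit Object Access' is on).
    # Nobody has a legitimate reason to use it, so any access is a lead, and a
    # CryptoLocker run renaming the bait files is an early, unambiguous signal.
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Force -Path $Path | Out-Null
    $acl = Get-Acl -LiteralPath $Path -Audit
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Bait of the file types listed on page 8, so a scan finds something worth encrypting.
    foreach ($name in 'Payroll_2015.xlsx', 'Bonus_plan.docx', 'Salaries.pdf') {
        Set-Content -LiteralPath (Join-Path $Path $name) -Value 'honeypot bait'
    }
}

Find-GlobalWriteAccess -Root 'D:\Share' | Format-Table -AutoSize
New-HoneypotFolder -Path 'D:\Share\Payroll'
```

The sweep answers "where is global access", not "who actually needs it"; to avoid cutting off legitimate users, compare each reported folder against the access log (the User Access Log report from page 9) and put the identities that really used it into the named group that replaces the global ACE.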

Page 17: CryptoLocker Remediation

Tip #6: Monitor High Risk People and Data

Alert or auto-quarantine sensitive data when it shows up

in a public place

Watch what root/domain admins are doing

Watch what contractors are doing

Page 18: CryptoLocker Remediation

Detecting CryptoLocker

Alert on more than 100 file modify events from a single user in under a minute.

The alert triggers an action that:

Notifies IT admins

Grabs the user name and machine

Checks the machine's registry for the key/value that CryptoLocker creates:

(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()

HKCU: resolves to the hive of the account running the command. Run from the alerting server rather than inside the infected user's session, the check has to read that user's hive (HKEY_USERS\<SID>) on the machine where they are logged on.

If the value exists, disables the user automatically ($actingObject is the acting user supplied by the alert):

Disable-ADAccount -Identity $actingObject
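The detection described on page 9 (a burst of OPEN/RENAME/CREATE events from one account, filtered on the page 7 naming patterns) and the response sequence on this page can be expressed without the Varonis tooling. The block below is an added example written for this page, not code from the deck or from DatAlert. The event records with User, Computer, Time, Event and Path fields are a constructed stand-in for whatever the monitoring product exports; the threshold (100 events in 60 seconds) is the deck's own; the regular expression covers a subset of the page 8 extensions and assumes the "random 7 characters" are alphanumeric; the registry check and Disable-ADAccount need PowerShell remoting to the workstation and the RSAT ActiveDirectory module, so the constructed run only exercises detection.

```powershell
# Added example, not code from the Varonis deck: the detection logic the deck
# describes on pages 9 and 18 (burst of OPEN/RENAME/CREATE events from one
# user, page 7 naming patterns, registry indicator, disable the account)
# written as plain PowerShell over constructed event records.
# Assumptions: event records with User/Computer/Time/Event/Path fields are a
# constructed stand-in for a DatAdvantage/DatAlert export; the threshold
# (100 events in 60 s) is the value the deck uses; $RenamedPattern covers a
# subset of the page 8 extensions and treats the "random 7 characters" as
# alphanumeric.

$RenamedPattern = '\.(docx?|xlsx?|pptx?|pdf|txt|jpe?g|png|zip|rar|7z|mdb|accdb|pst)\.(encrypted|cryptolocker|[A-Za-z0-9]{7})$'
$RansomNotes    = @('DECRYPT_INSTRUCTION.txt', 'DECRYPT_INSTRUCTIONS.html')

function Test-CryptoLockerName {
    # True for a file name CryptoLocker would produce: a data file with one of
    # the appended extensions, or one of the two ransom-note names (page 7).
    param([Parameter(Mandatory)][string]$Path)
    $leaf = Split-Path -Path $Path -Leaf
    return ($leaf -match $RenamedPattern) -or ($RansomNotes -contains $leaf)
}

function Find-BurstUsers {
    # Users with more than $Threshold OPEN/MODIFY/RENAME/CREATE events inside
    # any sliding window of $WindowSeconds, plus how many of their paths
    # already look CryptoLocker-renamed.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 100,
        [int]$WindowSeconds = 60
    )
    $watched = @('OPEN', 'MODIFY', 'RENAME', 'CREATE')
    $groups  = $Events | Where-Object { $watched -contains $_.Event } | Group-Object -Property User
    foreach ($g in $groups) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -gt $Threshold) {
                [pscustomobject]@{
                    User     = $g.Name
                    Computer = ($g.Group | Select-Object -First 1).Computer
                    Count    = $end - $start + 1
                    Renamed  = @($g.Group | Where-Object { Test-CryptoLockerName -Path $_.Path }).Count
                }
                break
            }
        }
    }
}

function Get-CryptoLockerRegistryCount {
    # Page 18 checks HKCU:\Software\CryptoLocker\Files, where CryptoLocker
    # records the files it has encrypted. From the alerting server, HKCU: is
    # the service account's hive, not the victim's, so resolve the user's SID
    # and read HKEY_USERS\<SID> on the machine they are logged on to
    # (requires PowerShell remoting to $Computer). Returns the value count.
    param([Parameter(Mandatory)][string]$User, [Parameter(Mandatory)][string]$Computer)
    $sid = (New-Object System.Security.Principal.NTAccount($User)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $key = "Registry::HKEY_USERS\$sid\Software\CryptoLocker\Files"
    Invoke-Command -ComputerName $Computer -ArgumentList $key -ScriptBlock {
        param($k)
        if (Test-Path -LiteralPath $k) { @((Get-Item -LiteralPath $k).GetValueNames()).Count } else { 0 }
    }
}

function Invoke-CryptoLockerResponse {
    # The deck's DatAlert action in order: burst -> registry check ->
    # Disable-ADAccount (RSAT ActiveDirectory module). Dry run unless -Disable.
    param([Parameter(Mandatory)][object[]]$Events, [switch]$Disable)
    foreach ($hit in Find-BurstUsers -Events $Events) {
        $regCount = Get-CryptoLockerRegistryCount -User $hit.User -Computer $hit.Computer
        Write-Warning ("{0} on {1}: {2} events/60s, {3} CryptoLocker-style names, {4} registry entries" -f
            $hit.User, $hit.Computer, $hit.Count, $hit.Renamed, $regCount)
        if ($regCount -gt 0 -or $hit.Renamed -gt 0) {
            $sam = ($hit.User -split '\\')[-1]
            Disable-ADAccount -Identity $sam -WhatIf:(-not $Disable)
        }
    }
}

# Constructed sample: 150 renames to *.encrypted by CORP\jdoe within 30 s
# (above threshold) and 3 ordinary opens by CORP\asmith (below).
$t0 = Get-Date '2015-12-21 09:00:00'
$sample = @(
    foreach ($i in 0..149) {
        [pscustomobject]@{ User = 'CORP\jdoe'; Computer = 'WS-042'; Event = 'RENAME'
                           Time = $t0.AddMilliseconds($i * 200)
                           Path = "D:\Share\Finance\report$i.xlsx.encrypted" }
    }
    foreach ($i in 0..2) {
        [pscustomobject]@{ User = 'CORP\asmith'; Computer = 'WS-017'; Event = 'OPEN'
                           Time = $t0.AddSeconds($i * 10); Path = "D:\Share\HR\memo$i.docx" }
    }
)
Find-BurstUsers -Events $sample | Format-Table -AutoSize
# Invoke-CryptoLockerResponse -Events $sample -Disable   # needs remoting + RSAT
```

On the constructed sample, Find-BurstUsers reports CORP\jdoe with 101 events in the window and 150 CryptoLocker-style names, and nothing for CORP\asmith. The Renamed count is the cheap corroboration to pair with the registry check: a legitimate bulk copy also produces a burst, but not files named *.xlsx.encrypted.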

Page 19: CryptoLocker Remediation

Detecting CryptoLocker - DatAlert configuration

Page 20: CryptoLocker Remediation

Cleaning your filers using a DatAdvantage report

Identify infected files: create a report that lists all files modified over the last 30 days.

XML template containing predefined filters for DatAdvantage (v6.0.52)

Page 21: CryptoLocker Remediation

Remediating File Servers

Restore the files from a backup or from Volume Shadow Copies (Windows servers, if enabled) once the infected/encrypted files have been identified.

Another option: the encryption may be reversible. Using a debugger or disassembler on the PE (Portable Executable) that encrypted the files from the user's session, it may be possible to skip the code path where the encryption takes place and run the part that decrypts the files, without obtaining the decryption key.

Whether this works depends on the CryptoLocker variant: it only applies to variants whose symmetric key is still recoverable from the running process or the host. Where the per-file key is wrapped with the attacker's RSA-2048 public key, the files cannot be recovered without the corresponding private key.
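The restore path from the two slides above (take the list of modified files from the page 20 report, recover pre-infection versions from a shadow copy) is shown here as an added example written for this page; it is not code from the Varonis deck. It assumes the encrypted-file list is constructed and uses local paths on the file server, that the script runs elevated on that server (Win32_ShadowCopy and mklink both require it), and that the infection time is the timestamp of the first alert. It is a dry run unless -Commit is given.

```powershell
# Added example, not code from the Varonis deck: restores the files identified
# as encrypted (the modified-files report on page 20) from the newest Volume
# Shadow Copy taken before the infection, the first option on page 21.
# Assumptions: the encrypted-file list is constructed and uses local paths on
# the file server; the script runs elevated on that server (Win32_ShadowCopy
# and mklink need it); $InfectedAt is the time of the first alert. Dry run
# unless -Commit is given.

function Get-OriginalName {
    # Undo the rename from page 7: report.xlsx.encrypted -> report.xlsx.
    # Returns $null for names without an appended extension, so untouched
    # files are never overwritten. A legitimate 7-letter extension (e.g.
    # .torrent) also matches the random-extension branch; review the dry-run
    # output before committing.
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '^(.*\.[A-Za-z0-9]{1,5})\.(encrypted|cryptolocker|[A-Za-z0-9]{7})$') { return $Matches[1] }
    return $null
}

$shadowCache = @{}
function Get-PreInfectionShadow {
    # Newest shadow copy of the volume $Volume (e.g. 'D:\') created before
    # $InfectedAt. Win32_ShadowCopy.VolumeName is the \\?\Volume{GUID}\ form,
    # so map the drive letter through Win32_Volume first. Cached per volume.
    param([Parameter(Mandatory)][string]$Volume, [Parameter(Mandatory)][datetime]$InfectedAt)
    if (-not $shadowCache.ContainsKey($Volume)) {
        $letter = $Volume.TrimEnd('\')                                   # 'D:'
        $volId  = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$letter'").DeviceID
        $shadowCache[$Volume] = Get-CimInstance -ClassName Win32_ShadowCopy |
            Where-Object { $_.VolumeName -eq $volId -and $_.InstallDate -lt $InfectedAt } |
            Sort-Object -Property InstallDate -Descending | Select-Object -First 1
    }
    return $shadowCache[$Volume]
}

function Restore-FromShadow {
    param(
        [Parameter(Mandatory)][string[]]$EncryptedPaths,
        [Parameter(Mandatory)][datetime]$InfectedAt,
        [string]$Quarantine = 'D:\Quarantine',
        [switch]$Commit
    )
    foreach ($enc in $EncryptedPaths) {
        $orig = Get-OriginalName -Path $enc
        if (-not $orig) { [pscustomobject]@{ Path = $enc; Status = 'not a CryptoLocker name, skipped' }; continue }
        $volume = [System.IO.Path]::GetPathRoot($orig)                     # 'D:\'
        $shadow = Get-PreInfectionShadow -Volume $volume -InfectedAt $InfectedAt
        if (-not $shadow) {
            # Page 21's "if enabled": no usable snapshot means fall back to backup.
            [pscustomobject]@{ Path = $orig; Status = 'no pre-infection shadow copy, restore from backup' }; continue
        }
        # Expose the snapshot as a directory; GLOBALROOT paths need a trailing backslash.
        $link = Join-Path $env:TEMP ('vss_' + $shadow.ID.Trim('{}'))
        if (-not (Test-Path -LiteralPath $link)) { cmd /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null }
        $snap = Join-Path $link ($orig.Substring($volume.Length))
        if (-not (Test-Path -LiteralPath $snap)) {
            [pscustomobject]@{ Path = $orig; Status = 'not present in snapshot' }; continue
        }
        if ($Commit) {
            # Keep the encrypted copy: it is evidence, and a decryptor may exist later.
            New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
            Move-Item -LiteralPath $enc -Destination (Join-Path $Quarantine (Split-Path -Path $enc -Leaf)) -Force
            Copy-Item -LiteralPath $snap -Destination $orig
        }
        [pscustomobject]@{ Path = $orig; Status = $(if ($Commit) { 'restored' } else { 'would restore' }); Snapshot = $shadow.InstallDate }
    }
}

# Constructed input: two renamed files and one untouched file, infection at 09:00.
$encrypted = @('D:\Share\Finance\report.xlsx.encrypted',
               'D:\Share\Finance\budget.docx.cryptolocker',
               'D:\Share\Finance\archive.tar.gz')
Restore-FromShadow -EncryptedPaths $encrypted -InfectedAt (Get-Date '2015-12-21 09:00:00') | Format-Table -AutoSize
```

Run it without -Commit first and check that every row reads "would restore" against a snapshot older than the first alert; a row reporting no pre-infection shadow copy is the case the slide's "if enabled" refers to, and those files come back from backup instead.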

Page 22: CryptoLocker Remediation

For More Information…

Join the Varonis Connect Community Developer Forum:

https://connect.varonis.com/community/developercommunity/blog/2014/10/16/powershell-tools-for-cryptolocker

Page 23: CryptoLocker Remediation

Free Threat Assessment

http://bit.ly/threatcheck

Page 24: CryptoLocker Remediation

Thank you!