CryptoLocker Remediation
DESCRIPTION
How to use Varonis DatAdvantage to remediate a CryptoLocker attack
TRANSCRIPT
VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Our mission is to help enterprises realize value from their unstructured data.
CryptoLocker Remediation
About Varonis
Started operations in 2005
Over 3000 Customers
(as of September, 2014)
Software Solutions for
Human Generated Data
A Story About Trees
Focus on Frequency
The Crypto Locker
Crypto Locker
CryptoLocker is a well-known Trojan/virus that is spread all over
the internet.
It usually enters the company by email.
The latest variant was not detected by any anti-virus or firewall.
If a user runs the executable, it immediately starts scanning
network drives, renames all the files and folders and encrypts
them.
The most effective counter-measure to identify and limit the damage
is to use DatAdvantage and DatAlert.
Actions and behavior

Action: Encrypt files
  Notes: Uses an RSA 2048-bit key to encrypt the files. The encryption cipher seems to be symmetrical (depending on the CryptoLocker variant).
  Events on files: OPEN then MODIFY

Action: Add file extension (next to the existing one)
  Notes: Adds one of these new extensions to the end of the file name (depending on the CryptoLocker variant):
    - « .encrypted » OR
    - « .cryptolocker » OR
    - « .<RANDOM 7 characters> »
  Events on files: RENAME

Action: Instruction files written in each directory
  Notes: Writes a file containing a link to a web page with instructions to decrypt the files (requires the user to pay some bitcoins). The file names are:
    - « DECRYPT_INSTRUCTION.txt » OR
    - « DECRYPT_INSTRUCTIONS.html »
  Events on files: CREATE

[Diagram: « file.docx » → Encryption → Add extension → « file.docx » + « .encrypted » OR « .cryptolocker »]
Filetypes affected
*.zip ; *.rar ; *.7z ; *.tar ; *.gzip ; *.jpg ; *.jpeg ; *.tif ; *.psd ;
*.cdr ; *.dwg ; *.max ; *.bmp ; *.gif ; *.png ; *.doc ; *.docx ;
*.xls ; *.xlsx ; *.ppt ; *.pptx ; *.txt ; *.pdf ; *.djvu ; *.htm ;
*.html ; *.mdb ; *.cer ; *.p12 ; *.pfx ; *.kwm ; *.pwm ; *.1cd ;
*.md ; *.mdf ; *.dbf ; *.odt ; *.vob ; *.iso ; *.ifo ; *.csv ;
*.torrent ; *.mov ; *.m2v ; *.3gp ; *.mpeg ; *.mpg ; *.flv ;
*.avi ; *.mp4 ; *.wmv ; *.divx ; *.mkv ; *.mp3 ; *.wav ; *.flac ;
*.ape ; *.wma ; *.ac3 ; *.epub ; *.eps ; *.ai ; *.pps ; *.pptm ;
*.accdb ; *.pst ; *.dwg ; *.dxf ; *.dxg ; *.wpd ; *.dcr ; *.kdc ;
*.p7b ; *.p7c ; *.raw ; *.cdr ; *.qbb ; *.indd ; *.qbw
Identification of the impacted files
AFTER INFECTION: DatAdvantage
― Check for a high number of OPEN, RENAME and CREATE events
generated by a single user account, filtering on the affected file extensions
Report « 01.A.01 - User Access Log »
― Check for a statistically significant deviation in access events from
the (infected) user/computer
« Alerts – Daily deviation »
DURING INFECTION (DETECT & ARREST): DatAlert
― Configure a threshold alert on file server OPEN, RENAME and
CREATE events
― Configure an automatic action that disables the user account in the
directory service, to arrest file encryption before it propagates
They’re in—now what?
6 Mitigation Tips
1. Eliminate Global Access
2. Eliminate Excessive Permissions
3. Alert on Privilege Escalations
4. Alert on Behavioral Deviations
5. Set up Honeypots
6. Closely Monitor High-Risk People and Data
Tip #1: Eliminate Global Access
Locate groups like “Everyone” and “Authenticated Users”
and replace them with tighter security groups
How do I avoid cutting off legitimate access?
Tip #2: Eliminate Excessive Permissions
People and software!
Figure out what people have access to but shouldn’t
Amazon-like recommendations
Auto-expire temporary access
Periodically review entitlements
Tip #3: Alert on Privilege Escalations
Do you know when someone gets root access?
Tip #4: Alert on Behavioral Deviations
Behavioral activity spikes (email, files, access denied)
Monitor activity outside of normal business hours
Tip #5: Set up Honeypots
Set up a shared folder that is open to everyone
X:\Share\Payroll
X:\Share\Confidential
X:\Share\CEO
See who abuses it
Tip #6: Monitor High Risk People and Data
Alert or auto-quarantine sensitive data when it shows up
in a public place
Watch what root/domain admins are doing
Watch what contractors are doing
Detecting CryptoLocker
Alert on more than 100 file modify events from a
single user in under a minute
The alert triggers an action to:
Notify IT admins
Grab the username and machine
Check the machine's registry for the key/value that
CryptoLocker creates:
(Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()
If a value exists, disable the user automatically:
Disable-ADAccount -Identity $actingObject
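As an added example (not part of the deck and not Varonis's own tooling), the threshold rule above implemented in Python over a constructed file-server audit trail. It also scores the RENAME and CREATE indicators from the "Actions and behavior" slide (the appended extensions and the ransom-note file names) as supporting evidence, and mirrors the deck's decision of disabling the account only when the registry check on the alerting machine returns value names. The event format, the user and host names, the paths and the subset of affected extensions are assumptions made for the example.

```python
"""Added example: CryptoLocker threshold alert over constructed audit events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Indicators taken from the deck's "Actions and behavior" table
ENCRYPTED_SUFFIXES = (".encrypted", ".cryptolocker")
RANDOM_SUFFIX = re.compile(r"\.[A-Za-z0-9]{7}$")        # « .<RANDOM 7 characters> »
NOTE_FILES = {"DECRYPT_INSTRUCTION.txt", "DECRYPT_INSTRUCTIONS.html"}
# Subset of the deck's affected file types (assumption for the example); a random
# 7-character suffix only counts when it was appended to one of these, so a
# legitimate name such as "archive.torrent" does not match.
ORIGINAL_EXT = (".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".zip", ".txt")

THRESHOLD = 100                      # "more than 100 file modify events"
WINDOW = timedelta(seconds=60)       # "... from a single user in under a minute"


def is_indicator(event_type, path):
    """True if this single event on its own looks like CryptoLocker activity."""
    name = path.rsplit("\\", 1)[-1]
    if event_type == "CREATE":
        return name in NOTE_FILES
    if event_type == "RENAME":
        if name.lower().endswith(ENCRYPTED_SUFFIXES):
            return True
        m = RANDOM_SUFFIX.search(name)
        return bool(m) and name[:m.start()].lower().endswith(ORIGINAL_EXT)
    return False


def detect(events):
    """Sliding-window threshold per user. Each event is a dict with keys
    ts (datetime), user, host, type, path. Returns one alert per user, raised
    the first time that user exceeds THRESHOLD MODIFY events inside WINDOW."""
    recent = defaultdict(deque)        # user -> timestamps of MODIFY events in window
    hits = defaultdict(int)            # user -> indicator events seen so far
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if is_indicator(ev["type"], ev["path"]):
            hits[user] += 1
        if ev["type"] != "MODIFY" or user in alerted:
            continue
        q = recent[user]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > WINDOW:   # drop timestamps older than a minute
            q.popleft()
        if len(q) > THRESHOLD:
            alerted.add(user)
            alerts.append({"ts": ev["ts"], "user": user, "host": ev["host"],
                           "modify_count": len(q), "indicators": hits[user]})
    return alerts


def decide_response(alert, registry_value_names):
    """Mirror the deck's automatic action: the handler reads the value names under
    HKCU:\\Software\\CryptoLocker\\Files on the alerting machine; if any exist the
    account is disabled, otherwise IT admins are only notified."""
    if registry_value_names:
        return {"action": "disable_account", "identity": alert["user"],
                "command": f"Disable-ADAccount -Identity {alert['user']}"}
    return {"action": "notify_only", "identity": alert["user"], "command": None}


def sample_events():
    """Constructed audit trail: one normal user and one infected session."""
    base = datetime(2014, 10, 16, 9, 0, 0)
    events = []
    for i in range(40):                # asmith saves a file every 15 seconds
        events.append({"ts": base + timedelta(seconds=15 * i), "user": "asmith",
                       "host": "WS-21", "type": "MODIFY",
                       "path": f"\\\\filer\\share\\notes\\notes{i}.txt"})
    for i in range(110):               # jdoe's session: OPEN, MODIFY, RENAME at 4 files/s
        t = base + timedelta(milliseconds=250 * i)
        p = f"\\\\filer\\share\\finance\\file{i}.docx"
        for kind, path in (("OPEN", p), ("MODIFY", p), ("RENAME", p + ".encrypted")):
            events.append({"ts": t, "user": "jdoe", "host": "WS-07",
                           "type": kind, "path": path})
    events.append({"ts": base + timedelta(seconds=30), "user": "jdoe", "host": "WS-07",
                   "type": "CREATE",
                   "path": "\\\\filer\\share\\finance\\DECRYPT_INSTRUCTION.txt"})
    return events


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a, decide_response(a, ["file0", "file1"]))
```

The window is evaluated per user on MODIFY events only, so the OPEN and RENAME that accompany each encrypted file do not inflate the count; they feed the indicator counter instead, which is what an analyst wants to see next to the alert before the account is disabled. Note that the deck's registry check uses the HKCU: drive, which resolves to the hive of the account the check runs as, so the lookup has to execute in the context of the alerting user's session on the alerting machine rather than from the admin's own console.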
Detecting CryptoLocker - DatAlert configuration
Cleaning your filers using a DatAdvantage Report
Identify infected files
Create a report to identify all modified files over the last 30 days
XML template containing predefined filters for DA (v6.0.52)
Remediating File Servers
Restore the files from a backup or from Volume Shadow Copies
(Windows servers; if enabled) after identifying the
infected/encrypted files.
Another solution: the encryption seems to be reversible.
Using a real-time disassembler on the PE (Portable Executable)
that infected the files through the computer/user session, it is
possible to skip the code path where the encryption mechanism
runs and activate the code path that decrypts the files, without
needing to obtain the decryption key.
This depends on the CryptoLocker variant that infected the files.
For More Information…
Join the Varonis Connect Community Developer Forum:
https://connect.varonis.com/community/developercommunity/blog/2014/10/16/powershell-tools-for-cryptolocker
Free Threat Assessment
http://bit.ly/threatcheck
Thank you!