Crypto Epidemic Corporate Issue Please Help


18 replies to this topic

#1 billo1007 (Members, 16 posts)

Posted 23 December 2015 - 10:40 AM

Hi Guys,

First off, I have followed these forums for a long time; you know it's bad news when I am returning.

Anyway, why I am here: I work for a company, and we have been infected twice in the last week, first by TeslaCrypt 2.0 and then by CryptoWall 4.0. These look like two isolated incidents on two different computers, and neither of the users has admin rights on his PC. Both machines have AVG Pro 2015.

Infection 1 - A user, in his own words, opened some internet windows and files; AVG went nuts, picked it up and did nothing. It encrypted our whole file server and his machine. I restored our file server from backup and everything went fine the following day. I have traced the infection here and am happy that it came in through a Flash file that was opened in the AppData folder. FYI, TeslaCrypt also encrypted the network shares with open permissions.

Infection 2 - This is a trickier one: we do not know how this got in. We have identified the machine, and the virus looks like a completely different one; I can confirm it is CryptoWall 4.0 (different type of encryption and encryption strength). Also, this one did not set off the AVG antivirus; it backdoored AVG and encrypted the file server again about 24 hours after the first incident, quite unbelievable really.

Obviously I realize we need to up our game here in regards to security. The main questions I have are:

1. How can I find out how the virus got onto the second machine? Malwarebytes did pick it up, but I would like a way to be sure so I can report back.

- I have checked all the email the user received and cannot find anything remotely suspicious.

- I have gone through her PC with MBAM, ComboFix, Stinger, HouseCall and AVG.

- I'd like to add that it is unclear what Malwarebytes found here specifically.

2. I have pasted a list of the actions we have taken to prevent this below; is there anything I am missing, or that can be added?

Actions we have taken:

- Enabled IPS on our firewall. (CryptoWall 4 apparently bypasses this.)

- Enabled a proxy system for the users, blocking .EXE and .SWF files amongst some others. (CryptoWall 4 apparently bypasses this.)

- Looking at getting FireEye or AV on our firewall. (CryptoWall 4 apparently bypasses this.)

- Full scan with Malwarebytes Free on all of our machines; this turned up pretty much nothing, tbh. Not surprised, as we are generally on top of things here. (CryptoWall 4 apparently bypasses this.)

- %appdata% folder in Windows: we are adding some GPOs to block files from running from here unless they are whitelisted applications. I reckon this will cut all viruses out. (CryptoWall 4 apparently bypasses this.)

- GPOs to disable running of .EXE in general.

- Changed NTFS share permissions to Modify.

Regards M


Edited by billo1007, 23 December 2015 - 10:43 AM.
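Both incidents above ended with the file server encrypted from a workstation. As an added example that is not part of the original post: a PowerShell function that attributes the share encryption to the account that did the writing. Ransomware running on a workstation writes to the share as the logged-on user, so the NTFS owner of the freshly written files and ransom notes names the account, and therefore the PC, to pull off the network first; the write timestamps give the window to line up with proxy and firewall logs, and the folders holding notes show how far the account's write access reached. The share path, the time and the ransom-note pattern are assumptions; it needs to run before the restore (or against a copy of the encrypted share) by an account that can read ACLs on it.

```powershell
# Added example, not from the thread: attribute a share-wide encryption event to the account
# that wrote the encrypted files. Assumptions: the share is still in its encrypted state (or you
# point this at a pre-restore copy), and the caller can read the ACLs of the files on it.
function Get-RansomwareWriter {
    param(
        [Parameter(Mandatory)] [string]   $SharePath,
        [Parameter(Mandatory)] [datetime] $Since,
        # Name pattern of the dropped ransom note. 'HELP_YOUR_FILES*' is the note CryptoWall 4.0
        # drops; change it to whatever the notes on your share are called.
        [string] $NotePattern = 'HELP_YOUR_FILES*'
    )

    $recent = Get-ChildItem -LiteralPath $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since }

    # One Get-Acl per file is slow on a big share, so only the recently written set is inspected.
    $writes = foreach ($f in $recent) {
        $owner = 'unknown'
        try { $owner = (Get-Acl -LiteralPath $f.FullName).Owner } catch { }
        [pscustomobject]@{
            Path    = $f.FullName
            Owner   = $owner
            Written = $f.LastWriteTime
            IsNote  = ($f.Name -like $NotePattern)
        }
    }

    $sorted = @($writes | Sort-Object Written)
    $window = $null
    if ($sorted.Count -gt 0) {
        $window = [pscustomobject]@{ First = $sorted[0].Written; Last = $sorted[-1].Written }
    }

    [pscustomobject]@{
        # The account with by far the most recent writes is the compromised session.
        ByOwner     = $writes | Group-Object Owner | Sort-Object Count -Descending |
                      Select-Object Name, Count
        # First and last write: the encryption window to search proxy and firewall logs for.
        Window      = $window
        # TeslaCrypt appends an extension, CryptoWall 4 randomises whole names; either way the
        # top extensions of the new files tell you which family you are looking at.
        ByExtension = $writes | Group-Object { [IO.Path]::GetExtension($_.Path).ToLowerInvariant() } |
                      Sort-Object Count -Descending | Select-Object -First 5 Name, Count
        # Every folder holding a note was writable by that account: the blast radius that
        # tighter share and NTFS permissions have to shrink.
        NoteFolders = $writes | Where-Object IsNote | ForEach-Object { Split-Path $_.Path } |
                      Sort-Object -Unique
        # Writes per minute: a steady burst of hundreds per minute is a program, not a person.
        PerMinute   = $writes | Group-Object { $_.Written.ToString('yyyy-MM-dd HH:mm') } |
                      Sort-Object Name | Select-Object Name, Count
    }
}

# Example call from an admin workstation; share path and time are assumptions.
# $r = Get-RansomwareWriter -SharePath '\\fileserver\data' -Since (Get-Date).AddHours(-36)
# $r.ByOwner; $r.Window; $r.NoteFolders; $r.PerMinute | Select-Object -First 20
```

If ByOwner shows the domain user of the already-identified workstation, the second incident is explained at least as far as the share is concerned; if it shows a second account, there is a third infected machine. PerMinute also makes the point that the share was encrypted over a span the IPS and proxy logs can be searched for.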




#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,670 posts)

Posted 23 December 2015 - 11:28 AM

- Full scan of malware bytes free on all of our machines - this turned up pretty much nothing tbh. Not surprised as we are generally on top of things here. (Cryptowall 4 apparently bypasses this)

I just want to say that right now, you breached the Terms and Conditions of Use of Malwarebytes Anti-Malware, so I wouldn't do that again in the future. If you want to use Malwarebytes in a corporate environment, you'll have to buy it.

Also, on a side note, you say that CryptoWall 4 "bypasses" this on everything; it isn't true. CryptoWall 4.0 isn't only one executable: some of them are detected and blocked, some of them are FUD and can go through the security that is in place on a network. It really depends on how the system gets hit, what access the user has, etc. For instance, where I work, most of the ransomware infections via email are blocked by our Barracuda Networks appliance before reaching the Exchange server, while most of the infections via 0-day on the web aren't totally blocked. Considering the fact that we do run outdated versions of some software, it makes it even harder to block them.

Edited by Aura, 23 December 2015 - 11:40 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 11:56 AM

 

We are actually going to buy Malwarebytes for all of our computers; we are just deciding whether to use HitmanPro or Malwarebytes. I have taken note of this, apologies.

In regard to CryptoLocker bypassing things: actually, it's listed online as being known to bypass IPS systems, and FireEye systems too. It backdoored my own antivirus; I have seen versions of CryptoLocker backdoor other AV products, and I have also seen Conficker and Cutwail backdoor AV.

Viruses backdoor antivirus programs.

What is FUD?
Also, when you say "zero day on the web", can you elaborate on this? Are you talking about a zero day on the web server or on the client PC?

Additionally, one would think a zero day on the client side is covered under my AppData folder suggestion, right?


#4 Jo* (Malware Response Team, 3,428 posts, Germany)

Posted 23 December 2015 - 11:58 AM

Hi,

Q2: I have pasted a list of the actions we have taken to prevent this below, is there anything I am missing? or can be added?

Add protection against exploits and drive-by downloads.
Example: Malwarebytes Anti-Exploit for Business
But there are other tools on the market as well.


Q1: How can I find out how the virus got onto the second machine?

Scan the infected PC with ESET Online Scanner.

Connect any existing external hard drives and/or other removable media.

Note:
It is recommended to disable the onboard antivirus program and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable your antivirus along with your antispyware programs.


If this program is already installed: skip the installation and run only the scan!
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the "ESET Online Scanner" button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on "ESET Smart Installer" to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.
  • Check the box to accept the Terms of Use.
  • Click the "Start" button.
  • Accept any security warnings from your browser.
  • Check "Scan archives".
  • Make sure that the option "Remove found threats" is unchecked.
  • Push the "Start" button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient, as this can take some time.
  • When the scan completes, push "List Threats".
  • Push "Export", and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for the report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Push the "Back" button.
  • Select the "Uninstall application on close" check box and push "Finish".

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,596 posts, Virginia, USA)

Posted 23 December 2015 - 12:00 PM

Crypto malware and other forms of ransomware are typically spread and delivered through social engineering (trickery) and user interaction: opening a malicious email attachment (usually from an unknown or unsolicited source), or clicking on a malicious link within an email or on a social networking site. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Still another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convincing them to manually enable macros that allow the malicious code to run. Social engineering has become one of the most prolific tactics for distribution of malware, identity theft and fraud.

Crypto malware can also be delivered via exploit kits and drive-by downloads when visiting compromised web sites; see US-CERT Alert (TA14-295A). There have been reports that some victims have encountered crypto malware following a previous infection from one of several botnets (such as Zbot, frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites; see US-CERT Alert (TA13-309A). And there have been cases where crypto malware has been reported to spread via YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Aura (Bleepin' Special Ops, Malware Response Team, 19,670 posts)

Posted 23 December 2015 - 12:48 PM

I have seen versions of crypto locker backdoor other AV products, also seen Conficker and Cutwail backdoor AV too.

Don't you mean "bypass"? A backdoor in software and bypassing software aren't the same thing at all :) If ransomware really had "backdoors" in antivirus products, we would have a big, big problem.

What is FUD?

FUD stands for "Fully Undetectable". We use that term when a malicious sample, payload, etc. isn't detected by any antivirus or security software (like scanning it on VirusTotal returns 0 detections on 66 engines). A lot of crooks will advertise what they call "crypters", which are programs used by hackers and spreaders to make their malicious payloads FUD.

Also when you say "zero day on the web" can you elaborate on this, are you talking about zero day on the webserver or client pc?

0-days you get when navigating the web (like getting hit by an Exploit Kit delivered via malvertising).



#7 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 01:53 PM

Brilliant post, thank you very much.



#8 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 02:01 PM

 

 

Don't you mean "bypass"? A backdoor in a software, and bypassing a software aren't the same thing at all :) If Ransomwares really had "backdoors" in Antivirus products, we would have a big, big problem.

Obviously I meant bypass, which you knew! And theoretically it could still be described as a backdoor or an exploit of Windows, because that is what it is.

FUD stands for "Fully Undetectable". We use that term when a malicious sample, payload, etc. isn't detected by any Antivirus or security software (like scanning it on VirusTotal returns 0 detections on 66 engines). A lot of crooks will advertise what they call "crypters", which are programs used by hackers and spreaders to make their malicious payloads FUD.

Extremely helpful info, thank you very much for this. Yes, the files they are using are encrypted, agreed; I was aware of this already, and of this being a massive problem with AV these days.

0-days you get when navigating the web (like get hit by an Exploit Kit delivered via malvertising).

Excellent again, thank you. Can you perhaps outline the technical steps on this one as to how it gets deployed? I.e., the technical steps for CryptoLocker I would describe as: user opens file -> PC makes contact with server to get user account and encryption key -> server sends info to PC along with some other things (viruses and commands, code updates, etc.) -> PC begins encrypting locally and does a network scan for shared folders, and ransom demands are deployed.



#9 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 02:03 PM

Can I also ask how Malwarebytes Anti-Exploit will help? In comparison to banning the files from the AppData folder, it does not seem as effective a suggestion, tbh.

All the help I can get is great, and some good posts; thanks guys.



#10 Aura (Bleepin' Special Ops, Malware Response Team, 19,670 posts)

Posted 23 December 2015 - 02:17 PM

Everything you need to know about Malwarebytes Anti-Exploit and how it can help you mitigate 0-days is on the web page for the product.

https://www.malwarebytes.org/business/antiexploit/

Also, I don't know how putting GPOs on %appdata% will help, since %appdata% is AppData\Roaming, and not AppData\Local, where the Temp folder is and where payloads often get dropped :)



#11 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 02:23 PM

Thanks again. I should have been more specific and said all AppData folders. I watched the ads and read about it; I don't buy it seeing encrypted code, I'm sorry.

Can someone actually technically explain how this is going to be better at stopping encrypted files than a GPO blocking all files from running in the AppData folders?


Edited by billo1007, 23 December 2015 - 02:27 PM.


#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,596 posts, Virginia, USA)

Posted 23 December 2015 - 02:27 PM

Malwarebytes Anti-Exploit is an action-level security application that runs in the background as a standard Windows service and protects against the malicious action of exploiting software vulnerabilities: it blocks zero-day exploits that target browser and application vulnerabilities, blocks exploit kits and defends against drive-by download attacks. Malwarebytes Anti-Exploit provides four layers of exploit protection: application hardening, protection against operating system security bypasses, memory caller protection, and application behavior protection. MBAE continuously monitors popular applications, preventing vulnerabilities in software and browsers from being exploited, and blocks unknown and known exploit kits, proactively preventing the exploit from installing its payload before it can do damage.

#13 billo1007 (Topic Starter, Members, 16 posts)

Posted 23 December 2015 - 04:01 PM

 


#14 Jo* (Malware Response Team, 3,428 posts, Germany)

Posted 23 December 2015 - 06:20 PM

It is not a question of what is better.

But you would have better protection doing both of them.



#15 billo1007 (Topic Starter, Members, 16 posts)

Posted 24 December 2015 - 05:19 AM

It is not a question what is better.

But you would have a better protection doing both of it.

Good answer, and thank you so much for that ESET recommendation; this found the virus on the laptop, and I have scanned it with AVG, Trend, Stinger, MBAM and a few others.

ESET found the following on the second machine; it had CryptoWall 4 on it.

1. JS/Kryptik.AYR Trojan

2. SWF/EXPLOIT.ExKitBH Trojan

3. JS/Exploit.Agent.NLF Trojan

Does this shed any more light on this?
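The three ESET names above (obfuscated JavaScript, an SWF exploit-kit file and a JavaScript exploit) are what a browser drive-by leaves in the browser cache and Temp folders under AppData\Local, which is why an e-mail review found nothing. As an added example that is not part of the original thread: a PowerShell function that builds a creation-time timeline of the user's profile around the detection time, so the landing page, the Flash exploit and the dropped payload can be found and their timestamps matched against the proxy log for the referring site. The profile path and the pivot time are assumptions; run it against the profile on the machine with the user logged off, or against the disk mounted read-only on an analysis box.

```powershell
# Added example, not from the thread: creation-time timeline of a user profile around the
# infection. Assumptions: $ProfilePath is the user's profile folder and $Around comes from the
# ESET log or from the first encrypted file on the share.
function Get-ProfileDropTimeline {
    param(
        [Parameter(Mandatory)] [string]   $ProfilePath,
        [Parameter(Mandatory)] [datetime] $Around,
        [int] $MinutesBefore = 120,
        [int] $MinutesAfter  = 30,
        # Extensions exploit kits and their droppers leave behind; extend as the case needs.
        [string[]] $Extensions = @('.swf', '.js', '.html', '.htm', '.exe', '.dll', '.tmp', '.jar')
    )
    $from = $Around.AddMinutes(-$MinutesBefore)
    $to   = $Around.AddMinutes($MinutesAfter)

    # Browser caches and Temp live under AppData\Local while Flash's own cache is under Roaming,
    # so the whole AppData tree is walked rather than %AppData% alone.
    Get-ChildItem -LiteralPath (Join-Path $ProfilePath 'AppData') -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.CreationTime -ge $from -and $_.CreationTime -le $to -and
            $Extensions -contains $_.Extension.ToLowerInvariant()
        } |
        Sort-Object CreationTime |
        Select-Object CreationTime, Length,
            @{ n = 'Path'; e = { $_.FullName.Substring($ProfilePath.Length) } }
}

# Example call; path and time are assumptions.
# Get-ProfileDropTimeline -ProfilePath 'C:\Users\jane' -Around '2015-12-22 14:05' | Format-Table -AutoSize
```

Read the output bottom-up from the first .exe or .tmp in Temp: the .swf and .js entries created a few seconds earlier in the browser cache are the exploit kit, and the proxy log for that user in the same minute gives the site and the ad network that served it. Submit the dropped executable's hash to VirusTotal rather than trusting a local scan, since the FUD point made earlier in the thread is exactly why the resident AV saw nothing.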





