TR-41 - Crypto Ransomware - Proactive defenses and incident response

Overview

Crypto ransomware is a growing threat against Internet users and even users on corporate networks. Attackers infect a system in order to encrypt all files available to the user, locally and remotely. Once the files are encrypted (very often with advanced encryption techniques), the attackers try to extort a ransom from the users in exchange for recovering the encrypted files. Such ransom attacks can be very successful, especially in corporate networks where file servers (NAS, CIFS servers) are extensively used.

A new threat (WannaCry ransomware) was discovered in May 2017. This ransomware uses a previously known exploit (which was used in operations by the NSA and eventually leaked to the public in 2017) to move laterally from machine to machine. The attack exploits a vulnerability in SMBv1. It is highly recommended to patch all systems and/or disable SMBv1. Alternatively, filter the corresponding ports. Microsoft has released patches, even for operating systems that are no longer supported (e.g. Windows XP).

Recommendations

Even if you have not been a victim of such an attack, proactive measures can be taken to limit the impact of a Crypto Ransomware infection.

Proactive measures for the WannaCry ransomware

  • Patch all systems affected by MS17-010. Patches are available even for EOL systems.
  • Disable SMBv1 everywhere else.
  • (Retroactively to Friday, 12th of May) move all email messages with active code in attachments into a quarantine (see list of file extensions below).
  • Control all incoming executable files via the Web/Proxy infrastructure.
  • Control returning laptops before Start-of-business on Monday, 15th of May.
  • Inform employees, preferably out-of-band, not to click anything.
  • Check the backup system’s status and the integrity of backups.
  • If endpoint protection is turned on, restrict the endpoints’ access to each other’s ports.

Proactive measures

  • The best defense against Crypto Ransomware is functional backups. If you are able to restore your backup easily, you defeat the main objective of the attacker.
  • Backups must be off-line (detached from network connectivity or system connectivity). Crypto Ransomware tries to encrypt files on local disks and removable media, but also on connected file shares. Backups must be detached so that the attackers cannot encrypt them as well.
  • Backup retention period should be reviewed. Don’t forget that a Crypto Ransomware might run in the background multiple days before being detected. The longer the retention period is, the better the chances for recovery are.
  • Don’t forget that backup servers are exposed and can be a target for the attacker too.
  • Enable audit logging on file servers, to be able to track down potentially infected systems encrypting files on the file share.
  • Create monitoring scripts to keep track of systems modifying a lot of files in a short period of time. This monitoring can be used to proactively detect infected systems that are encrypting files.
  • The most common initial infection vectors for Crypto Ransomware are:
    • Execution of malicious attachments sent by emails.
    • Emails with URLs (links) to malicious documents.
    • Exploitation of vulnerable web browsers or software components.
  • Review the security policy of your mail and web gateways and ensure that adequate logging is active (in case you need to trace infected users during incident response).
  • Mail and web gateways should block or quarantine all executable files, container formats and files potentially carrying active content. As an example, here is a list of attachment file types that should be quarantined, or at least reviewed, by your filtering gateway:
    • Container formats: “.zip”, “.rar”, “.ace”, “.gz”, “.tar”, “.7z”, “.z”, “.bz2”, “.xz”, “.iso”
    • Files potentially carrying active content: “.pdf”, “.doc”, “.rtf”, “.ppt”, “.xls”, “.odt”
    • Applications: “.exe”, “.pif”, “.application”, “.gadget”, “.msi”, “.msp”, “.com”, “.scr”, “.hta”, “.cpl”, “.msc”, “.jar”
    • Scripts: “.bat”, “.cmd”, “.vb”, “.vbs”, “.vbe”, “.js”, “.jse”, “.ws”, “.wsf”, “.wsc”, “.wsh”, “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.msh”, “.msh1”, “.msh2”, “.mshxml”, “.msh1xml”, “.msh2xml”
    • Shortcuts: “.scf”, “.lnk”, “.inf”
    • Other: “.reg”, “.dll”
    • Office macro: “.docm”, “.dotm”, “.xlsm”, “.xltm”, “.xlam”, “.pptm”, “.potm”, “.ppam”, “.ppsm”, “.sldm”
    • banned from wirecode: “.asf”, “.asx”, “.au”, “.htm”, “.html”, “.mht”, “.vbs”, “.wax”, “.wm”, “.wma”, “.wmd”, “.wmv”, “.wmx”, “.wmz”, “.wvx”
  • Ensure that update policies are applied for web browsers including extensions and plug-ins.
  • Review your ‘Bring Your Own Device’ (BYOD) policy to limit impact of previously infected machines with Crypto Ransomware against corporate infrastructures.
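
A sketch of the monitoring script recommended above, as an added example that is not part of the original report: it reads file-server audit events and flags any client that modifies many distinct files within a sliding time window. The one-line-per-event log format, the action names, the host names and the threshold of 20 files in 60 seconds are assumptions to adapt to your own file server's audit output.

```python
# Added example (not from the report); log format, names and limits are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFY_ACTIONS = {"WRITE", "RENAME", "DELETE"}  # assumed audit action names


def parse_line(line):
    """Parse 'ISO-timestamp client action path' (constructed format)."""
    ts, client, action, path = line.strip().split(" ", 3)
    return datetime.fromisoformat(ts), client, action.upper(), path


def find_mass_modifiers(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each client to the first time it had modified `threshold` distinct
    files inside one sliding `window`. Each client's events must be in time order."""
    recent = defaultdict(deque)  # client -> (timestamp, path) inside the window
    alerts = {}
    for line in filter(str.strip, lines):  # skip blank lines
        ts, client, action, path = parse_line(line)
        if action not in MODIFY_ACTIONS or client in alerts:
            continue
        events = recent[client]
        events.append((ts, path))
        while ts - events[0][0] > window:  # expire events older than the window
            events.popleft()
        # Count distinct paths so repeated saves of one document do not alert.
        if len({p for _, p in events}) >= threshold:
            alerts[client] = ts
    return alerts


def sample_log():
    """Constructed audit log: one bulk writer and one ordinary user."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i in range(40):  # ws-017 modifies 40 different files in 40 seconds
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ws-017 WRITE \\\\fs01\\share\\doc{i}.xlsx")
    for i in range(40):  # ws-042 saves the same file every 30 seconds
        ts = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} ws-042 WRITE \\\\fs01\\share\\report.docx")
    lines.append(f"{base.isoformat()} ws-042 READ \\\\fs01\\share\\plan.pdf")
    return lines


if __name__ == "__main__":
    for client, when in find_mass_modifiers(sample_log()).items():
        print(f"ALERT {client} reached the threshold at {when.isoformat()}")
```

Counting distinct paths rather than raw events keeps an application that autosaves one document from triggering the alert; tune the threshold against a baseline of normal activity on the share.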

Incident response to Crypto Ransomware

  • In the case of a detection, we recommend unplugging the infected systems from the network (don’t forget any wireless connectivity).
  • If you want to perform forensic analysis, a memory acquisition must be performed (if the system was not shut down and a shell is accessible) before the disk acquisition. Check ‘TR-22 - Recommendations for Readiness to Handle Computer Security Incidents’ for the operational and technical procedure.
  • In some rare cases, it is possible to recover some files (e.g. from shadow copies in Windows, through forensic recovery, or because of weak encryption used by some crypto ransomware). You should not rely on this possibility; ensure that the proactive measures described above are in place.
  • In case of infection, CIRCL recommends reinstalling the operating system from a clean installation source and restoring the backups. Don’t forget to review the restored backup to ensure that there is no infection remaining.
  • Never try to contact the attacker and don’t pay the ransom. Paying a ransom means that you will support the business model of cybercriminals.
  • If possible, keep a copy of the original, encrypted device. There is a small chance that master keys will be revealed, allowing the files to be decrypted, as was the case for TeslaCrypt.

Indicators

  • CIRCL offers private organizations the possibility to connect to the CIRCL MISP platform, where indicators for malware including Crypto Ransomware are shared. Don’t hesitate to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 2.0 13th May, 2017 (TLP:WHITE) - added WannaCry ransomware recommendations
  • Version 1.2 19th May, 2016 (TLP:WHITE)
  • Version 1.1 23rd February, 2016 (TLP:WHITE)
  • Version 1.0 1st December, 2015 Initial version (TLP:WHITE)