johnycryptor@aol.com

allstarit

So I got a call this morning from a new customer who has all their files encrypted.

Looking at the files I haven't come across this one before - all the original files are encrypted and it has saved another file with johnycryptor@aol.com on it. The file type shows as an MS-DOS Application.

Normally with the crypto virus it gives you some HTML file you click on that tells you how to decrypt etc.

A further issue I have discovered is this virus has somehow detected the client has Shadow Protect and has encrypted the base image files, which makes all Shadow Protect images on the local side useless.

So luckily the offsite datacentre backups are OK - it just delays the process of restoring.

Reading up on this type of virus, it may have infected via RDP and manually run the cipher.

Nasty piece of work.
 
I feared the day when the crypto programs would start hitting the backup images. That's why I only make the shared folder for backups accessible by one login and that one login is only entered into the backup software service. End result is the only thing that has access to these images are the backup services themselves, not the system the backup is running on.

I'm hoping this at least helps!
 
Guessing the built-in Windows backup can't have the login to itself (think it needs a mounted network drive pfff).

What are you using to back up with this feature (network credentials unique to the backup agent and only used at time of backup)?

I'm thinking for the small chaps where StorageCraft is a bit overkill.
 
mrapoc - Most software will utilize this feature. When creating the destination, you often enter network share and credentials. This is where the login info is entered. On the storage side - whether it's a NAS or windows storage or other, just share out one folder for backups and only allow access to that one login.

Example: In cloudberry you setup a destination and enter credentials for that destination to backup to. If that system gets infected, the backups will remain ok because the only service allowed access to the backup destination is the cloudberry backup service.

I would need to verify but I believe it's same for veeam, macrium, easeus, etc.

There may be a day when this isn't true but for now, I haven't seen the possibility for an infection to do so.
 
Yeh it's a shame the built in basic windows backup/file history needs a network location mounted.
 
You can back up to a network share w/o mounting but it doesn't give you revisions. Just the most recent. At least on 2012 R2. I believe with a NAS that supports iSCSI you can set up an iSCSI target and have multiple revisions that way. Possibly create a subfolder where the only access is the login for backup. Haven't verified.
 
I was speaking to Shadow Protect about this issue and they forwarded me a document related to this topic which is too good not to share:

How to help prevent your computer from becoming infected by CryptoLocker and to help prevent ShadowProtect Images from being encrypted.

The first thing to do is change the share structure that ShadowProtect backs up to. Stop the old share and then create a new share called sharename$ like this \\servername\sharename$ with all server folders under this share. You then need to change the permissions on the share to only the service account being used by the ShadowProtect in its destinations - try to avoid using service credentials EG what account the ShadowProtect SVC is running under. There should only be the one account in the share permissions and do not use the administrators account.

Next follow the below to assist controlling the stupidity or lack of knowledge of the end-users.
You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are:
C:\Users\<User>\AppData\Local\<random>.exe (Vista/7/8)
C:\Documents and Settings\<User>\Application Data\<random>.exe (XP)
C:\Documents and Settings\<User>\Local Application Data\<random>.exe (XP)

In order to block the CryptoLocker you want to create Path Rules so that they are not allowed to execute. To create these Software Restriction Policies use the Local Security Policy Editor or the Group Policy Editor for a Domain.

How to manually create Software Restriction Policies to block CryptoLocker:
In order to manually create the Software Restriction Policies you need to be using Windows Professional or Windows Server. If you want to set these policies for a particular computer you can use the Local Security Policy Editor. If you wish to set these policies for the entire domain, then you need to use the Group Policy Editor and set this on the Default Domain Policy. Unfortunately, if you are a Windows Home user, the Local Policy Editor is not available. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.
Once you open the Local Security Policy Editor or the Default Domain Policy, you will see a screen similar to the one below.

[Screenshot: Local Security Policy Editor with the Software Restriction Policies section selected]


Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies. This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule.... You should then add a Path Rule for each of the items listed below.

If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see the end of this document on how to enable specific applications.
Below are a few Path Rules that are suggested you use to not only block the infections from running, but also to block attachments from being executed when opened in an e-mail client.


Block CryptoLocker executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block CryptoLocker executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block Zbot executable in %AppData%
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block executables run from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

How to allow specific applications to run when using Software Restriction Policies
If you use Software Restriction Policies, or CryptoPrevent, to block CryptoLocker you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.

[Screenshot: New Path Rule dialog with Security Level set to Unrestricted]

Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.

I have attached it as a PDF as well - hopefully it will be useful.
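As an added example (not part of the ShadowProtect document or this post), the following PowerShell writes the Disallowed path rules listed above into the same registry store the Local Security Policy editor uses, and adds one Unrestricted rule to show the allow override described in the last section. It assumes a Vista/7/8-style profile and an elevated session on a single machine (for a domain, set the same rules in the Default Domain Policy instead); the ExampleVendor path is a hypothetical placeholder.

```powershell
# Added example: local Software Restriction Policy path rules via the registry.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

# Enable SRP with an Unrestricted default so only the rules below bite.
New-Item -Path $Base -Force | Out-Null
Set-ItemProperty -Path $Base -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $Base -Name TransparentEnabled -Value 1 -Type DWord   # 1 = all software except DLLs
Set-ItemProperty -Path $Base -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule lives under <Level>\Paths\{GUID}; ItemData is the (expandable) path pattern.
    $Key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty -Path $Key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $Key -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $Key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# The Disallowed rules from the document (Vista/7/8 paths).
$Rules = @(
    @{ Path = '%AppData%\*.exe';                Desc = "Don't allow executables to run from %AppData%." },
    @{ Path = '%LocalAppData%\*.exe';           Desc = "Don't allow executables to run from %LocalAppData%." },
    @{ Path = '%AppData%\*\*.exe';              Desc = 'Block immediate subfolders of %AppData%.' },
    @{ Path = '%LocalAppData%\*\*.exe';         Desc = 'Block immediate subfolders of %LocalAppData%.' },
    @{ Path = '%LocalAppData%\Temp\Rar*\*.exe'; Desc = 'Block executables extracted by WinRAR.' },
    @{ Path = '%LocalAppData%\Temp\7z*\*.exe';  Desc = 'Block executables extracted by 7zip.' },
    @{ Path = '%LocalAppData%\Temp\wz*\*.exe';  Desc = 'Block executables extracted by WinZip.' },
    @{ Path = '%LocalAppData%\Temp\*.zip\*.exe';Desc = 'Block executables opened from built-in Zip support.' }
)
foreach ($r in $Rules) { Add-SrpPathRule -Path $r.Path -Level $Disallowed -Description $r.Desc }

# Allow-list one legitimate per-user application (hypothetical path): an Unrestricted
# path rule overrides the Disallowed rules above, which is the override the document relies on.
Add-SrpPathRule -Path '%LocalAppData%\ExampleVendor\ExampleApp.exe' -Level $Unrestricted `
                -Description 'Hypothetical per-user app that must keep running.'

# Review what is now configured; the same rules should appear under Additional Rules in the editor.
Get-ChildItem "$Base\$Disallowed\Paths", "$Base\$Unrestricted\Paths" |
    ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object Description, ItemData }
```

Rules take effect for new processes after the policy is refreshed or the user logs on again; test with a harmless copy of an .exe placed in %AppData% before rolling out to users.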
 
Last time I came across Crypto Lock they had a backup hard drive plugged in but it did not encrypt that

Unfortunately he had a very old backup
 
speaking to Shadow Protect about this issue and they forwarded me a document related to this topic and too good not to share

A bunch of the stuff in there is some of what CryptoPrevent automates, though there may be some non-overlapping areas. I had some issues after CryptoPrevent so I switched to just HitmanPro.Alert.

Also, their recommendation for adding a $ to the end of the share names is less effective than you might think - that's basically just a convention that translates to "Hey client software - here's a list of all the shares, but please don't display the ones ending with $ in the user interface."
 
So a couple of months on and I have been busy spending time locking my clients down and educating them on ransomware. So I thought I'd share some of the things I have been doing which may be useful to others.

It's something I've been asking my boss at my full-time job to do for a while but it's never gotten approval to be forced on all clients. After having a couple of crypto/ransomware hits he has finally seen the light and this has become a high priority project.
For my business however I have been implementing this for my own clients, but I'm also happy to report it's now being rolled out to my full-time job's clients as well.

  • Obviously ensure the client has a good backup solution in place. $Share all the backups as mentioned above.
  • Dedicated user/password just for backups - not a user on the domain but completely separate from everything. We use Shadow Protect so we put the password into the software, which connects directly to the destination path using the credentials.
  • Password protecting the backup images. Whilst this won't stop or prevent crypto it's an added security measure.
  • Remove RDP access where possible and limit RDP to VPN access or whitelist our office's IP to gain access. We use ScreenConnect on all clients so unless they have a terminal server there is no need. I've heard of stories where some servers got ransomware via RDP sessions. I have a feeling the original virus I got above may be related to RDP exploits but not sure. Best to reduce threats and turn it off if not needed.
  • Remove access to the modem login page - restricted to local access only or whitelist our office's IP to gain access.
  • Ensure users don't have local admin rights - in some cases users have needed this but when it's not needed we have been removing it.
  • Restrict %APPDATA% from running executables via Group Policy.
  • Allow Exchange to only receive mail from the spam filter's IPs. Either set SMTP rules on the modem or apply it on Exchange. Also have similar settings in Office 365 if the client is using this to limit what mail can be sent to the client. This forces all mail to go through the filter.
  • Block port 25 from being accessed - similar to the previous point but restricts telnet and people emailing directly to the SMTP server.
  • Review who has access to mapped drives and if they have access to more than they really need then adjust the security groups to give employees access only to what they need.
  • Web filter - review with the client what websites should be blocked - e.g. social media - and advise clients on the danger. Have been adding all common IPs and domains. I have been using this as a guide which is good to add to block lists: https://ransomwaretracker.abuse.ch/
  • Passwords - ensure staff have been educated on having strong passwords.
  • Frequent newsletters to educate end users - I have subscribed to a few good websites that send out routine newsletters that advise on recent outbreaks or phishing scams. I then compile this into posts on my website and send out newsletters to end users. Also tips on spotting a phishing scam email or how to spot a link. Educate them on opening attachments that look suspicious.
  • Disconnect from Wi-Fi or network when infected - train users to disconnect from Wi-Fi or the network in the event of encryption or a virus on the PC and call IT immediately.
  • Patch management and antivirus - obviously ensuring PCs and servers are patched and have good antivirus is on the list too. I use Max Focus so this part is covered by that.
  • Ensure you have a good spam filter. I'm using Spam Hero at the moment and have been quite happy with it. It was either Spam Hero, which charges by the domain name, or Max Mail, which was per user. I opted for Spam Hero because I can add multiple domain aliases to Exchange servers and it doesn't cost extra. Plus it's not user based, which can become pricey. Even encourage staff to report strange emails. Get them to forward the spam or crypto-type viruses to a specific email like spam@domain.com. This keeps them on the lookout and makes them feel important by stopping nasty viruses getting on the server.
  • Physical server checks - who has access to the server or backups. Ensure adequate security is in place, e.g. a locking cabinet. It's not just the ransomware or viruses we need to be cautious about, it's the physical security as well.
  • Show file extensions - this can help end users identify double extensions like document.pdf.exe.
  • Resetting passwords for users - generally I know who is who when an end user calls up, but the bigger companies grow, the harder this gets. Anyone can ring up and pretend to be another staff member so it's good practice to be cautious when resetting users' passwords etc. I usually request it in writing from the onsite contact. I have then been asking for mobile numbers for users and I then message them a password which they need to provide to me. It does add extra time to the task but it's about being vigilant as the IT consultant.
If you can think of any other tips please add them to this. My idea is to turn this into a Ransomware Prevention Service or a Security Audit Service and charge a price to come out and conduct this service on a network. Ransomware seems to be becoming a common topic of late in the IT world so
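The dedicated backup share that this post, the earlier reply about a single backup login and step one of the ShadowProtect document all describe, as an added PowerShell example (not the poster's or StorageCraft's own code). It assumes the backup target runs Windows Server 2016 or later as a standalone machine (so the account is local, not a domain user); the path, share and account names are placeholders.

```powershell
# Added example: a hidden backup share whose share and NTFS permissions admit only
# one dedicated local account, which is then typed only into the backup software's destination.
$SharePath  = 'D:\ShadowProtectBackups'
$ShareName  = 'SPBackups$'        # trailing $ only hides the share from browsing; it is not access control
$BackupUser = 'svc_spbackup'      # dedicated account, not a domain user, never used for logon

# 1. Create the dedicated local account with a long random password.
$Password = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
New-LocalUser -Name $BackupUser -Password (ConvertTo-SecureString $Password -AsPlainText -Force) `
              -PasswordNeverExpires -UserMayNotChangePassword -Description 'Backup destination only' | Out-Null
# $Password is needed once, when entered into the backup destination; keep it in the password vault.

# 2. Create the folder and replace inherited NTFS permissions with SYSTEM plus the backup account.
#    Administrators are deliberately left off, as the ShadowProtect document advises; they can still
#    take ownership if the share ever needs maintenance.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$Acl = Get-Acl $SharePath
$Acl.SetAccessRuleProtection($true, $false)   # stop inheriting, and drop the inherited entries
foreach ($Principal in 'NT AUTHORITY\SYSTEM', "$env:COMPUTERNAME\$BackupUser") {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -Path $SharePath -AclObject $Acl

# 3. Share it to the backup account only: no Everyone, no Authenticated Users, no Administrators.
New-SmbShare -Name $ShareName -Path $SharePath -FullAccess "$env:COMPUTERNAME\$BackupUser" `
             -FolderEnumerationMode AccessBased | Out-Null

# 4. Verify: the only principal on the share, and the only non-SYSTEM principal on the folder,
#    should be the backup account.
Get-SmbShareAccess -Name $ShareName | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl $SharePath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

A quick check after setup is to open \\servername\SPBackups$ from an ordinary domain workstation as a logged-in user: it should be refused, while the backup job itself still completes.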
 