Petya/Nyetya and the future of Ransomware

Not to get too soapboxy, but with Petya/Nyetya ransomware hammering the news I’d like to take the time to recommend that anyone in any position of IT authority make sure the following things are in place:

Patch your servers and endpoints consistently; do not lag behind patches by months. One of the main (but not the only) mechanisms this ransomware uses to spread across a network is the SMBv1 exploit that Microsoft patched in March 2017 (MS17-010), the same exploit WannaCry used. A host that is missing that one update is exposed to everything on its network segment.

Make consistent backups, and do not for one second believe that "another hard drive on the same computer" is a safe place to back up. Ransomware encrypts every drive it can write to, including mapped network shares, so keep at least one copy offline or otherwise unreachable from the machine that gets infected, and test that you can actually restore from it.

Run antivirus or anti-malware software. It is not a "nice to have" anymore; it is a requirement for keeping your data secure in the current internet climate. Keep both the product and its definitions updated.

Utilize proper role-based access controls. Do not grant people Domain Admin rights on the accounts they use day to day; create specialized roles once and apply them as necessary. A Domain Admin who opens the wrong attachment hands the malware Domain Admin rights, and this ransomware uses stolen administrative credentials to reach machines that are fully patched. Domain Admin rights may as well be keys to the full kingdom and are a perfect example of "quick and easy" not being "the right way".

Never rely on a single thing to protect yourself or your environment. True protection requires multiple layers of defense — e-mail malware protection, network exploit protection, endpoint malware protection, and proper training.

I hope no one I know or their respective employers got hit by this. Just like WannaCry, this is a wake-up call that spending the time to secure yourself is not an option any more; it is a requirement if you want to protect yourself and your data.

100% Free SSL Certs

The Linux Foundation has been sponsoring a free certificate authority (Let's Encrypt) for a while with the assistance of Cisco, Akamai, the EFF, Mozilla, and others.  The key point is that the certificates it issues chain to a root that browsers already trust, so they are every bit as legitimate as a paid certificate, and they cost nothing.

The install process was ridiculously painless and took me under 15 minutes from start to finish.  I can't recommend this highly enough.  It is imperative that people learn about encryption and cryptography and protect their sites and their content with encryption.  One caveat: the certificates are short-lived (90 days), so turn on the client's automated renewal rather than relying on remembering to renew by hand.

What are you waiting for?

Get to it!

E-mail Attachment Security, AKA I shouldn’t have to say this …

But, I do.

Here’s how you can prevent ~90% of malware attacks in your organization.  You, yes you.  The very person reading this.  Regardless of your position or your access, regardless of your function in the business — this absolutely applies to you.  It’s also super easy.

  1. If you get an e-mail with an attachment to it and you didn’t expect it, EVEN if you know the person sending it, DON’T OPEN IT.

Seriously, that's it.  Call them, confirm it's legitimate, whatever; just don't open the attachment.  It's crazy how many malware variants ONLY spread by a user opening that e-mail attachment.

Remember in the 80s they had the “Don’t Copy That Floppy” tagline?  We need one for the new world.  I can’t come up with anything great that rhymes, so I’ll leave you with a simple question:

“Am I willing to stake my company’s data confidentiality and perhaps reputation on the guess that this unexpected attachment is legitimate?  Or is it easier to just pick up the phone and call the person who sent it to me to validate that it is legitimate?”

I appreciate that it doesn’t quite roll off the tongue, but it’s far more real than people expect!

DISCLAIMER:  I obviously can't guarantee this will stop 90% of malware attacks in YOUR organization, but I can guarantee it will notably reduce your exposure!  The actual percentage depends on what kind of malware your organization gets hit with on a regular basis.  With that said, most of the deepest-impacting malware (ransomware, the T5000/T9000 Skype recording malware) does not spread by itself; it requires user intervention to begin the infection process, and this practice will do wonders toward minimizing the potential for impact from that type of malware.

SourceFire IPS/IDS – Automatic Blacklist

One of the things I wanted to automate recently was blacklisting outright any IP address that attempts exploits against a network I am protecting with the Cisco SourceFire IPS/IDS device.  After spending some time working with their correlation rules, I realized that what I wanted to happen was not really available.  Here's what I'd like the workflow to be:

  1. Someone attempts an exploit against a public IP address routed through the Cisco SourceFire and generates an Impact 1 or Impact 2 severity intrusion event.
  2. If the same source IP attempts a second exploit within 5 minutes that generates an Impact 1 or Impact 2 severity intrusion event, blacklist the source IP address.

This seems like something that should be reasonable to expect the device to inherently support — unfortunately, that seems not to be the case.

I was able to work around the lack of functionality to get somewhat close to the desired outcome by doing the following:

  1. Install the IP Blacklist Remediation module available for the Cisco SourceFire, located here on your SourceFire Defense Center.  NOTE:  This is a third party extension/module to the Cisco SourceFire platform.  Use this at your own risk.  I didn’t write it, I accept no liability whatsoever if you implement it and it sets your data center on fire, sends your corporate secrets to China, etc.
  2. Follow the instructions in the README file to configure the remediation action, instance, security intelligence feed, and access control policy.
    1. Make sure you use the full https:// link when you're providing the .HTML file in the security intelligence feed.  When configuring the remediation instance, you can just say 'custom_blacklist.html', but when configuring the security intelligence feed, you need to use 'https://your.sourcefire.domainorip/custom_blacklist.html'

Once this is done, I got very close to what I wanted:

  1. Someone attempts to exploit vulnerabilities against the public IP address routed through the Cisco SourceFire and generates an Impact 1 or Impact 2 severity intrusion event.
  2. The IP address is added to the Local Blacklist and synchronized at the next Security Intelligence Feed update cycle.

My concern (and what I’m hoping someone out there can comment on) is that this seems overzealous, as it does blacklist every IP that ever tries a single exploit against any of the public IPs, and over time that seems unsustainable.  I’d love to have threshold capability so that it only added IP addresses if they tried multiple exploits.  I mean, the SourceFire *is* dropping the traffic anyway, so blacklisting the IP of anyone who has attempted a single exploit does seem like it will end up with a tremendous amount of IP addresses over time, which will generate unnecessary load on the system.
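The threshold the post asks for (two Impact 1 or Impact 2 events from one source within five minutes) is easy to express outside the Defense Center. What follows is an added example written for this page, not code from the post or from the IP Blacklist Remediation module: it reads a constructed CSV export of intrusion events, applies the sliding-window threshold, and writes the result in the one-address-per-line text format a Security Intelligence list expects. The CSV column names, the export itself, and publishing the output at the feed's https:// URL are assumptions.

```powershell
# Added example for this page, not code from the post or from the IP Blacklist
# Remediation module. Assumed: intrusion events exported as CSV with these columns,
# and the output file published at the https:// URL the Security Intelligence feed uses.

$Window    = New-TimeSpan -Minutes 5
$Threshold = 2   # Impact 1/2 events from one source inside $Window before blacklisting

# Constructed sample export using documentation (TEST-NET) addresses, not real data.
# 203.0.113.10  two Impact 1/2 events 2.5 minutes apart  -> blacklisted
# 198.51.100.7  two Impact 1 events 29 minutes apart     -> not blacklisted
# 192.0.2.44    one Impact 3 event                       -> ignored
$SampleCsv = @'
Timestamp,SourceIP,Impact,Message
2015-06-01 10:00:05,203.0.113.10,1,exploit attempt against web server
2015-06-01 10:02:30,203.0.113.10,2,exploit attempt against web server
2015-06-01 10:01:00,198.51.100.7,1,exploit attempt against mail gateway
2015-06-01 10:30:00,198.51.100.7,1,exploit attempt against mail gateway
2015-06-01 10:05:00,192.0.2.44,3,low-impact event on a host that is not vulnerable
'@

function Get-BlacklistCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [timespan] $Window    = (New-TimeSpan -Minutes 5),
        [int]      $Threshold = 2
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $hits    = New-Object System.Collections.Generic.List[string]

    # Only Impact 1 and 2 count, as in the workflow the post describes
    $relevant = $Events | Where-Object { [int]$_.Impact -le 2 }

    foreach ($group in ($relevant | Group-Object -Property SourceIP)) {
        $times = @($group.Group |
            ForEach-Object { [datetime]::ParseExact($_.Timestamp, 'yyyy-MM-dd HH:mm:ss', $culture) } |
            Sort-Object)

        # Sliding window: blacklist if any $Threshold consecutive events fit inside $Window
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]) -le $Window) {
                $hits.Add($group.Name)
                break
            }
        }
    }
    return ,$hits.ToArray()
}

function Write-SecurityIntelligenceList {
    param([string[]] $Addresses, [Parameter(Mandatory)] [string] $Path)
    # Security Intelligence lists are plain text: one IP or CIDR per line, '#' for comments
    $lines = @('# generated ' + (Get-Date).ToUniversalTime().ToString('u'))
    foreach ($a in $Addresses) { $lines += $a }
    Set-Content -Path $Path -Value $lines -Encoding Ascii
    return $lines.Count - 1   # number of addresses written
}

$events    = $SampleCsv | ConvertFrom-Csv
$blacklist = Get-BlacklistCandidates -Events $events -Window $Window -Threshold $Threshold
Write-SecurityIntelligenceList -Addresses $blacklist -Path '.\custom_blacklist.html' | Out-Null
$blacklist   # 203.0.113.10
```

Because the list is regenerated from the export each run rather than appended to, addresses age out on their own once they fall outside the export window, which is one way to address the growth concern above: export however many days of events you want a blacklist entry to live for, and schedule the script to run before each feed update cycle.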

I also think it doesn’t add up that the SourceFire can’t do this internally with correlation rules and remediation actions, but after hours of searching, I could not come up with another way to achieve this.

Anyone have any ideas?

Ransomware in 2015

As I presently work with a security focus, one of the things I wrote recently is a high level white-paper about ransomware and some information about what it is, where it comes from, and a few key ways to stop it.  The full white paper and content should be published soon at,  but until then I wanted to get the info out all the same.

The persistent threat of ransomware

The last few months have seen a resurgence of the CryptoLocker/CryptoWall ransomware across many IT organizations.  This malware is particularly damaging: it has cost many companies significant time and money, and in some cases has caused the permanent destruction of business-critical information and documents.


Where did it come from and what does it do?

This malware primarily preys on uninformed or untrained users, as it arrives via a Trojan dropper, usually as an e-mail attachment.  For example, the current version masquerades as a resume, “”.

Once executed, the Trojan dropper connects to a command and control server, downloads the actual encrypting ransomware, and executes it.  The ransomware then encrypts every file it has write access to (both locally and on network shares mapped to a drive letter) and displays a dialog informing the user that their files have been encrypted and can only be decrypted by sending a specified amount of Bitcoin to a specified Bitcoin address.  At present, very few ransomware variants use encryption that can be broken without purchasing the private key from the ransomware operator, so in most cases the encrypted files and documents must be recovered from backup.  Additionally, there is no guarantee that the operator will actually provide the decryption key if the ransom is paid, and Bitcoin payments cannot be cancelled or refunded and are, in most cases, very difficult to trace.


Persistent, but largely predictable…

The behavior of the existing ransomware variants is all very similar, and as such simple security steps can largely mitigate the risk in an organization.  Ensuring security against these types of threats requires a measured and thoughtful approach that manages each of the possible ingress points and is viewed end to end, to ensure the confidentiality, integrity, and availability of your organization's information.


What can you do?

One of the most effective methods of addressing these issues is managing the primary ingress point for this type of malware: your user base.  Proper security awareness and spear-phishing training for users will substantially reduce the likelihood of infection by limiting the malware's ingress via user action, and should be repeated on a quarterly basis with checks in place to ensure compliance.

Additional means of mitigating infection without purchasing more software include file security policies pushed via GPO that block the execution of specific types of files from the locations this malware drops into (the temporary and application-data folders under the user's profile).

IT organizations should also treat these incidents as a reason to reassess their backup and recovery process.  A proper backup regime with a defined RPO and RTO, tested frequently, ensures that if your environment is infected and the ransomware executes, you have recent point-in-time backups to restore from and can minimize data loss.  Keep at least one copy somewhere the ransomware cannot reach; it encrypts every mapped drive it has write access to.

Lastly, malware detection platforms with advanced persistent threat analysis, deep malware protection and packet inspection, such as Damballa or Cisco SourceFire with AMP, can block the execution of the dropper, the execution of the encrypting ransomware, and even the command and control connection back to the malware operator, at both the network and the endpoint level.


Windows 10 will help!

Changes in the security behavior of Microsoft Windows in the upcoming Windows 10 release will also take significant steps toward removing many of the vulnerabilities and insecure file-interaction behaviors that allow this type of exploit and infection to happen.  New technologies such as the file container model and the virtualization of the authentication subsystem that holds Active Directory credentials (Credential Guard, which isolates the LSA secrets in a virtualization-based container) severely limit the capabilities of rogue software.  The container model works in concert with drive encryption to help protect the confidentiality and integrity of your company's data by placing covered files in a sandboxed container with Windows as the broker of access between the file and any other process on the system, so a ransomware application like CryptoLocker cannot modify those files or folders unless explicit access has been granted via established corporate policy.  The virtualization of the authentication layer further protects your organization by ensuring that even if a Windows 10 machine becomes infected with malware, a rootkit, or botnet software, the unauthorized application cannot read the cached credentials and password hashes it would need to impersonate the user elsewhere on your corporate network.  Two caveats: these features only exist on the editions and hardware that support them and only cover the data the policy is scoped to, and malware running in a user's session can still act with whatever access that user already has, so the backup and execution-control advice still applies.

As mentioned above, administrators can implement a few group policies fairly quickly to help close the ingress points for this type of malware.  Obviously, high-end solutions include deep advanced malware protection software, but if you are on a budget and cannot afford that yet, you can still minimize the likelihood of infection beyond simple end-user training.  Outlined below are the steps to implement a group policy that blocks the execution of the current strains of ransomware by disallowing execution from the temporary directories they deploy to.

GPO Creation Instructions 

1)      Log in to DC as a Domain Admin

2)      Run GPMC.MSC

3)      Create a new GPO Object and provide a descriptive name (such as AppData Restriction Policy)

4)      Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules

5)      From the Action menu, select “New Path Rule” and enter the following information:

  • Path:     %AppData%\*.exe
  • Security Level:   Disallowed
  • Description:        Block execution of applications from the %AppData% folder

6)      Do the same for the following locations:

  • Path:     %AppData%\*\*.exe
  • Path:     %LocalAppData%\*.exe
  • Path:     %LocalAppData%\*\*.exe
  • Path:     %LocalAppData%\Temp\*.zip\*.exe      (Optional) Blocks the execution of compressed .EXE files from a .ZIP compressed file
  • Path:     %LocalAppData%\Temp\7z*\*.exe        (Optional) Blocks the execution of compressed .EXE files from a .7Z compressed file
  • Path:     %LocalAppData%\Temp\Rar*\*.exe       (Optional) Blocks the execution of compressed .EXE files from a .RAR compressed file
  • Path:     %LocalAppData%\Temp\wz*\*.exe        (Optional) Blocks the execution of compressed .EXE files from a .ZIP compressed file on machines with WinZip installed

7)      Save the GPO and link to the OU that contains the target computer objects.


This policy blocks the execution of .exe files located directly in %AppData% and %LocalAppData% or in one subfolder below them, which covers almost all of the locations current ransomware executes from.  Two caveats: the rules only match .exe, so a variant that drops a .scr, .bat or script file instead is not covered unless you add matching rules, and executables nested deeper than one subfolder are also not covered.  It does, however, impact a few legitimate programs.  SRP applies the most specific matching path rule, so an Unrestricted rule on the exact executable overrides the wildcard Disallowed rule; that is how the whitelist below works.  We have detailed our known whitelist applications, which should also be reviewed and whitelisted in your environment as necessary.


Whitelist Instructions:

  1. Have the user provide you the full path of the .EXE file that is not executing, or review the Application event log on the client machine: the block is recorded by source SoftwareRestrictionPolicies as Event ID 866, which includes the blocked path and the rule that matched.
  2. Open the GPO in gpmc.msc (right click -> edit)
  3. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules
  4. Right-Click to create a new Path rule.
    1. Path should be the actual EXE file, using the %AppData% or %LocalAppData% variable.  For example “%AppData%\Spotify\Spotify.exe”
    2. Security level should be “Unrestricted”
    3. (Optional, recommended) Description should include what program is being allowed, what user requested it, and on what date it was requested.
  5. Click OK to save the policy, then close out of the GPO.
  6. (If whitelisting in response to user request) Have the end-user complete a gpupdate to receive the latest policy.
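The creation and whitelist procedures above can be scripted instead of clicked through.  What follows is an added example for this page, not something from the post: it uses the GroupPolicy module (on a DC or a host with RSAT) to create the GPO, write the same Software Restriction Policy path rules, add exact-path Unrestricted rules for two executables from the whitelist instructions, and link the GPO.  The OU distinguished name and the GPO comment are placeholders; the registry layout comments describe how SRP stores its rules, and the path rules themselves are the ones listed in steps 5 and 6.

```powershell
# Added example, not part of the original post: builds the GPO from "GPO Creation
# Instructions" and the allow rules from "Whitelist Instructions" with the GroupPolicy
# module instead of gpmc.msc. Assumed: run as a Domain Admin on a DC or RSAT host;
# the OU below is a placeholder to replace.
Import-Module GroupPolicy

$GpoName  = 'AppData Restriction Policy'
$TargetOu = 'OU=Workstations,DC=corp,DC=example'    # placeholder

# SRP settings are registry policy. Each path rule is a GUID-named subkey under
# CodeIdentifiers\<level>\Paths, where level 0 = Disallowed and 262144 = Unrestricted.
$SaferKey     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)] [string] $Gpo,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [int]    $Level,
        [Parameter(Mandatory)] [string] $Description
    )
    $ruleKey = '{0}\{1}\Paths\{{{2}}}' -f $SaferKey, $Level, [guid]::NewGuid()
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'ItemData'     -Type ExpandString -Value $Path        | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'SaferFlags'   -Type DWord        -Value 0            | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'Description'  -Type String       -Value $Description | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $ruleKey -ValueName 'LastModified' -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $ruleKey
}

# Step 3: create the GPO (or reuse it on a second run)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks execution from %AppData% and %LocalAppData% (ransomware drop locations)'
}

# Values gpmc.msc writes when the SRP node is first created: anything not matched by a rule
# stays Unrestricted, the policy applies to all users, and DLLs are not checked.
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'DefaultLevel'        -Type DWord -Value $Unrestricted | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'TransparentEnabled'  -Type DWord -Value 1             | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'PolicyScope'         -Type DWord -Value 0             | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $SaferKey -ValueName 'AuthenticodeEnabled' -Type DWord -Value 0             | Out-Null

# Steps 5 and 6: the Disallowed path rules from the post
$BlockPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe',
    '%LocalAppData%\Temp\*.zip\*.exe',
    '%LocalAppData%\Temp\7z*\*.exe',
    '%LocalAppData%\Temp\Rar*\*.exe',
    '%LocalAppData%\Temp\wz*\*.exe'
)
foreach ($p in $BlockPaths) {
    Add-SrpPathRule -Gpo $GpoName -Path $p -Level $Disallowed -Description "Block execution from $p" | Out-Null
}

# Whitelist procedure: an Unrestricted rule on the exact executable. SRP applies the most
# specific matching path rule, so this wins over the wildcard Disallowed rule above.
$AllowPaths = @(
    '%LocalAppData%\Temp\vcredist_x86.exe',    # from the known-applications list
    '%AppData%\Spotify\Spotify.exe'            # the example used in the whitelist steps
)
foreach ($p in $AllowPaths) {
    Add-SrpPathRule -Gpo $GpoName -Path $p -Level $Unrestricted -Description "Allowed: $p (requested by <user> on $(Get-Date -Format yyyy-MM-dd))" | Out-Null
}

# Step 7: link to the OU holding the target computer objects (error ignored if already linked)
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Review what was written; clients pick it up at the next refresh or after gpupdate /force
Get-GPRegistryValue -Name $GpoName -Key $SaferKey -ErrorAction SilentlyContinue
```

Run it once: every run appends rules under fresh GUIDs rather than updating the existing ones, so for a second pass edit the rules in gpmc.msc or remove the rule keys first.  Confirm on a client with gpupdate /force and then try launching an .exe from %AppData%; the block shows up in the Application log as Event ID 866 from SoftwareRestrictionPolicies, which is also where you get the exact path to whitelist.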


Known applications to whitelist:

Office Source Engine Updates (Office 2010 – Office 2013 Click to Run Updates):

  • %LocalAppData%\Temp\ose00000.exe
  • %LocalAppData%\Temp\ose00001.exe
  • %LocalAppData%\Temp\ose00002.exe
  • %LocalAppData%\Temp\ose00003.exe
  • %LocalAppData%\Temp\ose00004.exe
  • %LocalAppData%\Temp\ose00005.exe
  • %LocalAppData%\Temp\ose00006.exe
  • %LocalAppData%\Temp\ose00007.exe
  • %LocalAppData%\Temp\ose00008.exe
  • %LocalAppData%\Temp\ose00009.exe
  • %LocalAppData%\Temp\ose00010.exe

Adobe Flash 12 – 18 updates:

  • %LocalAppData%\Temp\install_flashplayer_12x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_13x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_14x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_15x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_16x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_17x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_18x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Adobe\gccheck.exe
  • %LocalAppData%\Adobe\gtbcheck.exe
  • %LocalAppData%\Adobe\install_flash_player_ax.exe

Microsoft System Center Pre-requisites (Client Push):

  • %LocalAppData%\Temp\vcredist_x86.exe

GoToMeeting Installer:

  • %LocalAppData%\Temp\G2MInstallerExtractor.exe

Mozilla Firefox:

  • %LocalAppData%\Mozilla Firefox\firefox.exe

Cisco WebEx Installer/Uninstaller:

  • %LocalAppData%\atcliun.exe


© 2019 TJ in IT
