As I presently work with a security focus, one of the things I wrote recently is a high level white-paper about ransomware and some information about what it is, where it comes from, and a few key ways to stop it.  The full white paper and content should be published soon at http://ivision.com/,  but until then I wanted to get the info out all the same.


The persistent threat of ransomware

The last few months have seen a resurgence of the CryptoLocker/Cryptowall ransomware malware across many IT organizations.  This malware is particularly impacting and has cost many companies significant time and money, and in some cases has caused the permanent destruction of business critical information and documents.

 

Where did it come from and what does it do?

This malware primarily preys on uninformed or untrained security behavior, as it arrives via a Trojan dropper primarily in an e-mail attachment.  For example, the current version masquerades as a resume, “my_resume.zip”.

Once executed, the Trojan dropper runs, connects to a command and control server, then downloads the actual encrypting ransomware and executes it.  The ransomware then encrypts all files it has access to (both locally and on explicitly mapped network drives with drive letter associations), and then generates a dialog that informs the user that their files have been encrypted and that they can only decrypt the files if they send an amount of money via Bitcoin to a specific Bitcoin address.  At present, very few of the ransomware variants use encryption that can be decrypted without the purchase of the private key from the ransomware vendor, and as such in most cases the encrypted files and documents must be recovered from backup.  Additionally, there is no guarantee that the ransomware vendor will actually provide the decryption key if the ransom is paid, and the method of payment they request is unable to be cancelled or refunded, and in most cases, unable to be traced.

 

Persistent, but largely predictable…

The behavior of the existing ransomware variants is all very similar, and as such, simple security steps can largely mitigate the attack risk in an organization.  Ensuring security against these types of threats requires a metered and thoughtful security approach that manages each of the possible ingress points and should be viewed end to end to ensure the confidentiality, integrity, and availability of your organization’s information.

 

What can you do?

One of the most effective methods of addressing these issues relates to managing the primary ingress point for these types of malware – your user base.  Proper security training and spear phishing training for users will substantially reduce company infection likelihood by limiting the malware’s ingress point via user action and should be completed on a quarterly basis with checks in place to ensure compliance.  Additional means for mitigating the possibility of infection without requiring the purchase of additional software include the implementation of file security policies via GPO that block the execution of specific types of files in malware specific locations.  IT organizations should also use these occurrences as a reason to reassess their backup and recovery process, as utilizing a proper backup regime with defined RPO and RTO that is tested on a frequent basis will ensure that if your environment is infected and ransomware is executed, you will have recent state in time backups to restore from to minimize data loss.  Lastly, malware detection platforms with advanced persistent threat analysis, deep malware protection and packet inspection tools such as Damballa or Cisco SourceFire with AMP can block the execution of the dropper, the execution of the encryption ransomware, and even the command and control connection to the malware vendor at a network and endpoint level.

 

Windows 10 will help!

Changes in the security behavior of Microsoft Windows in the upcoming Windows 10 release will also take tremendous steps towards removing many of the vulnerabilities and insecure file interaction behaviors that allow for this type of exploit and infection to happen.  New technologies such as the file container model and the virtualization of the primary authentication system that manages Active Directory access tokens severely limit or even fully remove the capabilities of rogue software.  These features work in concert with drive encryption to help protect the confidentiality and integrity of your company’s data by placing each individual file in a sandboxed container that uses Windows as the broker of access control between the file and any other file on the filesystem.  This means that ransomware applications like CryptoLocker will be unable to modify files or folders if explicit access has not been granted via established corporate policy.  The virtualization of the Active Directory authentication layer further protects your organization by ensuring that even if Windows 10 becomes infected with malware, rootkit, or botnet software, the unauthorized application will not have access to any mechanism to retrieve information about or forge authentication against your corporate network.


As mentioned above, administrators can implement a few group policies fairly quickly to help address the ingress points for this type of malware.  Obviously, high level solutions include deep advanced malware protection software, but if you’re on a budget and can’t afford that yet you can still help minimize the likelihood of infection beyond just simple end-user training.  Below you’ll see outlined the steps to take to implement group policy that blocks the execution of the current strands of ransomware by disallowing execution from the temporary directories that it deploys to.

GPO Creation Instructions 

1)      Log in to DC as a Domain Admin

2)      Run GPMC.MSC

3)      Create a new GPO Object and provide a descriptive name (such as AppData Restriction Policy)

4)      Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules

5)      From the Action menu, select “New Path Rule” and enter the following information:

  • Path:     %AppData%\*.exe
  • Security Level:   Disallowed
  • Description:        Block execution of applications from the %AppData% folder

6)      Do the same for the following locations:

  • Path:     %AppData%\*\*.exe
  • Path:     %LocalAppData%\*.exe
  • Path:     %LocalAppData%\*\*.exe
  • Path:     %LocalAppData%\Temp\*.zip\*.exe      (Optional) Blocks the execution of compressed .EXE files from a .ZIP compressed file
  • Path:     %LocalAppData%\Temp\7z*\*.exe        (Optional) Blocks the execution of compressed .EXE files from a .7Z compressed file
  • Path:     %LocalAppData%\Temp\Rar*\*.exe       (Optional) Blocks the execution of compressed .EXE files from a .RAR compressed file
  • Path:     %LocalAppData%\Temp\wz*\*.exe        (Optional) Blocks the execution of compressed .EXE files from a .ZIP compressed file on machines with WinZip installed

7)      Save the GPO and link to the OU that contains the target computer objects.

 

This policy blocks the execution of applications in a single or double nested subfolder in %AppData% and %LocalAppData%, blocking almost all current ransomware execution locations.  It does, however, impact a few legitimate programs.  We have detailed our known whitelist applications which should also be reviewed and whitelisted in your environment as necessary.

 

Whitelist Instructions:

  1. Have the user provide you the full path of the .EXE file that is not executing –OR- review the Event Log on the client machine as it will be indicated in the event that records the blocked software execution.
  2. Open the GPO in gpmc.msc (right click -> edit)
  3. Expand Computer Configuration -> Polices -> Windows Settings -> Security -> Software Restriction Policies -> Additional Rules
  4. Right-Click to create a new Path rule.
    1. Path should be the actual EXE file, using the %AppData% or %LocalAppData% variable.  For example “%AppData%\Spotify\Spotify.exe”
    2. Security level should be “Unrestricted”
    3. (Optional, recommended) Description should include what program is being allowed, what user requested it, and on what date it was requested.
  5. Click OK to save the policy, then close out of the GPO.
  6. (If whitelisting in response to user request) Have the end-user complete a gpupdate to receive the latest policy.

 

Known applications to whitelist:

Office Source Engine Updates (Office 2010 – Office 2013 Click to Run Updates):

  • %LocalAppData%\Temp\ose00000.exe
  • %LocalAppData%\Temp\ose00001.exe
  • %LocalAppData%\Temp\ose00002.exe
  • %LocalAppData%\Temp\ose00003.exe
  • %LocalAppData%\Temp\ose00004.exe
  • %LocalAppData%\Temp\ose00005.exe
  • %LocalAppData%\Temp\ose00006.exe
  • %LocalAppData%\Temp\ose00007.exe
  • %LocalAppData%\Temp\ose00008.exe
  • %LocalAppData%\Temp\ose00009.exe
  • %LocalAppData%\Temp\ose00010.exe

Adobe Flash 12 – 18 updates:

  • %LocalAppData%\Temp\install_flashplayer_12x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_13x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_14x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_15x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_16x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_17x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Temp\install_flashplayer_18x32ax_gtbd_chrd_dn_aaa_aih.exe
  • %LocalAppData%\Adobe\gccheck.exe
  • %LocalAppData%\Adobe\gtbcheck.exe
  • %LocalAppData%\Adobe\install_flash_player_ax.exe

Microsoft System Center Pre-requisites (Client Push):

  • %LocalAppData%\Temp\vcredist_x86.exe

GoToMeeting Installer:

  • %LocalAppData%\Temp\G2MInstallerExtractor.exe

Mozilla Firefox:

  • %LocalAppData%\Mozilla Firefox\firefox.exe

Cisco WebEx Installer/Uninstaller:

  • %LocalAppData%\atcliun.exe