Got hit by CryptoLocker? Look beyond Anti-Virus


Note: Lockstep has prepared a webinar covering this topic and will be performing a live demonstration of these technologies next Monday at 10 AM EST. Reserve your seat now!

Have you been hit by CryptoLocker? If so, you’re not alone. More than a few customers have reached out to us over the last few weeks for help dealing with this nasty piece of malware. Unfortunately, for all of these customers, recovery meant restoring their encrypted files from backup (assuming they had a good one). Some even considered paying the ransom.

CryptoLocker has been particularly nasty for a few reasons:

  1. No Admin rights required. CryptoLocker encrypts data using standard user rights, so all the efforts to restrict administrative PC access in your environment (while still important) do nothing to mitigate that risk.
  2. Immediate Business Productivity Impact. Because CryptoLocker encrypts (and renders unreadable) all files that a user has access to in a corporate environment, it has a particularly devastating effect on large swaths of the user community. While other pieces of malware and viruses may be annoying, this malware has an immediate and direct effect on a corporation’s bottom line and user productivity.

Why Anti-Virus is not enough

OK, so isn’t anti-virus supposed to stop malware like CryptoLocker? Don’t all companies have anti-virus these days? The short answer is, yes. However, the problem with anti-virus software is that it relies on signatures to prevent malware. That is, all of the PCs and laptops within your environment must always be up to date or else they’re vulnerable. This is easier said than done. There are always instances where a PC may be offline or unable to connect to the A/V update services for one reason or another. Invariably, the user without the update will be the one who clicks on that link you’ve always told them not to, and then you have a major problem.

A Modern Approach – Forget Signatures, Block Unapproved Executables for Zero Day Protection

As we outlined before, CryptoLocker leverages standard user rights to run an executable to create the CryptoLocker encryption keys and then encrypt your data. So this begs the question: why should corporate users be able to execute non-approved executables?

If we block non-IT approved programs and applications, most modern malware could be stopped without relying on anti-virus signatures. Now, by no means are we advocating that you not use anti-virus; rather, this is an additional approach that can be used in tandem with anti-virus to mitigate your risk.

OK, so how?

The Hard Way – Restrict Application Execution with Microsoft Software Restriction Policies

Since Windows XP, Microsoft has provided a mechanism for blocking the execution of applications based on Group Policy. Basically, you define which applications you want to block and the locations on the file system where the executables reside.

A number of people have posted entries on how to block CryptoLocker using this mechanism (http://bit.ly/I7LO3h). In this scenario, we block all .exe’s that try to run under the AppData folder.

What’s the problem with this? It’s a moving target. While this may address the CryptoLocker problem, it’s an “all-or-nothing” approach that may cause problems with poorly written apps that may run out of AppData and it will not protect from other zero-day malware that may execute from another location. Software Restriction Policies require specifying a “whitelist” or “blacklist” of applications – something that requires a lot of management overhead which is something most admins don’t want!

The Easy Way – “Trusted Ownership” with AppSense Application Manager

Instead of dealing with “whitelisting” and “blacklisting” of applications, AppSense’s Application Manager product has a novel way of handling unapproved applications – it allows execution if the NTFS owner permission on the file is set to approved administrative users or accounts within your domain. So, basically, if the application was installed by an administrator (or packaging service accounts), it is allowed to run. Otherwise, it is not and is blocked.

When a user downloads an application (or piece of malware) from the Internet – the user account is the NTFS file owner for that app – therefore it will be blocked from execution based on simple NTFS permissions. It’s a great tool in your arsenal to block malware like CryptoLocker and other zero-day threats without worrying about anti-virus signatures. Keep in mind, it’s not an A/V replacement (nobody is advocating that) but it is a great way to manage approved applications in your environment and can mitigate many other risks. See our blog reference here for using Application Manager to manage software license compliance.
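To make the difference between the two approaches concrete, here is an added audit script (not AppSense or Microsoft code) that walks a user profile and evaluates every executable against both rules described above: the path-based SRP rule (block anything under AppData) and a trusted-ownership rule (allow only if the NTFS owner is an approved principal). The trusted-owner list and the report format are assumptions for illustration; adjust them for your domain.

```powershell
# Added example: compare a path-based block rule with a trusted-ownership rule
# over the executables in a user profile. Read-only: it reports, it blocks nothing.
param(
    [string]$Root = $env:USERPROFILE,
    # Assumed trusted owners; real deployments would list their own admin
    # accounts and packaging service accounts here.
    [string[]]$TrustedOwners = @(
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller',
        'NT AUTHORITY\SYSTEM'
    )
)

# SRP-style path rule from the page: anything under AppData is blocked,
# regardless of who put it there.
function Test-BlockedByPathRule([string]$Path) {
    return $Path -like "$env:USERPROFILE\AppData\*"
}

# Trusted-ownership rule: a file is allowed only if its NTFS owner is trusted.
# A binary the user downloaded is owned by the user, so it is blocked.
function Test-BlockedByOwnership([string]$Owner, [string[]]$Trusted) {
    return -not ($Trusted -contains $Owner)
}

Get-ChildItem -LiteralPath $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner      = (Get-Acl -LiteralPath $_.FullName).Owner
        $pathBlock  = Test-BlockedByPathRule $_.FullName
        $ownerBlock = Test-BlockedByOwnership $owner $TrustedOwners
        [pscustomobject]@{
            File            = $_.FullName
            Owner           = $owner
            PathRuleBlocks  = $pathBlock
            OwnerRuleBlocks = $ownerBlock
            # Disagreements are the "moving target" cases: an admin-installed app
            # living in AppData (path blocks, owner allows) or a user-owned binary
            # outside AppData (path allows, owner blocks).
            RulesDisagree   = ($pathBlock -ne $ownerBlock)
        }
    } |
    Sort-Object RulesDisagree -Descending |
    Format-Table -AutoSize
```

Rows with RulesDisagree set to True are the ones worth reviewing first: they show exactly where a path rule would either break a legitimate application or miss a user-owned executable that ownership checking would catch.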

For more detailed technical aspects of Application Manager (and its use against CryptoLocker), see this great blog post by James Rankin.

The One-Two Punch – Application Execution Prevention and a Modern Datacenter Firewall

CryptoLocker affected most businesses by encrypting their file shares on their corporate servers. So why aren’t your servers behind your firewalls? And, more importantly, can your firewalls detect and mitigate threats like CryptoLocker, even if they are?

If you’re still using a port based firewall (think Cisco ASA), then you’re out of luck here. However, modern application-aware firewalls like Palo Alto Networks’ firewalls don’t work like traditional port-based firewalls; instead they classify traffic based on the application. This is important since most traffic works over port 80 or 443 and mitigating modern threats requires the ability to classify the app that is actually running over the port.

Firewalls like the Palo Alto Networks range allow you to protect both at the perimeter/Internet as well as in the datacenter. Palo Alto provides Threat Protection, which utilizes a signature based mechanism to block malware as it comes in from the Internet and, if you place your server infrastructure behind them, allows you to protect the crown jewels in the event that the virus or malware is introduced by a rogue PC/USB drive, etc.

Also, one of the other great things about Palo Alto Networks is the ability to easily report on what malware exists in your environment. Once you’ve put it in-line (or SPAN your Internet port), you can easily produce an Application Vulnerability Report that will give you unparalleled visibility into the current landscape of applications running on your network. You can download a sample AVR report here to see the type of information a Palo Alto Networks firewall will give you access to and the granular application control they make possible.

Utilizing AppSense Application Manager will allow easy control and administration of executables on your network. Combined with a modern next-generation firewall like a Palo Alto Networks solution, you will be able to stack the odds in your favor and protect your vital data from today’s threats like CryptoLocker and whatever threats tomorrow may hold.