CryptoWall continues to infect and plague both companies and consumers. At this point it is estimated that tens of thousands of machines have been infected and that the perpetrators of CryptoWall have sent millions of emails. While anti-virus software can block some variants of CryptoWall, the speed with which criminals are releasing new variants makes it necessary to consider additional protections.
In our earlier posting we provided an overview of CryptoWall. In this update we detail measures you can consider implementing to help mitigate your risk. We understand that there are challenges in implementing additional security measures and that these can directly affect your productivity. To help with this, we have ordered the following suggestions beginning with those that are most practical and offer the greatest benefit. At a minimum, we strongly advise that you address the first three items.
- Ensure you have good backups. Good backups will allow you to recover previous versions of encrypted files. You may of course still lose files that were created or changed but have not yet gone through a backup cycle.
- Refresh your end user training. Most exploits gain their foothold through social engineering. Companies should have an acceptable use policy in place that instructs end users on safe internet practices and how they can use corporate devices in accessing the intranet.
- Update and patch your software. Malware, including CryptoWall, frequently exploits outdated software with known vulnerabilities. Make sure you follow a practice of updating your software often. This includes updates to the operating system, third party add-ons such as Flash and Java, Groupware applications such as Microsoft Office, and line of business applications.
- If you have the Java Runtime Engine (JRE) installed make sure you actually need it and that you have the latest version. If your business applications do not require JRE then remove it.
- Show full file extensions. As mentioned, one method that CryptoWall uses to deliver an infected file is a PDF file that is actually an ‘.EXE’ file (‘file name.PDF.EXE’). If you configure the operating system to display the full file extension, it may be easier for users to identify suspicious files.
- Consider running your spam filter in a more aggressive mode to block even more threats. The downside can be additional false positives that you will need to deal with through whitelisting or other means.
- Filter files in email. If you have the ability to filter files by extension, you can deny emails that are sent with an ‘.EXE’ attachment. Some CryptoWall files are being sent with two extensions, ‘.PDF.EXE’; again, blocking the ‘.EXE’ extension would prevent delivery to an end user. If you elect to filter executable files and you do need to exchange these files, you could still accomplish this through a cloud service offering or by embedding and sending these files within a ZIP file (assuming you are not blocking ZIP files).
- Block files from running from the AppData/LocalAppData folders. CryptoWall has historically run its executable from the AppData or LocalAppData folders. If you prevent executables from running in these folders, you take another step in mitigating the potential for infection. Software commonly runs from the Program Files area; if you do have legitimate software that needs to run from the AppData/LocalAppData folders, you can exclude that software from the rule that blocks execution from these two folders.
- Disable RDP. CryptoWall can spread via Remote Desktop Protocol (RDP) ports that have been left open to the internet. RDP, a Microsoft utility that grants others remote access to your desktop, can be a valuable tool, but if your organization does not require it you can disable RDP to help mitigate risk.
- Block access to “Tor” web anonymizing sites at your firewall. Recent information shows that these sites are being used as part of the C2 or Command and Control network by the criminals.
- Use UNC names. As opposed to mapping drives, use UNC names to connect to other devices (servers, cloud storage, etc.). Remember that CryptoLocker infects not only your local desktop but will also encrypt files on any mapped drives, such as network, cloud-based, or USB drives, that you have assigned a drive letter. Moving to UNC names will remove the risk of an infected system possibly infecting other devices.
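
The check described under "Filter files in email", combined with the ‘.PDF.EXE’ disguise noted under "Show full file extensions", as an added example that is not part of the original post: it parses a message and classifies each attachment by its real final extension. The decoy extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# The post names only '.EXE'; extend this set to match your own policy.
BLOCKED_EXTENSIONS = {".exe"}
# Assumed list of harmless-looking extensions used as a disguise ('.pdf' is from the post).
DECOY_EXTENSIONS = {".pdf", ".doc", ".xls", ".jpg"}

def classify_filename(name):
    """Return 'double-extension', 'blocked' or 'allow' for one attachment name."""
    # Win32 path handling drops trailing dots and spaces, so 'a.pdf.exe. '
    # is still saved and run as an .exe; normalise before comparing.
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.rsplit(".", 2)
    final = "." + parts[-1] if len(parts) > 1 else ""
    if final not in BLOCKED_EXTENSIONS:
        return "allow"
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTENSIONS:
        return "double-extension"
    return "blocked"

def scan_message(raw_bytes):
    """Return [(filename, verdict)] for every named part of a raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()  # decodes RFC 2231 / quoted names
        if filename:
            results.append((filename, classify_filename(filename)))
    return results

def build_sample():
    """Constructed sample message with three attachments (not real traffic)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    for data, name in [(b"MZ", "Invoice 2014.PDF.EXE"),
                       (b"%PDF-1.4", "report.pdf"),
                       (b"MZ", "setup.exe")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A filter built this way would reject both the "blocked" and "double-extension" verdicts; the separate verdict is useful mainly for logging how often the disguise is attempted.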