topic Re: Cryptowall 2.0? in General Topics

Cryptowall 2.0?

travisj — Wed, 15 Oct 2014 20:34:08 GMT

Starting to see Cryptowall 2.0 infections anyone heard any updates from PA on a threat update for this? based on my google search it's been in the wild for a week or so.

Re: Cryptowall 2.0?

kattaullah — Wed, 15 Oct 2014 20:40:15 GMT

Here are some detection/prevention best practices Cryptowall:

Palo Alto Networks firewall detect over 242 Crypto variants and 2686 Ransom variants as of today. CryproWall could very well be known by another name in the Cryptolock/CryptoDefense ransom ware virus family; and detected by Palo Alto. But unfortunately it's not possible to say weather Palo Alto is currently detecting all the CryptoWall Ransom signature unless we have that signature variant. Once we have the signature we can investigate further and see if we are mitigating or not. Implementing Wildfire (non-license version) can help with capturing new signatures.

You can also effectively reduce the risks of this or any other malware within your organization by following the guidelines from our product management team for our Threat features:

Use a layered approach: IPS signatures, AV, URL filtering and Wildfire for best protection

1. IPS: consider using inline blocking with a strict policy

2. AV: enable AV. To see our cryptolocker signatures search "LOCK" on our Threat DB portal. Keep in mind that we have added many of these samples under the names: Virus/Win32.generic.jnxyz" type name. Trojan-Ransom, Ransom/Win32.crilock.cl, Trojan/Win32.lockscreen.ajq

3. Spyware/CnC detection to find infected systems that may try to pull down variants: ensure DNS detection is enabled; Look for ID # 13433 "CryptoLocker Command and Control Traffic"

4. URL filtering with PANDB: prevent access to malicious/malware domains

5: Wildfire: free version allows uploads of files for scanning; subscription version provides hourly updates 24 hours a day with latest malware coverage from all Wildfire samples seen in the past hour

6. File blocking: no executables should be allowed to enter an enterprise without inspection.

7. Decryption: leverage SSL decryption to inspect all of your user's webmail sessions (doesn't let you read their mail, but it does allow you to block malware downloads).

8. Reporting: regularly look at your device's botnet report to spot any infections that came in via sneaker net

9. Sinkhole: PAN-OS 6.0 feature to prevent infected systems from contacting command-and-control servers

Hope that helped.

Regards

Khan

Re: Cryptowall 2.0?

kattaullah — Wed, 15 Oct 2014 20:48:40 GMT

I would also request you to check if you have the latest version of Application and Threat detection signatures. You can check this from Device->Content updates-> Check now. Make sure that you download and install the new latest one available.

Re: Cryptowall 2.0?

hshah — Wed, 15 Oct 2014 21:03:11 GMT

Hi Travisj,

Cryptowall was covered long back. I have a doubt abour cryptowall 2.0. I strongly suggest you to check with TAC.

Regards,

Hardik Shah

Re: Cryptowall 2.0?

travisj — Wed, 15 Oct 2014 21:14:00 GMT

Thank you for the responses. We have most of that in place, completely block Zips, A/v scanning, users can't download files. The new varient seems to be getting around the older threat signatures somehow. I'm still trying to figure out exactly where it entered at and not having much luck.

Where would i find the botnet report mentioned? We have 2 pa2050's with a panorama server.

Re: Cryptowall 2.0?

hshah — Wed, 15 Oct 2014 21:24:00 GMT

Hi Travisj,

Refer following document it has information about Bonet configuration and Reports. Let me know if that helps.

Botnet Report in PAN-OS 4.0

Again, you may want to check with TAC on new variant.

Regards,

Hardik Shah

Re: Cryptowall 2.0?

jhartsook — Mon, 20 Oct 2014 13:27:53 GMT

We have been hit by CryptoWall 2.0 also, behind our PA-500, and we have done/implemented all of the suggestions in kattaullah's post prior to the attack. I am also awaiting an Application/Threat upload by Palo Alto.

Re: Cryptowall 2.0?

travisj — Tue, 21 Oct 2014 14:49:01 GMT

After researching last week I found out that the new variant uses TOR for Command and Control. I blocked TOR application using security rule and that seems to have stopped it from actually doing any encrypting on new infections. Only seen a couple since last Thursday so it looks like a new update to either PA or McAffee might be detecting and blocking the new variant now.

jhartsook: the rule I used if interested is:

from zone ANY to zone UNTRUST Application TOR Service ANY (make sure to change this off "default application" so that it will block on any port)

Re: Cryptowall 2.0?

travisj — Tue, 21 Oct 2014 14:54:08 GMT

And it looks like the Botnet report does not exist in 6.0 panos

Re: Cryptowall 2.0?

goku123 — Mon, 27 Oct 2014 15:32:09 GMT

A recently published writeup on the Palo Alto Networks Blog regarding cryptowall 2.0 infection vectors, best practices etc:

Tracking New Ransomware CryptoWall 2.0 - Palo Alto Networks BlogPalo Alto Networks Blog

Re: Cryptowall 2.0?

markk96 — Thu, 06 Nov 2014 00:58:20 GMT

Cryptowall 2.0 is going through our PALO's as well. I have the hash for it, i need a way to give it to Support.