Cryptowall 2.0?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cryptowall 2.0?

L2 Linker

Starting to see Cryptowall 2.0 infections  anyone heard any updates from PA  on a threat update for this?   based on my google search it's been in the wild for a week or so.

10 REPLIES 10

L3 Networker

Here are some detection/prevention best practices Cryptowall: 

Palo Alto Networks firewall detect over 242 Crypto variants and 2686 Ransom variants as of today. CryproWall could very well be known by another name in the Cryptolock/CryptoDefense ransom ware virus family; and detected by Palo Alto. But unfortunately it's not possible to say weather Palo Alto is currently detecting all the CryptoWall Ransom signature unless we have that signature variant. Once we have the signature we can investigate further and see if we are mitigating or not. Implementing Wildfire (non-license version) can help with capturing new signatures. 

You can also effectively reduce the risks of this or any other malware within your organization by following the guidelines from our product management team for our Threat features: 

Use a layered approach: IPS signatures, AV, URL filtering and Wildfire for best protection 

1. IPS: consider using inline blocking with a strict policy 

2. AV: enable AV. To see our cryptolocker signatures search "LOCK" on our Threat DB portal. Keep in mind that we have added many of these samples under the names: Virus/Win32.generic.jnxyz" type name. Trojan-Ransom, Ransom/Win32.crilock.cl, Trojan/Win32.lockscreen.ajq 

3. Spyware/CnC detection to find infected systems that may try to pull down variants: ensure DNS detection is enabled; Look for ID # 13433 "CryptoLocker Command and Control Traffic" 

4. URL filtering with PANDB: prevent access to malicious/malware domains 

5: Wildfire: free version allows uploads of files for scanning; subscription version provides hourly updates 24 hours a day with latest malware coverage from all Wildfire samples seen in the past hour 

6. File blocking: no executables should be allowed to enter an enterprise without inspection. 

7. Decryption: leverage SSL decryption to inspect all of your user's webmail sessions (doesn't let you read their mail, but it does allow you to block malware downloads). 

8. Reporting: regularly look at your device's botnet report to spot any infections that came in via sneaker net 

9. Sinkhole: PAN-OS 6.0 feature to prevent infected systems from contacting command-and-control servers 

Hope that helped.

Regards

Khan

I would also request you to check if you have the latest version of Application and Threat detection signatures. You can check this from Device->Content updates-> Check now. Make sure that you download and install the new latest one available.

L6 Presenter

Hi Travisj,

Cryptowall was covered long back. I have a doubt abour cryptowall 2.0. I strongly suggest you to check with TAC.

Regards,

Hardik Shah

L2 Linker

Thank you for the responses.  We have most of that in place, completely block Zips, A/v scanning, users can't download files.   The new varient seems to be getting around the older threat signatures somehow.   I'm still trying to figure out exactly where it entered at and not having much luck.

Where would i find the botnet report mentioned?  We have 2 pa2050's with a panorama server.

Hi Travisj,

Refer following document it has information about Bonet configuration and Reports. Let me know if that helps.

Botnet Report in PAN-OS 4.0

Again, you may want to check with TAC on new variant.

Regards,

Hardik Shah

L0 Member

We have been hit by CryptoWall 2.0 also, behind our PA-500, and we have done/implemented all of the suggestions in kattaullah's post prior to the attack.  I am also awaiting an Application/Threat upload by Palo Alto.

L2 Linker

After researching last week I found out that the new variant uses TOR for Command and Control.  I blocked TOR application using security rule and that seems to have stopped it from actually doing any encrypting on new infections.  Only seen a couple since last Thursday so it looks like a new update to either PA or McAffee might be detecting and blocking the new variant now.

jhartsook:  the rule I used if interested is:

from zone ANY  to zone UNTRUST   Application TOR   Service ANY   (make sure to change this off "default application" so that it will block on any port)

And it looks like the Botnet report does not exist in 6.0 panos

L7 Applicator

A recently published writeup on the Palo Alto Networks Blog regarding cryptowall 2.0 infection vectors, best practices etc:

Tracking New Ransomware CryptoWall 2.0 - Palo Alto Networks BlogPalo Alto Networks Blog

L3 Networker

Cryptowall 2.0 is going through our PALO's as well.  I have the hash for it, i need a way to give it to Support.

  • 5686 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!