Cryptowall 2.0?

L2 Linker

Cryptowall 2.0?

Starting to see Cryptowall 2.0 infections. Anyone heard any updates from PA on a threat update for this? Based on my Google search it's been in the wild for a week or so.

L3 Networker

Re: Cryptowall 2.0?

Here are some detection/prevention best practices for Cryptowall:

Palo Alto Networks firewalls detect over 242 Crypto variants and 2686 Ransom variants as of today. CryptoWall could very well be known by another name in the Cryptolock/CryptoDefense ransomware virus family, and detected by Palo Alto. But unfortunately it's not possible to say whether Palo Alto is currently detecting all the CryptoWall ransom signatures unless we have that signature variant. Once we have the signature we can investigate further and see if we are mitigating or not. Implementing Wildfire (non-license version) can help with capturing new signatures.

You can also effectively reduce the risks of this or any other malware within your organization by following the guidelines from our product management team for our Threat features: 

Use a layered approach: IPS signatures, AV, URL filtering and Wildfire for best protection 

1. IPS: consider using inline blocking with a strict policy 

2. AV: enable AV. To see our cryptolocker signatures search "LOCK" on our Threat DB portal. Keep in mind that we have added many of these samples under "Virus/Win32.generic.jnxyz"-type names: Trojan-Ransom, Ransom/Win32.crilock.cl, Trojan/Win32.lockscreen.ajq.

3. Spyware/CnC detection to find infected systems that may try to pull down variants: ensure DNS detection is enabled; look for ID #13433 "CryptoLocker Command and Control Traffic".

4. URL filtering with PANDB: prevent access to malicious/malware domains 

5. Wildfire: free version allows uploads of files for scanning; subscription version provides hourly updates 24 hours a day with the latest malware coverage from all Wildfire samples seen in the past hour.

6. File blocking: no executables should be allowed to enter an enterprise without inspection. 

7. Decryption: leverage SSL decryption to inspect all of your users' webmail sessions (doesn't let you read their mail, but it does allow you to block malware downloads).

8. Reporting: regularly look at your device's botnet report to spot any infections that came in via sneakernet.

9. Sinkhole: PAN-OS 6.0 feature to prevent infected systems from contacting command-and-control servers.

Hope that helped.

Regards

Khan

L3 Networker

Re: Cryptowall 2.0?

I would also request you to check that you have the latest version of the Application and Threat detection signatures. You can check this from Device -> Content updates -> Check now. Make sure that you download and install the latest one available.

L6 Presenter

Re: Cryptowall 2.0?

Hi Travisj,

Cryptowall was covered long back. I have a doubt about Cryptowall 2.0. I strongly suggest you check with TAC.

Regards,

Hardik Shah

L2 Linker

Re: Cryptowall 2.0?

Thank you for the responses. We have most of that in place: completely block Zips, A/V scanning, users can't download files. The new variant seems to be getting around the older threat signatures somehow. I'm still trying to figure out exactly where it entered and not having much luck.

Where would I find the botnet report mentioned? We have 2 PA-2050s with a Panorama server.

L6 Presenter

Re: Cryptowall 2.0?

Hi Travisj,

Refer to the following document; it has information about Botnet configuration and reports. Let me know if that helps.

Botnet Report in PAN-OS 4.0

Again, you may want to check with TAC on the new variant.

Regards,

Hardik Shah

L0 Member

Re: Cryptowall 2.0?

We have been hit by CryptoWall 2.0 also, behind our PA-500, and we have done/implemented all of the suggestions in kattaullah's post prior to the attack.  I am also awaiting an Application/Threat upload by Palo Alto.

L2 Linker

Re: Cryptowall 2.0?

After researching last week I found out that the new variant uses TOR for command and control. I blocked the TOR application using a security rule and that seems to have stopped it from actually doing any encrypting on new infections. I've only seen a couple since last Thursday, so it looks like a new update to either PA or McAfee might be detecting and blocking the new variant now.

jhartsook: the rule I used, if interested, is:

from zone ANY to zone UNTRUST, Application TOR, Service ANY (make sure to change this off "default application" so that it will block on any port)
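A way to verify that a rule like the one above is actually catching Tor sessions on every port: pull the traffic log with the PAN-OS XML API query `(app eq tor)` and flag any session the firewall still allowed, grouped by internal source host. This is an added example, not code from the thread or from Palo Alto Networks; the XML layout and the log entries below are constructed for illustration, so check field names against your own firewall's output.

```python
"""Find Tor sessions that a PAN-OS security rule did not block.
Added example; not from the thread or from Palo Alto Networks.
Assumes the <entry> layout of a PAN-OS XML-API traffic-log query result
(type=log&log-type=traffic&query=(app eq tor)); the sample is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: four Tor sessions, one already hit a "block-tor" rule,
# three matched a permissive web rule on non-standard ports and were allowed.
SAMPLE_LOG_XML = """<response status="success"><result><log><logs count="4" progress="100">
<entry logid="1"><receive_time>2014/10/20 09:12:01</receive_time><src>10.1.5.23</src><dst>198.51.100.7</dst><dport>9001</dport><app>tor</app><rule>allow-web</rule><action>allow</action></entry>
<entry logid="2"><receive_time>2014/10/20 09:12:09</receive_time><src>10.1.5.23</src><dst>198.51.100.8</dst><dport>443</dport><app>tor</app><rule>block-tor</rule><action>deny</action></entry>
<entry logid="3"><receive_time>2014/10/20 09:13:44</receive_time><src>10.1.7.40</src><dst>203.0.113.9</dst><dport>8443</dport><app>tor</app><rule>allow-web</rule><action>allow</action></entry>
<entry logid="4"><receive_time>2014/10/20 09:14:02</receive_time><src>10.1.5.23</src><dst>203.0.113.9</dst><dport>8443</dport><app>tor</app><rule>allow-web</rule><action>allow</action></entry>
</logs></log></result></response>"""


def parse_traffic_log(xml_text):
    """Return one dict per <entry>, keyed by the child element's tag name."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "") for child in entry}
            for entry in root.iter("entry")]


def unblocked_tor_sessions(entries):
    """Tor sessions the firewall allowed, grouped by internal source address.
    Each value is a list of (destination port, rule that allowed it)."""
    hits = defaultdict(list)
    for e in entries:
        if e.get("app") == "tor" and e.get("action") == "allow":
            hits[e["src"]].append((e["dport"], e["rule"]))
    return dict(hits)


def summarize(entries):
    """Counts plus the hosts to investigate and the rules that let Tor through."""
    hosts = unblocked_tor_sessions(entries)
    return {"allowed": sum(len(v) for v in hosts.values()),
            "hosts": sorted(hosts),
            "rules": sorted({rule for v in hosts.values() for _, rule in v})}


if __name__ == "__main__":
    report = summarize(parse_traffic_log(SAMPLE_LOG_XML))
    print("allowed Tor sessions:", report["allowed"])
    print("hosts to check:", ", ".join(report["hosts"]))
    print("rules letting Tor through:", ", ".join(report["rules"]))
```

Any host in the output is a candidate for the infected-machine hunt the thread describes, and any rule listed is one whose service setting is still letting the Tor App-ID slip past on a non-standard port.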

L2 Linker

Re: Cryptowall 2.0?

And it looks like the Botnet report does not exist in PAN-OS 6.0.

L7 Applicator

Re: Cryptowall 2.0?

A recently published writeup on the Palo Alto Networks Blog regarding CryptoWall 2.0 infection vectors, best practices, etc.:

Tracking New Ransomware CryptoWall 2.0 - Palo Alto Networks Blog
