Starting to see Cryptowall 2.0 infections anyone heard any updates from PA on a threat update for this? based on my google search it's been in the wild for a week or so.
Here are some detection/prevention best practices Cryptowall:
Palo Alto Networks firewall detect over 242 Crypto variants and 2686 Ransom variants as of today. CryproWall could very well be known by another name in the Cryptolock/CryptoDefense ransom ware virus family; and detected by Palo Alto. But unfortunately it's not possible to say weather Palo Alto is currently detecting all the CryptoWall Ransom signature unless we have that signature variant. Once we have the signature we can investigate further and see if we are mitigating or not. Implementing Wildfire (non-license version) can help with capturing new signatures.
You can also effectively reduce the risks of this or any other malware within your organization by following the guidelines from our product management team for our Threat features:
Use a layered approach: IPS signatures, AV, URL filtering and Wildfire for best protection
1. IPS: consider using inline blocking with a strict policy
2. AV: enable AV. To see our cryptolocker signatures search "LOCK" on our Threat DB portal. Keep in mind that we have added many of these samples under the names: Virus/Win32.generic.jnxyz" type name. Trojan-Ransom, Ransom/Win32.crilock.cl, Trojan/Win32.lockscreen.ajq
3. Spyware/CnC detection to find infected systems that may try to pull down variants: ensure DNS detection is enabled; Look for ID # 13433 "CryptoLocker Command and Control Traffic"
4. URL filtering with PANDB: prevent access to malicious/malware domains
5: Wildfire: free version allows uploads of files for scanning; subscription version provides hourly updates 24 hours a day with latest malware coverage from all Wildfire samples seen in the past hour
6. File blocking: no executables should be allowed to enter an enterprise without inspection.
7. Decryption: leverage SSL decryption to inspect all of your user's webmail sessions (doesn't let you read their mail, but it does allow you to block malware downloads).
8. Reporting: regularly look at your device's botnet report to spot any infections that came in via sneaker net
9. Sinkhole: PAN-OS 6.0 feature to prevent infected systems from contacting command-and-control servers
Hope that helped.
I would also request you to check if you have the latest version of Application and Threat detection signatures. You can check this from Device->Content updates-> Check now. Make sure that you download and install the new latest one available.
Thank you for the responses. We have most of that in place, completely block Zips, A/v scanning, users can't download files. The new varient seems to be getting around the older threat signatures somehow. I'm still trying to figure out exactly where it entered at and not having much luck.
Where would i find the botnet report mentioned? We have 2 pa2050's with a panorama server.
Refer following document it has information about Bonet configuration and Reports. Let me know if that helps.
Again, you may want to check with TAC on new variant.
We have been hit by CryptoWall 2.0 also, behind our PA-500, and we have done/implemented all of the suggestions in kattaullah's post prior to the attack. I am also awaiting an Application/Threat upload by Palo Alto.
After researching last week I found out that the new variant uses TOR for Command and Control. I blocked TOR application using security rule and that seems to have stopped it from actually doing any encrypting on new infections. Only seen a couple since last Thursday so it looks like a new update to either PA or McAffee might be detecting and blocking the new variant now.
jhartsook: the rule I used if interested is:
from zone ANY to zone UNTRUST Application TOR Service ANY (make sure to change this off "default application" so that it will block on any port)
A recently published writeup on the Palo Alto Networks Blog regarding cryptowall 2.0 infection vectors, best practices etc:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!