10-15-2014 01:34 PM
Starting to see Cryptowall 2.0 infections. Anyone heard any updates from PA on a threat update for this? Based on my Google search it's been in the wild for a week or so.
10-15-2014 01:40 PM
Here are some detection/prevention best practices for Cryptowall:
Palo Alto Networks firewalls detect over 242 Crypto variants and 2686 Ransom variants as of today. CryptoWall could very well be known by another name in the Cryptolock/CryptoDefense ransomware virus family, and detected by Palo Alto. But unfortunately it's not possible to say whether Palo Alto is currently detecting all the CryptoWall Ransom signatures unless we have that signature variant. Once we have the signature we can investigate further and see if we are mitigating or not. Implementing Wildfire (non-license version) can help with capturing new signatures.
You can also effectively reduce the risks of this or any other malware within your organization by following the guidelines from our product management team for our Threat features:
Use a layered approach: IPS signatures, AV, URL filtering and Wildfire for best protection
1. IPS: consider using inline blocking with a strict policy
2. AV: enable AV. To see our cryptolocker signatures search "LOCK" on our Threat DB portal. Keep in mind that we have added many of these samples under names of the "Virus/Win32.generic.jnxyz" type: Trojan-Ransom, Ransom/Win32.crilock.cl, Trojan/Win32.lockscreen.ajq
3. Spyware/CnC detection to find infected systems that may try to pull down variants: ensure DNS detection is enabled; look for ID # 13433 "CryptoLocker Command and Control Traffic"
4. URL filtering with PANDB: prevent access to malicious/malware domains
5. Wildfire: free version allows uploads of files for scanning; subscription version provides hourly updates 24 hours a day with latest malware coverage from all Wildfire samples seen in the past hour
6. File blocking: no executables should be allowed to enter an enterprise without inspection.
7. Decryption: leverage SSL decryption to inspect all of your users' webmail sessions (doesn't let you read their mail, but it does allow you to block malware downloads).
8. Reporting: regularly look at your device's botnet report to spot any infections that came in via sneaker net
9. Sinkhole: PAN-OS 6.0 feature to prevent infected systems from contacting command-and-control servers
Hope that helped.
Regards
Khan
10-15-2014 01:48 PM
I would also request you to check that you have the latest version of the Application and Threat detection signatures. You can check this from Device -> Content Updates -> Check Now. Make sure that you download and install the latest one available.
10-15-2014 02:14 PM
Thank you for the responses. We have most of that in place: completely block zips, A/V scanning, users can't download files. The new variant seems to be getting around the older threat signatures somehow. I'm still trying to figure out exactly where it entered and not having much luck.
Where would I find the botnet report mentioned? We have 2 PA-2050s with a Panorama server.
10-15-2014 02:24 PM
Hi Travisj,
Refer to the following document; it has information about Botnet configuration and reports. Let me know if that helps.
Again, you may want to check with TAC on new variant.
Regards,
Hardik Shah
10-20-2014 06:27 AM
We have been hit by CryptoWall 2.0 also, behind our PA-500, and we have done/implemented all of the suggestions in kattaullah's post prior to the attack. I am also awaiting an Application/Threat upload by Palo Alto.
10-21-2014 07:49 AM
After researching last week I found out that the new variant uses TOR for command and control. I blocked the TOR application using a security rule, and that seems to have stopped it from actually doing any encrypting on new infections. Only seen a couple since last Thursday, so it looks like a new update to either PA or McAfee might be detecting and blocking the new variant now.
jhartsook: the rule I used if interested is:
from zone ANY to zone UNTRUST Application TOR Service ANY (make sure to change this off "default application" so that it will block on any port)
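Added example, not part of any reply in this thread: a short Python script that walks a firewall log export for the two C2 indicators discussed above (the spyware signature with threat ID 13433 from Khan's list and the tor App-ID from the rule above) and lists the internal hosts that triggered them. The CSV columns and the log lines are a constructed, simplified layout, not the real PAN-OS export format, which has many more fields.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, NOT a real PAN-OS log. Real threat/traffic log
# exports have many more columns; this header is a simplified assumption.
SAMPLE_LOG = """\
time,type,src,dst,app,threat_id,threat_name,action
2014/10/20 09:01:12,TRAFFIC,10.1.5.23,198.51.100.7,web-browsing,,,allow
2014/10/20 09:02:45,THREAT,10.1.5.23,203.0.113.9,unknown-tcp,13433,CryptoLocker Command and Control Traffic,alert
2014/10/20 09:03:10,TRAFFIC,10.1.5.23,203.0.113.44,tor,,,deny
2014/10/20 09:05:00,TRAFFIC,10.1.7.8,203.0.113.44,tor,,,allow
2014/10/20 09:06:30,TRAFFIC,10.1.9.2,198.51.100.7,ssl,,,allow
"""

# Indicators named in the thread: the CryptoLocker C2 spyware signature
# (threat ID 13433) and the Tor App-ID the new variant used for C2.
C2_THREAT_IDS = {"13433"}
C2_APPS = {"tor"}


def find_suspect_hosts(log_text: str) -> dict[str, list[str]]:
    """Return {source IP: [reasons]} for hosts showing C2 indicators.

    A Tor session that was already denied is still reported: the attempt
    itself means the host is probably infected, and the deny rule only
    stops the callback, not the infection behind it.
    """
    suspects: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        src = row["src"]
        if row["threat_id"] in C2_THREAT_IDS:
            suspects[src].append(f"threat {row['threat_id']} ({row['threat_name']})")
        if row["app"] in C2_APPS:
            suspects[src].append(f"app {row['app']} to {row['dst']} ({row['action']})")
    return dict(suspects)


if __name__ == "__main__":
    for host, reasons in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

On a real export, map the column names in the header to the fields your PAN-OS version writes before running it.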
10-21-2014 07:54 AM
And it looks like the Botnet report does not exist in PAN-OS 6.0.
10-27-2014 08:32 AM
A recently published writeup on the Palo Alto Networks Blog regarding CryptoWall 2.0 infection vectors, best practices etc.:
Tracking New Ransomware CryptoWall 2.0 - Palo Alto Networks Blog