Crypto-type malware is particularly nasty to deal with because it encrypts files. While an infected file has had code added to it which antivirus can remove, an encrypted file isn’t repairable without the unique encryption key that was used. The criminals using crypto-type malware intend to sell you the unique key, giving you access to your files for a price. For this reason, crypto-type malware is also frequently called Ransomware.
The key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.
Preventive Measures
- Do not follow unsolicited web links in email messages or submit any information to webpages in links.
- Use caution when opening email attachments.
- Keep operating systems and software, including anti-virus, up-to-date with the latest patches.
- Perform regular backups of all systems and data so that an attack does not have serious consequences.
Typically, we see crypto-type malware delivered by exploit kits on compromised web pages. Exploit kits actively probe a visiting machine and deliver threats through any exploitable vulnerabilities they are able to detect. For this reason we advise that, along with IPS, the operating system, web browsers, Java installations, and all other software be kept up to date with the latest patches.
Currently we are seeing an increase in reports of a crypto-malware called “CTB-Locker”. Diagnosing a specific variant from a picture is difficult, as the criminals frequently re-use the digital “ransom note”, but for the spam campaign currently underway we detect the final payload as Trojan.Cryptolocker.E.
The current malicious spam campaign has one additional detail which can be used to control outbreaks. The initial attack vector is an email with a ZIP attachment claiming to be a fax or invoice. The ZIP contains a threat we identify as Downloader.Ponik, and this is what downloads the crypto malware. The downloaded file is typically a .SCR, which gives you two additional tools to prevent an infection:
- Block SCR attachments at the mail gateway
- Implement an Application and Device Control policy in SEP or via a GPO that prevents SCR files from executing across the network.
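The first of these two controls, blocking SCR attachments at the mail gateway, has to look inside the ZIP rather than just at the attachment name, because the .SCR in this campaign is nested in the archive and is often given a double extension such as fax.pdf.scr. The following Python script is an added example of that gateway check; it is not Symantec's code or part of any product. It assumes a blocked-extension list beyond .scr, a nesting limit, and a constructed sample message built in the script itself (no real malware is involved).

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .scr is the extension called out for this campaign; the rest of the set is an
# assumption covering other directly executable attachment types.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
MAX_NESTING = 3  # assumption: how many levels of nested ZIPs to inspect


def _is_blocked(name: str) -> bool:
    """True if the final extension is blocked; 'fax.pdf.scr' still ends in .scr."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_names_in_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return member names (recursing into nested ZIPs) whose extension is blocked."""
    found: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if _is_blocked(name):
                    found.append(name)
                elif name.lower().endswith(".zip") and depth < MAX_NESTING:
                    inner = blocked_names_in_zip(zf.read(info), depth + 1)
                    found.extend(f"{name}/{n}" for n in inner)
    except zipfile.BadZipFile:
        # Not a readable ZIP; a production gateway would normally quarantine
        # undecodable archives rather than pass them through silently.
        pass
    return found


def scan_message(raw: bytes) -> list[str]:
    """Scan every attachment of an RFC 822 message and return the reasons to block it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons: list[str] = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _is_blocked(filename):
            reasons.append(f"direct attachment {filename}")
        # Check archives by magic bytes as well as by name, so a renamed ZIP is still opened.
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for inner in blocked_names_in_zip(payload):
                reasons.append(f"{filename} contains {inner}")
    return reasons


def build_sample_message(malicious: bool = True) -> bytes:
    """Constructed sample: a 'fax' e-mail with a ZIP attachment (dummy bytes, not a real .SCR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("fax_0001.pdf.scr", b"placeholder bytes, not an executable")
        else:
            zf.writestr("fax_0001.pdf", b"placeholder pdf bytes")
        zf.writestr("readme.txt", b"Your fax is attached.")
    m = EmailMessage()
    m["From"] = "fax@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Incoming fax"
    m.set_content("You have received a new fax, see the attached file.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="fax_0001.zip")
    return m.as_bytes()


if __name__ == "__main__":
    print("malicious sample:", scan_message(build_sample_message(True)))
    print("clean sample:", scan_message(build_sample_message(False)))
```

The check keys on the last extension only, which is what the operating system uses to decide how to open the file, so the double-extension lure is caught without any special casing. Archive contents are inspected by magic bytes as well as by name, so an attachment renamed from .zip is still opened.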
How to block users from downloading files with specific extensions, using Application and Device Control:
1. Log in to the Symantec Endpoint Protection Manager (SEPM).
2. Click on Policies.
3. Click on Application and Device Control.
4. Under Tasks, click on Add an Application and Device Control Policy.
5. On the top left, click on Application Control.
6. Click on the Add... button.
7. Type a name for the rule.
8. Click on the Add... button on the bottom right under "Apply this rule to the following processes".
9. Type the names of the processes (such as browsers) that will not be able to download the file. Example: IEXPLORE.EXE, outlook.exe
10. Click OK.
11. Click on the Add... button on the bottom left under Rules.
12. Select Add Condition.
13. Select File and Folder Access Attempts.
14. Click on the Add... button on the right next to "Apply this rule to the following files and folders".
15. In File or Folder Name to Match, type "*.extension". Example: *.exe, *.scr (without quotes)
16. Click OK.
17. On the Actions tab, under both Read Attempt and Create, Delete, or Write Attempt, select "Block Access". Optional: check Notify User and enter a message, for example "Downloading executable files is not permitted; contact the administrator".
18. Click OK.
19. Set the policy to Production.
20. Click OK.
21. Click Yes to assign the policy.
22. Check the boxes for any group that the policy should be applied to.
23. Click OK.
There are new variants of these threats coming out every hour, and desktop AV is, at its core, reactive. If you have received an email containing a file you have reason to suspect, or have already opened such a file and are experiencing symptoms, please submit the file to Symantec. Unfortunately, submitting an encrypted file is of no diagnostic use, and we cannot decrypt these files for you; they will need to be restored from backup.