South Africa Security and Compliance User Group

Hi there,

A customer called to say that a domain controller has been infected with a cryptolocker type variant. File extensions have been modified and extensions have .crysis at the end of the files.

Any ideas on what to get these files cleaned/decrypted? I have recommended the symdiag tool ,power eraser and nothing gets detected.

Thanks

It's suggested to use the backup files which have been encrypted.

Below is the writeup of malware which is similar as you have described. The file which encrypted file should be submitted to the symantec security response team.

https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2016-060920-2315-99

In order to decrypt the files, you will need the "key". As you do not have it, it's impossible to recover it from that.

And that's where you will start the DR process - recover from backup. It's the only way, I'm afraid. Once complete, SECURE THE NETWORK. Educate the users not to open any unknown files from unknown sources.

As a final point... please do NOT pay them to get the key, it will only encourage for them to spread even further as they will make money out of it.

Looks like you're giong to have to go with a restore from backup or re-image.

Sorry to say it but your only true recovery process at this point is to restore from a backup.

I will say this, all the Crypto/Ransomware style of attacks have definitely been a great test and validation for many organizations BDR processes.

I don't see a frigging reply button for the original post so I'll reply here, hopefully it gets seen. 

A non-profit anti-ransomware website, I think maybe Symantec is involved with this though I could be wrong, is nomoreransom.org .  The site is updated as solutions become available, most notably decryyptor tools that become public after the ransomware keys are either broken or released.  Cyrsis is apparently able to be descrypted but it has evolved in some ways too so I have no idea if the tool noted here would work on the variant this DC was infected with but at least check out this link, and of course head to the home page to review the rest of what the site says.  And no this is not a phish or drive-by site uless it gets hacked but I suspect that's not an issue. 

https://www.nomoreransom.org/decryption-tools.html

By the way, I really have to say that people need to stop telling other people not to pay the ransoms.  Yes it will put those people on a "they paid so let's get em again" list, but maybe the victim really does need to get up and running.  Granted, if a DC gets infected the concern over lateral spread is VERY HIGH, so I would seek to re-image well, unfortunatley, all machines because there's a trend now towards ransomware being the initial distractor while more persistent malware remains behind to harvest data and such.  You have to hope behavioral anti-malware will catch onto that, but time-delay detonations and such make it tough to know if/when further infections had occured.  This customer needs Symantec's Email.cloud service, if nothing else but of course investigating the incident will hopefully produce actionable intel and an origin of infection. 

You may be in luck, master decryption keys were just released:

https://threatpost.com/crysis-ransomware-master-decryption-keys-released/121942/

http://www.bleepingcomputer.com/news/security/master-decryption-keys-and-decryptor-for-the-crysis-ransomware-released-/

Instructions for decrypting the files are at the second link.

Great. Thanks for the update. Will check it out.

What is Symantec doing "Really" to prevent this kind of brute force attack .......I only see IPS, SONAR and that's what the customer had but still got infected.

It's not just Symantec, it's affecting other AV vendors as well.

Every time they update the def files, they work around it. They also use many payloads to hide as well, including using zero day flaws to gain access.

That's why Microsoft is asking Google (and others) not to release the details of the zero day flaw until they have a patch ready.

Here's one example which happened very recently.

http://www.lifehacker.com.au/2016/11/google-just-revealed-a-zero-day-bug-in-windows-and-microsoft-isnt-happy/

"Attackers would start by exploiting an Adobe Flash zero-day vulnerability to gain control of a web browser's process, elevate privileges to escape the browser sandbox and then install a backdoor to access the victim's computer."

And this is how viruses (including cryptolocker) is spread...

Downloaded it and tested it.Still nothing as the tool is meant for desktop OS and not server OS and comes back as file that is encrypted not recognizable.

Downloaded it and tested it. still nothing as the tool is meant for desktop OS and not server OS.

Agreed that its hard, but we are constantly working to try and detect more ransomware and prevent the attacks in the first place.

If you haven't seen it, we have just released SEP14 which includes some exciting new features to combat polymorphic malware and such threats as ransomware:

Advanced Machine Learning - the endpoint now has machine learned malware decision trees on the endpoint, allowing it to quickly determine previously unknown threats without definitions.  The decision trees are trained against millions of samples of similar threats in order to build better detection for new variants.

Generic Exploit Mitigation - GEM blocks fundamental holes in the OS that malware is relying on to take a hold on the endpoint.  In the initial release we are enforcing SEHOP, blocking the disabling of Java Security Manager and detecting and preventing heap spray - all very well known techniques used by malware (especially zero day threats).

Emulator - Emulator lets us emulate around 85% of the Operating System API calls and underlying processor architecture, in order to get enough information from packed or encrypted malware to either determine its malware OR to trick it into unpacking its payload, which we will then analyse with AV and machine learning.

Its a powerful combination, you will see in coming months that we are detecting and blocking more threats than our competitors, including the next-gen folks too.

As supported SEP customers, you are all entitled to SEP14 for free and can upgrade from FileConnect today.. I urge you to take a look!

More information on the release can be found here: 

https://www.symantec.com/connect/forums/symantec-endpoint-protection-140-has-been-released

and here:

https://www.symantec.com/connect/blogs/machine-learning-new-frontiers-advanced-threat-detection

Hi ThaveshinP,

Restoring from a known good backup is the way to go, and taking measures to minimize the risk of a future successful ransomware attack.

These resources may help:

Support Perspective: W97M.Downloader Battle Plan
https://www-secure.symantec.com/connect/articles/support-perspective-w97mdownloader-battle-plan

Hardening Your Environment Against Ransomware
https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

Special Report: Ransomware and Businesses 2016
https://www.symantec.com/connect/blogs/report-organizations-must-respond-increasing-threat-ransomware

With thanks and best regards,

Mick

A domain controller infected? How is it even possible this is disgraceful

In addition to the new features of SEP 14, an existing protection that is often not implemented due to fears that servers could be negatively impacted is IPS, which is proven to protect against Network and Download-borne ramsonware. In the dozens of engagements with large enterprises I've done over the years this is one of the hardest features of SEP to deploy on servers due to the resistance of the support teams and in many cases the security departments themselves; it usually takes a long running pilot to convince them to deploy system-wide, during which only a few issues are encountered and easily corrected.

IPS can be safely deployed to server endpoints, as long as the well documented caveats Symantec has for high utilization servers. The most important aspect of IPS that has to be clarified for many administrators is that IPS is signature-based and is highly unlikely to detect false-positives.

To anyone not using IPS on servers, and worse yet, on workstations, I encourage them to implement the feature in a fast running pilot.

If it's badly configured DC and poor user access management/permission, it can be infected with ease.

Exactly my point !

What kind of person would disable IPS on a workstation, that's just stupidity.  I am ignorant of reasons why HIPS would be turned off though, since it is not an optional component by any means.  About half of all detections occur at that level, and in theory it will stop an attack from reaching the execution level on the workstation, so well, anyway, I'm sure admins have their reaosns but geez. 

Thanks very much for this great info, I had no idea any of this existed. 

You'd be surprised how many places I've found this at, but at least these organizations recognized they had issues, I wonder how many more are going without. 

The typical reason given for not implementing on servers  is concern over performance, admins usually concerned it might inflict harm on the endpoint and/or affect the business in a negative manner. IPS is more commonly not deployed to Servers for the reasons above, but I have seen a few instances where even workstations were not running IPS.

There is absolutely no technical reason it should not be put on servers, just follow Symantec's recommendations for high transaction servers, and by all means a pilot can be conducted to feel comfortable (as long as the pilot doesn't take months)

It seems a lot of old-school IT folks still think of antivirus as definition-based primarily.  I am basically 100% Symantec when it comes to endpoint security so I have to wonder what everyone else is doing.  I know everyone is pushing to link their endpoint products to threat intelligence networks, and that most of those feeds are proprietary to the vendor, and that we need some standardizard intel-sharing cloud structures to combat this silo effect, but, at the end of the day, argh I lost my train of thought.  What were we talking about?  Oh yes, biscuits.  I like buttery ones but....oh wait, endpoint security.  Ok so yeah, keep HIPS turned on folks,turning it off probably violates all of your compliance requirements and is just bad security.  Might as well turn off the firewall too while you're at it. 

mmmmm biscuits. 

As a managed security service provider we are constantly asked why the AV companies can't stop these types of attacks.  Simply put they are going about it wrong.  If you truly want to prevent crypto/ransom style attacks then you'll want to look at Cylance.  My company is not in their sales program and we do not benefit in any way from my posting this.  In fact, we are a customer.

We have seen a complete stop with regards towards crypto/ransomware in all of our managed service customer environments.  It has made our job easier to manage their environments and the customers lives easier as we aren't continuosly testing their BDR processes.

If anyone wants to discuss this please feel free to contact me or post a reply here.

True, the customer did not have proper permissions in place and as such a file was identified to be the source of infection. Yet SEP 12RU6Mp6 SONAR detected , quarantined and the left it alone? According to Symantec after we submitted the logs, this same file was indicated as the culprit. A backup exec profile, with the exe residing on the desktop. Why did SONAR do that - SEP did not detect the file as ransomware but when sumbitted to virustotal, about 50% of the vendors detected the file as a ransomware variant. Symantec only detected as suspicious behaviour and was left alone - Heuristic variant.

How does one explain to a customer that this file was not detected the first time by SEP?

 If you truly want to prevent crypto/ransom style attacks then you'll want to look at Cylance.

I've had a look at their website - its motto is "Advanced Threat Prevention Built on Artificial Intelligence"

SEP v14 now comes with Machine Learning, so hopefully things will improve from now on by Symantec.

If you watch the webcast from Symantec which is done through BrightTalk you will see that they do comparison numbers and Cylance is often mentioned - I guess Cylance had a particular advantage over everyone else, prior to SEP 14 that is.   Of course I never trust vendor comparisons but this one was good.  I don't recall the specific name, but it's a SEP 14 webcast, probably the Product Launch one. 

Even prior to version 14 SEP was faring very well when tested against Cylance, check out AV Comparatives results in their "Product Comparative Real-World Protection Test Focus on Exploit and In-The-Wild Malware Tested Products • Cylance / Cylance Protect • Symantec / Symantec Endpoint Protection" from February 16th. I too am hoping that the new technologies introduced in SEP 14 raise the level of protection provided.

A big stumbling block for large companies of even considering Cylance  is that it's a hosted solution, which is nearly impossible to accept by the organizations I have consulted for, however I don't know if that is still the case.

Agreed...but I've seen the same dog and pony from McAfee and a few others with regards to AI or ML.  This is a good start but in our own testing we found every AV solution just let stuff by which was stopped and blocked by Cylance.  I'm not sayin to rip and replace Symantec and the major AV vendors shouldn't be looking at them this way either...Cylance is an "also" solution which should be included in your endpoint strategy.

Here is the post from the endpoint malware demonstration:

Thank you to everyone that was able to participate in yesterday’s event. The results speak for themselves when it comes to a more effective and efficient means to protect endpoints.

METHODOLOGY

For those that were not able to attend, we downloaded 50 net new malware samples that were less than 3MB in size. We then packed the malware creating 48 new variants. Two samples were already packed and could not be repacked. Then then used scripts to execute the samples in a Virtual Machine dedicated to each vendor’s installed AV software. Each product was the latest version and explicitly updated, where appropriate, immediately prior to malware execution. For reference the virtual systems were 64-bit Windows 7 SP1 systems with 2 vCPU and 4GB RAM.

We considered a detection and block a successful result. We did give the benefit of the doubt to a few applications which prompted us what to do with a detection. The option to delete malware likely just needed to be configured. Alas I am not an expert in every AV system! MalwareBytes was tested after the event yesterday afternoon immediately after lunch.

RESULTS

I fully expected McAfee and Kaspersky to rank close to each other and in distant 2^nd place. Only one vendor surprised me: AVG. I suspect that their teams happened to have seen variants of our malware earlier than some of the others and consequently their signatures were ready. The performance of Webroot and Symantec were inconclusive and poor. To clarify both systems seem to have deleted all the malware from the directory, however both machines had 25+ malware processes executing in memory.  CylancePROTECT version 1380 and 1390 were both tested and were able to detect/block/quarantine all threats in under 30 seconds. Some AV systems crashed before the tests were complete and most took several minutes to run through the samples usually with very poor responsiveness due to excessive CPU and memory consumption.

CONCLUSION                                                                                                  

Predicting, then blocking, cyberattacks on the endpoint in real time using pre-execution artificial intelligence algorithms is clearly the most effective and efficient approach. Additional information about CylancePROTECT can be found here: https://www.cylance.com/products-protect

That said, yesterday’s event was but a single data point in time. We will repeat the bake-off in the near future with a fresh set of malware and will communciate the results. Do let me know if there are any other AV engines that you would like tested.

@DLondon - have you seen how cylance runs these tests? It's not apples to apples. It's rigged to make their product come out on top every time. Do your research before you post that shill garbage.