How to prevent cryptxxx attack ?

Don921
Don921 W/ Alumni Posts: 1 Security Scout
in WithSecure Business Suite

We have a lot of  files encrypted by cryptxxx. But Client Security doesn't detect any infection and also DeepGuard doesn't block any executeable files. How do we prevent this issue happens again?

Comments

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    The "Rannoh Decryptor" utility, made by a russian AV firm, also has partial ability to restore CryptXXX ransomed files. May be worth giving it a try:

     

    https://support.kaspersky.com/viruses/disinfection/8547?_ga=1.16372150.1899500609.1457014283#block1

     

    In general, F-Secure Corp. currently doesn't have  a DEDICATED anti-cryptor detection and blocking module in their protection suite. Their standardized answer is that F-Secure DeepGuard, when enabled and working in "Advanced" mode, detects and blocks all possible ransomware before damage could be done.

     

    On the other hand, I cannot corroborate that claim from practical experience, because there are many possible caveats, concerning compatibility of DeepGuard mini-DLL injection mode, the potential for end-user errors, etc. I wish F-Secure added (licensed) a dedicated anti-cryptor module that has no caveats and fine print, just protect the computers.

     

    Best regards: Tamas Feher, Hungary.

  • NickJ
    NickJ W/ Alumni Posts: 29 Security Scout

    I would recommend some additional controls on your clients. A lot of malware runs from unusual locations, like APPDATA - how many of your legitimate apps run from APPDATA?

     

    You can use Group Policy's Software Restriction Policies to only allow known applications to run from the APPDATA folder (or anywhere else on the system).

     

    Also consider how this malware is getting onto your machines and executing. Maybe you have lots of patches missing from your machines, so they are vulnerable to drive by downloads on the web? Maybe your users have unpatched versions of Office and they are allowing macros to run?

     

    In my opinion, the top three things you can do to prevent malware are:

    1. Sandbox all incoming email to prevent against 0-day attachments (like Office documents with macros or .pdf files that exploit Adobe vulnerabilities). Block all executables.

    2. Patch, Patch, Patch! Apply all Critical security vulnerabilities ASAP, particularly Adobe, Java, Office, and web browsers.

    3. Use a security focused web filter. This doesn't mean blocking facebook - this means blocking exploit kits like Angler and known malicious websites

     

     

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master

    Hello,

     

    There is a rumor spreading that the ransomware frenzy recently hit game over. Allegedly an underlying conceptional weakness has been found, which makes ALL possible ransomware schemes vulnerable to non-cooperative (i.e. for free) data restoration - but the trick is kept secret for now, so that hackers waste much resources writing new malware variants, while AV companies are able to recover data privately if a customer contacts them.

     

    Is there any truth to that conspiracy theory? It seems strange that the Tesla gang just gave up and also how KL and ESET have released tools to decode files hurt by some cryptors that were considered unbreakable in previous times.

     

    Best regards: Tamas Feher, Hungary.

This discussion has been closed.

Categories