Endpoint Protection

  • 1.  CryptoLocker/CryptoDefense Defenses . . .

    Posted Oct 06, 2014 08:32 AM

    Hello;

    My network has been hit with both CryptoLocker and more recently CryptoDefense.  When first hit with CryptoLocker, the only repair that could be done was a network restore.  The same solution with the second.  After the first attack, I enabled ShadowCopy on all networked drives where available.  The problem I ran into was finding the source of the infection.

    CryptoLocker was quite straightforward in that it had infected my network.  The end user reported the all-too-familiar CryptoLocker ransom request.  At that time, we only had SEP 11.x running, antivirus only.  It found the infection and removed it, but it was too late.

    We instituted Group Policies to help alleviate the possibility of future infections... but to no avail.

    CryptoDefense never made itself known until several days later, when the user reported that Trojan.CryptoDefense popped up on his SEP client.

    My Real Questions Pertaining to SEP are:

    1-What are the least restrictive settings on the SEP Client that could prevent another initial infection?

    -----that lightly affect users

    -----that minimally impact overall administration of workstations

    2-Is there a way to implement the initial SEP Client updates from the local SEPM server?

     ----bandwidth at my site is extremely limited and client installs commonly take an hour to update when run individually, making remote deployment unusable.


    I know the real defense is to never get infected in the first place. . . I have gone over this several times with my users as these attacks gain access through email.  Even with our third party smtp scanning, using Brightmail or its newer equivalent, they never catch the possibility of infection.

    Each time this network gets infected, the minimal IT staff (Me) gets overwhelmed for several days. That's why I am putting this out there to ask for guidance.

    Thanks



  • 2.  RE: CryptoLocker/CryptoDefense Defenses . . .
    Best Answer

    Posted Oct 06, 2014 08:35 AM

    You need to make sure you're running IPS as this adds another layer of defense. In addition, Download Insight and SONAR are a huge help as well.

    Two Reasons why IPS is a "Must Have" for your Network

    Additional information about Ransomware threats

    Key to this is making sure you have a valid backup. Nice article by Mick2009 here:

    Recovering Ransomlocked Files Using Built-In Windows Tools

    And you can use GUPs at remote sites to distribute content locally instead of coming back across the WAN.

    Configuring the Group Update Provider (GUP) in Symantec Endpoint Protection 11.0 RU5 and later



  • 3.  RE: CryptoLocker/CryptoDefense Defenses . . .
    Best Answer

    Posted Oct 06, 2014 08:53 AM

    Thumbs Up to Brian.  Not only is IPS a great tool to prevent infection, it can also prevent a CryptoLocker-infected machine from getting the keys it needs to do the encryption.  It is also almost entirely transparent to users (you can control from the SEPM whether or not IPS notifications appear to users).

    Another component is Application and Device Control, which can be used to prevent the infection from running or prevent its creation (in the default location), as per my comments in the thread below.

    https://www-secure.symantec.com/connect/forums/cryptolocker-and-adc-policies#comment-9320151

    Both will require you update the client estate to include these components though.

    With regards to getting content out to clients, again Brian has the answer here.  You can push out the client installer with no defs at first (speeding up your initial install), then leave the machine to update via its closest GUP.  The update, however, will take a while longer as it will be reliant upon the heartbeat interval and randomisation window of the client, but it will help minimise network load (especially if deploying to more than one client at a time).

    Alternatively, you could export the client install package with all defs included, then copy it across to the remote site, before pushing it out using the Push Deployment Wizard (found under the Part2_Tools download from FileConnect).



  • 4.  RE: CryptoLocker/CryptoDefense Defenses . . .

    Posted Oct 06, 2014 09:07 AM

    This is Great information . . . . Not to mention Quick Responses.

    I guess more homework is in order but I definitely have somewhere to start.

    Thanks .  . .

    ---I will keep this topic live as I need the experiences/guidance from all the Talented Professionals I can get.



  • 5.  RE: CryptoLocker/CryptoDefense Defenses . . .

    Posted Oct 06, 2014 09:13 AM

    By the way, you might also want to look at this too:

    Custom Application and Device Control policy to prevent file encryption-based threat

    Article:TECH212869  |  Created: 2013-11-28  |  Updated: 2014-06-19  |  Article URL http://www.symantec.com/docs/TECH212869

    Also requires A&DC though.

    Finally, as far as tracking and investigating which machine is infected (and encrypting files on network shares), the one that springs to mind is using Windows file auditing (to see which user/machine last amended a file).  The problem with this is that the logs can be humongous and a pain to sort through.

    If you have another product for File Integrity Monitoring, that might be easier to manage...
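    The file-auditing approach suggested above, worked through as an added example (not code from the original thread or from Symantec): object-access auditing on the file server produces Security event 4663 for every write or delete on the share, and the account behind a burst of writes is the infected session. A 4663 event carries only the user and logon ID, not the client machine, so the script also reads network logon events (4624, logon type 3), which do carry the workstation name and IP, and joins the two on the logon ID. The SACL, threshold, share path, user names and event data below are assumptions made for the example; the analysis runs on constructed sample events so it can be tried without a file server.

```powershell
# Added example: locate the account/host driving a write burst on a share.
#
# One-time setup on the file server (run elevated), assumed here:
#   auditpol /set /subcategory:"File System" /success:enable
#   $acl  = Get-Acl 'D:\Shares\Finance'                       # assumed share path
#   $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
#       'Everyone', 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success')
#   $acl.AddAuditRule($rule); Set-Acl 'D:\Shares\Finance' $acl
# After that, each write/delete under the folder logs Security event 4663.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> elements of a record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $data = @{}
    ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $data
}

function Get-ShareWriteEvents {
    # 4663 records from the local Security log, reduced to the fields triage needs.
    param([datetime]$Since = (Get-Date).AddHours(-4))
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} | ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId = $d.SubjectLogonId
            File    = $d.ObjectName
        }
    }
}

function Get-LogonHostMap {
    # Network logons (type 3) record the client workstation and IP; key them by
    # logon ID so a 4663 SubjectLogonId can be resolved to the originating machine.
    param([datetime]$Since = (Get-Date).AddHours(-4))
    $map = @{}
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.LogonType -eq '3') { $map[$d.TargetLogonId] = "$($d.WorkstationName) ($($d.IpAddress))" }
    }
    $map
}

function Find-EncryptionSuspects {
    # Rank accounts by distinct files written and the rate of writing. A ransomware
    # process rewrites far more files per minute than a person editing documents.
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$MinFiles = 25,                 # assumed threshold; tune to the share
        [hashtable]$LogonToHost = @{}        # output of Get-LogonHostMap
    )
    $Events | Group-Object User | ForEach-Object {
        $sorted  = @($_.Group | Sort-Object Time)
        $files   = @($sorted | Select-Object -ExpandProperty File -Unique)
        $minutes = [math]::Max(1, ($sorted[-1].Time - $sorted[0].Time).TotalMinutes)
        $logonId = $sorted[0].LogonId
        [pscustomobject]@{
            User           = $_.Name
            Files          = $files.Count
            FilesPerMinute = [math]::Round($files.Count / $minutes, 1)
            SourceHost     = if ($LogonToHost.ContainsKey($logonId)) { $LogonToHost[$logonId] } else { 'unknown' }
            Suspect        = ($files.Count -ge $MinFiles)
        }
    } | Sort-Object Files -Descending
}

# Constructed sample data (not real log output): one user editing three files
# over twenty minutes, one infected session rewriting forty files in two minutes.
$base   = Get-Date '2014-10-06 08:00:00'
$sample = @()
0..2  | ForEach-Object { $sample += [pscustomobject]@{ Time=$base.AddMinutes($_*10); User='CORP\alice'; LogonId='0x1a2b3'; File="D:\Shares\Finance\budget$($_).xlsx" } }
0..39 | ForEach-Object { $sample += [pscustomobject]@{ Time=$base.AddSeconds($_*3);  User='CORP\bob';   LogonId='0x4c5d6'; File="D:\Shares\Finance\report$($_).docx" } }
$logonMap = @{ '0x1a2b3' = 'WS-ALICE (10.0.0.21)'; '0x4c5d6' = 'WS-BOB (10.0.0.37)' }

Find-EncryptionSuspects -Events $sample -LogonToHost $logonMap | Format-Table -AutoSize

# Against a live server, replace the constructed data with:
#   Find-EncryptionSuspects -Events (Get-ShareWriteEvents) -LogonToHost (Get-LogonHostMap)
```

On the sample data, CORP\bob is flagged with 40 files at roughly 20 per minute and resolved to WS-BOB, which is the machine to pull off the network; alice's three files over twenty minutes stay unflagged. The distinct-file count rather than the raw event count is what matters, because a single save can produce several 4663 events for the same path.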



  • 6.  RE: CryptoLocker/CryptoDefense Defenses . . .

    Posted Oct 06, 2014 11:38 AM

    Hi OmegaMan,

    Thanks for starting this thread.  It is definitely a threat that has hit many individuals and companies over the past year.

    Good advice, above.... some additional "best practice" points:

    1. Ensure you have a working backup solution in place (and that you have tested it works!).  This is a must-have against all sorts of disasters, not just crypto threats.
    2. Lock down your network shares (A simple password can stop these threats cold.  It is a few seconds of inconvenience for a user to type in a password to access a mapped drive.  Without that protection, these crypto threats will sabotage everything on the local computers and then go hit the mapped drives to damage the whole company.)
    3. Ensure that clients are kept up-to-date with the latest definitions.  The authors of these threats craft and test them to evade security solutions like SEP, but generally protection is available against any new strain within a matter of hours.  Symantec is continuously refining defenses (adding signatures like the recent Trojan.Cryptdef!gen4)- keep all clients up-to-date to avail of this protection!

    And a fourth, specifically against these Cryptolockers:

    4. Ensure your mail server is scanning inbound mail for threats.  (Most cryptolockers arrive via a malicious attachment or link to a malicious attachment.  Once the user is tricked into running that malicious program, it will do its damage.)

    Finally, a request: if your company has been hit with a cryptolocker, try to trace its source back to the malicious attachment or malicious drive-by download file.  Get that submitted to Symantec for analysis, open a case with Tech Support, and ask them to get that file examined ASAP!  This will not enable SEP to decrypt your files- nothing will do that- but it will save other users and companies the grief of falling victim to this same new variant.

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions


    Hope this helps!! :)

    Mick
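    Point 2 above (lock down your network shares) in working form, as an added example that is not from the original post or from Symantec: a ransomware-infected workstation can only encrypt what the logged-on user can write, so the share-level ACL is the lever. The script lists shares where a broad principal (Everyone, Authenticated Users, Users) holds Change or Full, then replaces that grant with Read and gives Change only to a dedicated writers group. It uses the SmbShare cmdlets (Windows Server 2012 / Windows 8 and later); the share name and group name are assumptions for the example, and the NTFS permissions on the folder still have to be tightened to match.

```powershell
# Added example: find and fix shares that let everyone write.

# Principals that should not hold write on a share; assumed list, extend as needed.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-OverexposedShares {
    # One row per (share, principal) where a broad principal can change or delete files.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {   # skip C$, ADMIN$, IPC$
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            $BroadPrincipals -contains $_.AccountName
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
    }
}

function Set-ShareLeastPrivilege {
    # Drop the broad write grant to Read and hand Change to a dedicated group.
    # Share ACL only: the NTFS ACL on the folder must be reviewed separately.
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$BroadPrincipal,
        [Parameter(Mandatory)] [string]$WritersGroup
    )
    Revoke-SmbShareAccess -Name $Name -AccountName $BroadPrincipal -Force
    Grant-SmbShareAccess  -Name $Name -AccountName $BroadPrincipal -AccessRight Read   -Force
    Grant-SmbShareAccess  -Name $Name -AccountName $WritersGroup   -AccessRight Change -Force
    Get-SmbShareAccess -Name $Name
}

# Usage: review first, then fix one share. 'Finance' and 'CORP\Finance-Writers' are assumed names.
$exposed = Get-OverexposedShares
$exposed | Format-Table -AutoSize

$exposed | Where-Object { $_.Share -eq 'Finance' } | ForEach-Object {
    Set-ShareLeastPrivilege -Name $_.Share -BroadPrincipal $_.Principal -WritersGroup 'CORP\Finance-Writers'
}
```

Run the review step on every file server before changing anything; a share that shows up with Everyone/Change is exactly the one that will be encrypted end to end the next time a workstation is hit. Users who only read the share notice nothing, and the ones who need to write are added to the writers group, which is the low-impact trade-off the original question asked for.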




  • 7.  RE: CryptoLocker/CryptoDefense Defenses . . .

    Trusted Advisor
    Posted Oct 15, 2014 09:06 AM

    Like you, we were hit with CryptoDefense a few weeks ago too and it turns out that it was a new threat based on CryptoDefense - we found the file, submitted it to Symantec, who uploaded a new Rapid Release to their FTP space. I then downloaded and applied it to SEPM so it gets to all clients.

    Since then, it has been blocking any further threats from CryptoDefense. (unless a new threat has been released!)

    I am also investigating IPS but have not enabled it yet because we use a lot of software that uses the network and do not want them to be affected, so further research is needed before tweaking and enabling it.

    If there is any 'recommendations' settings for IPS that I am not aware of, please post here. :)

    Thanks



  • 8.  RE: CryptoLocker/CryptoDefense Defenses . . .

    Posted Oct 15, 2014 11:15 AM

    Cheers for that, Tony- I definitely recommend IPS signatures.  They're very effective at blocking the communications which create the keys and also at blocking the malicious download when attempts are made to push Cryptowall / Cryptodefense onto a computer via drive-by download.

    Guide to Scary Internet Stuff: Drive-by Downloads
    http://www.symantec.com/tv/news/details.jsp?vid=67036079001&subcategory=all_news_and_events


    Many thanks!

    Mick