From the desk of: Sam C. Chan

Bravo CryptoWall SIR* Guidelines

Published:   Nov. 5, 2014
Notable Revision:   Feb 5, 2015 (incorporated 2.0 & 3.0 info)
Last Revised:  Jul 2, 2017

Based on my original analysis. This is a checkist to convey the subtle but critical conceptual points. It is also a field-tested strategic- & tactical-level guideline. Not a tutorial!  See also multiple addenda at the end

Why is "crypto" malware historic & notable?

  1. it targets data... including backup, rather than just system
    (now much higher stake, and in many cases, no feasible recovery!)
  2. it renders previous tactic of LUA ineffectual!
    (applicable to all document files, but not databases, if properly administered)

Data Recovery: Prospect of Permanent Data Loss

  • restore from backup (ideal)
    • geographic proximity of backup media, or bandwidth from backup server
    • age & physical condition of media
    • restore point range: retention period
    • restore point granularity
    • restore time + verification/review
    • selective repopulation of most recent "journal" to be nearly seamless
    • other advanced "surgical" techniques
    • triage: phased restores
  • forensically recover & reconstruct deleted files (not assured)
    • massive quantity and duplicated versions to wade thru
    • must create custom signature (file header area) for unusual file formats
    • partial recover, as some will be perm lost
    • concern over risk of corrupted data (misconstruted cluster chains)
  • pay ransom (last resort): successful restore hinges upon...
    • able to complete the payment process via Bitcoin
    • actually obtaining the correct PKI private key (RSA 2048-bit)
    • encrypted copy was successfully generated and written by attacker
    • all your attempts to repair/clean/recover thus far have not harmed those preserved encrypted copies
    • finally, payment will not gurrantee issuance of usable decryption key:
      many logistical mishaps would preclude that. Moreover, there's now a new crop of Crypto-Wipe malware, which purport to encrypt, but in fact destructively wipe the data files.

Mitigation Strategies

  • Proactive approach is mandatory, as after-the-fact recourse is extremely limited

  • Pertaining general Data Resilency
    • direct local storage areas isolation
      • "disconnect" mapped drives (CryptoWall scans drive letters, not UNC)
      • disconnect external drives
      • isolation via advanced ACL:
        • dropbox-style simplex write-only
        • mutual hold but untouchable: double simplex access
        • for QB, which manages rotation: use secondary simplex copy to final  destination
        • off-host (but not necessarily off-site, as it's irrelevant) backup
      • multi-generational versioning scheme
        • extend retention period before rotation, to guard against future case with latent discovery
        • already past proof-of-concept stage, in-the-wild for targeted attacks
        • likely implemented in 4.0 or later versions, especially
        • when pay-thru ratio wans, as more victims have backup
      • stop cloud sync, which assists spread of droppers
      • do not attach any external HD/USB thumb drive
        • until AFTER ALL affected stations are declared clean
        • --even if the missing data is urgently needed!
      • if emergency backup is performed during SIR,
        • never use any Sync process
        • certified non-destructive unconditional copying ONLY.
    • LUA
      • prevents VSS copy sabotage
      • no system-level cross-profile infection
      • severely hampers dropper stage penetration and propagation
  • Threat-Specific Countermeasures

    • implement Software Restriction Policies (SRP)  most effective
      Group Policy/Local Security Policy (gpedit.msc/secpol.msc)
      • ban executables in certain known locations
      • must cover multiple temp folders in user profile
      • requires custom whitelisting, and on-going maintenance
    • block known IP of C&C hosts (brute force)
      • host-level application-/folder-based outbound control
      • perimeter destination-based outbound control
    • feign Virtualization to foil attempt at Dropper stage
    • GHOST or Windows System Image
    • all the usual end-user best practices

Incident Handling Stages

  1. assess
  2. contain (perimeter, NIC cables, usr-acct, fw, ACL, shares, ext dev, NAS)
  3. preserve
  4. investigate
  5. repair
  6. verify & certify clean
  7. restore
  8. debriefing
  9. follow-up & planning

NOTE:  Over time, the value of being able to distinguish the latest amendments deminishes.  Multiple addenda have since been integrated into original document, to improve readability.

*SIR: security incident response

Copyright @2005-2017   Bravo Technology Center  *  Bravo:GO  *  Contact Us