|
Bravo CryptoWall
SIR* Guidelines
Published:
Nov. 5, 2014
Notable Revision: Feb 5, 2015 (incorporated 2.0 & 3.0 info)
Last Revised: Jul 2, 2017
Based
on my original analysis. This is a checkist to convey the subtle but critical
conceptual points. It is also a field-tested strategic- &
tactical-level guideline. Not a tutorial! See also multiple
addenda at the
end
Why is "crypto" malware historic
& notable?
- it targets data...
including backup, rather than just system
(now much higher stake, and in many cases, no feasible recovery!)
- it renders previous tactic of LUA ineffectual!
(applicable to all document files,
but not databases,
if properly administered)
Data Recovery: Prospect of Permanent
Data Loss
- restore from backup (ideal)
- geographic proximity of backup media, or
bandwidth from backup server
- age & physical condition of media
- restore point range: retention period
- restore point granularity
- restore time + verification/review
- selective repopulation of most recent
"journal" to be nearly seamless
- other advanced "surgical" techniques
- triage: phased restores
- forensically recover & reconstruct
deleted files (not assured)
- massive quantity and duplicated versions to
wade thru
- must create custom signature (file header
area) for unusual file formats
- partial recover, as some will be perm lost
- concern over risk of corrupted data
(misconstruted cluster chains)
- pay ransom (last resort): successful restore hinges upon...
- able to complete the payment process via
Bitcoin
- actually obtaining the correct PKI private
key (RSA 2048-bit)
- encrypted copy was successfully
generated and written by attacker
- all your attempts to repair/clean/recover
thus far have not harmed those preserved encrypted copies
- finally, payment will not
gurrantee issuance of usable decryption key:
many logistical mishaps would preclude that. Moreover, there's now a
new crop of Crypto-Wipe malware, which purport to encrypt, but in
fact destructively wipe
the data files.
Mitigation Strategies
-
Proactive
approach is mandatory, as after-the-fact recourse is extremely limited
- Pertaining general Data
Resilency
- direct local storage
areas isolation
- "disconnect" mapped drives
(CryptoWall scans drive
letters, not UNC)
- disconnect external drives
- isolation via advanced ACL:
- dropbox-style simplex
write-only
- mutual hold but untouchable: double
simplex access
- for QB, which manages rotation: use
secondary simplex copy to final destination
- off-host (but not necessarily
off-site, as it's irrelevant) backup
- multi-generational
versioning scheme
- extend retention period before
rotation, to guard against future case with latent discovery
- already past proof-of-concept
stage, in-the-wild for targeted attacks
- likely implemented in 4.0 or later
versions, especially
- when pay-thru ratio wans, as more
victims have backup
- stop cloud sync, which assists spread
of droppers
- do
not attach any
external HD/USB thumb drive
- until AFTER
ALL affected stations are declared clean
- --even if the missing data is
urgently needed!
- if emergency backup is performed during
SIR,
- never use any
Sync
process
- certified non-destructive
unconditional copying ONLY.
- LUA
- prevents VSS copy sabotage
- no system-level cross-profile infection
- severely hampers dropper stage
penetration and propagation
-
Threat-Specific
Countermeasures
- implement Software Restriction
Policies (SRP)
←most effective
Group Policy/Local Security Policy
(gpedit.msc/secpol.msc)
- ban executables in certain known
locations
- must cover multiple temp folders in
user profile
- requires custom whitelisting,
and on-going maintenance
- block known IP of C&C hosts (brute
force)
- host-level application-/folder-based
outbound control
- perimeter destination-based outbound
control
- feign Virtualization to foil attempt at
Dropper stage
- GHOST or Windows System Image
- all the usual end-user best practices
Incident Handling Stages
- assess
- contain
(perimeter, NIC
cables, usr-acct,
fw, ACL, shares, ext dev, NAS)
- preserve
- investigate
- repair
- verify
& certify clean
- restore
- debriefing
- follow-up
& planning
NOTE:
Over time, the value of being able to
distinguish the latest amendments deminishes. Multiple addenda
have since been integrated into original document, to improve
readability.
*SIR: security
incident response |