Network shares, files changed

Started by Dieselboy, January 04, 2016, 09:49:00 PM


Dieselboy

One of the HR girls informed me that a lot of files have gone missing and there's all these weird looking files in their places on a couple of network drives.

I took a look and eventually found this attached image file, which is named HELP_YOUR_FILES. I've blanked out the letters which may make this identifiable to the attackers.

We have an end of day backup from the day previous to this happening.
The owner of these weird files is the other HR girl so when she is back in I'll take action. If this was done from her laptop then I'll wipe it and re-image.

Not all files in the share are affected. How does this malware work? Does it go and scan drives for files to encrypt or does it only impact the ones the user opens and saves?

ChestHair

#1
Last time that I saw it, the program started working on local folders on the user's hard drive, then went out to mapped drives. It only affected/encrypted specific file types such as Word and Excel, PDF files, etc. that are common. There are several versions of it out in the wild, and each is a little different. Some versions can be manually unencrypted using utilities from antivirus/antimalware vendors. Others need to be restored from backup.


SimonV

It will encrypt as much as it can. Palo Alto has an in-depth article about its workings: http://researchcenter.paloaltonetworks.com/2015/11/cryptowall-v4-emerges-days-after-cyber-threat-alliance-report/

For one of its predecessors Kaspersky had obtained the private keys somehow, or found a flaw, but I'm afraid it won't work on the new incarnations: https://noransom.kaspersky.com/
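A triage script for the situation in the opening post, added here as an example and not taken from the thread or any vendor: it walks a read-only copy of the share, finds HELP_YOUR_FILES notes and files with random-looking names, and reports which directories were touched. The note name comes from the thread; the random-name heuristic, the extension list and the demo layout are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Assumptions (not from the thread): the note is named HELP_YOUR_FILES.<ext>,
# and encrypted files carry short random alphanumeric names with an unknown
# extension. Tune both for the variant actually seen.
NOTE_PATTERN = re.compile(r"^HELP_YOUR_FILES\.(txt|html|png)$", re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,12}\.[a-z0-9]{2,5}$", re.IGNORECASE)
KNOWN_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".png", ".jpg"}


def classify(name):
    """Label one filename: 'note', 'suspect' (renamed/encrypted) or 'normal'."""
    if NOTE_PATTERN.match(name):
        return "note"
    ext = os.path.splitext(name)[1].lower()
    if ext not in KNOWN_EXT and RANDOM_NAME.match(name):
        return "suspect"
    return "normal"


def triage_share(root):
    """Walk a share; return {relative dir: {label: count}} for touched dirs only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        counts = Counter(classify(f) for f in files)
        if counts["note"] or counts["suspect"]:
            report[os.path.relpath(dirpath, root)] = dict(counts)
    return report


def demo():
    """Build a constructed share layout in a temp dir and triage it."""
    layout = {
        "HR": ["HELP_YOUR_FILES.txt", "HELP_YOUR_FILES.png", "k7q2z.9rt", "x4mn8a.ob"],
        "HR/Policies": ["handbook.docx", "leave.xlsx"],  # untouched subfolder
        "Finance": ["budget.xlsx", "HELP_YOUR_FILES.html", "p0w3rz.4n"],
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            for n in names:
                open(os.path.join(root, sub, n), "w").close()
        return triage_share(root)
```

Map the share read-only before running it, and check the owner of the 'suspect' files to confirm which account (and so which laptop) did the writing.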

Dieselboy

Cheers guys :) I'll have a proper read.
Luckily I think we're okay because we have backups of all the data.

Although, I hope the program was run only on the user's laptop and that it's no longer active there.

wintermute000

#4
This stuff is nasty and constantly evolving. Your only semi-reasonable chance of stopping it cold (short of user education) is cloud based sandboxing NGFW/IPS that's smarter than whatever's scanning your email attachments/endpoint AV, and pray that someone else gets hit before you and you get pushed the sigs in your 15 minute update interval :)

I thought most of this stuff auto-scanned for mapped drives. I think the more sophisticated ones can hit shares via just name; basically anything CIFS is fair game.


When I was in managed services with a large MSP we had around 30 large enterprise customers and every month one of them would get hit, like clockwork. I'm not even sure why they even bothered with all the high severity incident management hoopla etc., as 95% of the time it seemed like they just ended up restoring from backup, and WTF are the security guys going to do AFTER it's already encrypted half your files anyway. This is large enterprises with Checkpoints, Bluecoats, insert-email-scanning-vendor-here, endpoint protection etc. and stuff would still get through. I guess the attack vector when you have thousands of employees opening email attachments/links is that much larger.

icecream-guy

Yep, cryptoware. BTW, was reading about a new JavaScript version of ransomware on SANS ISC today. Makes it all the more fun.

My Moral Fibers have been cut.

Nerm

Yes, this stuff can be nasty. I have run into it a few times with different clients. One of them, a couple of months before they got hit, had refused in writing my recommendation for a new backup solution. The backup they were doing was to a couple of USB drives mapped to the network. Guess what? lol

The variants I have seen only attacked certain file types, as some others already mentioned. Goes to show good user-level file permissions and backups can go a long way.

deanwebb

Get it off your network before you restore those files, unless you want to restore them again. Also be sure to mark backups of any client devices from this time - restoring from those could re-introduce the ransomware.

Get an IPS, a good one. Plug it in and turn it on. We had a big slam of ransomware last year, and it ripped through a part of the company that ran their IPS as an IDS. The guys running the IPS weren't touched. There are certain patterns of code that mean trouble, and they can't always be masked sufficiently to evade the IPS.

Running a JavaScript blocker won't solve the JS CryptoWall, as most pages are so overwhelmed with scripts from different sources that folks wind up turning off script blockers or permitting all on every page they visit. Proxies can help, but only if they know about the issue. Again, IPS is going to be the best card to play for most shops.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

We have a pair of ASA5515-Xs that I've been trying to get Firepower onto, but there are some difficulties from our distributor :) . I have Cisco involved as well but haven't heard from them this side of Christmas and NY.

Am I right in thinking that IPS (protecting the perimeter) wouldn't detect this attack, because it would come from the user's laptop (inside the office) and hit one of the shared drives (shared drive hosted on a Windows 2012 server)? Again, if the application which ran the attack was brought into the office already on the laptop then I don't think IPS would pick it up.

wintermute000

#9
IPS SHOULD have picked it up if it was downloaded onto the user's PC whilst they were on your LAN, assuming the traffic was not encrypted.
As for bringing the laptop in already infected, yeah, that's why it's best practice to have an internal FW (and I understand completely the reality of most small/mid-market customers!).

YMMV of course (0-days etc., though stuff with a cloud sandboxing subscription is a lot better with 0-days, obviously; e.g. Palo has 15 minute updates, so theoretically if someone else in the world gets hit you should get the sig within 15 minutes of detection, or so they claim).

deanwebb

True... if you only buy one IPS, get one for your perimeter and another for your data center.

Dieselboy

We only have the one site... we don't have a DC.

deanwebb

Quote from: Dieselboy on January 07, 2016, 07:35:47 PM
We only have the one site... we don't have a DC.
You could have the IPS running inline on traffic from the web and then use a second set of interfaces on the IPS to handle the traffic going to the switch that handles the servers. One device, three segments: DMZ, main corp network, servers.