Friday, October 30, 2015

Cryptowall 3 defense and mitigation tactics

This seems to be a popular subject lately. Especially with the latest report on how cryptowall is possibly tied to one threat actor group. The first defense you need to take on not becoming a victim of cryptowall is understand the methods of infection that leads to the compromise.

Below is one of the most common ways a cryptowall infection starts. It starts with a zip file.
When working with email it's important to understand that you should never open attachments from people you don't know. More importantly you should be cautious opening attachments from people you do know.

Common files attachments you should avoid in email.

If you receive an email from anyone with the following extensions immediately delete it and do not open.

Angler is probably the number one crime kit to distribute cryptowall 3. Angler works by injecting its payload directly in memory and doesn't write malware to the disk. In memory exploits are very tricky in terms of detection but they can also be prevented. If you have a vulnerable browser that is not patched and running third party plugins such as Java, Silverlight, or flash. It can lead to compromise very quickly. Infected ads using flash are a pretty popular method to distribute.

So how should you prevent? If you are running Windows 7, 8 or 10. Uninstall Silverlight and Java. So what about flash? You can uninstall on Win7. Unfortunately Win 8 and 10 it's baked into the OS. However there is an easy setting change to prevent running flash content in IE. It's called Active X filtering and one day it may save you from a serious compromise:

1. Open Internet Explorer by clicking the Start button Picture of the Start button. In the search box, type Internet Explorer, and then, in the list of results, click Internet Explorer.

2. Click the Tools button Tools button, point to Safety, and then click ActiveX Filtering.

What else should you do on top of these simple countermeasures?
Run a Microsoft tool called EMET. You can download it here.

EMET is an enhanced mitigation utility designed to hook into processes and prevent to exploitation. Most of the time the defaults will work out ok for everyone. You may have to manually tweak depending what all types of add-ins you are running in IE.

Another countermeasure to do is limit your browsing activity to an unprivileged account. You should be browsing under an account that does not have administrator privileges.

Always...always make backups of your data. Offsite...... Cloud storage often gets a bad name. Cloud storage is not a bad thing if you know how to protect your data before you send to a cloud storage location. I use Microsoft's One Drive. It's baked into Windows 8.1 and Windows 10. I used pkware product called viivo to encrypt my data before it gets sent to the microsoft cloud. I also two factor my Microsoft account for added protection. I don't really browse to websites or do much with my windows box. I store data and bounce it to the cloud. That's about it.

I do stuff mostly on Linux virtual machines or Chrome OS. Chrome OS on a chromebook has been my go to choice lately for about everything.

1 comment:

  1. windows 7 home premium upgrade key free download , buy windows 10 activation key , office 2016 professional plus product key , buy office pro 2013 key , window 7 ulitmate product key , windows 7 prouct kay , key window 7 oem free , window 7 home product key free , sqaK8x