Free delivery

McAfee SECURE sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Dynamic search > > >
UK Sales: 0330 1340 230
• SonicWall Specialist
• Expert Advice
• Free next working day delivery if ordered before 4.00pm (Mon-Fri)*
• Live Stock Feed
• Secure Ordering
• Established 2006

Best Practices to protect against CryptoWall and CryptoLocker

This following information is taken from SonicWalls Knowledge Base article SW12434 - click here for the official document

Firmware/Software Version: All versions.
Services: GAV, IPS, App Control Advanced, Botnet Filter, CFS, DPI-SSL
Keywords: cryptowall, cryptolocker, cryptowall 2.0,
CryptoWall 3.0, crypto wall, crypto locker, ransomware, ransom ware, Ransomware returns with I2P Network


CryptoWall and CryptoLocker are ransomwares which infect a computer usually via email. Once a computer is infected, the malware encrypts certain files stored on the computer. Thereafter, the malware will display a message demanding payment to decrypt the files. Infection usually takes place when a user clicks on an executable file attached to a spam email.

Update: A new variant of the above ransomwares is CryptoWall 3.0. It is similar to CryptoLocker and CryptoWall and uses TOR to fetch the encryption keys.

SonicWALL Gateway Anti-Virus and SonicWALL IPS provide protection against this threat via the following signatures:

CryptoWall CryptoLocker
GAV: Crypwall.H (Trojan)
GAV: Cryptodef.GF (Trojan)
GAV: Cryptodef.MD (Trojan)
GAV: Cryptodef.GK (Trojan)
GAV: Filecoder.V (Trojan)
GAV: Filecoder.CQ_3 (Trojan)
GAV: Filecoder.W_20 (Trojan)

GAV: Cryptowall.K (Trojan)
GAV: Cryptowall.L (Trojan)


CryptoWall 3.0

GAV: Cryptowall.A (Trojan)
IPS: Adobe Flash Player Integer Overflow 2 - SID 5671
GAV: Filecoder.BQ (Trojan)
GAV: Filecoder.BQ_6 - 8 (Trojan)
GAV: Filecoder.BQ_12 (Trojan)
GAV: Filecoder.BQ_17 (Trojan)
GAV: Filecoder.BH_7 - 8 (Trojan)
GAV: Filecoder.BH_11 (Trojan)
GAV: Filecoder.W (Trojan)
GAV: Filecoder.NAC (Trojan)
GAV: Filecoder.NAC_4 (Trojan)
GAV: FileCoder.A_2 - 5 (Trojan)
GAV: FileCoder.A_11 - 12 (Trojan)
GAV: FileCoder.A_16 (Trojan)
GAV: FileCoder.A_24 (Trojan)

IPS:
Cryptolocker Infection Activity 1 - SID 7559
IPS:
Cryptolocker Infection Activity 2 - SID 9728
IPS: Cryptolocker Infection Activity 3 - SID 9737

Note:

SonicWALL Application Control can prevent I2P tunnels on your network via the following signatures:

  • 5 Encrypted Key Exchange -- Random Encryption (Skype,UltraSurf,Emule)
  • 7 Encrypted Key Exchange -- UDP Random Encryption(UltraSurf)
  • 10817 I2P -- HTTP Proxy Access 1 [Reqs SID 5 & 7]
  • 10817 I2P -- HTTP Proxy Access 2 [Reqs SID 5 & 7]
  • 10817 I2P -- HTTP Proxy Access 3 [Reqs SID 5 & 7]


For more information on the workings of this malware, refer these links:

https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=601
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=695
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=776



This KB article describes the best practices to follow to be protected against this malware.

Note: These Services are Optional, in order to protect may require additional Purchase and also few services like Botnet and DPI SSL are supported with selected products only.
Recommend to check your product and its capabilities for further details and purchase options.

1. Gateway Anti-virus (GAV)

  • Make sure GAV is updated with the latest signatures.
  • Enable GAV.
  • Enable Cloud GAV
  • Enable Inbound and Outbound inspection of HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios and TCP Stream.

  • Under the settings of each protocol (HTTP etc), enable the check boxes under
    • Restrict Transfer of password-protected ZIP files
    • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
    • Restrict Transfer of packed executable files (UPX, FSG, etc.)

  • Enable GAV on all internal and external zones under Network > Zones.

2. Intrusion Prevention Service (IPS)

  • Make sure IPS is updated with the latest signatures.
  • Enable prevention of Medium and High Priority Attacks. This will automatically include the signatures for this malware
  • Enable IPS on all internal and external zones under Network > Zones.

3. Botnet Filter

Enabling Botnet Filter will block access to known command and control servers of this malware.

  • On the Security Services > Botnet Filter page, enable the check box, Block connections to/from Botnet Command and Control Servers
  • Enable the check box Enable Logging

4. Content Filter Service (CFS)

Enable CFS and configure to block sites in the “Malware” and “Hacking/Proxy Avoidance Systems”


5. App Control Advanced

CryptoWall is known to use TOR to obtain the encryption keys used for encrypting files. Therefore, use App Control Advanced to block TOR. By enabling the signatures for TOR, CryptoWall will not be able to obtain the keys needed to encrypt files thus mitigating further damage to the infected host computer.

  • On the Firewall > App Control Advanced page, select Category as PROXY-ACCESS
  • Set Application to TOR.
  • Click on Configure under Application with TOR selected.
  • Set Block and Log to Enable.
  • Click on OK to save.

Tor will use Encrypted key exchange application,inorder to block that,
  • On the Firewall > App Control Advanced page, select Category as PROXY-ACCESS
  • Set Application to encrypted key exchange
  • Click on Configure under Application with Encrypted key exchange selected.
  • Set Block and Log to Enable.
  • Click on OK to save.






*** We would also do a similar block within App Control for I2P traffic. This is within the same PROXY-ACCESS category under the I2P Application. We would also recommend block all P2P traffic within App Control by changing the 'Viewed By' to Category and blocking the entire P2P application group ***

6. DPI-SSL Client Inspection

Enabling Client DPI-SSL, although not a mandatory measure, would provide additional security because 1) almost all web and email traffic is over SSL. For example, if a spam email is received over SSL, SonicWALL will not be able to detect the malware contents, if any, in it. 2) initial connection to TOR gateway is over SSL. Enabling DPI-SSL will allow SonicWALL to decrypt such traffic and scan it for malware. Under the DPI-SSL > Enable SSL Client Inspection page, enable the check boxes under Gateway Anti-virus and Intrusion Prevention. Note: DPI-SSL requires a license and is supported in NSA 220 and higher appliances with SonicOS 5.6 and above firmware.

7. CryptoWall or CryptoLocker infection may not always happen over the Internet. It could occur over shared files and/or drives or over shared removable media like USB thumb drives and external hard disks. Therefore, Administrators are advised to adhere to basic system level security best practices to protect internal hosts in the network from being infected.

Such best practices may include, but not limited to:

  • Installing end-point anti-virus software and keeping it updated with the latest signatures
  • Updating host Operating Systems, Browsers and Browser plugins with the latest security patches
  • Performing regular offline (cold) system back-ups
  • Educating users on the dangers of opening unknown files received from unknown sources etc.