mekafir
Level 7

What's the best practice steps to block page suspected with Cryptolocker virus ?


Hi All,

Can anyone please assist me with the steps and procedure on the McAfee Web Gateway appliance to prevent the Cryptolocker virus from encrypting the file server content from users' PCs?

Over the weekend, one of the users in my company got infected by this nasty Cryptolocker virus, either from a PC or through the terminal server. The file server's mapped network drive is now encrypted.

There is AVG antivirus running already, but it doesn't do anything to keep it safe.

Thanks.

0 Kudos

Accepted Solutions
jimmylawlz
Level 8

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


This is a hard answer to give here...  I guess I may provide more rabbit holes than anything, but I hope this is useful.

We use Security Center Endpoint Protection from MS, and it seems to block this really well on the client, especially if they are off the network, since we are not pushing PAC files to the hosts.  That is host level and does not answer the proxy question...

For the proxy, you can look into enabling more detections for your Gateway Anti-Malware engine.  Make sure you have all the settings you can think of that can deter these attacks enabled there.  Also, we have a global block rule chain and have had some success blocking some of the Exploit Kit (EK) stuff using regex (for which I think I need to open a ticket, because it is not working completely as expected), but the rule is written like this:

If Geo.IP is not US (most of the EK redirects end up in a country outside of the US, which lowers the false positives) AND

url.host is not in our whitelist (Google and others that the url.path pattern matches against) AND

url.path matches \/topic\/[0-9]*\-[a-zA-Z-]*

I bring up EKs because these malicious actors are using these mechanisms more and more to distribute this ransomware.  I hope that helps.

8 Replies
mekafir
Level 7

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


Thank you for sharing your thoughts and comments here.

So based on what you shared, does that mean your whitelist will be very, very big, listing all the different websites the users are allowed to open?

0 Kudos
jimmylawlz
Level 8

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


Now, we are not a global company, primarily, so I think that Geo filter really helped to make that whitelist small for this rule, since most of the forums or blog topics that our people go to are in the US, and the malicious redirects that we have seen with these exploit kits end up in a GeoIP location outside of the US.  Now that could change...

I just checked and we only have 3 domains in the url.domain whitelist.

trevorw2000
Level 10

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


You may want to run in audit mode for a short period when dealing with GeoIP and regex filters.  That depends, of course, on your environment and how much disruption users might tolerate.  What I mean by audit mode is just to create a separate log file and write to that, with the rule set to continue.  We use a large list of regex filters, and I typically toss any new regex into a testing rule for a day just to see what it's going to catch.  You could also run the regex against your logs.

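The audit-mode dry run suggested above and the rule chain in the accepted answer can both be modelled offline. The following is an added example, not code from any poster in this thread and not McAfee Web Gateway configuration: it evaluates the three AND terms of the posted rule (GeoIP not US, host not whitelisted, path matches the regex) against constructed proxy log lines and records what the rule would have blocked without blocking anything, which is what "write to a separate log file with the rule set to continue" does on the appliance. The whitelist hostnames, the GeoIP table, the log line format and the reading of "matches" as a substring match are all assumptions.

```python
"""Offline model of the Geo.IP / whitelist / url.path block rule, plus an
audit-mode dry run over constructed log lines.  Added example code; it is
not McAfee Web Gateway configuration and uses no MWG API."""
import re
from urllib.parse import urlsplit

# The path pattern exactly as posted in the accepted answer.
TOPIC_RE = re.compile(r"\/topic\/[0-9]*\-[a-zA-Z-]*")

# Assumed url.host whitelist.  Google and Spiceworks are named in the thread;
# these exact hostnames are assumptions.
WHITELIST = {"www.google.com", "community.spiceworks.com"}

# Assumed GeoIP lookup.  A real deployment queries a GeoIP database; this is a
# constructed table that maps documentation-range addresses to made-up countries.
GEOIP = {
    "203.0.113.10": "US",
    "203.0.113.11": "US",
    "198.51.100.7": "RU",
    "198.51.100.8": "NL",
}


def rule_decision(url, dst_ip):
    """Return (would_block, reason) for one request.

    The three terms are ANDed in the order the rule states them, so the first
    failing term ends evaluation.  "matches" is assumed to mean a substring
    match (re.search) rather than a full-string match."""
    parts = urlsplit(url)
    country = GEOIP.get(dst_ip, "unknown")
    if country == "US":
        return False, "allowed: GeoIP is US"
    host = (parts.hostname or "").lower()
    if host in WHITELIST:
        return False, "allowed: host is whitelisted"
    if TOPIC_RE.search(parts.path):
        return True, "BLOCK: non-US, non-whitelisted host with a /topic/ path"
    return False, "allowed: path does not match"


# Constructed log lines in an assumed "client dst_ip url" format; not real
# MWG access-log output.
SAMPLE_LOG = """\
10.1.2.3 203.0.113.10 http://www.google.com/topic/123-cryptolocker
10.1.2.4 198.51.100.7 http://www.google.com/topic/123-cryptolocker
10.1.2.5 198.51.100.7 http://forum.example.net/topic/4521-help-with-encrypted-files
10.1.2.6 203.0.113.11 http://forum.example.net/topic/4521-help-with-encrypted-files
10.1.2.7 198.51.100.8 http://cdn.example.org/static/topic/-
10.1.2.8 198.51.100.8 http://news.example.org/article/2014/ransomware
"""


def audit_run(log_text):
    """Dry run: evaluate every line and return the (client, url, reason) tuples
    the rule WOULD block.  Nothing is blocked; this list is the separate audit
    log that tells you what users would have seen before the rule goes live."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, dst_ip, url = line.split(maxsplit=2)
        would_block, reason = rule_decision(url, dst_ip)
        if would_block:
            hits.append((client, url, reason))
    return hits


if __name__ == "__main__":
    for client, url, reason in audit_run(SAMPLE_LOG):
        print(f"{client} {url}\n    {reason}")
```

Running the dry run surfaces the two cases worth knowing before switching the rule from "continue" to "block": the Google request does match the path regex and is saved only by the whitelist, which is exactly why Google had to be whitelisted; and the `/static/topic/-` request is also a hit, because both quantifiers in the posted pattern are `*`, so `/topic/-` with no digits and no letters still satisfies it. Surprises of that kind are what a day in a testing rule, or a pass over the existing logs, is meant to find.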
mekafir
Level 7

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


Ah, I see.

Would it be possible to share your regex filter, for example?

0 Kudos
mekafir
Level 7

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


What could be in those three lines of the whitelist?

0 Kudos
jimmylawlz
Level 8

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


Google I had to add, since it matched on topics.  Spiceworks, and one more that I can't remember....

I had that whitelist before I did the GeoIP lookup and have not had to add any since....  So that really helped I think.

mekafir
Level 7

Re: What's the best practice steps to block page suspected with Cryptolocker virus ?


Hi All,

I've got the list of IP addresses to be blocked:

114.44.192.128
118.170.130.207
176.31.223.167
178.32.173.180
185.129.148.19
185.158.152.195
188.118.2.26
194.67.210.183
199.27.134.55
218.1.125.205
30.40.50.60
46.109.168.179
60.205.18.212
81.183.56.217
87.222.67.194

How do you enter those IP addresses to be blocked by the proxy?

0 Kudos
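
The thread does not say where the appliance itself stores such entries, so the following is an added example and not McAfee Web Gateway configuration: it parses the list posted above into a destination-IP blocklist the way any generic filter would, tolerating the stray whitespace that comes with a copied list, accepting CIDR ranges as well as single addresses, and refusing entries that are not valid IP literals or that fall in non-global space, so a typo in the list cannot end up blocking the internal LAN. The second, deliberately bad input is constructed for illustration.

```python
"""Parse a pasted IP blocklist, validate it, and check destinations against it.
Added example code; not McAfee Web Gateway configuration."""
import ipaddress

# The addresses exactly as posted in the thread above.
POSTED_LIST = """
114.44.192.128
118.170.130.207
176.31.223.167
178.32.173.180
185.129.148.19
185.158.152.195
188.118.2.26
194.67.210.183
199.27.134.55
218.1.125.205
30.40.50.60
46.109.168.179
60.205.18.212
81.183.56.217
87.222.67.194
"""

# Constructed bad input: an RFC 1918 address, a typo, and a duplicate.
CONSTRUCTED_BAD = """
192.168.1.5
114.44.192.12x
114.44.192.128
114.44.192.128
"""


def parse_blocklist(text):
    """Return (networks, rejected).

    Each non-empty, non-comment line may be a bare address or a CIDR range; a
    bare address becomes a /32 (or /128).  Lines that are not valid IP literals,
    or whose address is not global (RFC 1918, loopback, link-local, reserved),
    are returned in `rejected` instead of silently becoming block rules.
    Duplicates are dropped."""
    networks, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if not net.network_address.is_global:
            rejected.append((entry, "not a global address"))
            continue
        if net in seen:
            continue
        seen.add(net)
        networks.append(net)
    return networks, rejected


def is_blocked(dst_ip, networks):
    """True if the destination address falls inside any listed network."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_blocklist(POSTED_LIST)
    print(f"{len(nets)} entries loaded, {len(bad)} rejected")
    for dst in ("185.129.148.19", "8.8.8.8"):
        print(dst, "BLOCK" if is_blocked(dst, nets) else "allow")
    _, bad = parse_blocklist(CONSTRUCTED_BAD)
    for entry, why in bad:
        print(f"rejected {entry!r}: {why}")
```

All fifteen posted entries load as /32 networks and none is rejected; the constructed input loses its private address and its typo, and the duplicate is collapsed to one rule. Keeping the rejected entries visible, rather than skipping them, is the point: a blocklist that quietly swallows a bad line is one that quietly fails to block what it was meant to.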