This is a hard answer to give here... I guess I may provide more rabbit holes than anything but I hope this is useful.
We use Security Center Endpoint Protection from MS, and it seems to block this really well on the client, especially if they are off network since we are not pushing PAC files to the hosts. That is host level and does not answer the proxy question...
For the proxy, you can look into enabling more detections for your Gateway Anti-Malware engine. Make sure you have all the settings you can think of that can deter these attacks enabled there. Also, we have a global block rule chain and have had some success blocking some of the Exploit Kit (EK) stuff using regex (for which I think I need to open a ticket because it is not working completely as expected), but the rule is written like this:
If Geo.IP is not US (most of the EKs redirects end up in a country outside of the US, lowers the false positives) AND
if url.host is not in our whitelist (google and others that the url path matches against) AND
url.path matches \/topic\/[0-9]*\-[a-zA-Z-]*
I bring up EKs because these malicious actors are using these mechanisms more and more to distribute this ransomware. I hope that helps.
jimmylawlz thank you for sharing your thoughts and comments here.
So based on your sharing, does that mean your whitelist will be very, very big to list all the different possible websites that the users are allowed to open?
Now we are not a global company, primarily, so I think that Geo filter really helped make that whitelist small for this rule, since most of the forums or blog topics that our people go to are in the US and the malicious redirects that we have seen with these exploit kits end up in a GeoIP location outside of the US. Now that could change...
I just checked and we only have 3 domains in the url.domain whitelist.
You may want to run in audit mode for a short period when dealing with GeoIP and Regex filters. That depends of course on your environment and how much users might tolerate any disruptions. What I mean by audit mode is just create a separate log file and write to that with the rule set to continue. We use a large list of regex filters and I typically toss any new RegEx into a testing rule for a day just to see what it's going to catch. You could also run the regex against your logs.
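The rule chain described earlier in the thread (Geo.IP not US AND host not whitelisted AND url.path matches the regex), run in the audit style suggested here against proxy logs. This is an added illustration, not the proxy's own rule engine: the GeoIP table, the log line format (client, destination IP, URL) and the sample lines are constructed, and the whitelist beyond google.com and spiceworks.com is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the proxy's Geo.IP lookup (assumption, not real data).
GEOIP = {"203.0.113.10": "US", "198.51.100.7": "RU", "192.0.2.55": "NL"}

# google.com and spiceworks.com come from the thread; example.org is assumed.
HOST_WHITELIST = {"google.com", "spiceworks.com", "example.org"}

# The url.path pattern from the rule chain, used unanchored like a "matches" test.
EK_PATH = re.compile(r"/topic/[0-9]*-[a-zA-Z-]*")


def in_whitelist(host):
    """True if the host or any parent domain is in the whitelist."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in HOST_WHITELIST for i in range(len(labels) - 1))


def rule_matches(dst_ip, url):
    """Geo.IP not US AND url.host not whitelisted AND url.path matches EK_PATH."""
    parts = urlsplit(url)
    if GEOIP.get(dst_ip, "unknown") == "US":
        return False
    if in_whitelist(parts.hostname or ""):
        return False
    return EK_PATH.search(parts.path) is not None


def audit(log_lines):
    """Dry run: return the URLs the block rule would have caught, without blocking."""
    hits = []
    for line in log_lines:
        _client, dst_ip, url = line.split()
        if rule_matches(dst_ip, url):
            hits.append(url)
    return hits


# Constructed proxy log lines: client IP, destination IP, requested URL.
SAMPLE_LOG = [
    "10.0.0.5 203.0.113.10 http://forum.example.net/topic/123-some-thread",   # US: skipped
    "10.0.0.6 198.51.100.7 http://bad.example.net/topic/45821-free-update",   # caught
    "10.0.0.7 192.0.2.55 https://forum.google.com/topic/77-help",             # whitelisted
    "10.0.0.8 192.0.2.55 http://bad.example.net/index.php",                   # path no match
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```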
Google I had to add since it matched on topics. Spiceworks and one more that I can't remember....
I had that whitelist before I did the GeoIP lookup and have not had to add any since.... So that really helped I think.
I've got the list of IP addresses to be blocked:
How do you enter those IP addresses to be blocked by the proxy?