CryptoLocker Remediation
About Varonis
Started operations in 2005
Focus on Frequency
Crypto Locker
CryptoLocker is a well-known Trojan/virus that is spread all over the internet.
It usually enters the company by email.
The latest variant was not detected by any anti-virus or firewall.
If a user clicks on the executable, it immediately starts scanning network drives, renames all the files and folders, and encrypts them.
Encryption

Actions                                       Events on files   Notes
Encrypt files                                 (not shown)       Add extension .encrypted OR .cryptolocker
Add file extensions (next to existing ones)   RENAME
Instruction files written in each directory   CREATE

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL
Filetypes affected
*.zip ; *.rar ; *.7z ; *.tar ; *.gzip ; *.jpg ; *.jpeg ; *.tif ; *.psd ; *.cdr ; *.dwg ; *.max ; *.bmp ; *.gif ; *.png ; *.doc ; *.docx ; *.xls ; *.xlsx ; *.ppt ; *.pptx ; *.txt ; *.pdf ; *.djvu ; *.htm ; *.html ; *.mdb ; *.cer ; *.p12 ; *.pfx ; *.kwm ; *.pwm ; *.1cd ; *.md ; *.mdf ; *.dbf ; *.odt ; *.vob ; *.iso ; *.ifo ; *.csv ; *.torrent ; *.mov ; *.m2v ; *.3gp ; *.mpeg ; *.mpg ; *.flv ; *.avi ; *.mp4 ; *.wmv ; *.divx ; *.mkv ; *.mp3 ; *.wav ; *.flac ; *.ape ; *.wma ; *.ac3 ; *.epub ; *.eps ; *.ai ; *.pps ; *.pptm ; *.accdb ; *.pst ; *.dwg ; *.dxf ; *.dxg ; *.wpd ; *.dcr ; *.kdc ; *.p7b ; *.p7c ; *.raw ; *.cdr ; *.qbb ; *.indd ; *.qbw
6 Mitigation Tips
1. Eliminate Global Access
in a public place
Watch what root/domain admins are doing
Watch what contractors are doing
Detecting CryptoLocker
Alert on more than 100 file modify events from a
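The behaviour described on the earlier slides (files renamed with a .encrypted or .cryptolocker extension, an instruction file created in each directory) and the detection rule above (alert on more than 100 file modify events) can be turned into a small detector over a file-access event stream. The code below is an added example, not Varonis' own code or product logic. It assumes a tab-separated event line format (timestamp, user, action, path), a 5-minute sliding window for the modify threshold (the slide's time window is cut off), and a constructed ransom-note file name; all of those are assumptions marked in the comments.

```python
"""Detect CryptoLocker-style mass encryption from file-access events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODIFY_THRESHOLD = 100                   # from the slide: alert on more than 100 file modify events
WINDOW = timedelta(minutes=5)            # assumption: the slide's time window is not recoverable
RANSOM_EXTENSIONS = (".encrypted", ".cryptolocker")   # extensions listed on the slide
INSTRUCTION_NAME = "DECRYPT_INSTRUCTIONS.txt"        # constructed name for the instruction file
INSTRUCTION_DIR_THRESHOLD = 3            # assumption: alert once the note lands in this many directories


def parse_event(line):
    """Parse one event line: <ISO timestamp>\t<user>\t<action>\t<path> (assumed format)."""
    ts, user, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action.upper(), path


def detect(lines):
    """Return (rule, user) alerts, at most one per rule per user, in the order they fire.

    Events must be in chronological order per user (as an audit log would be).
    """
    alerts, raised = [], set()
    modify_times = defaultdict(deque)    # user -> timestamps of MODIFY events inside WINDOW
    note_dirs = defaultdict(set)         # user -> directories that received the instruction file

    def raise_once(rule, user):
        if (rule, user) not in raised:
            raised.add((rule, user))
            alerts.append((rule, user))

    for ts, user, action, path in map(parse_event, lines):
        if action == "MODIFY":
            recent = modify_times[user]
            recent.append(ts)
            while ts - recent[0] > WINDOW:       # drop events that fell out of the window
                recent.popleft()
            if len(recent) > MODIFY_THRESHOLD:
                raise_once("mass_modify", user)
        elif action == "RENAME":
            # path holds the new name; the malware appends its extension next to the old one
            if path.lower().endswith(RANSOM_EXTENSIONS):
                raise_once("ransom_extension_rename", user)
        elif action == "CREATE":
            directory, _, name = path.rpartition("/")
            if name == INSTRUCTION_NAME:
                note_dirs[user].add(directory)
                if len(note_dirs[user]) >= INSTRUCTION_DIR_THRESHOLD:
                    raise_once("instruction_file_spray", user)
    return alerts


def make_modifies(user, count, gap_seconds, start=datetime(2014, 1, 15, 10, 0, 0)):
    """Constructed MODIFY events for one user, gap_seconds apart (sample data, not real logs)."""
    return [
        f"{(start + timedelta(seconds=gap_seconds * i)).isoformat()}\t{user}\tMODIFY\t//fs1/share/f{i}.docx"
        for i in range(count)
    ]


def build_sample():
    """Constructed log: 'bob' does normal work, 'alice' behaves like an infected host."""
    base = datetime(2014, 1, 15, 9, 0, 0)
    lines = make_modifies("bob", 5, 30, base)
    for i in range(120):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}\talice\tMODIFY\t//fs1/share/docs/file{i}.docx")
        lines.append(f"{t}\talice\tRENAME\t//fs1/share/docs/file{i}.docx.encrypted")
        if i % 40 == 0:
            lines.append(f"{t}\talice\tCREATE\t//fs1/share/docs/sub{i}/{INSTRUCTION_NAME}")
    return lines


SAMPLE_EVENTS = build_sample()

if __name__ == "__main__":
    for rule, user in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {user}")
```

On the constructed sample the rename rule fires first (the very first .encrypted rename), the instruction-file rule fires once three directories have received the note, and the mass-modify rule fires on the 101st modify inside the window; 'bob' never trips anything, and 120 modifies spread 10 seconds apart also stay under the threshold within any 5-minute window. The rename and create rules are what make the detection specific to this malware; the modify-count rule on its own is also tripped by bulk migrations and backups, so in practice it is tuned per user population.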
occurs, and activate a code part that decrypts the files without needing to obtain the decryption key.
This depends on the CryptoLocker variant that infected the files.
cryptolocker
http://bit.ly/threatcheck
Thank you!