Our mission is to help enterprises realize value from their unstructured data.

CryptoLocker Remediation

VARONIS SYSTEMS. PROPRIETARY & CONFIDENTIAL

About Varonis
Started operations in 2005

Over 3000 Customers (as of September, 2014)

Software Solutions for Human Generated Data

A Story About Trees

Focus on Frequency

The Crypto Locker


Crypto Locker
CryptoLocker is a well-known Trojan that is spread widely over the internet.
It usually enters the company by email, as an attachment or link the user is lured into opening.
The latest variant was not detected by antivirus or firewall at the time of writing.
If a user runs the executable, it immediately starts scanning the local and mapped network drives, renames the files and folders it can reach and encrypts the files.

The most effective counter-measure to identify and limit the damage is to use DatAdvantage and DatAlert.

Actions and behavior

[Diagram: file.docx -> Encryption -> file.docx with an added extension (.encrypted or .cryptolocker)]

Action: Encrypt files
  Notes: The file contents are encrypted with a symmetric cipher (AES in the original CryptoLocker), which is why the cipher looks symmetric; the 2048-bit RSA key is used to protect that symmetric key, not to encrypt the file data directly. The exact cipher depends on the CryptoLocker variant.
  Events on files: OPEN then MODIFY

Action: Add file extensions (next to the existing ones)
  Notes: Appends one of these extensions to the end of the file name (depending on the CryptoLocker variant):
    - .encrypted
    - .cryptolocker
    - .<RANDOM 7 characters>
  Events on files: RENAME

Action: Instruction files written in each directory
  Notes: Writes a file containing a link to a web page with instructions to decrypt the files (the user is required to pay some bitcoins). The file names are:
    - DECRYPT_INSTRUCTION.txt
    - DECRYPT_INSTRUCTIONS.html
  Events on files: CREATE

Filetypes affected
*.zip ; *.rar ; *.7z ; *.tar ; *.gzip ; *.jpg ; *.jpeg ; *.tif ; *.psd
; *.cdr ; *.dwg ; *.max ; *.bmp ; *.gif ; *.png ; *.doc ; *.docx
; *.xls ; *.xlsx ; *.ppt ; *.pptx ; *.txt ; *.pdf ; *.djvu ; *.htm ;
*.html ; *.mdb ; *.cer ; *.p12 ; *.pfx ; *.kwm ; *.pwm ; *.1cd
; *.md ; *.mdf ; *.dbf ; *.odt ; *.vob ; *.iso ; *.ifo ; *.csv ;
*.torrent ; *.mov ; *.m2v ; *.3gp ; *.mpeg ; *.mpg ; *.flv ;
*.avi ; *.mp4 ; *.wmv ; *.divx ; *.mkv ; *.mp3 ; *.wav ; *.flac
; *.ape ; *.wma ; *.ac3 ; *.epub ; *.eps ; *.ai ; *.pps ; *.pptm
; *.accdb ; *.pst ; *.dwg ; *.dxf ; *.dxg ; *.wpd ; *.dcr ; *.kdc
; *.p7b ; *.p7c ; *.raw ; *.cdr ; *.qbb ; *.indd ; *.qbw


Identification of the impacted files

AFTER INFECTION: DatAdvantage
- Check for a high number of OPEN, RENAME and CREATE events generated by a single user account, filtering on the file extensions listed above (Report 01.A.01 - User Access Log).
- Check for statistically significant deviations in access events from the (infected) user or computer (Alerts: daily deviation).

DURING INFECTION (DETECT AND ARREST): DatAlert
- Configure a threshold alert on file server OPEN, RENAME and CREATE events.
- Configure an automatic action that disables the user account in the directory service, to arrest the file encryption before it propagates.


They're in... now what?

6 Mitigation Tips
1. Eliminate Global Access
2. Eliminate Excessive Permissions
3. Alert on Privilege Escalations
4. Alert on Behavioral Deviations
5. Set up Honeypots
6. Closely Monitor High-Risk People and Data


Tip #1: Eliminate Global Access

Locate groups like Everyone and Authenticated Users and replace them with tighter security groups.

How do I avoid cutting off legitimate access?
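The following PowerShell script is an added example, not code from the deck or from Varonis. It builds the inventory this tip starts from: every folder under a share root whose ACL has an Allow entry for a global principal (Everyone, Authenticated Users, BUILTIN\Users or a domain's Domain Users), with the explicit (non-inherited) entries sorted first because those are where the grant was made. It assumes PowerShell 5 or later (for Get-ChildItem -Depth), an account that can read the ACLs, and a placeholder share root D:\Share.

```powershell
# Added example, not from the Varonis deck.
# Inventory of "global access": every folder under $Root with an Allow ACE for
# Everyone, Authenticated Users, BUILTIN\Users or <domain>\Domain Users.
# Assumes PowerShell 5+ (Get-ChildItem -Depth), ACL read access, placeholder root.
param(
    [string]$Root  = 'D:\Share',   # placeholder share root
    [int]   $Depth = 3
)

# Principals treated as "global". The last pattern matches any domain prefix.
$GlobalPrincipals = @(
    '^Everyone$',
    '^NT AUTHORITY\\Authenticated Users$',
    '^BUILTIN\\Users$',
    '^[^\\]+\\Domain Users$'
)

function Test-GlobalPrincipal {
    param([string]$Identity)
    foreach ($pattern in $GlobalPrincipals) {
        if ($Identity -match $pattern) { return $true }
    }
    return $false
}

function Get-GlobalAccessAce {
    param([string]$Path, [int]$MaxDepth)
    $folders  = @(Get-Item -LiteralPath $Path)
    $folders += Get-ChildItem -LiteralPath $Path -Directory -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName }
        catch { Write-Warning "Cannot read ACL on $($folder.FullName): $_"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not (Test-GlobalPrincipal $ace.IdentityReference.Value)) { continue }
            [pscustomobject]@{
                Path      = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # explicit ACEs are where the fix goes
                AppliesTo = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
            }
        }
    }
}

# Explicit grants first: replacing those (and letting inheritance re-flow) fixes the subtree.
Get-GlobalAccessAce -Path $Root -MaxDepth $Depth |
    Sort-Object Inherited, Path |
    Format-Table -AutoSize
```

To answer the question on the slide, do not guess at the replacement group: build it from the accounts that actually accessed the folder in the audit trail (the deck's Report 01.A.01 - User Access Log serves this purpose), then swap the global entry for that group and watch for access-denied events afterwards.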


Tip #2: Eliminate Excessive Permissions

People and software!

Figure out what people have access to but shouldn't.

Amazon-like recommendations

Auto-expire temporary access

Periodically review entitlements


Tip #3: Alert on Privilege Escalations


Do you know when someone gets root access?


Tip #4: Alert on Behavioral Deviations


Behavioral activity spikes (email, files, access denied)

Monitor activity outside of normal business hours


Tip #5: Set up Honeypots

Set up a shared folder that is open to everyone, with names that invite abuse:
X:\Share\Payroll
X:\Share\Confidential
X:\Share\CEO

See who abuses it: nobody has a legitimate reason to use these folders, so every access is a signal.
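An added example (not from the deck, and not how Varonis implements it) of the honeypot above, using native Windows auditing in place of DatAlert to answer "who abuses it": it creates the decoy folders with an Everyone:Modify DACL, adds a SACL that audits every access, and then reads Security event 4663 to list the accounts that touched a decoy. It assumes it runs as an administrator on the file server, that the "File System" object-access audit subcategory is enabled (auditpol /set /subcategory:"File System" /success:enable /failure:enable), PowerShell 5 or later, and that X:\Share and the decoy file names are placeholders.

```powershell
# Added example, not from the Varonis deck.
# Decoy folders open to Everyone, audited via SACL; accesses show up as event 4663.
# Assumes: admin on the file server, "File System" auditing enabled, PowerShell 5+.
$HoneypotRoot = 'X:\Share'                       # placeholder
$Decoys       = @('Payroll', 'Confidential', 'CEO')

function New-HoneypotFolder {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # A few plausible-looking (constructed, zero-filled) files so a listing is not empty.
    foreach ($name in 'salaries_2014.xlsx', 'bonus_plan.docx', 'board_minutes.pdf') {
        $file = Join-Path $Path $name
        if (-not (Test-Path -LiteralPath $file)) {
            [System.IO.File]::WriteAllBytes($file, (New-Object byte[] 4096))
        }
    }

    # -Audit is required to read and write the SACL (needs SeSecurityPrivilege).
    $acl      = Get-Acl -LiteralPath $Path -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    # DACL: Everyone gets Modify. Nobody legitimately needs this, so any use is suspicious.
    $allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($allow)

    # SACL: audit success and failure for reads, writes, deletes and ACL changes, inherited by children.
    $audit = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyone,
        'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
        'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($audit)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

foreach ($d in $Decoys) { New-HoneypotFolder -Path (Join-Path $HoneypotRoot $d) }

function Get-HoneypotAccess {
    # Event 4663 ("An attempt was made to access an object") carries account and object path.
    param([string]$PathPrefix = $HoneypotRoot, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.ObjectName -like "$PathPrefix*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Object  = $data.ObjectName
                    Access  = $data.AccessMask
                }
            }
        }
}

# Who has been in the decoys in the last day, by account.
Get-HoneypotAccess | Group-Object Account | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

A CryptoLocker-infected session walks every share it can see, so it will open, rename and write in the decoy within seconds of reaching X:\Share; a single 4663 from an ordinary user account in one of these folders is enough to raise an alert, and a burst of them from one account is the same signal the threshold rule later in the deck looks for.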


Tip #6: Monitor High Risk People and Data


Alert or auto-quarantine sensitive data when it shows up

in a public place
Watch what root/domain admins are doing
Watch what contractors are doing


Detecting CryptoLocker
Alert on more than 100 file modify events from a single user in under a minute.

The alert triggers an action to:
- Notify IT admins
- Grab the username and machine
- Check the machine's registry for the key/value that CryptoLocker creates:
    (Get-Item HKCU:\Software\CryptoLocker\Files).GetValueNames()
  The key lives in the infected user's hive, so when the check runs remotely under an administrative account, read the same path under HKEY_USERS\<SID of the user> rather than HKCU:.
- If the value exists, disable the user automatically:
    Disable-ADAccount -Identity $actingObject
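The script below is an added example, not the deck's or Varonis's code: it runs the threshold rule from this slide over constructed file-activity records (a sliding 60-second window per user), then, for any user who crosses it, performs the registry check on the workstation and disables the account. It assumes the activity records arrive in the shape shown (from DatAlert, or from Security events 4663 on the filer), PowerShell remoting to the workstation, the RSAT ActiveDirectory module on the host running it, and the registry path the deck cites; the user names, host names and timestamps are constructed sample data.

```powershell
# Added example, not from the Varonis deck.
# Threshold detection (>100 MODIFY events from one user inside 60 s) over constructed
# records, then the registry check and account disable described on the slide.
# Assumes: records in the shape below, PS remoting to the workstation, RSAT AD module.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue   # Get-ADUser, Disable-ADAccount

$Threshold     = 100    # events
$WindowSeconds = 60     # sliding window

# Constructed sample: jdoe encrypts 150 files in 45 s, asmith saves 20 files over 200 s.
$base   = Get-Date '2014-10-16 09:00:00'
$Events = @()
foreach ($i in 1..150) {
    $Events += [pscustomobject]@{ Time = $base.AddMilliseconds($i * 300); User = 'CORP\jdoe';   Host = 'WS-042'; Op = 'MODIFY'; Path = "\\filer\share\doc$i.docx" }
}
foreach ($i in 1..20) {
    $Events += [pscustomobject]@{ Time = $base.AddSeconds($i * 10);       User = 'CORP\asmith'; Host = 'WS-007'; Op = 'MODIFY'; Path = "\\filer\share\plan$i.xlsx" }
}

function Find-BurstUser {
    # Users with more than $Threshold MODIFY events in any $WindowSeconds window.
    param($Records, [int]$Threshold, [int]$WindowSeconds)
    $Records | Where-Object Op -eq 'MODIFY' | Group-Object User | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        $start = 0
        $peak  = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            # Slide the window start forward until it spans less than $WindowSeconds.
            while (($times[$i] - $times[$start]).TotalSeconds -ge $WindowSeconds) { $start++ }
            $count = $i - $start + 1
            if ($count -gt $peak) { $peak = $count }
        }
        if ($peak -gt $Threshold) {
            [pscustomobject]@{ User = $_.Name; PeakPerWindow = $peak; Host = ($_.Group | Select-Object -First 1).Host }
        }
    }
}

function Test-CryptoLockerRegistry {
    # HKCU:\Software\CryptoLocker\Files exists only in the infected user's hive, so a remote
    # session running as an administrator must read it under HKEY_USERS\<SID>.
    param([string]$ComputerName, [string]$UserSid)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $UserSid -ScriptBlock {
        param($Sid)
        $key = "Registry::HKEY_USERS\$Sid\Software\CryptoLocker\Files"
        if (Test-Path $key) { @((Get-Item $key).GetValueNames()) } else { @() }
    }
}

function Invoke-CryptoLockerResponse {
    param($Burst, [switch]$Disable)
    $sam   = $Burst.User.Split('\')[-1]
    $user  = Get-ADUser -Identity $sam
    $files = @(Test-CryptoLockerRegistry -ComputerName $Burst.Host -UserSid $user.SID.Value)
    if ($files.Count -gt 0) {
        Write-Warning "$($Burst.User) on $($Burst.Host): $($files.Count) files listed under the CryptoLocker key"
        if ($Disable) { Disable-ADAccount -Identity $user }   # stops further writes to the shares
        # Notify IT admins here (Send-MailMessage, ticket, etc.).
    }
}

$bursts = Find-BurstUser -Records $Events -Threshold $Threshold -WindowSeconds $WindowSeconds
$bursts | Format-Table -AutoSize     # jdoe fires (150 in one window); asmith does not
# Live use: foreach ($b in $bursts) { Invoke-CryptoLockerResponse -Burst $b -Disable }
```

Disabling the account stops new SMB sessions but does not tear down the one already open; to arrest the encryption in progress, also close the user's open sessions on the filer (Close-SmbSession on Windows Server 2012 and later) or isolate the workstation.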


Detecting CryptoLocker - DatAlert configuration


Cleaning your filers using a DatAdvantage Report

Identify infected files: create a report that lists all files modified over the last 30 days. An XML template containing predefined filters for DatAdvantage (v6.0.52) accompanies this procedure.


Remediating File Servers

- Restore the files from a backup or from Volume Shadow Copies (Windows servers, if enabled) once the infected/encrypted files have been identified.
- Another option, depending on the CryptoLocker variant: the encryption may be reversible. Using a real-time disassembler on the PE (Portable Executable) that encrypted the files through the user's session, it may be possible to skip the code path where the encryption occurs and run the code path that decrypts the files instead, without obtaining the decryption key from the attacker. This only works for variants that keep the key material on the machine; where the symmetric key has been encrypted with an RSA public key whose private half is held on the attacker's server, no code path in the binary can recover it.
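The following script is an added example serving both the identification step (which the deck does with a DatAdvantage report and XML filter template) and the restore step; it is not Varonis's code. It walks a share, collects the artifacts the earlier "Actions and behavior" slide lists (files carrying .encrypted or .cryptolocker, files with a random 7-character extension appended after their real one, and the DECRYPT_INSTRUCTION files) modified inside the look-back window, writes them to a CSV, and with -Restore copies each original back from the newest Volume Shadow Copy taken before the infection. It assumes it runs as an administrator on the file server, that the share is a local drive path, that shadow copies were enabled on that volume, PowerShell 3 or later, and that D:\Share and the infection date are placeholders; the random-extension match is a heuristic, so review the Suspect rows before acting on them.

```powershell
# Added example, not from the Varonis deck.
# 1) Find files CryptoLocker touched under $Share since $InfectedSince.
# 2) With -Restore, copy originals back from the newest shadow copy older than $InfectedSince.
# Assumes: admin on the file server, local drive path, shadow copies enabled, placeholders below.
param(
    [string]  $Share         = 'D:\Share',                 # placeholder
    [datetime]$InfectedSince = (Get-Date).AddDays(-30),    # placeholder look-back
    [switch]  $Restore
)

$KnownExt      = @('.encrypted', '.cryptolocker')
$InstructionRx = '^DECRYPT_INSTRUCTIONS?\.(txt|html)$'
$RandomExtRx   = '\.[a-z0-9]{7}$'                         # ".<RANDOM 7 characters>"

function Get-CryptoLockerArtifact {
    param([string]$Root, [datetime]$Since)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $kind = $null
            if     ($_.Name -match $InstructionRx)                                   { $kind = 'Instruction' }
            elseif ($KnownExt -contains $_.Extension.ToLower())                     { $kind = 'Encrypted' }
            elseif ($_.Name -match $RandomExtRx -and $_.BaseName -match '\.')       { $kind = 'Suspect' }   # report.docx.abcdefg
            if ($kind) {
                # Original name = file name minus the appended extension (not meaningful for instruction files).
                $orig = if ($kind -eq 'Instruction') { $null } else { Join-Path $_.DirectoryName $_.BaseName }
                [pscustomobject]@{ Kind = $kind; Path = $_.FullName; Original = $orig; Modified = $_.LastWriteTime }
            }
        }
}

function Get-ShadowCopyRoot {
    # Newest shadow copy of the share's volume created before $Before, exposed through a directory symlink.
    param([string]$Path, [datetime]$Before)
    $drive  = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')                     # "D:"
    $volume = (Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $drive).DeviceID
    $copy   = Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume -and $_.InstallDate -lt $Before } |
        Sort-Object InstallDate -Descending | Select-Object -First 1
    if (-not $copy) { throw "No shadow copy of $drive older than $Before" }
    $link = Join-Path $env:TEMP ('vss_' + $copy.ID.Trim('{}'))
    if (-not (Test-Path -LiteralPath $link)) {
        cmd /c mklink /d "$link" "$($copy.DeviceObject)\" | Out-Null         # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\
    }
    return $link
}

$artifacts = @(Get-CryptoLockerArtifact -Root $Share -Since $InfectedSince)
$artifacts | Group-Object Kind | Format-Table Count, Name -AutoSize
if ($artifacts.Count -gt 0) {
    $artifacts | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'cryptolocker_artifacts.csv')
}

if ($Restore) {
    $vss = Get-ShadowCopyRoot -Path $Share -Before $InfectedSince
    foreach ($a in $artifacts | Where-Object Kind -eq 'Encrypted') {
        $rel = $a.Original.Substring(3)             # strip "D:\" to get the volume-relative path
        $src = Join-Path $vss $rel
        if (Test-Path -LiteralPath $src) {
            Copy-Item -LiteralPath $src -Destination $a.Original -Force
            # Keep the encrypted copy until the restored file has been opened and verified.
            Rename-Item -LiteralPath $a.Path -NewName ((Split-Path $a.Path -Leaf) + '.quarantine')
        } else {
            Write-Warning "No pre-infection copy for $($a.Original)"
        }
    }
}
```

Run it without -Restore first and check the CSV: the Instruction rows mark every directory the malware reached, and a directory with an instruction file but no Encrypted or Suspect rows usually means files there carry an extension the regex did not catch. Shadow copies on the same volume can be deleted or cycled out by the next snapshot, so take the restore before doing anything else that writes heavily to that volume.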


For More Information

Join the Varonis Connect Community Developer Forum:
https://connect.varonis.com/community/developercommunity/blog/2014/10/16/powershell-tools-for-cryptolocker


Free Threat Assessment

http://bit.ly/threatcheck


Thank you!
