Kaseya Community

URGENT: When will KES detect and prevent Cryptolocker?

This question is answered

We are still having incidents where Cryptolocker is getting through to our KES clients and putting us at great risk. When will this be dealt with?

The latest official version of AVG doesn't appear to have this problem:

Anthony Vincent Green

AVG is protecting you against all known variants of this threat. We recommend updating your operating system as well as other apps including AVG regularly to make sure you have the highest level of protection.

Thanks,

Anthony 
AVG Customer Care

Verified Answer
  • We've seen a lot of success with the Hitman Pro product cryptoguard: www.surfright.nl/.../cryptoguard

    Also, wherever possible, set up your networks to only accept DNS from trusted servers. Cryptolocker relies on its own DNS servers.

All Replies
  • Hi Jake,

    I second this. Our organisation is constantly under threat of this ransomware and AVG seems powerless to detect it when distributing it via KES.

    Please advise.

    Thanks

  • In this case, AVG may not be the problem. Unfortunately, I have spent a decent amount of time looking into Cryptolocker prevention recently.

    I have checked the support forums of many different AV products, and folks are having trouble with it everywhere. The problem seems to be keeping up with the variants. I am not sure if there are more frequent variants of Cryptolocker released, or the impact of infections is so large, but it doesn't seem like anyone has a bulletproof AV solution.

    The best solution seems to be locking down the folder it runs from, but that breaks a lot of legitimate apps and you have to spend time correcting that.  

    There are some traffic filtering services that promise to block the traffic so that even if you get infected, your files shouldn't be encrypted. I am just starting to look into that option, so I am not sure how reliable it is.

    In my personal experience, the most effective solution has been to pay the ransom after the infection. I hate doing it, but it does seem to work.

  • We have ~600 endpoints behind OpenDNS.  So far, no infections.

    blog.opendns.com/.../wrap-containing-cryptolocker-webcast

    blog.opendns.com/.../umbrella-msps-protects-networks-cryptolocker

  • Mike,

    Have you gotten any infections that were reported by AV, but didn't encrypt because OpenDNS blocked the traffic?

  • I don't have an answer to that.  I'll check.

  • I don't see anything that shows AV detected CryptoLocker.

    All I had time to check was the KAV report.  It does list some generic Malware, etc., but I don't know if those categories cover CryptoLocker.

  • "In my personal experience, most effective solution has been to pay the ransom after the infection.  I hate doing it, but it does seem to work."

    Not serious?

  • After a computer's been encrypted, there's nothing else you can do if you don't have backups.

  • Ah, I see the confusion, I meant to say after it's been infected.

    Although, depending on how many infections you get, $300 once every few months might be a lot less than the expense and time of implementing additional layers of prevention just for CryptoLocker. I use a non-Kaseya AV solution. I have seen about 5 infections out of several thousand computers in the last few months. Maybe 2 didn't have backups. At that rate, paying the "extortion" after the fact may be less than buying and implementing additional solutions prior.

  • What are you using these days as an AV management solution?

  • My clients use multiple AV solutions, but primarily they use KAV and KES.  We had two bad cases of CryptoLocker, a non-critical (terminal server) outbreak and a new variant CryptoDefender (that machine didn't have AV).  

    I have hard coded items in group policy for about 70 clients that prevent workstations from executing applications from the affected locations. It was a pain in the butt to set up, but it seems to have worked. The largest type of application is updaters: Java updater, Firefox updater, and the like. I have the following software restriction policies in the "User Configuration" section of group policy:

    %AppData%\*.exe - Restricted
    %AppData%\*\*.exe - Restricted
    %AppData%\join.me\join.me.exe - Unrestricted
    %AppData%\Local\Foxit Updater.exe - Unrestricted
    %AppData%\Local\Google\Update\GoogleUpdate.exe - Unrestricted
    %AppData%\Local\Temp\ose00000.exe - Unrestricted
    %AppData%\Microsoft Firefox\firefox.exe - Unrestricted
    %AppData%\Spotify\Spotify.exe - Unrestricted
    %AppData%\Spotify\SpotifyLauncher.exe - Unrestricted
    %AppData%\Temp\jre-*.exe - Unrestricted
    %localAppData%\*.exe - Restricted
    %localAppData%\*\*.exe - Restricted
    %Temp%\7z*\*.exe - Restricted
    %Temp%\Rar*\*.exe - Restricted
    %Temp%\wz*\*.exe - Restricted

    Exceptions are very easy to hard code in because Event Viewer will give you the executable location, so all you have to do is add it in as unrestricted. It's also helpful to remove Domain/Enterprise administrators from the scope of this GPO.

    Changed wording.
    [edited by: mjmacka at 10:51 AM (GMT -7) on Apr 11, 2014]
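    Before pushing a rule set like the one above to 70 clients, it helps to know which executables it will actually block and which exceptions win. The following simulator is an added example and is not the poster's code or anything shipped with Kaseya or the Cryptolocker Prevention Kit. It loads the rules exactly as listed, expands the environment variables from constructed profile paths (`ENV`), and evaluates a path the way Software Restriction Policies document it: a wildcard does not cross a path separator, and when several path rules match, the most specific one wins. The specificity score (count of literal characters) is my approximation of that documented behaviour, not Microsoft's algorithm.

```python
import re

# Constructed profile paths standing in for the environment variables the
# rules reference; on a real workstation these come from the user's session.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
}

# The rule set from the post above, as (path pattern, security level).
RULES = [
    (r"%AppData%\*.exe", "Restricted"),
    (r"%AppData%\*\*.exe", "Restricted"),
    (r"%AppData%\join.me\join.me.exe", "Unrestricted"),
    (r"%AppData%\Local\Foxit Updater.exe", "Unrestricted"),
    (r"%AppData%\Local\Google\Update\GoogleUpdate.exe", "Unrestricted"),
    (r"%AppData%\Local\Temp\ose00000.exe", "Unrestricted"),
    (r"%AppData%\Microsoft Firefox\firefox.exe", "Unrestricted"),
    (r"%AppData%\Spotify\Spotify.exe", "Unrestricted"),
    (r"%AppData%\Spotify\SpotifyLauncher.exe", "Unrestricted"),
    (r"%AppData%\Temp\jre-*.exe", "Unrestricted"),
    (r"%localAppData%\*.exe", "Restricted"),
    (r"%localAppData%\*\*.exe", "Restricted"),
    (r"%Temp%\7z*\*.exe", "Restricted"),
    (r"%Temp%\Rar*\*.exe", "Restricted"),
    (r"%Temp%\wz*\*.exe", "Restricted"),
]


def expand(text):
    """Expand %VAR% references case-insensitively; unknown names are left as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), text)


def pattern_to_regex(pattern):
    # SRP wildcards match within one path component only: '*' and '?' never
    # cross a backslash. That is why the post needs both a one-level and a
    # two-level rule for %AppData% to cover droppers in a subfolder.
    parts = []
    for ch in expand(pattern):
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def rule_matches(pattern, path):
    # Windows paths are case-insensitive, so the comparison is too.
    return re.fullmatch(pattern_to_regex(pattern), expand(path), re.IGNORECASE) is not None


def specificity(pattern):
    """Approximation of 'most specific path rule wins': more literal
    (non-wildcard) characters means a more specific rule."""
    return sum(1 for ch in expand(pattern) if ch not in "*?")


def evaluate(path, rules=RULES, default_level="Unrestricted"):
    """Return (level, winning_pattern) for an executable path. With no
    matching rule the SRP default level applies (Unrestricted unless the
    policy changed it), and the winning pattern is None."""
    matches = [(specificity(p), p, level) for p, level in rules if rule_matches(p, path)]
    if not matches:
        return default_level, None
    _, pattern, level = max(matches)
    return level, pattern


if __name__ == "__main__":
    # Constructed samples: a dropper directly in %AppData%, a legitimate app
    # covered by an exception, an archive-extraction temp folder, and a path
    # three levels deep that none of the listed rules reaches.
    for sample in [
        r"%AppData%\dropper.exe",
        r"%AppData%\Spotify\Spotify.exe",
        r"%AppData%\evil\payload.exe",
        r"%Temp%\7zO1234\setup.exe",
        r"%AppData%\vendor\sub\tool.exe",
    ]:
        level, rule = evaluate(sample)
        print(f"{expand(sample)} -> {level} (rule: {rule})")
```

    The last sample is the useful one: it falls through to the default level because the rule set only goes two folder levels deep, which is exactly the kind of gap worth finding on paper rather than from an Event Viewer entry after the fact. The same function can be fed the paths from those Event Viewer entries to confirm that a newly added Unrestricted exception really outranks the Restricted rule that fired.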
  • Any one use this: www.foolishit.com/.../cryptoprevent

    Might save some time, if it works.

  • Mikey,

    I used the FoolishIT kit on a few non-domain PCs and it works. That being said, there isn't the ability to roll it out to domain computers. FoolishIT makes reference and hyperlinks to the Cryptolocker Prevention Kit. That's the kit I built the exceptions I am using from. There is (maybe was) a desktop shortcut in that to a 3rd party blog, so make sure to cut that out of your GPO prior to implementation.

  • We've seen a lot of success with the Hitman Pro product cryptoguard: www.surfright.nl/.../cryptoguard

    Also, wherever possible, set up your networks to only accept DNS from trusted servers. Cryptolocker relies on its own DNS servers.

  • Nice find Norman! I think that's the best suggestion so far, I've tested it on several machines with success :)

    Shame there isn't a silent install switch for it...

    Tarded
    [edited by: Jake Jones at 3:19 AM (GMT -7) on Apr 24, 2014]