How Palo Alto Networks Can Stop CryptoLocker

Nov 18, 2013
4 minutes
... views

The emergence of CryptoLocker in the past month means we’re seeing the next iteration of ransomware. Extortion schemes involving encryption are not new, but seem to come in waves. The first ransomware known as ‘AIDS’ dates back to 1989, with resurgent waves coming in 2005/2006 (Gpcode, TROJ.RANSOM.A, ArchiveusKrotten, Cryzip, and MayArchive)  and then again more recently in 2010 when the Russian Mafia put out WinLock and other variants.

CryptoLocker is different. It uses a 2048-bit key and the RSA algorithm to encrypt specific file types on the victim’s local storage and any other network mapped drives. The user or owner is then presented with a demand for $300 to $3000 payable through BitCoin. Once CryptoLocker has successfully encrypted the data, it is computationally infeasible that even a dedicated distributed decryption effort would crack the encryption within a lifetime.

Palo Alto Networks next-generation security platform is not able to help once the data is encrypted – so far, we haven’t seen a platform that can. But the good news for Palo Alto Networks customer is that our platform is more than capable of stopping the attack from reaching its final phase.

Think of the typical network attack lifecycle: 1) recon/bait end user, 2) exploit system, 3) download backdoor, 4) establish command and control, 5) steal or damage. CryptoLocker needs to get to phase 5 before encryption begins. Where we can stop this attack is at all of the four preceding phases.

Phase 1 (recon/bait end-user):

CryptoLocker finds its targets like other attacks: phishing emails leading a user to a malicious download site and drive-by infections. CryptoLocker has been observed sending zipped PDF files which are actually just disguised .exe files.

WildFire, as well as our anti-virus and anti-spyware, is able to look inside of zip files, and analyze unknown executables. Because we are not just looking at file name and hash value, variants of core versions are easily detected and blocked by policy. As new core versions are released, those versions are detonated within WildFire, identified as malware, and shared across our WildFire subscribers in less than an hour. Consider adding the WildFire subscription to your Palo Alto Networks next-generation firewall to ensure timely receipt of intelligence on new versions.

Phases 2&3 (exploit and download backdoor):

Once the initial payload reaches your machine, it inserts a registry key which executes the encryption engine upon boot-up.

Palo Alto Networks threat research teams have several core versions of CryptoLocker identified already, named Trojan/Win32.crilock.* in our signature base, and hold hundreds of other identified cryptological ransomware signatures as well.
As new versions emerge, the first WildFire detection adds the new version to the ‘known bad’ and distributes that intelligence across our global install base. Setting WildFire policy to block will stop the payload as it attempts to traverse the firewall. URL filtering policies in combination with File Blocking policies (block all files from unknown domains) adds an additional layer of protection, keeping the payload from being delivered.

Phase 4 (establish Command and Control):

Before this attack encrypts, it communicates out to a command and control network to send the asymmetric key pair to be used to encrypt the data. This is the only way that the attackers can deliver on their promise of releasing your files once the ransom is paid.

Command and Control traffic (C2) is detected using the Spyware elements of our Threat Prevention. Setting this to block medium, high and critical severity spyware on outbound traffic will isolate this C2 call by CryptoLocker. Without encryption key delivery, the encryption process does not initiate. C2 signatures are part of WildFire’s threat intelligence feedback loop, so new C2 patterns are constantly being updated.

Administrators can gain visibility over this C2 traffic using the Application Command Center (ACC) and sorting the Threat section by ‘spyware phone home’.

The Best Offense…

CryptoLocker is a new iteration of ransomware, but should ultimately be treated like any other threat. All of the same best practices which we recommend such as SSL decryption/inspection, classification of all traffic, in-line enabled threat prevention and investigation of unknowns still very much apply.

As a final thought, patching, regular backups and user training/awareness programs are components of any good risk management strategy. These fundamentals can also be very effective in keeping CryptoLocker, or any ransomware, from affecting your organization.

Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.