Christmas Ransomware?

Anyone else being hit by 0-day previously-undetectable ransomware this holiday season?

No. Have you been hit?

Wish these articles would point out how to defend yourself.

I don’t run Flash, Java, or Silverlight.

Everything (and I mean everything) is as up to date as possible on my systems, from software to the firmware on my damn keyboard.

Triple layers of security. AV software. Malwarebytes Premium. Malwarebytes Anti-Exploit premium.

Last year I signed up for a free month of Anti-Exploit, but I just couldn’t get it to work for me. It was flagging nearly every place I went and not letting me browse even the normal stuff I browse every day. At work it wasn’t letting me go to our work email through GoDaddy and use my normal workflow. So I just ended up disabling it. Did you install it and then on a daily basis keep whitelisting a lot of stuff?

I’ve been using it for two years and have never whitelisted anything.

I tried hitmanpro.alert and it seemed pretty good, but it was a bit… overly restrictive. I remember having to completely disable it for some games and other stuff.

Most of this infuriating time-wasting shit is delivered via email to unsuspecting, inept users. We haven’t been hit by crypto at work for a few months now, but every time it’s a pain in the arse to restore every single file that user had access to from backup. Actually, it’s always delivered by email. Every time.

"Here your invoice is, please read


Jim - UPS Manger"

User opens a PDF that says “click here to read invoice” (WHOEVER SAW A GENUINE EMAIL THAT LOOKED LIKE THIS??) and it installs the fucker and encrypts every file they had access to on the server.

Fuck sake.


Yeah, it came in through a 0-day Flash exploit, as a drive-by through browsing we think. The affected employee didn’t recall actively clicking or opening anything. This is with fancy, super expensive Next Generation firewalls from Check Point, Cisco, Palo Alto etc. They didn’t get signatures through their fancy cloud-sourced threat intelligence until half a week later. This workstation had the latest available Flash Player as well.

It’s time we revisit taking away/disabling Flash entirely, as well as locking down Internet and social media usage at work.

Unfortunately a lot of the in-house legacy and business applications conflict with the anti-exploit/threat protection of MBAM/MBAE and Palo Alto Traps or Sophos Intercept X (HitmanPro.Alert tech), so we end up disabling it until we can figure out how to work around it.

For some reason, we were super lucky and the ransomware infection didn’t spread or else our file servers might have been hooped.

eeesh, via flash? fun :(

Yeah, my sister’s laptop was hit by this Goldeneye ransomware via a Flash vulnerability. Malwarebytes Anti-Ransomware and Bitdefender antivirus were active…

  • Click To Play / whitelisting should help with a lot of browser-based issues (i.e. locking down the plugins to ONLY the verified sites (and not 3rd parties) that require them)
  • Blocking font downloads should help against some past 0-days
  • JavaScript whitelisting through browser plugins (like uMatrix)
  • Domain blocking on the firewall for some sites

But as someone stated, most crypto ransomware comes through email, and outside of teaching the users ‘safe’ behaviour you’ll probably have to take some drastic tech measures:

  • Accept no attachments, or only from verified senders, or use a sandboxed PDF reader
  • Text-only email

Minimise impact?

  • Least privileges on users
  • Thin clients that can be ‘scrubbed’
  • “Intelligent” defenses that will monitor user behaviour and lock down / disconnect the computer from the network if they suddenly see the user opening 100+ files on network shares. (Forgot what this one was called…)

Suppose the cheapest is to just realize you will get hit and, instead of spending $$ on preventive tech that won’t do shit, get really good at backups/restore (with Veeam for example). Of course, it wouldn’t cost you much to remind users every week for the rest of their lives not to ‘click shit’ just because the email tells them to.

Hey, just reading your post, rei, but don’t feel bad. We’ve had a number of folks hit with it at work, and in one case a pretty massive restore effort afterward due to it. The knee-jerk reaction so far has been pretty heavy-handed, but in all honesty, similar to what @instant0 mentioned, we’re pretty sure our infections have been via email. It doesn’t matter how much you train people not to open attachments that seem fishy; if it’s from an address that looks like someone they know, they will continue to do so. In some cases, even if it isn’t someone they know.

Sandboxing? I.e. some method of either automatically holding any actions for a specified time to see if it’s kosher, or dropping a client into said posture if the payload or origination is in question. Multiple vendors have solutions for that. One issue is that there are already workarounds for some of them by newer malware. :(

EDIT: Unless you meant some sort of network monitoring to do the same. I’m aware of those too, though we don’t employ one, sadly. I’d love to hear from someone that does though. Shit, anything is worth it once you have a major data loss.

Yeah, was thinking from the network side. Sandboxing on the client side would of course also be mandated.

There should be solutions already that you run for a while to get a footprint of the network; after that, anything else will be flagged as suspect, and I would assume that depending on “how” suspect it is you could have automatic reactions to run scripts etc. One such could drop the network connection the client is using, for example. So maybe it will only have time to encrypt 50 files instead of 40,000.

Course, the software you’re defending against will improve in time, but … progress, I guess.

We have a number of things to try to stop the most recent versions of ransomware, and to be honest, they have all failed at some point. Zero-day outbreaks are sometimes just impossible to stop.

I was just on a meeting today where we are trying to once again find new ways to prevent it, and it’s like listening to the audio version of people throwing spaghetti on the wall.

What you described is heuristic network monitoring/blocking. I worked on a team that did that at a previous company. The biggest issue was that unfortunately, it is really hard to map everything people do on the internet, so something was always missed or marked as safe, when the actual rules should not have been. I took it more as a failure for the company to properly monitor what traffic they had, so you can’t really blame the solution not working well if it is set up using bad info.

I am not familiar with any that do that for ransomware but if they are out there, we certainly need it.

Well, the concept should be the same for ransomware, no? The software would look for “out of the ordinary” behaviour and block it.

Normally an office user would open one document at a time, and not modify several (outside of programmers, artists etc., but then you’ll probably be looking at source repository pushes/pulls etc., so they would already be somewhat “backed up” and out of scope).

When ransomware appears it will normally start modifying every file it can get access to, local and on any network shares, so you’d see a spike in activity that would be considered an anomaly -> quarantine.
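An added example (written for this page, not code from the thread or from any product mentioned in it) of the behaviour-based logic described in this post and in the earlier bullet about a user suddenly opening 100+ files on network shares: a sliding-window count of distinct files written per user, with a quarantine decision once it crosses a threshold. The audit events, user names, 60-second window, threshold of 100 and the exempt-user list are all constructed assumptions; a real deployment would feed the monitor from file-server audit logs and the quarantine step would actually drop the client’s network access.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values for this example: 100 distinct files written by one user
# within 60 seconds is treated as ransomware-like. Tune against your own baseline.
WINDOW = timedelta(seconds=60)
THRESHOLD = 100
# Writes and renames are counted rather than opens/reads: an encryptor must write
# the ciphertext back, while search indexers and AV scans only read.
COUNTED_OPS = ("write", "rename")


class ShareMonitor:
    """Tracks per-user write activity on network shares and flags a sudden spike."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD, exempt_users=()):
        self.window = window
        self.threshold = threshold
        # Developers, artists etc. legitimately touch many files at once; the post
        # treats them as out of scope (their work lives in a repository anyway).
        self.exempt_users = set(exempt_users)
        self._recent = defaultdict(deque)  # user -> deque of (timestamp, path)
        self.quarantined = set()

    def observe(self, user, ts, path, op):
        """Feed one audit event. Returns True on the event that trips quarantine."""
        if op not in COUNTED_OPS or user in self.exempt_users or user in self.quarantined:
            return False
        recent = self._recent[user]
        recent.append((ts, path))
        cutoff = ts - self.window
        while recent and recent[0][0] < cutoff:  # drop events older than the window
            recent.popleft()
        distinct_files = len({p for _, p in recent})
        if distinct_files >= self.threshold:
            self.quarantined.add(user)  # real action here: disconnect the client / disable the account
            return True
        return False


# Constructed sample audit log (not real data): alice works normally, bob's session
# behaves like an encryptor, carol is an exempt developer doing a bulk checkout.
BASE_TS = datetime(2016, 12, 27, 9, 0, 0)


def build_sample_events():
    events = []
    for i in range(5):  # one document every two minutes
        events.append(("alice", BASE_TS + timedelta(minutes=2 * i),
                       rf"\\fs01\shared\report{i}.docx", "write"))
    for i in range(150):  # 150 files in 30 s, one every 200 ms
        events.append(("bob", BASE_TS + timedelta(milliseconds=200 * i),
                       rf"\\fs01\shared\q4\file{i}.xlsx", "write"))
    for i in range(200):  # 200 files in 20 s, but carol is exempt
        events.append(("carol", BASE_TS + timedelta(milliseconds=100 * i),
                       rf"\\fs01\src\module{i}.c", "write"))
    for i in range(500):  # indexer reads are never counted
        events.append(("svc-indexer", BASE_TS + timedelta(milliseconds=10 * i),
                       rf"\\fs01\shared\doc{i}.pdf", "read"))
    events.sort(key=lambda e: e[1])
    return events


def run_detection(events, exempt_users=("carol",)):
    """Replay events through the monitor; returns {user: timestamp_of_quarantine}."""
    monitor = ShareMonitor(exempt_users=exempt_users)
    hits = {}
    for user, ts, path, op in events:
        if monitor.observe(user, ts, path, op):
            hits[user] = ts
    return hits


if __name__ == "__main__":
    for user, ts in run_detection(build_sample_events()).items():
        print(f"{ts:%H:%M:%S.%f} quarantine {user}")
```

With the sample data only bob trips the monitor, on his 100th distinct file at 19.8 s; the point of counting distinct paths rather than raw events is that a user repeatedly saving the same document never accumulates towards the threshold.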

Yeah, a bad configuration would undermine the solution, and I guess it is a time/money/people issue, which I suspect in most cases results in a non-optimal implementation that fails when it matters the most, which is a shame.

I had a discussion about 0-days that you have no patch against a while back, and my point was that in many cases they would have been avoidable through configuration/hardening already; it just takes a hell of a lot of configuration and hardening. I guess the time spent on this will in all likelihood be more expensive than just having a ‘plan B’ solution that can be deployed very quickly.

How much is one BTC these days anyway?

The last company I worked at (in the health sector) deployed .exe whitelisting (without hashes…) to prevent users executing ransomware as executables, but with stuff coming in as the ye olde Excel/Word macro I don’t think it would stop it.

Flash has been blocked except for internal traffic (e-learning modules made with Adobe Captivate)

Does anyone have a sane way to deal with macro-enabled Office docs?

Active Directory group policy if you can.

There are also other vendors who can do this at the edge as email comes into your server, and from what I understand, even some networking gear that may be able to block it if it can see it. I know we are doing this with Symantec, but I’m sure there are other vendors that can do the same. The problem with the group policy is always the limited number of users who actually DO use macros within documents.
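Since the question above asks for a sane way to deal with macro-enabled Office docs and this reply mentions blocking them at the edge as mail comes in, here is an added example (written for this page, not code from the thread or from any vendor product named in it) of a gateway-side check that classifies attachments by content rather than by file extension alone. The minimal OOXML documents are constructed in memory for testing; the verdict names, the quarantine policy and the helper functions are this example’s own choices.

```python
import io
import zipfile

# Standard file-format markers: OOXML (.docx/.xlsm/...) is a zip archive,
# legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office itself treats as macro-enabled.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
VBA_PART_SUFFIX = "vbaproject.bin"          # word/vbaProject.bin, xl/vbaProject.bin, ...
MACRO_CONTENT_TYPE_MARKER = "macroenabled"  # e.g. application/vnd.ms-word.document.macroEnabled.main+xml


def classify_attachment(filename, data):
    """Classify one attachment by its bytes, not just its name.

    Returns 'macro' (VBA part present or macro-enabled content type), 'legacy-ole'
    (binary Office container that may hold macros), 'ooxml' (zip-based Office file
    with no VBA part) or 'other'.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "macro"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # A .docm renamed to .docx still carries word/vbaProject.bin inside.
                if any(n.lower().endswith(VBA_PART_SUFFIX) for n in names):
                    return "macro"
                if "[Content_Types].xml" in names:
                    ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                    if MACRO_CONTENT_TYPE_MARKER in ctypes:
                        return "macro"
                    return "ooxml"
        except zipfile.BadZipFile:
            pass
        return "other"
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls/.ppt: VBA lives in OLE streams this example does not parse,
        # so absence of macros cannot be proven; hand these to sandbox/manual review.
        return "legacy-ole"
    return "other"


def triage_message(attachments):
    """Apply the gateway policy: quarantine anything that may carry macros."""
    decisions = []
    for filename, data in attachments:
        verdict = classify_attachment(filename, data)
        action = "quarantine" if verdict in ("macro", "legacy-ole") else "deliver"
        decisions.append((filename, verdict, action))
    return decisions


def build_ooxml(with_vba):
    """Constructed minimal OOXML document for testing (not real Word output)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not a real VBA project
    return buf.getvalue()


if __name__ == "__main__":
    sample = [
        ("invoice.docm", build_ooxml(True)),
        ("invoice.docx", build_ooxml(True)),   # macro document renamed to .docx
        ("report.docx", build_ooxml(False)),
        ("old_invoice.doc", OLE_MAGIC + b"\x00" * 504),
        ("notes.txt", b"plain text"),
    ]
    for filename, verdict, action in triage_message(sample):
        print(f"{filename:18} {verdict:11} {action}")
```

The renamed-file case is why the check looks inside the zip: a sender who knows the gateway only blocks `.docm` can rename the attachment, and Word will still offer to enable the macros it finds. The legacy binary formats are quarantined outright here because the example does not parse OLE streams; a production filter would either inspect those with a proper OLE parser or apply the same "no macros without a business case" rule the group-policy approach enforces on the client.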

Tell users to copy the macro-enabled doc onto a floppy, then have them use a stand-alone PC that runs VMware Workstation on a single-run VM per “document”, in a Faraday cage; maybe that will get them to stop using macros in Word/Excel.