A close encounter with CryptoLocker
LIVE FROM IT NATION, ORLANDO, FL—As of April 2014, CryptoLocker had infected more than 235,000 computers, with approximately half of those located in the U.S. Estimates indicate that somewhere in excess of $27 million in ransom payments were made within the first two months of Cryptolocker’s reign.
If you are an MSP you have probably encountered CryptoLocker in one form or another and had to clean up the aftereffects. As a result you’re probably angry at having to repair the damage it has caused, because as an MSP you promise your customers efficient, secure systems and you work hard to deliver on that promise. The last thing any one of us wants to do is restore data or reload a server/workstation on a weekend.
So, there was a sense of the inevitable when one of my client’s employees received the email of “CryptoLocker doom”. With more than 500 endpoints spread over 25 locations in the US and Canada, the odds this organization would remain unscathed became very long—and it happened.
Sent: Wednesday, November 12, 2014 10:27 AM
Subject: ADP Past Due Invoice#83598243
Your ADP past due invoice is ready for your review at ADP Online Invoice Management. If you have any questions regarding this invoice, please contact your ADP service team at the number provided on the invoice for assistance.
Please note that your bank account will be debited within one banking business day for the amount(s) shown on the invoice.
Review your ADP past due invoice here.
Important: Please do not respond to this message. It comes from an unattended mailbox.
A malicious PHP script on a compromised website smashed a cybercriminal exploit package into its target. After freezing the machine and forcing the user to reboot, the countdown to “data encryption key destruction” began: “Please pay ransom, click here to continue.”
As the “rented CISO”, I worked directly with this client. They were ready for this attack and executed their recovery plan swiftly, effectively and with precision. They were using most of the components needed to avoid the plague of malware out there. However, the consensus of the team is that the bad guys got hold of this machine using one of the 17 vulnerabilities patched by MS14-065: Cumulative Security Update for Internet Explorer (3003057).
Here is an excerpt from our post-infection after-action report:
"1. What patches may have been missing from the machine? (i.e., according to the dashboard, what was it missing? I’m specifically interested in the Java version.)
There are 88 patches missing, but none of them are critical. They range from Moderate to Important.
There are four pending critical updates, but considering we patch Wednesday night, and her machine was off that is to be expected.
Java Runtime Environment is 7.0 update 7.1 – it’s up to date.
2. Also, I’m sure the user feels terrible; can you ask the user if she was prompted to accept or install anything, perhaps to view the invoice?
User’s response: “It took us to a page that we had to click open file to view or save. Nothing appeared when I did that. That is when I became suspicious and Googled the email address that sent it.”
3. Also, can you tell me the state of UAC? Is it disabled or set to minimum on laptop images?
This didn’t happen to a laptop. Two desktops were affected. UAC is set to never notify (lowest setting on the bar).
4. Can you tell me if the Managed Web Content filtering was enabled on the machine?
Doesn’t look like it was on."
The first question I asked was “did the user have local admin privileges?” The answer, sadly, was: “Yes”. I don’t think that would have mattered. Users can run programs; they just can’t install software or change system settings. My second question was “Anti-virus up-to-date?” Answer: “Yes”.
So, the above example email (now being blocked by mail filtering software) nailed the machine because it was not patched and up to date, just one day after the release of the patch. As you can plainly see, this is how dangerous the situation in cyberspace is. It’s quite possible that on the next business day this machine would have been patched and the antivirus definitions may have caught the malware. The web content filtering was not activated, so we will never know whether it would have saved the day; maybe the poisonous website had already been blacklisted.
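The after-action report above asked four things of the infected workstation: what patches it was missing, what Java it ran, where the UAC slider sat, and (from the follow-up question) whether the user was a local admin. The following PowerShell is an added example, not code from the original post or from any product mentioned in it, that collects those same facts from a Windows workstation in one read-only pass so they can be checked before an incident rather than after. The function name, parameter and the 30-day patch cutoff are this example's own assumptions; the registry values it reads (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are the standard UAC policy values.

```powershell
# Added example (not from the original post): read-only posture check covering
# the questions in the after-action report: UAC level, local-admin membership,
# patch recency and Java version. Names and the cutoff window are assumptions.

function Get-WorkstationPosture {
    param(
        # Hotfixes older than this are treated as "stale" (constructed default)
        [datetime]$PatchCutoff = (Get-Date).AddDays(-30)
    )

    # --- UAC: the slider's "Never notify" setting lives in these policy values.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    # Missing values fall back to the Windows defaults rather than to 0.
    $enableLua     = if ($null -ne $uac.EnableLUA) { [int]$uac.EnableLUA } else { 1 }
    $adminPrompt   = if ($null -ne $uac.ConsentPromptBehaviorAdmin) { [int]$uac.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesktop = if ($null -ne $uac.PromptOnSecureDesktop) { [int]$uac.PromptOnSecureDesktop } else { 1 }
    # EnableLUA=0 turns UAC off outright; ConsentPromptBehaviorAdmin=0 elevates
    # admins silently, which is what the lowest slider position amounts to.
    $uacEffectivelyOff = ($enableLua -eq 0) -or ($adminPrompt -eq 0)

    # --- Local admin: look for BUILTIN\Administrators (S-1-5-32-544) in the token's
    # group list. The SID is still listed on a UAC-filtered token, so this reports
    # membership, not whether this particular shell is elevated.
    $identity     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isLocalAdmin = $identity.Groups.Value -contains 'S-1-5-32-544'

    # --- Patch state: newest installed hotfix and whether anything landed since the cutoff.
    $hotfixes   = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn
    $newest     = $hotfixes | Select-Object -Last 1
    $patchStale = (-not $newest) -or ($newest.InstalledOn -lt $PatchCutoff)

    # --- Java: read the installed version from the Uninstall registry keys, if present.
    $javaVersion = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object -ExpandProperty DisplayVersion -First 1

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        User                       = $identity.Name
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        UacEffectivelyOff          = $uacEffectivelyOff
        UserIsLocalAdmin           = $isLocalAdmin
        NewestHotfix               = if ($newest) { $newest.HotFixID } else { $null }
        NewestHotfixDate           = if ($newest) { $newest.InstalledOn } else { $null }
        PatchesStale               = $patchStale
        JavaVersion                = $javaVersion
    }
}

# Run it and flag the three findings the report in this post surfaced after the fact.
$posture = Get-WorkstationPosture
$posture | Format-List
if ($posture.UacEffectivelyOff) { Write-Warning 'UAC is disabled or set to never notify' }
if ($posture.UserIsLocalAdmin)  { Write-Warning 'Current user is a member of local Administrators' }
if ($posture.PatchesStale)      { Write-Warning 'No hotfix installed within the cutoff window' }
```

Run it in the context of the user whose workstation you are assessing; the admin check inspects that user's token, so running it from a different account answers a different question. The hotfix check is deliberately coarse (newest install date, not a diff against the vendor catalogue), which is enough to catch the "machine was off on patch night" case the report describes.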
The IT team of five for this business is credible, effective, well-trained and focused on a defense-in-depth strategy as best as a busy operational team can be. At the end of the day, though, it comes down to the hero of the story.
As the security advisor to the IT Manager, a long-time friend of mine, I said, “Losing a workstation in IT is a bad day; losing a server in IT is a career-ending day.” We focused the team on being brilliant at one core IT service: backup.
When something like this gets past the best efforts of the team, when disaster strikes, the level of panic is offset by one thing and one thing only: the ability to get back in business. It filled my heart with joy when this sentence came through on the email chain:
“Data for the S:\ and M:\ drives can be restored from the previous night—backup is solid. We will assess and do so tomorrow AM after further analysis and to see if the server is compromised.”
Could it have been worse? Absolutely. Imagine if this was an IT department laptop that had a share to the C$ on the Primary Domain Controller. That thought almost made my heart stop.
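The S:\ and M:\ drives were reachable from the infected desktop because they were mapped into the user's session, and the closing thought about a C$ mapping to the domain controller is the same point taken to its extreme: whatever the logged-on user can write to, a ransomware process running as that user can encrypt. The PowerShell below is an added example, not the post's or any vendor's code, that lists the network drives mapped in the current logon session, flags any that point at an administrative share, and optionally drops and deletes a tiny probe file to confirm write access. The function name, the switch and the probe file name are this example's own assumptions.

```powershell
# Added example (not from the original post): enumerate the network drives mapped
# in the current session and report the reach a process running as this user would
# have over them. Names are this example's own.

function Get-MappedDriveExposure {
    param(
        # Drop and delete a small probe file on each drive to confirm write access
        [switch]$TestWrite
    )
    # Win32_MappedLogicalDisk covers drives mapped in the current logon session.
    $mapped = Get-CimInstance -ClassName Win32_MappedLogicalDisk -ErrorAction SilentlyContinue
    foreach ($drive in $mapped) {
        $writable = $null
        if ($TestWrite) {
            # Unique probe name so a leftover file from a failed delete is recognisable.
            $probe = Join-Path ($drive.DeviceID + '\') ('write-probe-{0}.tmp' -f [guid]::NewGuid())
            try {
                Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
                Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
                $writable = $true
            } catch {
                $writable = $false
            }
        }
        [pscustomobject]@{
            Drive      = $drive.DeviceID
            UncPath    = $drive.ProviderName
            # C$, D$, ADMIN$ and the like mapped as a drive letter is the case the post warns about.
            AdminShare = [bool]($drive.ProviderName -match '\\([A-Za-z]|ADMIN)\$$')
            Writable   = $writable
        }
    }
}

# Without -TestWrite the function only enumerates; with it, each drive gets one probe write.
$exposure = Get-MappedDriveExposure -TestWrite
$exposure | Format-Table -AutoSize
foreach ($row in $exposure | Where-Object { $_.AdminShare -and $_.Writable }) {
    Write-Warning ("Administrative share mapped and writable from this session: {0} -> {1}" -f $row.Drive, $row.UncPath)
}
```

The useful output is the combination of columns: a drive that is both an administrative share and writable from an ordinary user session is exactly the C$-on-the-domain-controller scenario, and it can be found and removed on a quiet afternoon rather than discovered during a restore.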