CTB-Locker with respect to ESET Endpoint Security

Crypto-type malware is particularly nasty to deal with because it encrypts files. While an infected file has had code added to it which antivirus can remove, an encrypted file isn’t repairable without the unique encryption key that was used. The criminals using crypto-type malware intend to sell you the unique key, giving you access to your files for a price. For this reason, crypto-type malware is also frequently called Ransomware.

The key to dealing with crypto-type malware is prevention and planning. While it is assumed you have antivirus and IPS protection in place, the criminals using crypto-malware are constantly updating code to avoid detection by these systems. Since the damage these threats do is often irreversible, taking additional steps to protect yourself is advised.

Preventive Measures

·  Do not follow unsolicited web links in email messages, and do not submit information to web pages reached through such links.

·  Use caution when opening email attachments.

·  Keep operating systems and software, including anti-virus, up-to-date with the latest patches.

·  Perform regular backups of all systems/data to avoid serious consequences should your system fall under attack.

Typically, we see crypto-type malware delivered by exploit kits on compromised web pages. Exploit kits actively scan a visiting machine and deliver threats through any exploitable vulnerability they detect. For this reason we advise that, along with IPS, the operating systems, web browsers, Java installations, and all other software be kept up to date with the latest patches.

Currently we are seeing an increase in reports of a crypto-malware called “CTB-Locker”. Diagnosing a specific variant from a picture is difficult, as the criminals frequently re-use the digital “ransom note”, but for the spam campaign currently underway we detect the final payload as Trojan.Cryptolocker.E.

The current malicious spam campaign has one additional detail which can be used to control outbreaks. The initial attack vector is an email with a ZIP attachment claiming to be a FAX or invoice. The ZIP contains a threat we identify as Downloader.Ponik, and this is what downloads the crypto-malware. The file inside the attachment is typically a .SCR, which gives you two additional tools to prevent an infection:

·  Block SCR attachments at the mail gateway

·  Implement an Application and Device Control policy in SEP or via a GPO that prevents SCR files from executing across the network.
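The mail-gateway block above is easiest to get right when the ZIP is actually opened rather than judged by its outer name. The following is an added example (not part of the original page or of any ESET or Symantec product) of such a check: it looks inside a ZIP attachment, matches member names case-insensitively against an assumed block list of `.scr` and `.exe`, follows ZIP-in-ZIP nesting to a fixed depth, and treats an unreadable archive as something to hold rather than pass. The sample attachments at the bottom are constructed in memory to mirror the "fax" and "invoice" lures described above.

```python
import io
import zipfile

# Extensions the page recommends blocking at the gateway (assumed list; extend to local policy).
BLOCKED_EXTENSIONS = (".scr", ".exe")
MAX_NESTING = 2  # ZIP-in-ZIP levels to open before reporting instead

def blocked_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Member paths whose extension is blocked. Case-insensitive (FAX.SCR and
    invoice.pdf.scr both match); nested ZIPs are opened up to MAX_NESTING."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # An archive the gateway cannot read cannot be proven clean: report it.
        return [prefix + "<unreadable archive>"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(BLOCKED_EXTENSIONS):
                hits.append(path)
            elif lower.endswith(".zip"):
                if depth + 1 > MAX_NESTING:
                    hits.append(path + " <nesting limit exceeded>")
                else:
                    hits.extend(blocked_members(zf.read(info), depth + 1, path + "/"))
    return hits

def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway decision: hold the message if any member is blocked."""
    return bool(blocked_members(zip_bytes))

def make_zip(members: dict) -> bytes:
    """Build a ZIP in memory; only used to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a "fax" ZIP carrying an .SCR, a ZIP-in-ZIP, and a clean one.
SAMPLE_FAX_ZIP = make_zip({"FAX_20150121.SCR": b"MZ...", "readme.txt": b"hi"})
SAMPLE_NESTED_ZIP = make_zip({"invoice.zip": make_zip({"invoice.pdf.scr": b"MZ"})})
SAMPLE_CLEAN_ZIP = make_zip({"invoice.pdf": b"%PDF-1.4"})
```

Wire `should_quarantine` into whatever attachment hook your gateway offers; the member list from `blocked_members` is what to put in the quarantine log so an admin can see why a message was held.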

How to block users from downloading files with specific extensions, using HIPS in ESET Endpoint Security.

  1. Log in to the ESET server via the console.
  2. Go to Tools -> Policy Manager.
  3. Select the policy -> edit the policy.
  4. Select ESET Endpoint Security from the Product Filter.
  5. Expand Windows desktop v5 -> HIPS -> Settings.
  6. Select Rules and advanced options -> click Edit in the right pane.
  7. Click New -> give the rule a name -> select Block in the Action box.
  8. Among the other settings on the right-hand side, check Log and Notify User.
  9. Under the Source applications tab select Add -> in the value field type the applications, e.g. firefox.exe, chrome.exe, iexplore.exe, etc.
  10. Select the Target files tab -> check Use for all applications -> click Add -> in the value field type *.exe, *.scr, exe, scr.
  11. Select the Target applications tab -> check Use for all operations -> click Add -> in the value field type *.exe, *.scr, exe, scr.
  12. Click OK.
  13. Click OK again. Click Console to save.