Detecting and Protecting against CryptoLocker.Botnet and CryptoWall.Botnet ransomware
This document is a basic example of how to set up the FortiOS Application Control and Antivirus sensors to block CryptoLocker and CryptoWall ransomware.
Solution
FortiOS Application Control and Antivirus Profile sensors can be used to analyze network traffic for the "Cryptolocker.Botnet" and "CryptoWall.Botnet" applications.
Antivirus scanning examines files for the CryptoLocker and CryptoWall variants and families (alongside other viruses, worms, trojans and malware). The antivirus scan engine compares each file against its database of virus signatures; if a signature matches, the file is treated as infected and the action configured in the profile is taken.
If you discover these threats on your network and wish to block them, follow the steps below:
1. Verify that the Application Control and Antivirus features are enabled:
a. In the FortiOS Dashboard, go to System | Config
b. Application Control should be ON; if not, enable it
c. Antivirus should be ON; if not, enable it
d. Select Show More and enable Multiple Security Profiles
e. Apply the changes.

2. Verify that your FortiGuard Subscription Services are running the latest IPS, Application Control and Antivirus definitions:
For the latest Antivirus DB: http://www.fortiguard.com/updates/antivirus.html
For the latest Intrusion Prevention and Application DB: http://www.fortiguard.com/updates/applications.html
a. In the FortiOS Dashboard, go to System | Config | FortiGuard and compare the installed definition versions with the current FortiGuard releases.

The current AV detections for CryptoLocker are W32/Blocker.CJEA!tr, W32/Filecoder.BQ, and W32/Zbot.AAU!tr. Other known aliases and related detections:
Trojan-Ransom.Win32.Blocker.cjea
TROJ_CRILOCK.AB
Win32/Filecoder.BQ
Trojan:Win32/Crilock.A
CryptoLocker
KryptoLocker
W32/Agent.ABI!tr
W32/Bublik.AEBW!tr
W32/Kryptik.FA!tr
W32/KRYPTIK.PDA!tr
W32/Mdrop.AAB!tr
See: http://www.fortiguard.com/encyclopedia/virus/#id=5584765
CryptoWall 1.0 is detected by the W32/Foreign.KVIE!tr signature.
CryptoWall 2.0 is detected as W32/CRYPDEF.POP!tr.
An article explaining CryptoWall (1.0) is available here: http://blog.fortinet.com/post/cryptowall-another-ransomware-menace
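Added example (not from this article or from Fortinet): a short Python triage that reads FortiGate UTM log lines and reports which internal hosts produced hits on the signature names and botnet application names listed above, and whether each hit was blocked or only monitored. It assumes FortiGate's key=value log layout (type=utm, subtype=virus or app-ctrl, virus=, app=, appcat=, action=); the sample lines, addresses and timestamps are constructed rather than captured, and the mapping of signature names to families is this example's own.

```python
"""Triage FortiGate UTM logs for the CryptoLocker / CryptoWall detections above.

Added example, not Fortinet's code. Assumes the FortiGate key=value log
layout (type=utm, subtype=virus|app-ctrl, virus=, app=, appcat=, action=).
SAMPLE_LOG is constructed, not captured; the family mapping is ours.
"""
import re
from collections import defaultdict

# Fortinet signature names from the list above, mapped to the ransomware family.
FAMILY_BY_SIGNATURE = {
    "W32/Blocker.CJEA!tr": "CryptoLocker", "W32/Filecoder.BQ": "CryptoLocker",
    "W32/Zbot.AAU!tr": "CryptoLocker", "W32/Agent.ABI!tr": "CryptoLocker",
    "W32/Bublik.AEBW!tr": "CryptoLocker", "W32/Kryptik.FA!tr": "CryptoLocker",
    "W32/KRYPTIK.PDA!tr": "CryptoLocker", "W32/Mdrop.AAB!tr": "CryptoLocker",
    "W32/Foreign.KVIE!tr": "CryptoWall", "W32/CRYPDEF.POP!tr": "CryptoWall",
}
# Application Control names (compared case-insensitively).
FAMILY_BY_APP = {"cryptolocker.botnet": "CryptoLocker",
                 "cryptowall.botnet": "CryptoWall"}

SAMPLE_LOG = [  # constructed sample lines
    'date=2015-01-20 time=09:12:33 type=utm subtype=virus eventtype=infected '
    'level=warning srcip=10.0.1.23 dstip=203.0.113.10 service=HTTP '
    'action=blocked virus="W32/Foreign.KVIE!tr" profile="default"',
    'date=2015-01-20 time=09:12:40 type=utm subtype=app-ctrl eventtype=app-ctrl-all '
    'level=warning srcip=10.0.1.23 dstip=198.51.100.5 service=HTTP action=block '
    'appcat="Botnet" app="CryptoWall.Botnet" profile="default"',
    'date=2015-01-20 time=09:15:02 type=utm subtype=virus eventtype=infected '
    'level=warning srcip=10.0.1.77 dstip=203.0.113.44 service=SMTP '
    'action=monitored virus="W32/Kryptik.FA!tr" profile="default"',
    'date=2015-01-20 time=09:15:09 type=traffic subtype=forward level=notice '
    'srcip=10.0.1.77 dstip=203.0.113.44 action=accept',
    'date=2015-01-20 time=09:16:11 type=utm subtype=virus eventtype=infected '
    'level=warning srcip=10.0.1.90 dstip=203.0.113.44 service=HTTP '
    'action=blocked virus="EICAR_TEST_FILE" profile="default"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict; quoted values keep spaces."""
    return {m.group(1): m.group(2) if m.group(3) is None else m.group(3)
            for m in KV_RE.finditer(line)}


def triage(lines):
    """Return {srcip: [(family, how, action), ...]} for ransomware-related events.

    'how' is "file" for an antivirus signature hit and "c2" for an
    Application Control hit on the Botnet category. Monitored events are
    kept, not dropped, so a profile that only logs shows up here.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev.get("type") != "utm":
            continue
        family = how = None
        if ev.get("subtype") == "virus":
            family, how = FAMILY_BY_SIGNATURE.get(ev.get("virus", "")), "file"
        elif ev.get("subtype") == "app-ctrl" and ev.get("appcat") == "Botnet":
            family, how = FAMILY_BY_APP.get(ev.get("app", "").lower()), "c2"
        if family:
            hits[ev.get("srcip", "?")].append((family, how, ev.get("action", "?")))
    return dict(hits)


def unblocked(hits):
    """Hosts with at least one hit that the FortiGate logged but did not block."""
    return sorted(ip for ip, events in hits.items()
                  if any(action not in ("blocked", "block") for _, _, action in events))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, events in found.items():
        print(ip, events)
    print("not blocked:", unblocked(found))
```

A host returned by unblocked() is one where the FortiGate recognised the file or the C2 connection but did not stop it (for example because the profile applied to that policy only monitors); that host should be isolated, and the profile needs the block actions from steps 3 to 6.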
3. Steps to enable the Antivirus Profile:
a. In the FortiOS graphical user interface (GUI), go to Security Profiles > AntiVirus > Profiles
b. Select the default profile or create a new AntiVirus Profile; in this example the "default" profile is used
c. Set Inspection Mode to Proxy
d. Enable "Block Connections to Botnet Server"
e. Select the protocols to be inspected
f. Select Apply
4. Verify from the FortiOS CLI that the Antivirus Profile has the correct options enabled; the "default" profile should show the following:
config antivirus profile
    edit "default"
        set comment " "
        set replacemsg-group ''
        set inspection-mode proxy
        set block-botnet-connections enable
        set extended-utm-log enable
        set av-virus-log enable
        set av-block-log enable
        config http
            set options scan
        end
        config ftp
            set options scan
        end
        config imap
            set options scan
        end
        config pop3
            set options scan
        end
        config smtp
            set options scan
        end
        config nntp
            set options scan
        end
        config im
            set options scan
        end
        config smb
            set options scan
        end
    next
end
With "set options scan", files carried over that protocol are scanned and blocked when they match a signature in the current AV database.
5. Steps to enable blocking with the Application Control Sensor:
a. In the FortiOS graphical user interface (GUI), go to Security Profiles > Application Sensors
b. Select the default sensor or create a new Application Sensor; in this example the "default" profile is used
c. Select Create New and, under Category, select Botnet as the only category to filter
d. For the Popularity, Technology and Risk columns, make sure all options are selected
e. For Action, select "Block"
f. Select OK

6. Verify from the FortiOS CLI that the Application Control Sensor has the correct option(s) enabled:
# config application list
(list) # edit default
(default) # show full
config application list
    edit "default"
        set comment "monitor all applications"
        set replacemsg-group ''
        set other-application-action pass
        set extended-utm-log enable
        set other-application-log enable
        set log enable
        set unknown-application-action pass
        set unknown-application-log enable
        unset p2p-black-list
        set options allow-dns allow-icmp allow-http allow-ssl
        config entries
            edit 2
                set action block
                set behavior all
                set category 19
                set log enable
                set log-packet enable
                set popularity 1 2 3 4 5
                set protocols all
                set session-ttl 0
                set technology all
                set vendor all
            next
            edit 1
                set action pass
                set behavior all
                set log enable
                set log-packet disable
                set per-ip-shaper ''
                set popularity 1 2 3 4 5
                set protocols all
                set session-ttl 0
                set shaper ''
                set shaper-reverse ''
                set technology all
                set vendor all
            next
        end
    next
end
Entry 2 (category 19, Botnet) is the blocking entry created in step 5; entry 1 is the sensor's pre-existing pass-all entry, which has no category filter and therefore lets every other application through.
7. Add the appropriate blocking profile to the firewall policy as needed:
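Added example (not Fortinet's code): a small Python check that parses "show full" output for the antivirus profile, the application list and the firewall policy tables, and reports any of the options required by steps 3 to 7 that are missing. The sample input is constructed in the style of the CLI output in steps 4 and 6; the firewall policy stanza, its interface names and the utm-status / av-profile / application-list settings it references are assumptions about step 7, not taken from this article.

```python
"""Audit FortiOS 'show full' output for the CryptoLocker / CryptoWall settings.

Added example, not Fortinet's code. The sample below is constructed in the
style of the CLI output in steps 4 and 6; the firewall policy stanza and its
interface names are assumptions about step 7, not taken from this article.
"""
import shlex

PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "nntp", "im", "smb")
BOTNET_CATEGORY = "19"  # category id shown for Botnet in step 6

# One 'config <proto> / set options scan / end' stanza per protocol.
_PROTO_STANZAS = "".join(
    f"        config {p}\n            set options scan\n        end\n"
    for p in PROTOCOLS
)
SAMPLE_CONFIG = f"""
config antivirus profile
    edit "default"
        set inspection-mode proxy
        set block-botnet-connections enable
{_PROTO_STANZAS}    next
end
config application list
    edit "default"
        set other-application-action pass
        config entries
            edit 2
                set action block
                set category {BOTNET_CATEGORY}
            next
        end
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set av-profile "default"
        set application-list "default"
    next
end
"""


def parse_fortios(text):
    """Turn FortiOS CLI config into nested dicts.

    'config X' and 'edit K' open a scope (a dict), 'set K v...' stores the
    value list under K, 'unset K' removes it, 'next' and 'end' close the
    scope. Prompt lines such as '(list) # show full' are ignored.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        verb, args = words[0], words[1:]
        if verb == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif verb == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif verb == "set":
            stack[-1][args[0]] = args[1:]
        elif verb == "unset":
            stack[-1].pop(args[0], None)
        elif verb in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def first(scope, key):
    """Single value of a 'set' line, or None if absent or multi-valued."""
    vals = scope.get(key)
    return vals[0] if isinstance(vals, list) and len(vals) == 1 else None


def audit(cfg, av_name="default", app_name="default"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    av = cfg.get("antivirus profile", {}).get(av_name)
    if av is None:
        findings.append(f"antivirus profile {av_name!r} not found")
    else:
        if first(av, "inspection-mode") != "proxy":
            findings.append("antivirus: inspection-mode is not proxy")
        if first(av, "block-botnet-connections") != "enable":
            findings.append("antivirus: block-botnet-connections not enabled")
        for proto in PROTOCOLS:
            scope = av.get(proto)
            if not isinstance(scope, dict) or "scan" not in scope.get("options", []):
                findings.append(f"antivirus: {proto} is not set to scan")
    app = cfg.get("application list", {}).get(app_name)
    if app is None:
        findings.append(f"application list {app_name!r} not found")
    elif not any(
        first(e, "action") == "block" and BOTNET_CATEGORY in e.get("category", [])
        for e in app.get("entries", {}).values()
    ):
        findings.append("application list: no entry blocks the Botnet category")
    # The profiles do nothing until an accept policy references both of them.
    for pid, pol in cfg.get("firewall policy", {}).items():
        if first(pol, "action") != "accept":
            continue
        if first(pol, "utm-status") != "enable":
            findings.append(f"policy {pid}: utm-status not enabled")
        if first(pol, "av-profile") != av_name:
            findings.append(f"policy {pid}: av-profile is not {av_name!r}")
        if first(pol, "application-list") != app_name:
            findings.append(f"policy {pid}: application-list is not {app_name!r}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_fortios(SAMPLE_CONFIG)) or ["config OK"]:
        print(line)
```

Paste the real "show full" output of the three tables in place of SAMPLE_CONFIG and run the script; every finding it prints is a setting from steps 3 to 7 that is still missing, and a policy that accepts traffic without referencing both profiles is reported even when the profiles themselves are correct.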