Mitigating Ransomware attacks using McAfee VSE Access Protection Policies

The image on the left is an awesome reminder of my first blog post. Ransomware really caught my attention to a point were, it ended up featuring as my first article. That being said, my reply to Gail’s comment really sealed the deal, to an extend were i just felt I had to revisit and unearth this post! My response read, “This is proof we are living in the “Cyber Crime Era!”. It’s sad but what makes it even more scary is, it’s happening and happening around the clock. I bet you this is just the tip of an iceberg….” Oh yes, spot on! I am no Fortune Teller, but all I can tell ya (replacement for you), is we are living in that era! Hmmm, some deadly rhymes ending with ‘aaaah!’ right?; but definitely not deadlier than the gist of the flow, Ransomware!!!! Hold on, besides my rhymes, I will not let you (Ransomware) intimidate me, because I have something to use to mitigate against you, McAfee VirusScan Enterprise (VSE) Access Protection Policies, hell yeah!!!

Okay, let me calm down a bit. I think I might be loosing the plot! Back to my story, besides being considered by the Information Security Industry as one of the deadliest threats to Internet users and Businesses across the globe, the ransomware industry is known to be the most profitable malware scam industry ever! A lucrative industry for malicious hackers as it is hard to fight against, detect, trace and stop because of the underlying technologies it integrates! Of particular interest is how ransomware integrates Encryption, Cryptocurrency, Tor and Domain Generation Algorithms (DGA) to name a few; I will dig more into the details regarding the four technologies in my next post.

Overtime ransomware has evolved; with each strain’s modus operandi (MO) escalating from aggressive to ferocious; demanding more payment in the form of Bitcoins, deleting files, encrypting entire storage drives and targeting mission critical systems and technologies, as an example – Database Servers. The ransomware family has evolved, from CryptoLocker, CryptoWall, TeslaCrypt, Locky, NanoLocker, CTB-Locker, Spora, Stampado to name a few. In a nutshell, once the computer in question has been infected, the ransomware silently runs and encrypts files on the infected computer in the background without the users consent, once done, displays a page, link or file that demands a payment in the form of Bitcoins to be made to the attached Bitcoin address from the affected user. If payment is not made, the affected user with not get the decryption key from the attacker to decrypt the encrypted files, hence the files encrypted earlier on become inaccessible. The affected user loses all their files, documents and information! So what’s the way forward?

The Information Security industry, Users and Businesses alike have not given up on the fight against ransomware. Of late, No More Ransom website was set up to give users advice on how to stay safe from ransomware and provide free decryption tools for some ransomware variants. That being said, I will be showing you some ways of mitigating ransomware attacks using McAfee VSE Access Protection Policies. McAfee systems come in two (2) setup modes (as demonstrated shortly); that is, Managed & Unmanaged mode.

  •  Managed Mode – Are systems that are centrally administered by the McAfee ePolicy Orchestrator (ePO) Server. These systems get their updates, policies and products directly from the ePO Server. They also report back to the ePO server; some of the information reported back are threats detected, current Antivirus status to name a few. Managed mode is ideal in large environments from an administration perspective, reporting is also a plus, as different reports on the various systems status / aspect can be pulled accordingly. e.g. All systems up to date, Top detected threats or machines that have not communicated in a specified number of days. Managed mode also makes it easier to deploy products (at a larger scale) to the managed systems remotely without any need to go to each individual machine.
  • Unmanaged Mode – is basically the opposite of the above mode. Systems are standalone systems and usually pull their updates directly from the McAfee update site. Policy changes are usually done at an individual system level (per machine).

That being said, McAfee constantly releases Advisory Threat guides and Links on how to mitigate against the various ransomware. Mitigation involves implementing VSE Access Protection Policies changes either via ePO (if system is managed) or VSE (if systems is not managed). Please Note: the Demo assumes your environment has either or McAfee ePolicy Orchestrator (ePO) version 5.x (5 & above) and McAfee VirusScan Enterprise (VSE) version 8.x (8 & above) and also assumes you have knowledge working with McAfee Products.

Creating an Access Protection Policy (Rule) from ePO (screenshots), assuming you are following the two links above. This demonstration gives one basic ideas on the steps one has to follow to create the Policies directly from the McAfee ePolicy Ochestrator (ePO) Server. In this case the systems are Managed!

  • Create a New Access Policy via the ePO’s Policy Catalog page;

  • I will be creating an Access Policy called Anti-Ransomware Lab and will be assigning it to the Anti-Ransomware Lab System Group later;

  • Policy created (in my case policy is called Anti-Ransomware Lab).

  • We click on the newly created Policy and add the relevant entries as per the Advisory Threat documentation. In our case we are adding entries that block the Locky Ransomware to all systems that fall under the Workstation Tag. There are two system settings, so if one has servers also tagged, one should select server and create another policy & assign it to the server Group ;

  • Entry looks like this (basically the entry blocks / prevents the creation of malicious registry entries by the Locky ransomware);

  • After saving the Policy we assign it to the relevant Group (group consists of the systems we want to mitigate the Locky Ransomware against);

  • In our case, the Policy has been assigned to the Anti-Ransomware Lab Group;

  • Anti-Ransomware Lab Group as shown under System Tree;

  • The policies created will eventually be pushed down automatically to the affected systems after the relevant configured Agent to Server Communication Interval (ASCI) which is usually Six (60) minutes; alternatively, can also be done manually by running the ‘Check new Policies’ button via the affected systems McAfee Agent Monitor console;

 

Creating Access Protection Policies (Rules) from VSE (screenshots). This demonstration gives one a basic idea on the steps one has to follow to create the Policies directly from the McAfee VirusScan Enterprise (VSE) on the standalone system. In this case the systems are Unmanaged!

  • Create a New Access Policy on the standalone system (right click McAfee icon in system tray, select ‘Manage Features’ & click VirusScan Enterprise;

  • Click on the Access Protection window;

  • Add entries accordingly, based on what needs to be blocked;

  • Manually apply latest Policy changes by clicking the ‘Check new Policies’ button via the affected systems McAfee Agent Monitor console;

Once the above has been achieved, we can actually test the effectiveness of our Access Policies, which I will demonstrate shortly. Before proceeding; we can also integrate McAfee Host Intrusion Prevention System (HIPS) to compliment our configuration. In order to have optimal protection of the affected environment it is critical that all Anti-Virus products and components are running on the latest versions; that is, McAfee Agent, VirusScan Enterprise (VSE) and Host Intrusion Prevention System (HIPS). The process recommends one to deploy the latest McAfee Agent, VSE & HIPS to PCs that have an outdated version running. Assuming one has gone through the above steps & Advisory Threats documentation, we will realise the implementation will achieve the following (actions usually triggered / attack vectors usually taken by ransomware);

  • Prevention of files from being created or executed in the Users AppData.
  • Prevention of process(es) triggered by executables running from User AppData Roaming profile, from creating file containing the *.tmp.*
  • Prevention of malicious processes (usually triggered by Ransomware) from writing or creating keys or values in the Registry.
  • Prevention of files with specific extensions from being created or executed. e.g. Files that contain keywords like *decrypt_instructions.*
  • Prevention of processes other than (rundll.exe, winlogon.exe, FrameworkService.exe, McShield.exe & Scan*.exe) from creating files with *.scr *.scr is usually an extension used for scripts or screen savers.
  • Double File Execution prevention.
  • Blocking of suspicious Port Scans.

 

Testing the effectiveness of our New Access Policies;

1.) Prevention of files from being created or executed in the Users AppData folder. Click on images for a detailed explanation!
The Path for Windows 7 & above is; **\Users\*\AppData\*.exe
Windows XP; *\Documents and Settings\*\Application Data\*.exe

2.) Prevention of files with specific extensions or keywords from being created or executed. E.g. Files that contain keywords like *decrypt_instructions*

3.) Prevent processes other than (rundll.exe, winlogon.exe, FrameworkService.exe, McShield.exe & Scan*.exe) from creating files with *.scr extension. *.scr is usually an extension used for scripts or screen savers;

4.) Suspicious Double File Extension Execution prevention;

5.) Block suspicious Port Scans (we run a Port Scan from a PC with an I.P Address: 10.221.200.121 to determine services & Applications running on PC below with the I.P Address: 10.221.200.126 (so as to try and exploit system);

The implementation above is done to reduce the risks of Home Users, Internets users & Business users alike from getting infected by the Ransomware(s) doing the rounds, as it aims at providing another layer of defense against this cryptomalware industry that is constantly innovating and trying to either circumvent known security measures or exploit unsecured or outdated systems. The Access Policies need to be updated constantly to cater for any new variants (Ransomware).

That being said, Mitigating Ransomware attacks using McAfee VirusScan Enterprise (VSE) Access Protection Policies alone does not stop Ransomware; other complimentary solutions like Perimeter Firewalls, Email Filtering solutions also need to be put in place. Of major concern is what turns to be the weakest link in the information security chain, that is; (Home Users, Internets users & Business users alike); serious prioritisation and investing in, and regularly attending I.T Security Awareness & Training Programs is a must; these programs help keep system users updated on the current threats and latest attack vectors used by Cyber criminals. If you think I.T Security Awareness & Training Programs are expensive or useless, try ignorance!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.