Tips to protect against CryptoWall and CryptoLocker

10/14/2021 731 People found this article helpful 103,982 Views


    Description

    CryptoWall and CryptoLocker are ransomware families that usually infect a computer via email. Once a computer is infected, the malware encrypts certain files stored on it and then displays a message demanding payment to decrypt them. Infection usually takes place when a user opens an executable file attached to a spam email.

    Resolution


    Resolution for SonicOS 6.5

    SonicOS 6.5 includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers running SonicOS 6.5 firmware.



    Update: A newer variant of the above ransomware families is CryptoWall 3.0. It is similar to CryptoLocker and CryptoWall and uses TOR to fetch the encryption keys.

    SonicWall Gateway Anti-Virus and SonicWall IPS provide protection against this threat via the following signatures:


    CryptoWall

    GAV: Crypwall.H (Trojan)
    GAV: Cryptodef.GF (Trojan)
    GAV: Cryptodef.MD (Trojan)
    GAV: Cryptodef.GK (Trojan)
    GAV: Filecoder.V (Trojan)
    GAV: Filecoder.CQ_3 (Trojan)
    GAV: Filecoder.W_20 (Trojan)
    GAV: Cryptowall.K (Trojan)
    GAV: Cryptowall.L (Trojan)

    CryptoWall 3.0

    GAV: Cryptowall.A (Trojan)
    IPS: Adobe Flash Player Integer Overflow 2 - SID 5671

    CryptoWall 4.0

    GAV: CryptoWall.B (Trojan)
    GAV: JSCript.Crypto.RES (Trojan)

    CryptoLocker

    GAV: Filecoder.BQ (Trojan)
    GAV: Filecoder.BQ_6 - 8 (Trojan)
    GAV: Filecoder.BQ_12 (Trojan)
    GAV: Filecoder.BQ_17 (Trojan)
    GAV: Filecoder.BH_7 - 8 (Trojan)
    GAV: Filecoder.BH_11 (Trojan)
    GAV: Filecoder.W (Trojan)
    GAV: Filecoder.NAC (Trojan)
    GAV: Filecoder.NAC_4 (Trojan)
    GAV: FileCoder.A_2 - 5 (Trojan)
    GAV: FileCoder.A_11 - 12 (Trojan)
    GAV: FileCoder.A_16 (Trojan)
    GAV: FileCoder.A_24 (Trojan)
    IPS: Cryptolocker Infection Activity 1 - SID 7559
    IPS: Cryptolocker Infection Activity 2 - SID 9728
    IPS: Cryptolocker Infection Activity 3 - SID 9737


    SonicWall Application Control can prevent I2P tunnels on your network via the following signatures:

    • 5 Encrypted Key Exchange -- Random Encryption (Skype,UltraSurf,Emule)
    • 7 Encrypted Key Exchange -- UDP Random Encryption(UltraSurf)
    • 10817 I2P -- HTTP Proxy Access 1 [Reqs SID 5 & 7]
    • 10817 I2P -- HTTP Proxy Access 2 [Reqs SID 5 & 7]
    • 10817 I2P -- HTTP Proxy Access 3 [Reqs SID 5 & 7]


    For more information on the workings of this malware, you can refer to the following SonicAlerts:

    • Cryptowall 4.0 emerges with new features (Nov 6, 2015)
    • CryptoWall 3.0: Ransomware returns with I2P Network
    • Cryptowall Ransomware uses Bitcoin and TOR exclusively (June 27, 2014)
    • Cryptolocker Ransomware holds files hostage for cash (Sep 19, 2013)


    This article describes tips to follow to protect against this malware.

    NOTE: These services are optional; using them for protection may require an additional purchase, and some services, such as Botnet Filter and DPI-SSL, are supported only on selected products. Check your product and its capabilities for further details and purchase options.


    1. Gateway Anti-virus (GAV)

    • Make sure GAV is updated with the latest signatures.
    • Enable GAV.
    • Enable Cloud GAV.
    • Enable Inbound and Outbound inspection of HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios and TCP Stream.


    Under the settings of each protocol (HTTP, FTP and so on), enable the following check boxes:

    • Restrict Transfer of password-protected ZIP files
    • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
    • Restrict Transfer of packed executable files (UPX, FSG, etc.)
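The three restrictions above describe what GAV looks for inside a transferred file. The script below is an added illustration, not part of the original article and not SonicWall code: it applies the same three checks to attachments on a mail gateway or file share, namely the encrypted bit in ZIP entry headers, a vbaProject.bin part inside an OOXML container, and packer section names (UPX0/UPX1, FSG!) in a PE section table. The attachments it scans are constructed inline (a headers-only PE and a ZIP with the encrypted flag patched in, neither of them real malware), and the packer names beyond UPX and FSG are an assumption of the example.

```python
import io
import struct
import zipfile

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the ZIP general-purpose flag: entry is encrypted

# Section names written by common packers. UPX and FSG are named in the article;
# the rest are assumptions added for this example.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX", b"FSG!", b".fsg",
                        b".aspack", b".petite", b"MPRESS1"}
OFFICE_SUFFIXES = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def zip_is_password_protected(data: bytes) -> bool:
    """True if any entry has the encrypted bit set in the central directory."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in zf.infolist())


def office_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIP containers; VBA code is stored as vbaProject.bin."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table start
    names = []
    for i in range(num_sections):
        off = table + i * 40                             # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def pe_looks_packed(data: bytes) -> bool:
    return any(name in PACKER_SECTION_NAMES for name in pe_section_names(data))


def classify_attachment(filename: str, data: bytes) -> list:
    """Apply the three GAV-style restrictions to one attachment; return the matches."""
    findings, lower = [], filename.lower()
    if lower.endswith(".zip") and zip_is_password_protected(data):
        findings.append("password-protected-zip")
    if lower.endswith(OFFICE_SUFFIXES) and office_has_macros(data):
        findings.append("office-macros")
    if pe_looks_packed(data):
        findings.append("packed-executable")
    return findings


# --- constructed sample attachments (not real malware) ----------------------

def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_zip_encrypted(data: bytes) -> bytes:
    """zipfile cannot write password-protected archives, so set the encrypted bit
    in every local header (offset 6) and central directory header (offset 8)."""
    buf = bytearray(data)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + flag_off)[0]
            struct.pack_into("<H", buf, pos + flag_off, flags | ZIP_ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def _build_pe(section_names: list) -> bytes:
    """Headers-only PE (DOS stub, signature, COFF header, empty optional header,
    section table). Enough for header parsing; it is not a loadable program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


SAMPLE_ATTACHMENTS = {
    "invoice.zip": _mark_zip_encrypted(_build_zip({"invoice.exe": b"not a real program"})),
    "report.docm": _build_zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 fake vba"}),
    "setup.exe": _build_pe([b"UPX0", b"UPX1", b".rsrc"]),
    "notes.txt": b"plain text, nothing to flag",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name:12s} -> {findings or ['clean']}")
```

The ZIP check reads only header flags, so it works without knowing the password, which is exactly why the firewall can block such archives without opening them; the Office check catches macro-enabled content even when the file carries a non-macro extension such as .docx.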

    Enable GAV on all internal and external zones under Manage | Network | Zones.


    2. Intrusion Prevention Service (IPS) 

    • Make sure IPS is updated with the latest signatures.
    • Enable Prevention of Medium and High Priority Attacks. This automatically includes the signatures for this malware.
    • Enable IPS on all internal and external zones under Manage | Network | Zones.



    3. Botnet Filter

    Enabling Botnet Filter will block access to known command and control servers of this malware. 

    • On the Manage | Security Services | Botnet Filter page, enable the check box, Block connections to/from Botnet Command and Control Servers.
    • Enable the check box Enable Logging.



    4. Content Filter Service (CFS)

    Enable CFS and configure it to block sites in the “Malware” and “Hacking/Proxy Avoidance Systems” categories.


    5. App Control Advanced

    CryptoWall is known to use TOR to obtain the encryption keys used for encrypting files, so use App Control Advanced to block TOR. With the TOR signatures enabled, CryptoWall cannot obtain the keys it needs to encrypt files, which limits further damage to the infected host.

    1. On the Manage | Rules | Advanced Application Control page, select Category as PROXY-ACCESS.
    2. Set Application to TOR.
    3. Click on Configure under Application with TOR selected.
    4. Set Block and Log to Enable.
    5. Click on OK to save.


    TOR also uses the Encrypted Key Exchange application; to block that as well:

    1. On the Manage | Rules | Advanced Application Control page, select Category as PROXY-ACCESS.
    2. Set Application to Encrypted Key Exchange.
    3. Click on Configure under Application with Encrypted key exchange selected.
    4. Set Block and Log to Enable.
    5. Click on OK to save.
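The Botnet Filter and App Control rules above are all set to log, and those log entries are how an administrator locates the infected host behind the firewall. As an added example, not from the article and not SonicWall code, the Python below parses syslog lines in the key=value style SonicWall uses and reports internal hosts that repeatedly hit blocked C2, TOR or Encrypted Key Exchange events. The sample lines are constructed: the field names (time, fw, src, dst, msg, app) follow that style, but the serial number, addresses, priorities and message wording are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not captured from a real firewall). The source
# hosts are on the internal X0 interface, destinations leave via X1.
SAMPLE_LOGS = """\
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:12:01" fw=203.0.113.10 pri=1 msg="Botnet Command and Control Server blocked" src=10.1.20.15:49211:X0 dst=198.51.100.77:443:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:12:03" fw=203.0.113.10 pri=5 msg="Application Control Prevention Alert: PROXY-ACCESS TOR" app=TOR src=10.1.20.15:49215:X0 dst=198.51.100.90:9001:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:12:09" fw=203.0.113.10 pri=5 msg="Application Control Prevention Alert: PROXY-ACCESS Encrypted Key Exchange" app="Encrypted Key Exchange" src=10.1.20.15:49220:X0 dst=198.51.100.91:443:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:15:44" fw=203.0.113.10 pri=6 msg="Connection Opened" src=10.1.20.31:50100:X0 dst=93.184.216.34:443:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:20:02" fw=203.0.113.10 pri=1 msg="Botnet Command and Control Server blocked" src=10.1.20.15:49301:X0 dst=198.51.100.78:443:X1
id=firewall sn=SERIAL-PLACEHOLDER time="2021-10-14 09:21:17" fw=203.0.113.10 pri=5 msg="Application Control Prevention Alert: PROXY-ACCESS TOR" app=TOR src=10.1.20.42:51010:X0 dst=198.51.100.92:9030:X1
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def host_of(endpoint: str) -> str:
    """'10.1.20.15:49211:X0' -> '10.1.20.15' (strip port and interface)."""
    return endpoint.split(":")[0]


# Each indicator maps to the firewall feature the article enables for it.
INDICATORS = {
    "botnet-c2": lambda f: "botnet command and control" in f.get("msg", "").lower(),
    "tor": lambda f: f.get("app", "").upper() == "TOR",
    "encrypted-key-exchange": lambda f: f.get("app", "").lower() == "encrypted key exchange",
}


def classify(fields: dict) -> list:
    return [name for name, matches in INDICATORS.items() if matches(fields)]


def suspicious_hosts(log_text: str, threshold: int = 2) -> dict:
    """Internal hosts with at least `threshold` blocked C2/TOR/EKE events,
    each mapped to a Counter of which indicators they triggered."""
    per_host = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        tags = classify(fields)
        if tags and "src" in fields:
            per_host[host_of(fields["src"])].update(tags)
    return {host: hits for host, hits in per_host.items() if sum(hits.values()) >= threshold}


if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {dict(hits)}")
```

A host that shows up here after the rules are in place is one the firewall is already containing; the value of the report is that it names the machine to pull off the network and clean, which the block alone does not do. The threshold keeps a single stray match from paging anyone, while a host that hits C2 and TOR within minutes, as 10.1.20.15 does in the sample, is exactly the pattern the article's signatures target.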



    6. DPI-SSL Client Inspection

    Enabling Client DPI-SSL, although not a mandatory measure, provides additional security for two reasons: 1) almost all web and email traffic is over SSL, so if a spam email is received over SSL, SonicWall cannot detect any malware it contains; 2) the initial connection to a TOR gateway is over SSL. Enabling DPI-SSL allows SonicWall to decrypt such traffic and scan it for malware. Under the Manage | Deep Packet Inspection | SSL Client deployment page, enable the check boxes under Gateway Anti-virus and Intrusion Prevention.

    Note: DPI-SSL requires a license and is supported in NSA 220 and higher appliances with SonicOS 5.6 and above firmware.

    7. CryptoWall or CryptoLocker infection may not always happen over the Internet.

    It could occur over shared files or drives, or over shared removable media such as USB thumb drives and external hard disks. Administrators are therefore advised to follow basic system-level security practices to protect internal hosts on the network from infection.
    Suggestions include, but are not limited to:

    • Installing end-point anti-virus software and keeping it updated with the latest signatures
    • Updating host Operating Systems, Browsers and Browser plugins with the latest security patches
    • Performing regular offline (cold) system back-ups
    • Educating users on the dangers of opening unknown files received from unknown sources etc. 


    Resolution for SonicOS 6.2 and Below

    The resolution below is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.



    The signatures, Application Control signatures, SonicAlert references and the note on optional services given above for SonicOS 6.5 apply equally to SonicOS 6.2 and earlier; only the menu paths in the steps below differ.


    1. Gateway Anti-virus (GAV)

    • Make sure GAV is updated with the latest signatures.
    • Enable GAV.
    • Enable Cloud GAV.
    • Enable Inbound and Outbound inspection of HTTP, FTP, IMAP, SMTP, POP3, CIFS/Netbios and TCP Stream.


    Security Services (screenshot)

    Under the settings of each protocol (HTTP, FTP and so on), enable the following check boxes:

    • Restrict Transfer of password-protected ZIP files
    • Restrict Transfer of MS-Office type files containing macros (VBA 5 and above)
    • Restrict Transfer of packed executable files (UPX, FSG, etc.)

    HTTP Settings (screenshot)

    • Enable GAV on all internal and external zones under Network | Zones.


    2. Intrusion Prevention Service (IPS) 

    • Make sure IPS is updated with the latest signatures.
    • Enable Prevention of Medium and High Priority Attacks. This automatically includes the signatures for this malware.
    • Enable IPS on all internal and external zones under Network | Zones.

    3. Botnet Filter

    Enabling Botnet Filter will block access to known command and control servers of this malware. 

    • On the Security Services | Botnet Filter page, enable the check box, Block connections to/from Botnet Command and Control Servers.
    • Enable the check box Enable Logging.



    4. Content Filter Service (CFS)

    Enable CFS and configure it to block sites in the “Malware” and “Hacking/Proxy Avoidance Systems” categories.


    5. App Control Advanced

    CryptoWall is known to use TOR to obtain the encryption keys used for encrypting files, so use App Control Advanced to block TOR. With the TOR signatures enabled, CryptoWall cannot obtain the keys it needs to encrypt files, which limits further damage to the infected host.

    1. On the Firewall | App Control Advanced page, select Category as PROXY-ACCESS.
    2. Set Application to TOR.
    3. Click on Configure under Application with TOR selected.
    4. Set Block and Log to Enable.
    5. Click on OK to save.


    TOR also uses the Encrypted Key Exchange application; to block that as well:

    1. On the Firewall | App Control Advanced page, select Category as PROXY-ACCESS.
    2. Set Application to Encrypted Key Exchange.
    3. Click on Configure under Application with Encrypted key exchange selected.
    4. Set Block and Log to Enable.
    5. Click on OK to save.




    6. DPI-SSL Client Inspection

    Enabling Client DPI-SSL, although not a mandatory measure, provides additional security for two reasons: 1) almost all web and email traffic is over SSL, so if a spam email is received over SSL, SonicWall cannot detect any malware it contains; 2) the initial connection to a TOR gateway is over SSL. Enabling DPI-SSL allows SonicWall to decrypt such traffic and scan it for malware. Under the DPI-SSL | Enable SSL Client Inspection page, enable the check boxes under Gateway Anti-virus and Intrusion Prevention.

    Note: DPI-SSL requires a license and is supported in NSA 220 and higher appliances with SonicOS 5.6 and above firmware.


    7. CryptoWall or CryptoLocker infection may not always happen over the Internet.

    It could occur over shared files or drives, or over shared removable media such as USB thumb drives and external hard disks. Administrators are therefore advised to follow basic system-level security practices to protect internal hosts on the network from infection.

    Suggestions include, but are not limited to:

    • Installing end-point anti-virus software and keeping it updated with the latest signatures
    • Updating host Operating Systems, Browsers and Browser plugins with the latest security patches
    • Performing regular offline (cold) system back-ups
    • Educating users on the dangers of opening unknown files received from unknown sources etc. 

    Categories

    • Firewalls > SonicWall NSA Series
    • Firewalls > SonicWall SuperMassive 9000 Series
    • Firewalls > SonicWall SuperMassive E10000 Series
    • Firewalls > TZ Series
