# Banking Security: Best Practices for Zeus and Cryptolocker

By [Palo Alto Networks](https://www.paloaltonetworks.com/blog/author/palo-alto-networks-staff/), Jul 07, 2014, 5 minutes

Categories: Cybersecurity, Financial Services, Malware, Vertical. Tags: banking, CryptoLocker, Domain Generation Algorithms, GameOver, WildFire, Zeus.

Over the last few weeks there has been a new episode in the ongoing saga between the banking system and the Zeus and Cryptolocker families of malware. The [UK National Crime Agency issued an unprecedented warning over GOZeuS and CryptoLocker PC malware](http://www.theinquirer.net/inquirer/news/2350303/nca-warns-thousands-still-at-risk-from-gameover-zeus-and-cryptolocker-malware), which has already enabled cyber criminals to steal hundreds of millions of pounds through the theft of bank login credentials. A similar alert was raised [in the US by US-CERT](http://www.us-cert.gov/ncas/alerts/TA14-150A).

Below are some recommended best practices from John Harrison, our resident threat prevention expert, for optimum and continuous protection against the "Crypto" family (Cryptolocker, CryptoDefense, Cryptowall) and the "Zeus" family (P2PZeus, Zbot, GameOver Zeus or GOZ), both of which may continue to resurface as other, as-yet-unnamed variants. Note that these best practices apply to many other malware families as well.

**Background on Zeus and Cryptolocker:** GameOver Zeus (GOZ) is bank-credential-stealing malware first identified in 2011 that has plagued the banking industry ever since. Cybercriminals use it to target Windows-based personal computers and web servers, and the infected machines are driven from the criminals' command-and-control (C2) infrastructure. Like many malware families today, Zeus and Cryptolocker use Domain Generation Algorithms (DGAs) to locate their command-and-control servers: the malware computes a list of candidate domain names, then resolves them over DNS until one answers, establishes contact and receives instructions. These families may reach out to as many as 1,000 generated domains per day.
This stream of lookups for short-lived, machine-generated domains is one of the crucial breadcrumbs that helps us detect them. As part of the proactive takedown initiated by the FBI in 2014, Palo Alto Networks and other companies received intelligence that included about 250,000 URLs that P2PZeus and Cryptolocker will reach out to over the next three years.

1. **Use IPS signatures to prevent vulnerabilities from being exploited by client-side attacks that could drop Zeus or Cryptolocker.** Consider inline blocking with a strict IPS policy, so that a drive-by download cannot exploit a client-side vulnerability to drop the malware on the system.
2. **Use Palo Alto Networks AV signature coverage for Cryptolocker and Zbot.** Cryptolocker often arrives through social engineering: PDF or Office documents, or ZIP attachments that contain malicious files. File names are not a reliable way to identify these files, so match on content instead. Our threat prevention features automatically block known malicious files, and we have added coverage for many samples under the "Virus/Win32.generic.jnxyz" type name:
   * Trojan-Ransom, Ransom/Win32.crilock, Trojan/Win32.lockscreen: to see our coverage, search for "LOCK" under Virus in Threat Vault.
   * Trojan-SPY/Win32.zbot and PWS/Win32.zbot: search for "Zbot" under Virus in Threat Vault.
3. **Ensure DNS detection is enabled.** Spyware and command-and-control detection will find infected systems that may pull down additional variants.
   * Suspicious DNS: investigate and remediate ALL suspicious DNS queries. The hosts making them are most likely infected systems.
   * Spyware command-and-control signatures: search for "zbot" or "Cryptolocker" under Spyware in Threat Vault for the latest coverage, including ID 13433 "CryptoLocker Command and Control Traffic", 13131 "Spyware-Zbot.p2p" and 13050 "Zbot.Gen Command and Control Traffic".
4. **Subscribe to URL Filtering to prevent threats from being downloaded from malicious domains.**
   * Block the malware category, as well as proxy-avoidance and peer-to-peer.
   * Use a "continue" page for websites in the unknown category.
5. **Turn on WildFire, which can detect unknown and zero-day malware or droppers related to Cryptolocker or Zeus.**
   * WildFire automatically flags the malicious behaviour and creates and pushes AV, DNS and command-and-control signatures to deployed Palo Alto Networks firewalls, so that additional employees are not infected by the same sample.
   * As a general rule, all Microsoft Office, PDF, Java and Portable Executable (PE) files should be sent to WildFire for behavioural inspection.
6. **Leverage file blocking.** Consider blocking all PE files, or use a "continue" page as an explicit warning to employees if they are allowed to download executables.
7. **Decrypt webmail.** Webmail is normally delivered over SSL, so an attachment downloaded from it is invisible to the firewall unless the session is decrypted. If an employee downloads a Fedex.ZIP that turns out to be Cryptolocker, make sure the decrypted download is inspected by our threat prevention.
8. **Track down and identify already-infected systems.** Use the Botnet report provided by Palo Alto Networks to make sure you have not missed systems that are already infected.
9. **Create a DNS sinkhole to systematically find infected systems.** Beyond the Botnet report, use this PAN-OS 6.0 feature to find already-infected systems easily. When clients resolve through an internal DNS server, the firewall only sees the resolver as the source of a malicious query; the sinkhole answers that query with a sinkhole address, so the infected host then tries to connect to it and identifies itself in the traffic logs.
10. **Leverage our firewall alerts.** Investigate ALL unknown-tcp and unknown-udp alerts. These could be the command-and-control channel for the malware, or a remote access trojan beaconing out.
11. **Control your software update process.** Malware authors rely on social engineering to get your employees to install fake Adobe Reader, Flash and Java updates, and these pop-ups can be part of the infection vector. Recommend that employees do not install Reader, Flash or Java updates from unofficial sources when such pop-ups appear. You might consider having all update installs controlled by the IT group, or explicitly directing users to the official software vendor's website for updates.

For more technical details on how to implement the above, [join the Palo Alto Networks technical community](https://live.paloaltonetworks.com/welcome) and download our most recent [Threat Prevention Deployment Tech Note](https://live.paloaltonetworks.com/docs/DOC-3094).
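Items 2, 6 and 7 above all hinge on one point: a "Fedex.ZIP" lure cannot be judged by the names inside it, only by what the bytes are. The script below is an added example, not code from the original post or from Palo Alto Networks. It builds a constructed archive in the shape of that lure (a double-extension executable, an executable renamed to .pdf, a real PDF, a text file and a nested ZIP) and classifies every member by magic bytes, blocking PE files and routing document and archive types to sandbox inspection. The magic-byte table, the extension lists and the block/sandbox policy are assumptions for illustration.

```python
"""Classifying ZIP attachments by content, not by name (items 2, 6 and 7).
Added example, not code from the original post or from Palo Alto Networks.
The archive is constructed to mimic the "Fedex.ZIP" lure; the magic-byte
table and the block/sandbox policy are assumptions for illustration."""
import io
import zipfile

# Leading bytes that identify the file types the text says should be
# blocked or sent to WildFire; deliberately a minimal table.
MAGIC = [
    (b"MZ", "pe"),                                        # Windows executable
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-office"),  # legacy .doc/.xls
    (b"PK\x03\x04", "zip"),                               # also .docx/.xlsx and .jar
    (b"\xca\xfe\xba\xbe", "java-class"),
]
BLOCK_TYPES = {"pe"}                                       # item 6: block executables
SANDBOX_TYPES = {"pdf", "ole-office", "zip", "java-class"}  # item 5: send to WildFire
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}


def sniff(data):
    """File type from leading bytes; the extension is never consulted."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def verdict(path, kind):
    parts = path.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if kind in BLOCK_TYPES:
        action = "block"
    elif kind in SANDBOX_TYPES:
        action = "sandbox"
    else:
        action = "allow"
    return {
        "path": path, "type": kind, "action": action,
        # Invoice.pdf.exe: Explorer hides the final extension, the user sees a PDF
        "double_extension": len(parts) > 2 and parts[-2] in DOC_EXTS and ext in EXEC_EXTS,
        # MZ content behind a document extension: a renamed executable
        "disguised": kind == "pe" and ext not in EXEC_EXTS,
    }


def scan_zip(data, depth=0, max_depth=3, prefix=""):
    """Verdict for every member, descending into nested archives."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Corrupt or truncated archive: do not allow it through unseen
        return [verdict(prefix.rstrip("/") or "attachment", "zip")]
    results = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member, path = archive.read(info), prefix + info.filename
            kind = sniff(member)
            if kind == "zip" and depth < max_depth:
                results.extend(scan_zip(member, depth + 1, max_depth, path + "/"))
            else:
                results.append(verdict(path, kind))
    return results


def should_block(data):
    return any(r["action"] == "block" for r in scan_zip(data))


def build_sample_zip():
    """Constructed lure in the shape of the Fedex.ZIP from the text."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS header stub only, not a real program
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("tracking_details.scr", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("FedEx_Invoice.pdf.exe", fake_pe)  # double extension
        zf.writestr("shipping_label.pdf", fake_pe)     # executable renamed to .pdf
        zf.writestr("receipt.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("readme.txt", b"Your parcel could not be delivered.\n")
        zf.writestr("details.zip", inner.getvalue())   # nested archive
    return outer.getvalue()


if __name__ == "__main__":
    for r in scan_zip(build_sample_zip()):
        print(f"{r['action']:8} {r['type']:11} {r['path']}")
```

The sample archive yields two blocks at the top level, a block inside the nested archive, a sandbox verdict for the genuine PDF and an allow for the text file. A corrupt archive is deliberately sent to the sandbox rather than allowed, since "could not parse" is exactly what an evasive sample looks like.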
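Items 3, 8, 9 and 10 describe three signals for finding hosts that are already infected: a client resolving a burst of generated-looking or non-existent domains (the DGA behaviour from the background section), a client that connects to the sinkhole address after the firewall answered a malicious lookup, and an unknown-tcp or unknown-udp flow that repeats on a fixed timer. The script below is an added example, not code from the original post or from Palo Alto Networks, showing each check over constructed log lines in a simplified whitespace-separated layout (not the PAN-OS log format). The thresholds and the sinkhole address 192.0.2.1 are assumptions to be tuned for a real network.

```python
"""Finding already-infected hosts from DNS and session logs (items 3, 8-10).
Added example, not code from the original post or from Palo Alto Networks.
Log lines are constructed and use a simplified whitespace layout, not the
PAN-OS log format; thresholds and the sinkhole address are assumptions."""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed DNS query log: <epoch> <client> <queried name> <rcode>
DNS_LOG = """\
1404720001 10.1.5.23 www.example-bank.com NOERROR
1404720003 10.1.5.23 xkqzpdnrwvtcfa.net NXDOMAIN
1404720004 10.1.5.23 bpwjqlgtrnmvxd.org NXDOMAIN
1404720005 10.1.5.23 hqdlmzwvprtnkg.com NXDOMAIN
1404720006 10.1.5.23 ztnwqkrvbpmdgl.biz NXDOMAIN
1404720007 10.1.5.23 mrvkzdqpwtlnbh.info NOERROR
1404720010 10.1.5.77 mail.example.com NOERROR
1404720011 10.1.5.77 cdn.example.net NOERROR
1404720012 10.1.5.77 typo.exmaple.com NXDOMAIN
"""
# Constructed session log: <epoch> <src> <dst> <dport> <app>
SESSION_LOG = """\
1404720100 10.1.5.23 198.51.100.40 8080 unknown-tcp
1404720400 10.1.5.23 198.51.100.40 8080 unknown-tcp
1404720690 10.1.5.23 198.51.100.40 8080 unknown-tcp
1404721000 10.1.5.23 198.51.100.40 8080 unknown-tcp
1404721305 10.1.5.23 198.51.100.40 8080 unknown-tcp
1404720150 10.1.5.23 192.0.2.1 80 web-browsing
1404720100 10.1.5.90 198.51.100.77 4444 unknown-tcp
1404720130 10.1.5.90 198.51.100.77 4444 unknown-tcp
1404721900 10.1.5.90 198.51.100.77 4444 unknown-tcp
1404722000 10.1.5.90 198.51.100.77 4444 unknown-tcp
1404720200 10.1.5.77 198.51.100.9 443 ssl
"""
SINKHOLE_IP = "192.0.2.1"  # assumed address configured as the DNS sinkhole


def registrable_label(name):
    """Second-level label of a query name; assumes single-label TLDs (not co.uk)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_generated(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.25):
    """Cheap DGA heuristic: long, high-entropy, consonant-heavy labels."""
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def dga_suspects(dns_log, min_generated=3, min_nxdomain=5):
    """Clients querying many generated-looking names or many non-existent domains."""
    generated, nxdomain = Counter(), Counter()
    for line in dns_log.splitlines():
        _ts, client, name, rcode = line.split()
        if looks_generated(registrable_label(name)):
            generated[client] += 1
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
    return sorted(c for c in set(generated) | set(nxdomain)
                  if generated[c] >= min_generated or nxdomain[c] >= min_nxdomain)


def parse_sessions(session_log):
    rows = []
    for line in session_log.splitlines():
        ts, src, dst, dport, app = line.split()
        rows.append((int(ts), src, dst, int(dport), app))
    return rows


def sinkhole_hits(sessions, sinkhole_ip=SINKHOLE_IP):
    """Hosts that connected to the sinkhole address. The sinkhole turns a malicious
    lookup, often visible only from the internal resolver, into a session from the
    infected host itself."""
    return sorted({src for _ts, src, dst, _port, _app in sessions if dst == sinkhole_ip})


def beacon_suspects(sessions, apps=("unknown-tcp", "unknown-udp"), min_sessions=4, max_cv=0.2):
    """Unknown-app flows whose inter-session gaps are nearly constant: a coefficient
    of variation (stdev / mean) near zero is a timer, not a person."""
    flows = defaultdict(list)
    for ts, src, dst, dport, app in sessions:
        if app in apps:
            flows[(src, dst, dport)].append(ts)
    suspects = []
    for key, times in flows.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            suspects.append((key, round(avg), round(cv, 3)))
    return suspects


def triage(dns_log=DNS_LOG, session_log=SESSION_LOG):
    sessions = parse_sessions(session_log)
    return {"dga": dga_suspects(dns_log),
            "sinkhole": sinkhole_hits(sessions),
            "beacons": beacon_suspects(sessions)}
```

On the constructed logs, 10.1.5.23 trips all three checks: five consonant-heavy fourteen-character labels with four NXDOMAIN answers, a connection to the sinkhole address, and an unknown-tcp flow to 198.51.100.40 every five minutes with only a few seconds of jitter. The 10.1.5.90 flow is also unknown-tcp but its gaps vary wildly, so it is left for manual review rather than flagged as a beacon, and 10.1.5.77's single typo NXDOMAIN stays below threshold. The entropy heuristic is deliberately crude; a real deployment would lean on the vendor's DGA signatures and keep this as a second opinion.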