{"id":4558,"date":"2016-04-02T11:25:29","date_gmt":"2016-04-02T16:25:29","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=4558"},"modified":"2016-09-27T08:27:46","modified_gmt":"2016-09-27T13:27:46","slug":"crypto-locker-early-detection-and-prevention","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/crypto-locker-early-detection-and-prevention\/","title":{"rendered":"Early Detection and Prevention of CryptoLocker"},"content":{"rendered":"<p><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/crypt-locker-ransom-message.jpg\" rel=\"attachment wp-att-4559\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-4559 size-medium\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/crypt-locker-ransom-message-300x233.jpg\" alt=\"crypt-locker-ransom-message\" width=\"300\" height=\"233\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/crypt-locker-ransom-message-300x233.jpg 300w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/crypt-locker-ransom-message.jpg 640w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/a><span style=\"font-family: verdana, geneva, sans-serif;\">In case you haven\u2019t heard, CryptoLocker is a popular form of the ransomware malware that encrypts your files and then holds them hostage. Generally you have to pay to get them decrypted. \u00a0If you have a backup of all of your data, you might be able to avoid the payment. If you have a backup\u2026<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">What makes it worse is that CryptoLocker will lock any files that an infected computer can access, including files on the network. \u00a0That means businesses with networks and shared folders (virtually all businesses) are at great risk. Do you have important shared folders\u00a0with files that are accessed by many users? 
It just takes one user\u2019s computer to get infected and all of those files could get encrypted \ud83d\ude41<\/span><\/p>\n<h2><span style=\"font-family: verdana, geneva, sans-serif;\">Clever Detection\u00a0Solution<\/span><\/h2>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/power-admin-file-sight-product-logo.png\" rel=\"attachment wp-att-4569\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-4569 size-full\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/power-admin-file-sight-product-logo.png\" alt=\"power-admin-file-sight-product-logo\" width=\"247\" height=\"65\"><\/a>We have brilliant customers. One of them, Eric, works at a large real estate management firm. His network has been hit a few times by CryptoLocker so he devised a clever means of detecting it quickly before it could do much damage. To do this, he uses <a title=\"PA File Sight\" href=\"https:\/\/www.poweradmin.com\/products\/file-sight\/?ref=blog\" target=\"_blank\">PA File Sight<\/a>.<\/span><\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">CryptoLocker Honeypot aka CryptoLocker Canary<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/honey-pot-folder-1.png\" rel=\"attachment wp-att-4561\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4561 size-full alignleft\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/honey-pot-folder-1.png\" alt=\"honey-pot-folder\" width=\"262\" height=\"263\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/honey-pot-folder-1.png 262w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/honey-pot-folder-1-150x150.png 150w\" sizes=\"auto, (max-width: 262px) 100vw, 262px\"><\/a>PA File Sight alerts you when files are accessed, which 
means written to, read from, created or deleted. Eric used this to his advantage by creating a \u2018honeypot\u2019 folder in his shared folders that people wouldn\u2019t normally access, but which everyone had full access to. He loaded it up with typical files that might be in a folder like Word and Excel documents, PDFs, etc. Then, since some CryptoLocker\u00a0applications will scan directories in alphabetical order, he named it so it would be at the front of the list. \u00a0Employees were instructed not to touch any files in that folder.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Next he installed PA File Sight and had it watch the\u00a0honey<\/span><span style=\"font-family: verdana, geneva, sans-serif;\">pot folder. If any\u00a0writes (such as writing a newly encrypted file to disk) happened in that folder, PA File Sight would send an alert. \u00a0Eric also mentioned writing an <a title=\"PA File Sight script action\" href=\"https:\/\/www.poweradmin.com\/help\/latestfshelp.aspx?page=action_execute_script.aspx&amp;ref=blog\" target=\"_blank\">Execute Script<\/a> action that would disconnect the share to protect the files.<\/span><\/p>\n<p>\u00a0<\/p>\n<h3><span style=\"font-family: verdana, geneva, sans-serif;\">Ransomware Behavior Analysis<\/span><\/h3>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">This was a great start, but Eric didn\u2019t stop there. 
\u00a0He used PA File Sight\u2019s unique ability to alert when a user reads, writes or deletes <a title=\"monitor aggregate user file access activities\" href=\"https:\/\/www.poweradmin.com\/help\/latestfshelp.aspx?page=monitor_filesight.aspx&amp;ref=blog#user_activities\" target=\"_blank\">more than a certain number of files within a set timeframe<\/a>.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/file-sight-monitors-server-file-access.jpg\" rel=\"attachment wp-att-4562\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-4562 size-full alignright\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/file-sight-monitors-server-file-access.jpg\" alt=\"file-sight-monitors-server-file-access\" width=\"601\" height=\"476\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/file-sight-monitors-server-file-access.jpg 601w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/02\/file-sight-monitors-server-file-access-300x238.jpg 300w\" sizes=\"auto, (max-width: 601px) 100vw, 601px\"><\/a>He set his threshold differently\u00a0than the screenshot here \u2014 something like 50 file writes in 2 minutes. \u00a0No normal user is going to be saving\u00a050 files in 2 minutes! But CryptoLocker probably will \u2014 once it starts causing trouble, it needs to get as much done as quickly as it can. So when this file access behavior is\u00a0detected, he had PA File Sight alert, and then run his script to disconnect the share. 
\u00a0This allows him to watch the full share for those instances where CryptoLocker\u00a0doesn\u2019t read folders in alphabetical order.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\">Eric reported that there were occasionally some false positives when a user was doing something unexpected, but those few were well worth the time\u00a0and money they saved preventing an all-out CryptoLocker\u00a0attack. \u00a0In fact, just recently he was back purchasing more licenses so he could protect additional servers \ud83d\ude42<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a href=\"\/blog\/early-detection-and-prevention-of-crypto-locker-the-scripts\/\">Part two of this post<\/a> will show some example scripts that could be used when a CryptoLocker attack is detected.\u00a0<\/span><\/p>\n<p><span style=\"font-family: verdana, geneva, sans-serif;\"><a title=\"Cryptolocker File Extension List\" href=\"https:\/\/www.poweradmin.com\/blog\/cryptolocker-file-extension-list\/\">Another post<\/a> lists file extensions that some people are using to detect current CryptoLocker variants.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In case you haven\u2019t heard, CryptoLocker is a popular form of the ransomware malware that encrypts your files and then holds them hostage. Generally you have to pay to get them decrypted. \u00a0If you have a backup of all of your data, you might be able to avoid the payment. 
If you have a backup\u2026 [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":4559,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,4,5,13,10,9,8],"tags":[],"class_list":["post-4558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptolocker","category-general-it","category-how-to","category-pc-security","category-power-admin","category-technical","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=4558"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4558\/revisions"}],"predecessor-version":[{"id":4874,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4558\/revisions\/4874"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/4559"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=4558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=4558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=4558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}