{"id":4596,"date":"2016-03-31T12:34:55","date_gmt":"2016-03-31T17:34:55","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=4596"},"modified":"2016-08-01T14:54:31","modified_gmt":"2016-08-01T19:54:31","slug":"early-detection-and-prevention-of-crypto-locker-the-scripts","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/early-detection-and-prevention-of-crypto-locker-the-scripts\/","title":{"rendered":"Early Detection and Prevention of CryptoLocker – The Response Scripts"},"content":{"rendered":"

In the\u00a0previous post<\/a>, I mentioned a couple of ways customers\u00a0are working on detecting CryptoLocker attacks. \u00a0In this post, I\u2019ll share a few scripts they use in response.<\/span><\/p>\n

\u00a0<\/p>\n

Ideally, you could quarantine the user\u2019s computer from where the attack is coming from. \u00a0In practice, that can be tricky.<\/span><\/p>\n

\u00a0<\/p>\n

Note that these responses could be used whether a computer is changing honeypot\/canary files, or over activity thresholds that you have set.<\/span><\/p>\n

Offense: Disconnect the User<\/span><\/h2>\n

The following Execute Script<\/a> action will disconnect a user from a share. \u00a0It is watching for an alert about a user writing too many files (\u201cOVERLIMIT_WRITE\u201d). \u00a0You could also look for other conditions like\u00a0OVERLIMIT_READ, or even just READ.<\/span><\/p>\n

\u00a0<\/p>\n

Dim objShell<\/span>
\nDim returnCode<\/span>
\nDim operation<\/span><\/p>\n

For i = 1 to Item.Count <\/span>
\n\u00a0 \u00a0 operation = CurrentValue(i)<\/span>
\n\u00a0 \u00a0 If operation = \u201cOVERLIMIT_WRITE\u201d Then<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 user = Item(i)<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 ipAddr = LimitValue(i)<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 reason = user & \u201d from \u201d & ipAddr & \u201d \u201d & operation<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0Set objShell = CreateObject( \u201cWScript.Shell\u201d )<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0returnCode = objShell.Run(\u201cnet session \\\\\u201d & ipAddr & \u201d \/delete \/y\u201d)<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0Set objShell = Nothing<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0ToLog(\u201cDisconnecting \u201d & user & \u201d from \u201d & ipAddr & \u201d with result \u201d & returnCode & \u201d because \u201d & reason)<\/span><\/p>\n

\u00a0 \u00a0 End if<\/span>
\nNext<\/span><\/p>\n

(note if copy\/pasting \u2013 WordPress is changing the quote mark \u201d \u2014 it will need to be turned back into a normal simple quote mark)<\/p>\n

\u00a0<\/p>\n

Code<\/span><\/h4>\n

The For loop is necessary because a single alert can contain information about a variety of users and files, so you want to respond to just the appropriate users and files.<\/span><\/p>\n

\u00a0<\/p>\n

The Variables button on the action will show what variables are available and what they mean. \u00a0That is where you\u2019ll find other options for OVERLIMIT_WRITE, OVERLIMIT_READ, etc.<\/span><\/p>\n

\u00a0<\/p>\n

\"disconnect-crypto-attacker-with-file-sight\"<\/a><\/span><\/p>\n

\u00a0<\/p>\n

One important caveat: If you are using\u00a0remote Satellite monitoring services<\/a>, make sure the script is set to run at that Satellite, otherwise the Central Service will run it and possibly not be able to reach the intended client to disconnect them.<\/span><\/p>\n

Caveats<\/span><\/h3>\n

Reconnects<\/span><\/h4>\n

Now for the bad news. \u00a0In my testing, the NET SESSION \/DELETE command does disconnect the user. \u00a0But the client Windows OS has cached credentials, and it seems to reconnect immediately so further access can continue. \u00a0Disconnecting at the router might be better but of course that would need to be a different command. \u00a0If you have other disconnect ideas, please share them and I\u2019ll add them here.<\/span><\/p>\n

Older Windows Clients and Servers<\/span><\/h4>\n

Windows XP, 2003, Vista and 2008 versions of Windows do NOT send the IP Address of the requesting computer to the server. \u00a0That means we have the user account to work with, but not an IP Address that can be targeted. \u00a0If your server is 2003 or 2008, then it\u00a0cannot receive the IP Address of the requesting computer. \u00a0Sending that IP Address was part of the change to the SMB protocol that came with Windows 7 and Windows 2008 R2.<\/span><\/p>\n

\u00a0File Sight Version<\/span><\/h4>\n

We made an update to PA File Sight to give you the IP Address (if available) via the LimitValue variable in the row variables. \u00a0You\u2019ll need to use version 6.2.0.162<\/strong> (the Preview build today) or newer.<\/span><\/p>\n

Offense: Shutdown the User\u2019s Computer<\/span><\/h2>\n

Another option is to shut down the attacking computer. \u00a0Similar to the caveats above, the computer will need to be Windows, and Windows 7 or Server 2008 R2 or newer. \u00a0Assuming this is the case, the following script will work:<\/span><\/p>\n

\u00a0<\/p>\n

Dim objShell<\/span>
\nDim returnCode<\/span>
\nDim user<\/span>
\nDim ipAddr<\/span>
\nDim reason<\/span>
\nDim operation<\/span><\/p>\n

For i = 1 to Item.Count <\/span>
\n\u00a0 \u00a0 operation = CurrentValue(i)<\/span>
\n\u00a0 \u00a0 If operation = \u201cOVERLIMIT_WRITE\u201d Then<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 user = Item(i)<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 ipAddr = LimitValue(i)<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 reason = user & \u201d from \u201d & ipAddr & \u201d \u201d & operation<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 Set objShell = CreateObject( \u201cWScript.Shell\u201d )<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 returnCode = objShell.Run(\u201cshutdown \/s \/m \\\\\u201d & ipAddr & \u201d \/c \u201d & Chr(34) & reason & Chr(34))<\/span>
\n\u00a0 \u00a0 \u00a0 \u00a0 Set objShell = Nothing<\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 ToLog(\u201cShut down \u201d & user & \u201d from \u201d & ipAddr & \u201d with result \u201d & returnCode & \u201d because \u201d & reason)<\/span><\/p>\n

\u00a0 \u00a0 End if<\/span>
\nNext<\/span><\/p>\n

\u00a0(note if copy\/pasting \u2013 WordPress is changing the quote mark \u201d \u2014 it will need to be turned back into a normal simple quote mark)<\/p>\n

<\/h3>\n

Caveats<\/span><\/h3>\n

Windows only<\/span><\/h4>\n

This only works if the attacking\u00a0operating system is Windows (the shutdown command is Windows specific), and PA File Sight has to have received the IP Address, which means it has to be Windows 7 or 2008 R2 or newer.<\/span><\/p>\n

Older Windows Clients and Servers<\/span><\/h4>\n

Windows XP, 2003, Vista and 2008 versions of Windows do NOT send the IP Address of the requesting computer to the server. \u00a0That means we have the user account to work with, but not an IP Address that can be targeted. \u00a0If your server is 2003 or 2008, then it\u00a0cannot receive the IP Address of the requesting computer. \u00a0Sending that IP Address was part of the change to the SMB protocol that came with Windows 7 and Windows 2008 R2.<\/span><\/p>\n

Account rights<\/span><\/h4>\n

The SHUTDOWN\u00a0command will get run using the account that the PA File Sight service is running as. \u00a0For it to successfully\u00a0force a remote computer to shutdown, it needs administrator access to that computer. \u00a0That implies that the PA File Sight service should run as a domain administrator account.<\/span><\/p>\n

\u00a0File Sight Version<\/span><\/h4>\n

We made an update to PA File Sight to give you the IP Address (if available) via the LimitValue variable in the row variables. \u00a0You\u2019ll need to use version 6.2.0.162<\/strong> (the Preview build today) or newer.<\/span><\/p>\n

\u00a0<\/p>\n

Defense: Shutdown the Server<\/span><\/h2>\n

The Reboot Server<\/a>\u00a0action could \u00a0be used to simply shutdown the server to protect it from attack. \u00a0No caveats to this one, except that the server is down and users can\u2019t access their files. \u00a0But if the CryptoLocker virus has it\u2019s way, they won\u2019t be accessing them for long anyway.<\/span><\/p>\n

\u00a0<\/p>\n

Other Ideas?<\/span><\/h2>\n

If you have other ideas that have worked for you, please share them by sending us an email and we\u2019ll add them here.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

In the\u00a0previous post, I mentioned a couple of ways customers\u00a0are working on detecting CryptoLocker attacks. \u00a0In this post, I\u2019ll share a few scripts they use in response. \u00a0 Ideally, you could quarantine the user\u2019s computer from where the attack is coming from. \u00a0In practice, that can be tricky. \u00a0 Note that these responses could be […]<\/p>\n","protected":false},"author":3,"featured_media":4597,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,13,10,6,8],"tags":[],"class_list":["post-4596","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptolocker","category-pc-security","category-power-admin","category-tech","category-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=4596"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4596\/revisions"}],"predecessor-version":[{"id":4838,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4596\/revisions\/4838"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/4597"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=4596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=4596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=4596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}