MSP Spot

LabTech => Script Exchange => Topic started by: clutts on October 20, 2015, 01:12:12 PM

Title: Cryptolocker Detection
Post by: clutts on October 20, 2015, 01:12:12 PM
Hi Guys,

Sorry for the email spam, forgot to sign up for this one.

I'm looking at setting up a Cryptolocker policy that can detect files as they are being encrypted and take the required steps once an infection is found (disconnect network drive, disconnect network, create tickets, etc.).

Before I begin I thought I would check if anyone already has something like this in place and could share their scripts and monitors?
I was discussing this with a few people last week and would like to get something in place.
Title: Re: Cryptolocker Detection
Post by: Atif on October 20, 2015, 04:04:57 PM
That would be a great tool. Keep us posted.
Title: Re: Cryptolocker Detection
Post by: JB on October 21, 2015, 08:38:03 AM
The thought that I had on this was that the Crypto infections always seem to encrypt alphabetically. It might be possible to have a dummy folder on the C drive of a machine with a bunch of blank files in it, which could have change monitoring over the top, and possibly script a lockdown or kill of any process attempting to modify them.
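The canary-folder idea above, worked through as an added example (this is not code from the thread or from LabTech): plant a few files whose names sort first, record a hash baseline, then on each monitor run report anything modified, missing (deleted or renamed away) or unexpected (such as a renamed `*.encrypted` copy). The file names, marker content and the tamper simulation are constructed for the demo; the response step (disconnecting drives, killing the process) is left to the RMM script and is not shown.

```python
"""Canary-file tamper detection for a ransomware monitor (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Names chosen to sort first so an encryptor walking the tree reaches them early
# (assumption based on the alphabetical-order observation in the thread).
CANARY_NAMES = ["!canary_000.docx", "!canary_001.xlsx", "!canary_002.pdf"]
CANARY_CONTENT = b"CANARY-DO-NOT-MODIFY\n"  # constructed marker content


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large canaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_canaries(folder: Path) -> dict:
    """Create the canary files and return the baseline {name: sha256}."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        path = folder / name
        path.write_bytes(CANARY_CONTENT)
        baseline[name] = sha256_file(path)
    return baseline


def check_canaries(folder: Path, baseline: dict) -> dict:
    """Compare the folder against the baseline.

    Returns {name: verdict} where verdict is 'modified' (content changed),
    'missing' (deleted or renamed away) or 'unexpected' (a file that was
    not planted, e.g. the renamed *.encrypted copy). Empty dict means clean.
    """
    findings = {}
    present = {p.name for p in folder.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name not in present:
            findings[name] = "missing"
        elif sha256_file(folder / name) != digest:
            findings[name] = "modified"
    for name in sorted(present - set(baseline)):
        findings[name] = "unexpected"
    return findings


def simulate() -> dict:
    """Self-contained demo: plant canaries, tamper with two of them the way an
    encryptor would (overwrite one, rename another), and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "canary"
        baseline = plant_canaries(folder)
        clean = check_canaries(folder, baseline)  # expected: {}
        (folder / CANARY_NAMES[0]).write_bytes(b"\x9f\x11not-the-marker")
        (folder / CANARY_NAMES[1]).rename(folder / (CANARY_NAMES[1] + ".encrypted"))
        findings = check_canaries(folder, baseline)
        findings["_clean_baseline"] = "yes" if clean == {} else "no"
        return findings


if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

In a monitor the baseline would be written once at deployment and the check scheduled; any non-empty result is the trigger for the ticket or lockdown action. Hashing rather than mtime is deliberate, since a renamed-and-rewritten file can keep a plausible timestamp.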
Title: Re: Cryptolocker Detection
Post by: Atif on October 22, 2015, 11:54:47 AM
One way I was thinking to achieve this is by using Everything software (http://www.voidtools.com).

Everything creates a real-time index of the complete filesystem.

Then schedule a script every five or so minutes that would find the file names containing *.encrypted in the index file created by Everything and raise an alert.

The only problem I see is that the index file created by Everything is a .db file (SQLite file) and not plaintext, which again can be overcome by using the SQLite Export application (http://www.speqmath.com/tutorials/sqlite_export/) to export the .db to .txt/.csv.

Summary:
  • Run Everything as a Service on a computer
  • Schedule a script to export the Everything index file .db to .txt/.csv every 5 minutes
  • Once step 2 is done, add another script action at the end to find *.encrypted within the exported .txt/.csv
  • Raise alert
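Steps 3 and 4 of the approach above, as an added example (not code from the thread, from Everything or from LabTech): scan the exported index for file names matching `*.encrypted` and turn the hits into the fields a ticket needs, i.e. a count, the affected folders and a verdict. The CSV header (`Filename,Size,Date Modified`) and the rows are constructed stand-ins for a real export, so the column name may need adjusting; `*.encrypted` is the only pattern named in the thread, and the pattern list is there only so others can be added.

```python
"""Scan an Everything index export for ransomware-style renamed files (added example)."""
import csv
import fnmatch
import io
import posixpath
from collections import Counter

# Constructed stand-in for the .csv produced by exporting Everything's index.
EXPORT_CSV = """Filename,Size,Date Modified
C:\\Users\\alice\\Documents\\budget.xlsx,20480,2015-10-22 09:14:02
C:\\Users\\alice\\Documents\\budget.xlsx.encrypted,20512,2015-10-22 11:41:17
C:\\Users\\alice\\Documents\\notes.txt.encrypted,1300,2015-10-22 11:41:18
C:\\Users\\alice\\Pictures\\holiday.jpg.encrypted,402000,2015-10-22 11:41:20
C:\\Windows\\System32\\drivers\\etc\\hosts,824,2015-01-05 08:00:00
C:\\Users\\bob\\Downloads\\archive.zip,99120,2015-10-21 16:02:44
"""

# Only *.encrypted is named in the thread; extend this list for other extensions.
SUSPICIOUS_PATTERNS = ["*.encrypted"]


def to_posix(win_path: str) -> str:
    """Normalise a Windows path so posixpath can split it on any OS."""
    return win_path.replace("\\", "/")


def find_suspicious(csv_text: str, patterns=SUSPICIOUS_PATTERNS) -> list:
    """Return the full paths whose file name matches one of the glob patterns."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        base = posixpath.basename(to_posix(row["Filename"]))
        if any(fnmatch.fnmatch(base.lower(), p.lower()) for p in patterns):
            hits.append(row["Filename"])
    return hits


def build_alert(hits: list, threshold: int = 1) -> dict:
    """Turn the hit list into ticket fields: count, affected folders (blast
    radius), a short sample, and whether the count reached the threshold."""
    by_folder = Counter(posixpath.dirname(to_posix(h)) for h in hits)
    return {
        "alert": len(hits) >= threshold,
        "count": len(hits),
        "folders": dict(by_folder),
        "sample": hits[:5],
    }


def scan(csv_text: str = EXPORT_CSV) -> dict:
    """One monitor run: parse the export and produce the alert record."""
    return build_alert(find_suspicious(csv_text))


if __name__ == "__main__":
    result = scan()
    print("ALERT" if result["alert"] else "clean", result)
```

The five-minute export interval is the detection delay, so the folder breakdown is what lets the responder see whether one user profile or a shared drive is affected before deciding which network disconnect step to run. Matching only on extension misses families that keep original names, which is why the canary-file approach and this index scan complement each other.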
Title: Re: Cryptolocker Detection
Post by: dheathorn on October 22, 2015, 12:15:32 PM
Quote
Summary:
  • Run Everything as a Service on a computer
  • Schedule a script to export the Everything index file .db to .txt/.csv every 5 minutes
  • Once step 2 is done, add another script action at the end to find *.encrypted within the exported .txt/.csv
  • Raise alert

You wouldn't need to do steps 2 and 3 as separate scripts. You could use the 'shell' command in LabTech scripting to run the export.
Title: Re: Cryptolocker Detection
Post by: Atif on October 22, 2015, 12:18:07 PM
Quote
You wouldn't need to do steps 2 and 3 as separate scripts. You could use the 'shell' command in LabTech scripting to run the export.

That's exactly right. That's why I wrote "script action"; I meant a Shell command.
Title: Re: Cryptolocker Detection
Post by: Amit on October 22, 2015, 12:19:27 PM
Atif, have you tried this yet?

Title: Re: Cryptolocker Detection
Post by: Atif on October 22, 2015, 12:21:51 PM
Quote
Atif, have you tried this yet?

Not yet. Just putting down a possible way to achieve it.

Worth trying though for a POC.