Author Topic: Cryptolocker Detection  (Read 3466 times)

clutts

  • Newbie
  • Posts: 2
Cryptolocker Detection
« on: October 20, 2015, 01:12:12 PM »
Hi Guys,

Sorry for the email spam, forgot to sign up for this one.

I'm looking at setting up a Cryptolocker policy that can detect files as they are being encrypted and take required steps once an infection is found (disconnect network drive, disconnect network, create tickets, etc.).

Before I begin I thought I would check if anyone already has something like this in place and could share their scripts and monitors?
I was discussing this with a few people last week and would like to get something in place.

Atif

  • Newbie
  • Posts: 7
  • Atif Rana
Re: Cryptolocker Detection
« Reply #1 on: October 20, 2015, 04:04:57 PM »
That would be a great tool. Keep us posted

JB

  • Administrator
  • Newbie
  • Posts: 3
Re: Cryptolocker Detection
« Reply #2 on: October 21, 2015, 08:38:03 AM »
The thought that I had on this was that the Crypto infections always seem to encrypt alphabetically, it might be possible to have a dummy folder on the c drive of a machine with a bunch of blank files in it which could have change monitoring over the top and possibly script a lockdown or kill of any process attempting to modify them.

Atif

  • Newbie
  • Posts: 7
  • Atif Rana
Re: Cryptolocker Detection
« Reply #3 on: October 22, 2015, 11:54:47 AM »
One way I was thinking to achieve this is by using Everything software (http://www.voidtools.com)

Everything creates a real-time index of complete filesystem

Then schedule a script every five or so minutes that would find the file name containing *.encrypted in the index file created by Everything and raise alert

The only problem I see is that the index file created by Everything is rather a .db file (SQLite file) and not plaintext which again can be overcome by using SQLite Export application (http://www.speqmath.com/tutorials/sqlite_export/) to export the .db to .txt/.csv

Summary:
  • Run Everything as a Service on a computer
  • Schedule a script to export Everything index file .db to .txt/.csv after every 5 minutes (using SQLite Export command line tool)
  • Once step 2 is done, add another script action in the end to find *.encrypted within the exported .txt/.csv
  • Raise alert
« Last Edit: October 22, 2015, 12:12:04 PM by Atif »
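An added example in Python (not code from this thread, from Everything or from LabTech) that covers both JB's decoy-folder idea above and the index-scan summarised here: it seeds a few canary files named to sort first alphabetically, keeps a hash baseline and reports any that change or disappear, and it searches a constructed Everything-style CSV export for *.encrypted and similar extensions. The 'Filename' column name and the extension list are assumptions.

```python
import csv
import hashlib
import io
import os
import tempfile

# Extension the thread looks for plus two commonly reported ones; constructed list, extend as needed.
SUSPICIOUS_EXTENSIONS = {".encrypted", ".locked", ".crypt"}
# Constructed sample of an Everything CSV export; the 'Filename' column name is an assumption.
SAMPLE_INDEX_CSV = (
    "Filename,Size\n"
    "C:\\Users\\alice\\Documents\\report.docx,10240\n"
    "C:\\Users\\alice\\Documents\\report.docx.encrypted,10304\n"
    "C:\\Users\\alice\\Documents\\notes.txt,512\n"
)

def scan_exported_index(csv_text):
    """Return every path in the exported index whose extension looks like ransomware output."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("Filename", "")
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
            hits.append(name)
    return hits

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def seed_canaries(folder, count=3):
    """Create decoy files named to sort first (leading '!!') and record a hash baseline for each."""
    os.makedirs(folder, exist_ok=True)
    baseline = {}
    for i in range(count):
        path = os.path.join(folder, f"!!canary_{i:02d}.docx")
        with open(path, "wb") as fh:
            fh.write(b"decoy document, never edited by users\n")
        baseline[path] = sha256_of(path)
    return baseline

def check_canaries(baseline):
    """Return canaries that were modified, renamed or deleted since the baseline was taken."""
    return [p for p, h in baseline.items() if not os.path.exists(p) or sha256_of(p) != h]

def demo_canary_roundtrip():
    """Seed canaries in a temp folder, then overwrite one as an encryptor would; returns (before, after)."""
    folder = tempfile.mkdtemp()
    baseline = seed_canaries(folder)
    before = check_canaries(baseline)
    victim = sorted(baseline)[0]
    with open(victim, "wb") as fh:
        fh.write(b"\x8f\x1a\xc3 junk standing in for ciphertext")
    return before, check_canaries(baseline)
```

In a real deployment the canary check would run from the monitor on a short interval and the index scan from the scheduled export; either list being non-empty is the trigger for the lockdown actions the thread describes.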

dheathorn

  • Newbie
  • Posts: 2
Re: Cryptolocker Detection
« Reply #4 on: October 22, 2015, 12:15:32 PM »
Quote
Summary:
  • Run Everything as a Service on a computer
  • Schedule a script to export Everything index file .db to .txt/.csv after every 5 minutes
  • Once step 2 is done, add another script action in the end to find *.encrypted within the exported .txt/.csv
  • Raise alert
You wouldn't need to do step 2 and 3 as separate scripts. You could use the 'shell' command in LabTech scripting to run the export.

Atif

  • Newbie
  • Posts: 7
  • Atif Rana
Re: Cryptolocker Detection
« Reply #5 on: October 22, 2015, 12:18:07 PM »
Quote
You wouldn't need to do step 2 and 3 as separate scripts. You could use the 'shell' command in LabTech scripting to run the export.

That's exactly right. That's why I used script action - I meant a Shell command

Amit

  • Guest
Re: Cryptolocker Detection
« Reply #6 on: October 22, 2015, 12:19:27 PM »
Atif, Have you tried this yet!


Atif

  • Newbie
  • Posts: 7
  • Atif Rana
Re: Cryptolocker Detection
« Reply #7 on: October 22, 2015, 12:21:51 PM »
Quote
Atif, Have you tried this yet!

Not yet. Just putting down a possible way to achieve it.

Worth trying though for a POC.