How are you Detecting Ransomware?


(Chuck Kissel) #1

Hi,
I can’t seem to find a lot of specific information about how admins detect ransomware other than their users calling up IT asking for the company credit card so they can open their files after they’ve been hit. I believe that detection is an important role in understanding the weak point in the environment, because typically worst-case scenarios in practice are usually the ones that happen IRL.

I know that products like AlienVault and Sophos have built-in detection modules that depend on past user history and complex algorithms. But I’m sure there must be a simple method of detecting a hit, even if there are chances of false positives.

I have a change management system that detects changes through several core systems, including file systems. I have set up a rule that will detect if a user or system renames more than 50 files within a span of 1 minute. That should be pretty hard for a user to accomplish and would only happen if something is systematically changing files, like ransomware would. Another detection I have is if a file becomes “encrypted” via the Windows check mark under a file’s properties. I have not seen a sample ransomware file up close yet but would imagine there would be other characteristics that would be a dead giveaway.


#2

Take a look at FoolishIT.
It’s a comprehensive set of group policies. CryptoPrevent is an anti-virus/security software supplement, originally designed to prevent infection from the CryptoLocker threat which emerged in late 2013. Since that time, CryptoPrevent has grown into a robust solution, providing protection against a wide range of ransomware and other malware.

https://www.foolishit.com/cryptoprevent-malware-prevention/


#3

We’ve implemented a couple of solutions that monitor filesystems for bulk-renames during a fairly short period. You do get some false positives, but to us it’s worth it simply to verify that the user was doing what they intended, instead of trying to scramble to stop encryption and recover some time after it’s been running.

There are also storage solutions that allow hourly snapshotting of files, which makes for easier recovery if something does occur.
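The rename-rate rule described in #1 (more than 50 renames by one account inside one minute) and the bulk-rename monitoring in #3 can be tried out without a commercial change-management product. The following is an added example, not the posters' own rule engine or scripts: it assumes change events have already been exported as CSV rows with `time,user,op,path` columns (an invented format), and runs a per-account sliding window over a constructed sample.

```powershell
# Added example (not the poster's change-management product or its rule engine):
# the "more than 50 renames by one account inside one minute" rule from posts #1
# and #3, run over a constructed change-log sample so it can be tried offline.

function Find-BulkRename {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with time, user, op, path
        [int] $Threshold  = 50,                      # renames that are "too many"
        [int] $WindowSecs = 60                       # ... inside this many seconds
    )
    $alerts = @()
    # Evaluate per account: a burst by one user must not be diluted by others' activity.
    $renames = $Events | Where-Object { $_.op -eq 'rename' }
    foreach ($group in ($renames | Group-Object -Property user)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.time } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Sliding window: advance the start until the span fits inside WindowSecs.
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSecs) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $Threshold) {
                $alerts += [pscustomobject]@{
                    User   = $group.Name
                    Count  = $count
                    From   = $times[$start]
                    To     = $times[$end]
                    Sample = ($group.Group | Select-Object -First 3 -ExpandProperty path) -join '; '
                }
                break   # one alert per account per run; the next run re-evaluates
            }
        }
    }
    return $alerts
}

# Constructed sample (not real data): alice renames a couple of files by hand,
# then an account "bob" renames 60 files to a ransomware-style extension in 48 s.
$sampleLog = @'
time,user,op,path
2016-04-18T09:00:01,alice,rename,\\fs01\finance\q1.xlsx
2016-04-18T09:00:05,alice,rename,\\fs01\finance\q2.xlsx
2016-04-18T09:00:09,alice,write,\\fs01\finance\q2.xlsx
'@
$events = @($sampleLog | ConvertFrom-Csv)
$t0 = [datetime]'2016-04-18T09:01:00'
$events += 1..60 | ForEach-Object {
    [pscustomobject]@{
        time = $t0.AddMilliseconds(800 * $_).ToString('o')
        user = 'bob'
        op   = 'rename'
        path = "\\fs01\finance\doc$($_).docx.locky"
    }
}

Find-BulkRename -Events $events | Format-Table -AutoSize
```

Run from an RMM or scheduled task every few minutes over the events since the last run; the alert fires for "bob" as soon as the 51st rename lands inside the window, while alice's two renames never reach the threshold. The false positives #3 mentions (a user moving a project folder, a backup job) are the price of the rule, so the alert should carry the account and a few sample paths so an admin can confirm intent quickly.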


(Stuart) #4

We are using an RMM toolset to monitor client machines. We have some detection scripts that run every 3-5 min and look for common crypto extensions.

It’s not perfect, but we’ve caught a few over the last few years.


(Daniel Beato) #5

In our domain environment we use FSRM (File Server Resource Manager) to monitor our file shares, and we are notified when a user or a system is infected. We have also implemented scripts to turn off the computer, notify us by email and shut down the share for that specific user. We have implemented a canary share to detect it earlier than other shares.


#6

Webroot is a fantastic ransomware solution. My company started using it in January of this year and it has already stopped several instances of ransomware. Webroot installs in less than a minute and has a very small footprint. Here is a breakdown of how it works: https://www.webroot.com/shared/pdf/wsab-ep_ds.pdf


#7

Agreed. We’ve been using Webroot for the last couple of years and we’ve only had a couple instances (that we know of) where Poweliks and CryptoWall 3.0 got past it… eventually Webroot did detect CryptoWall, but it was a couple hours after the machine was infected and the user’s files became encrypted. Luckily our network files were untouched. Ever since then we’ve been more focused on security awareness training for our staff.

With CryptoWall 3.0 we were able to find a list of local files the ransomware encrypted, hidden in the registry, but I believe the later versions now have that list encrypted as well :(

Love this topic. Detection is definitely important, and rarely do I come across articles that talk about it.


(Chuck Kissel) #8

Hi, Thank you for your response.
Can you describe your “Canary Share” a little bit? Is it like a honeypot?


(Daniel Beato) #9

Yes, it will be like a fake share that the ransomware works on (while you are notified). I have examples of this below:

http://blog.vectranetworks.com/blog/canary-in-the-ransomware-mine
http://www.freeforensics.org/2016/03/proactively-reacting-to-ransomware.html
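The canary share from #9 and the FSRM notify/shut-down-the-share setup from #5 can be built with the FSRM and SmbShare cmdlets that ship with Windows Server 2012 and later. What follows is an added example, not Daniel's scripts or the code from the linked posts: the paths, share name, SMTP settings, responder script location and extension list are illustrative assumptions, and it must be run as an administrator on a file server with the FSRM role installed.

```powershell
# Added example (not Daniel's scripts or the linked blog posts' code): a canary
# share plus FSRM file screens that e-mail the admins and cut off the offending
# account, as described in posts #5 and #9. Paths, share name, mail settings and
# the extension list are illustrative assumptions.
Import-Module FileServerResourceManager
Import-Module SmbShare

$ShareRoot  = 'D:\Shares'                       # assumed location of the real shares
$CanaryPath = 'D:\Canary'                       # decoy lives outside the real shares
$Responder  = 'C:\Scripts\Block-RansomwareUser.ps1'

# 1. The decoy: an ordinary-looking, writable share full of files nobody should change.
#    The share name starts with "_aaa" so it sorts first when shares are enumerated (assumption).
New-Item -ItemType Directory -Path $CanaryPath -Force | Out-Null
1..20 | ForEach-Object {
    Set-Content -Path (Join-Path $CanaryPath "Budget_2016_$_.docx") -Value 'decoy document'
}
New-SmbShare -Name '_aaa_canary' -Path $CanaryPath -ChangeAccess 'Everyone' | Out-Null

# 2. File name patterns of ransomware seen in the wild at the time (Locky, TeslaCrypt,
#    CryptoWall 3.0 ransom notes, Cerber). Extend as new families appear.
$Patterns = '*.locky', '*.zepto', '*.micro', '*.ttt', '*.xxx', '*.crypt', '*.encrypted',
            '*.cerber', 'HELP_DECRYPT.*', '_Locky_recover_instructions.txt'
New-FsrmFileGroup -Name 'Ransomware artifacts' -IncludePattern $Patterns | Out-Null

# 3. Responder that FSRM launches with the offending account's name: revoke that account
#    on every non-administrative share and drop its open SMB sessions.
$ResponderBody = @'
param([string]$User, [string]$FilePath)
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $User -Force
}
$sessions = Get-SmbSession | Where-Object { $_.ClientUserName -eq $User }
# Optional (needs admin rights on the client): power off the infected workstation.
# $sessions | ForEach-Object { Stop-Computer -ComputerName $_.ClientComputerName -Force }
$sessions | Close-SmbSession -Force
'@
New-Item -ItemType Directory -Path (Split-Path $Responder) -Force | Out-Null
Set-Content -Path $Responder -Value $ResponderBody

# 4. Notifications: an e-mail, then the responder, both fed with FSRM's own variables.
Set-FsrmSetting -SmtpServer 'smtp.example.local' -FromEmailAddress 'fsrm@example.local' `
                -AdminEmailAddress 'soc@example.local'
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
             -Subject 'Ransomware indicator on [Server]' `
             -Body 'Account [Source Io Owner] created [Source File Path] under [File Screen Path].'
$block = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
             -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
             -CommandParameters "-NoProfile -ExecutionPolicy Bypass -File $Responder -User `"[Source Io Owner]`" -FilePath `"[Source File Path]`""

# 5. Screens: passive on the canary (let the malware keep working on decoys while we
#    respond), active on the real shares (refuse the write outright).
New-FsrmFileScreen -Path $CanaryPath -IncludeGroup 'Ransomware artifacts' `
                   -Notification $mail, $block -Active:$false | Out-Null
New-FsrmFileScreen -Path $ShareRoot  -IncludeGroup 'Ransomware artifacts' `
                   -Notification $mail, $block -Active | Out-Null
```

Two caveats a practitioner should keep in mind. FSRM file screens only match file names at create, rename or save time, so a family that keeps the original names or uses random extensions never trips them; the canary still helps there if you also watch the decoy files' hashes or modification times. And `[Source Io Owner]` is the SMB client's account: if the encryption runs on the file server itself, the responder is handed the server's own identity, so test the screen by creating a `test.locky` on the share from a workstation before relying on it.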


(Daniel Beato) #10

Other resources



(Will Jeansonne) #11

Hey guys,

You might want to look into this new tool for detecting ransomware on individual machines:

Will Jeansonne
Community Manager


(Ray) #12

We’ve implemented AlienVault USM to watch over our network. It checks for known vulnerabilities and keeps an eye on all network traffic. It may not check specifically for the installation of ransomware (I only install the “AlienVault HIDS agent” on servers, not on workstations), but it is great at giving us a heads-up on devices that are not acting normally, like being redirected to C&C servers or to other known bad IPs/URLs.

Love the RanSim idea, Canary Share (thanks @Daniel_Beato for the links) and will definitely look at webroot (Thanks @771M )


(Daniel Beato) #13

We use AlienVault OSSIM (the open source version) until we can afford the USM. It works well with alerts and system logs.


(Borg Xaeus) #15

You can use multiple tactics there.

  • Block known C&Cs
  • Block all unneeded extensions on e-mail system
  • Create trap documents that are monitored
  • Monitor active tasks