{"id":1774,"date":"2016-05-25T18:39:49","date_gmt":"2016-05-25T23:39:49","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1774"},"modified":"2016-05-25T18:42:42","modified_gmt":"2016-05-25T23:42:42","slug":"cryptolocker-canary-detect-it-early","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1774","title":{"rendered":"Cryptolocker Canary – detect it early!"},"content":{"rendered":"

Cryptolocker Canary – detect it early!<\/a>
\nTHREAT WATCH & VIRUS ALERTS ANTIVIRUS
\nby JustinCredible on Nov 21, 2014 at 11:32am<\/p>\n

Cryptolocker Canary<\/a><\/p>\n

I thought I’d share with you what steps I’ve taken to alert me to a likely Cryptolocker infection.<\/p>\n

Generally, if someone gets a virus on their computer it’s a pain in the ass but it’s not threatening to the company on the whole. The computer is isolated and reinstalled or otherwise cleaned up, and you’re off again.<\/p>\n

With Cryptolocker, 9 times out of 10 the person seems to also have a link to at least one network share. Because it’s encrypting everything it can (not -infecting- everything, just encrypting), it will go out to those shares and do it’s thing.<\/p>\n

Now, if you’re familiar with this, hopefully not first hand, you’ll know they drop two files in every folder with encrypted files – INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt. You can use this to your advantage as a sort of ‘early warning system’. This works on Server 2008+, don’t know what facilities exist for this for earlier or different OS’s.<\/p>\n

EDIT: I guess I should mention it’s a good way to quickly tell who the culprit is, if it’s useful for nothing other than that.<\/p>\n

DOUBLE EDIT: Updated Jan 7\/2015 with clearer instructions and screenshots<\/p>\n

EDIT AGAIN: Updated Jan 29\/2015 to add help_decrypt*.* to the file screen, thanks go to +blefler for that!<\/p>\n

C-C-C-C-C-COMBO EDIT: March 19\/2015 With the release of new cryptolocker-like variants, they’ve taken to dropping randomly named files into the encrypted folders, making this method useless against those variants. Just FYI!<\/p>\n

KEEP ON EDITING: August 19\/2015 Added additional filenames that a new variant is using (restore_Flies*.*, *djqfu*.*, *.aaa). Thanks to +Mconn for the heads up: http:\/\/community.spiceworks.com\/topic\/1135679-new-trojan-crypto-virus<\/p>\n

NEVER STOP EDITING: November 5, 2015 Added additional filenames that Cryptowall 4.0 uses (help_your_files*.*) Thanks to +Lawrence Abrams for the heads up: http:\/\/community.spiceworks.com\/topic\/1274312-cryptowall-v4-0-released-now-encrypts-the-file-names-as-well<\/p>\n

MORE EDIT!: February 16, 2016 Added additional filenames various crypto infections use. Credit goes to quietman7 at bleepingcomputer and Jaymesned at Reddit.<\/p>\n

Steps (8 total)
\n1Open FSRM
\nExpand
\nOpen up File Server Resource Manager. (or Win key + R\u001b, fsrm.msc)<\/p>\n

2Create File Group<\/p>\n

Right click on File Groups under File Screening Management on the left and choose “Create File Group…”<\/p>\n

3Create File Group…
\nExpand
\nCall it “Cryptolocker Canary”
\nUnder files to include:
\n*.ecc
\n*.ezz
\n*.exx
\n*.zzz
\n*.xyz
\n*.aaa
\n*.abc
\n*.ccc
\n*.vvv
\n*.xxx
\n*.ttt
\n*.micro
\n*.encrypted
\n*.locked
\n*.crypto
\n_crypt
\n*.crinf
\n*.r5a
\n*.XRNT
\n*.XTBL
\n*.crypt
\n*.R16M01D05
\n*.pzdc
\n*.good
\n*.LOL!
\n*.OMG!
\n*.RDM
\n*.RRK
\n*.encryptedRSA
\n*.crjoker
\n*.EnCiPhErEd
\n*.LeChiffre
\n*.keybtc@inbox_com
\n*.0x0
\n*.bleep
\n*.1999
\n*.vault
\n*.HA3
\n*.toxcrypt
\n*.magic
\n*.SUPERCRYPT
\n*.CTBL
\n*.CTB2
\n*.locky
\nHELPDECRYPT.TXT
\nHELP_YOUR_FILES.TXT
\nHELP_TO_DECRYPT_YOUR_FILES.txt
\nRECOVERY_KEY.txt
\nHELP_RESTORE_FILES.txt
\nHELP_RECOVER_FILES.txt
\nHELP_TO_SAVE_FILES.txt
\nDecryptAllFiles.txt
\nDECRYPT_INSTRUCTIONS.TXT
\nINSTRUCCIONES_DESCIFRADO.TXT
\nHow_To_Recover_Files.txt
\nYOUR_FILES.HTML
\nYOUR_FILES.url
\nencryptor_raas_readme_liesmich.txt
\nHelp_Decrypt.txt
\nDECRYPT_INSTRUCTION.TXT
\nHOW_TO_DECRYPT_FILES.TXT
\nReadDecryptFilesHere.txt
\nCoin.Locker.txt
\n_secret_code.txt
\nAbout_Files.txt
\nRead.txt
\nReadMe.txt
\nDECRYPT_ReadMe.TXT
\nDecryptAllFiles.txt
\nFILESAREGONE.TXT
\nIAMREADYTOPAY.TXT
\nHELLOTHERE.TXT
\nREADTHISNOW!!!.TXT
\nSECRETIDHERE.KEY
\nIHAVEYOURSECRET.KEY
\nSECRET.KEY
\nHELPDECYPRT_YOUR_FILES.HTML
\nhelp_decrypt_your_files.html
\nHELP_TO_SAVE_FILES.txt
\nRECOVERY_FILES.txt
\nRECOVERY_FILE.TXT
\nRECOVERY_FILE*.txt
\nHowtoRESTORE_FILES.txt
\nHowtoRestore_FILES.txt
\nhowto_recover_file.txt
\nrestorefiles.txt
\nhowrecover+*.txt
\n_how_recover.txt
\nrecoveryfile*.txt
\nrecoverfile*.txt
\nrecoveryfile*.txt
\nHowto_Restore_FILES.TXT
\nhelp_recover_instructions+*.txt
\n_Locky_recover_instructions.txt<\/p>\n

click OK<\/p>\n

4Create File Screen Template<\/p>\n

Right click on File Screen Templates on the left and choose “Create File Screen Template…”<\/p>\n

5Create File Screen Template…
\nExpand
\nCall it “Cryptolocker Canary”<\/p>\n

Set it up as PASSIVE screening. You want the file to be saved – it’s a harmless txt file, and it allows you to search for all instances of it and know which folders have been affected.<\/p>\n

Under File groups, choose Cryptolocker Canary.<\/p>\n

Under the E-mail Message tab, check the option to send a message and enter your email. Also check the option to send an email to the user who generated the violation.<\/p>\n

For my Subject, I wrote: “POSSIBLE VIRUS INFECTION DETECTED”
\nFor the body I wrote:<\/p>\n

“User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server.<\/p>\n

This file indicates that the file server is in the process of being encrypted by a virus. If you are [Source Io Owner] please shut down any computers you are using IMMEDIATELY and notify IT at 123-456-7890 or helpdesk@domain.com”<\/p>\n

6Create File Screen<\/p>\n

Right click on File Screens on the left and choose “Create File Screen…”<\/p>\n

7Create File Screen…
\nExpand
\nChoose the path you want to ‘protect’, and choose “Derive properties from this file screen template” and select your Cryptolocker Canary template from the list and click Create.<\/p>\n

8Remediation
\nOnce their system is offline it can’t harm anything and it’s time for remediation.<\/p>\n

Wipe the infected machines and reinstall. No two ways about it. You don’t want Cryptolocker lingering at all.<\/p>\n

To figure out what’s encrypted, do a search of your file server for the files and extensions mentioned in Step 3, make note of the resulting folders. You’ll want to restore those.<\/p>\n

If you have Shadow Copies turned on for your file server (I highly recommend it), it can make restoring your data that much faster – choose the latest point and click Restore.<\/p>\n

I should note, we were able to identify the user that was infected because their personal network share was encrypted – nobody else’s. That’s a dead giveaway.<\/p>\n

If you don’t have Shadow Copies set up, then it’s off to your backups – you do have those, right?<\/p>\n

Conclusion<\/p>\n

In the end, it’s not going to stop the infection, but it will warn you hopefully early enough that you have to restore very little data to your network shares. The infected machine is most likely completely encrypted at this point, but it’s a great way to “protect the herd” from one bad apple.<\/p>\n

Thanks Ian S for the link to configuring Exchange
\nThanks to +Mconn for the heads up on the latest variant at http:\/\/community.spiceworks.com\/topic\/1135679-new-trojan-crypto-virus<\/p>\n

Big thanks to Jaymesned over at reddit for his compilation https:\/\/www.reddit.com\/r\/sysadmin\/comments\/46361k\/list_of_ransomware_extensions_and_known_ransom\/ which was copied from quietman7 at bleepingcomputer http:\/\/www.bleepingcomputer.com\/forums\/t\/605116\/im-hit-with-a-cryptolocker-virus\/<\/p>\n

References
\nReddit
\nBleeping Computer
\nNew Trojan Crypto Virus
\nConfigure E-Mail Notifications for FSRM
\nConfiguring Exchange to accept FSRM E-Mails<\/p>\n","protected":false},"excerpt":{"rendered":"

Cryptolocker Canary – detect it early! THREAT WATCH & VIRUS ALERTS ANTIVIRUS by JustinCredible on Nov 21, 2014 at 11:32am Cryptolocker Canary I thought I’d share with you what steps I’ve taken to alert me to a likely Cryptolocker infection. … Read More »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1774"}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1774"}],"version-history":[{"count":3,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1774\/revisions"}],"predecessor-version":[{"id":1780,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1774\/revisions\/1780"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1774"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}