
Building Your Own Cryptolocker Monitoring Dashboard

Last Friday, one of our public sector customers got hit by Cryptolocker ransomware. Because their LANGuardian is continuously monitoring the network, it proved to be a crucial ‘go to system’ for quickly investigating the attack and for forensics. It had all the detail needed to really understand what happened. Within a very short time frame they were able to track down infected hosts and get the associated usernames, so the outbreak was contained very quickly.

This blog post looks at what you need to do to set up your own Cryptolocker monitoring dashboard. The examples shown here use the LANGuardian system, but you can adopt a similar approach if you are collecting file and network activity through other means.

A sample of this Cryptolocker monitoring dashboard is shown below. This is from a network which is not under ransomware attack. Most reports show no results, and only small numbers of file renames are reported, which is normal network activity.

Figure: Cryptolocker Monitoring Dashboard

Step 1 – Watch out for .micro file extensions

The first report we created checks for any files with the .micro extension. These are known to be associated with TeslaCrypt ransomware, and thousands of them will appear on your network when you get hit with this malware. The report should remain blank. If results are shown, you should check any client machines listed for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files with the .micro extension.

Figure: micro file extensions

Step 2 – Track down clients renaming large numbers of files

When Cryptolocker strikes it encrypts files and, at the same time, renames them so that they have different file extensions.

You should create a report that focuses on the top clients by number of file renames. In normal operation you should not see thousands of renames over a 1 hour period. This report will normally show results, but you are watching out for clients associated with hundreds or thousands of renames.

LANGuardian Report – Use Top Clients :: by Num of Events from the Windows File Shares report section. Use the action filter to only show renames.

Step 3 – Cryptolocker Canary

Ransomware infections can result in the creation of files like INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt. TOR (the onion router) is free software for enabling anonymous communication and is used by the cyber criminals to communicate with you.

A Cryptolocker canary can be created by alerting if any of these files are detected on network shares. You just need to create a report that looks for these files. In normal operation the report should remain blank. If results are shown, you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called INSTALL_TOR.txt or DECRYPT_INSTRUCTION.txt.

Step 4 – Root out filenames associated with other Crypto variants

New Cryptolocker variants are appearing on a daily basis. Applications like Tox require very little technical skill to use and are designed to let almost anyone deploy ransomware in three easy steps.

File names known to be associated with other Crypto variants include restore_Files*.*, *djqfu*.* or *.aaa.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called restore_Files*.*, *djqfu*.* or ones ending in .aaa.

The report should remain blank. If results are shown, you should check the client machine for a Cryptolocker infection.

Figure: Cryptolocker variants

Step 5 – Focus in on Cryptowall 4.0 infections

Cryptowall 4.0 infections can result in the creation of files like help_your_files*.* or help_decrypt.

Look at setting up alerting if any of these files are detected on network shares. You can start by setting up a report that looks for these files. In normal operation the report should remain blank. If results are shown, you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called help_your_files*.* or help_decrypt.
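If you are collecting file-share activity by other means, the five reports above boil down to two checks. As an added example (not LANGuardian's code or the author's), this script runs both over a constructed sample log: canary filename matches for the patterns listed in Steps 1, 3, 4 and 5, and per-client rename counts in a sliding one-hour window for Step 2. The log format, the 1000-rename threshold and the sample values are assumptions.

```python
import fnmatch
from datetime import datetime, timedelta
# Filename patterns from the five steps above, matched as case-insensitive globs.
CANARY_PATTERNS = [
    "*.micro", "INSTALL_TOR.txt", "DECRYPT_INSTRUCTION.txt", "restore_Files*.*",
    "*djqfu*.*", "*.aaa", "help_your_files*.*", "help_decrypt*",  # last one: prefix match
]
RENAME_THRESHOLD = 1000  # renames by one client inside an hour that warrant a look
WINDOW = timedelta(hours=1)

# Constructed sample log (not a LANGuardian export): timestamp,client IP,user,action,path
SAMPLE_LOG = """
2016-01-22T09:00:01,10.0.0.12,jsmith,read,//fs1/finance/budget.xlsx
2016-01-22T09:00:05,10.0.0.12,jsmith,rename,//fs1/finance/budget.xlsx.micro
2016-01-22T09:00:06,10.0.0.12,jsmith,create,//fs1/finance/DECRYPT_INSTRUCTION.txt
2016-01-22T09:01:00,10.0.0.33,acooper,rename,//fs1/hr/draft_v2.docx
"""

def parse_log(text):
    """Yield (timestamp, client, user, action, path) for every non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, user, action, path = line.split(",", 4)
            yield datetime.fromisoformat(ts), client, user, action, path

def canary_hits(events):
    """Steps 1, 3, 4, 5: (client, user, filename) for every canary-pattern match."""
    hits = []
    for _ts, client, user, _action, path in events:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]   # handle UNC or POSIX paths
        if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in CANARY_PATTERNS):
            hits.append((client, user, name))
    return hits

def rename_storms(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Step 2: peak rename count per (client, user) in any sliding window, if >= threshold."""
    stamps = {}
    for ts, client, user, action, _path in events:
        if action == "rename":
            stamps.setdefault((client, user), []).append(ts)
    storms = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                storms[key] = max(storms.get(key, 0), end - start + 1)
    return storms
```

With the sample log, canary_hits() flags the .micro rename and the DECRYPT_INSTRUCTION.txt drop by the same client and user, while rename_storms() stays empty at the default threshold, which is the blank-report state the dashboard expects.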
