Creating a Ransomware Monitoring Dashboard with LANGuardian
Ransomware has really hit the headlines since WannaCry was first detected. If you want to learn more about this variant, check out our latest blog post which takes a look at how to detect the presence of WannaCry Ransomware and SMBv1 servers on your network.
We regularly send security bulletins to customers, and one of the most common questions about Ransomware has been which reports make up a good Ransomware Monitoring dashboard. As WannaCrypt and its variants are very prominent at the moment, the focus here is on them. However, as you can see from the video below, the dashboard can be used to monitor many other Ransomware variants.
Ransomware Monitoring Elements
The list below shows the 8 elements that make up our basic Ransomware monitoring dashboard. We will publish more information at a later date as we learn more about WanaCrypt0r 2.0 and other variants. The video below explains how to set up each element and how to interpret the data returned.
- Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
- Any activity associated with WannaCry web domains.
- A list of Windows XP clients; as these use SMBv1, they are seen as vulnerable.
- A list of servers running SMBv1.
- Graphic showing the rate of file renames on network shares. A high number of file renames is a strong indicator of Ransomware encrypting files.
- Top clients (usernames are also available) renaming files on your network.
- Any outbound activity from your network using TCP port 445.
- Any instances of ransom note text files associated with WannaCry.
The video references these variables, which you can copy and paste when needed.
- WannaCry file extensions: \.wnry$|\.wcry$|\.wncry|\.wncryt$
- WannaCry web domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- WannaCry ransom note text file: @Please_Read_Me@.txt
If you want to add elements for detecting XData Ransomware, use these variables:
- Search for any file containing the text string XData
- Search for any file names matching HOW_CAN_I_DECRYPT_MY_FILES.txt.
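The dashboard elements and the WannaCry/XData variables above can be reproduced outside the appliance as a small checker over file-activity, flow and DNS records. The block below is an added example written for this post, not LANGuardian code; it assumes its own record layout (dictionaries with `client`, `op`, `path`, `dport`, `qname` keys), a rename-count threshold of 3 per client and RFC1918 ranges as "internal", all of which are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Indicators quoted in the post: WannaCry extension regex, web domain and ransom note,
# plus the XData ransom note name and text marker. Matching is case-insensitive.
WANNACRY_EXT = re.compile(r"\.wnry$|\.wcry$|\.wncry|\.wncryt$", re.IGNORECASE)
WANNACRY_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
RANSOM_NOTES = {"@please_read_me@.txt", "how_can_i_decrypt_my_files.txt"}
XDATA_MARKER = "xdata"

# Assumptions: what counts as "internal" for the outbound-445 check, and how many
# renames per client in the sample window count as "high".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RENAME_THRESHOLD = 3


def basename(path):
    """Last component of a UNC/Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def is_wannacry_extension(path):
    return WANNACRY_EXT.search(basename(path)) is not None


def is_ransom_note(path):
    return basename(path).lower() in RANSOM_NOTES


def contains_xdata(content):
    """XData element: file content carrying the text string 'XData'."""
    return XDATA_MARKER in content.lower()


def rename_counts(events):
    """Renames per client; the top renamers are the hosts most likely encrypting shares."""
    return Counter(e["client"] for e in events if e["op"] == "rename")


def outbound_445(flows):
    """TCP/445 flows whose destination lies outside the internal ranges."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["dport"] == 445
            and not any(ip_address(f["dst"]) in net for net in INTERNAL_NETS)]


def wannacry_domain_lookups(dns):
    return [q for q in dns if q["qname"].lower().rstrip(".") == WANNACRY_DOMAIN]


def build_dashboard(events, flows, dns):
    """One entry per dashboard element from the post (SMBv1 inventory is omitted)."""
    renames = rename_counts(events)
    return {
        "wannacry_extensions": [e for e in events if is_wannacry_extension(e["path"])],
        "ransom_notes": [e for e in events if is_ransom_note(e["path"])],
        "top_renamers": renames.most_common(),
        "rename_alert": [c for c, n in renames.items() if n >= RENAME_THRESHOLD],
        "outbound_445": outbound_445(flows),
        "wannacry_domain": wannacry_domain_lookups(dns),
    }


# Constructed sample records (not LANGuardian output): one infected client, one normal.
SAMPLE_EVENTS = [
    {"client": "10.0.0.5", "user": "alice", "op": "rename", "path": r"\\fs01\finance\q1.xlsx.WNCRY"},
    {"client": "10.0.0.5", "user": "alice", "op": "rename", "path": r"\\fs01\finance\q2.xlsx.WNCRY"},
    {"client": "10.0.0.5", "user": "alice", "op": "rename", "path": r"\\fs01\finance\budget.docx.WNCRYT"},
    {"client": "10.0.0.5", "user": "alice", "op": "create", "path": r"\\fs01\finance\@Please_Read_Me@.txt"},
    {"client": "10.0.0.9", "user": "bob", "op": "rename", "path": r"\\fs01\hr\draft.docx"},
    {"client": "10.0.0.9", "user": "bob", "op": "read", "path": r"\\fs01\hr\policy.pdf"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": "tcp", "dport": 445},    # internal share
    {"src": "10.0.0.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 445},  # outbound SMB
]
SAMPLE_DNS = [
    {"client": "10.0.0.5", "qname": "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"},
    {"client": "10.0.0.9", "qname": "example.org"},
]

if __name__ == "__main__":
    for element, hits in build_dashboard(SAMPLE_EVENTS, SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(f"{element}: {hits}")
```

The extension regex is used exactly as given in the post, so `\.wncry` without a trailing `$` also covers `.wncryt`; the rename-rate element is reduced to a per-client count because the sample has no timestamps, whereas the real dashboard graphs renames over time.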
We are also working on an update to LANGuardian which can trigger an alert whenever an SMB1 protocol request or response is seen. This will then enable you to use the Ransomware Monitoring dashboard and get alerts, if required.