CryptoWall infection – Verifying that there are no other infected PCs active
Using LANGuardian to manage a CryptoWall infection
One of the most important tasks when dealing with a CryptoWall infection is to locate the PC(s) on your network that introduced the malware. If you don’t locate this system your files will keep getting encrypted after you restore them or pay the ransom.
In a recent blog post I looked at Auditing File Access on File Servers. One method for auditing file activity involves deep packet inspection and this is ideal for cleaning up after a CryptoWall infection. Malware like CryptoWall leaves certain traces behind and you just need to watch out for these to trace the clients responsible.
Check file share activity for certain text strings
When a CryptoWall infection reaches a file share it drops text and/or HTML files into every folder where data has been encrypted. Typically the file names are HOWDECRYPT.txt and HOWDECRYPT.html. These files contain instructions on how to get the data decrypted. What you need to do is find the client that created the files, as that is the machine infected with the ransomware. Be careful to distinguish creates and writes from reads: a user who later opens HOWDECRYPT.txt to see what happened will also show up in file activity, but only the infected client writes the notes.
You need to check for the presence of these files through network traffic analysis or log files. There is no point in searching for them with applications like Windows Explorer. You may find the files, but you won't be able to see which clients created them; at best the file's NTFS owner tells you a user account, not the PC it was logged on to.
You can use the LANGuardian search feature to track activity associated with suspicious file names. It uses deep packet inspection to capture file names, IP addresses, actions and user names from network packets. You just need to set up a SPAN/mirror port or use a network TAP to get a copy of the network traffic going to and from your file servers. Once you have LANGuardian installed, follow these steps to track down CryptoWall infections.
- Click on the down arrow beside the search field
- Enter DECRYPT into the File Name field
- Modify the time range so that it includes the date and time when the CryptoWall infection was reported
Once you click on the search option you should see a report like the one below. This reveals which IP address is associated with the CryptoWall infection. In my case the suspicious IP address is 10.1.1.151. If more than one client shows up writing the ransom notes, treat each of them as infected until you have checked it.
Find out what users are responsible for CryptoWall infections
Tracking down the network clients associated with CryptoWall infections may be all you need. However, if you use DHCP the same IP address can belong to different machines and users over time, so you should find out which username was behind the IP address at the time the ransom notes were written.
Once you have an IP address you can either cross reference your Windows domain controller security log files or use the LANGuardian user reports to identify the usernames. You do need to make sure you are auditing domain logons to get this data.
To reveal usernames in LANGuardian, click on the arrow symbol in the top right panel of either of the reports shown above. This will return all results. Then click on the View by: User Name option in the top right hand side and you will see which usernames are associated with the file share activity.
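The same search and user lookup, as an added worked example that is not part of the original post and not LANGuardian code. It assumes a hypothetical CSV export of file-share events (timestamp, client IP, user, action, path) such as a DPI tool or file-server audit log might produce, plus a list of domain-controller logon records; both data sets below are constructed for the example. It filters on the reported time range and on file names containing DECRYPT, counts only creates and writes (so the user who merely opened a note is not flagged), and then resolves each suspect IP to the most recent logon before the notes appeared, which is what matters on a DHCP network.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample events (hypothetical CSV export format, not a LANGuardian export).
# 10.1.1.151 drops HOWDECRYPT.* in several folders (the infected host),
# 10.1.1.20 only reads a note afterwards, and 10.1.1.77 wrote an unrelated
# "decrypt" file the day before the incident was reported.
SAMPLE_EVENTS = r"""timestamp,client_ip,user,action,path
2015-03-02 09:58:12,10.1.1.151,jsmith,WRITE,\\fs01\shared\finance\budget.xlsx
2015-03-02 09:58:13,10.1.1.151,jsmith,CREATE,\\fs01\shared\finance\HOWDECRYPT.txt
2015-03-02 09:58:13,10.1.1.151,jsmith,CREATE,\\fs01\shared\finance\HOWDECRYPT.html
2015-03-02 09:59:40,10.1.1.151,jsmith,CREATE,\\fs01\shared\hr\HOWDECRYPT.txt
2015-03-02 09:59:40,10.1.1.151,jsmith,CREATE,\\fs01\shared\hr\HOWDECRYPT.html
2015-03-02 10:15:02,10.1.1.20,mjones,READ,\\fs01\shared\finance\HOWDECRYPT.txt
2015-03-01 17:30:00,10.1.1.77,backup,CREATE,\\fs01\shared\it\decrypt_tool_notes.txt
"""

# Constructed domain-controller logon records (timestamp, client IP, user),
# the kind of data you only have if domain logons are being audited.
SAMPLE_LOGONS = [
    ("2015-03-01 08:05:00", "10.1.1.151", "asmith"),
    ("2015-03-02 08:02:11", "10.1.1.151", "jsmith"),
    ("2015-03-02 08:10:30", "10.1.1.20", "mjones"),
]

NOTE_ACTIONS = {"CREATE", "WRITE"}   # only the writer of a ransom note is infected
TS_FMT = "%Y-%m-%d %H:%M:%S"


def _ts(value):
    """Accept either a datetime or a timestamp string in TS_FMT."""
    return value if isinstance(value, datetime) else datetime.strptime(value, TS_FMT)


def parse_events(text):
    """Parse the CSV export into dicts with a datetime and the bare file name."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = _ts(row["timestamp"])
        row["filename"] = row["path"].rsplit("\\", 1)[-1]
        events.append(row)
    return events


def note_creators(events, start, end, needle="DECRYPT"):
    """Per client IP: number of ransom-note creates/writes in [start, end]
    and the time the first one was seen. Reads are ignored on purpose."""
    start, end = _ts(start), _ts(end)
    hits, first_seen = Counter(), {}
    for e in events:
        if not (start <= e["timestamp"] <= end):
            continue
        if e["action"] not in NOTE_ACTIONS:
            continue
        if needle.lower() in e["filename"].lower():
            ip = e["client_ip"]
            hits[ip] += 1
            first_seen[ip] = min(first_seen.get(ip, e["timestamp"]), e["timestamp"])
    return hits, first_seen


def user_for_ip(logons, ip, at):
    """Most recent domain logon for `ip` at or before `at`; None if not audited."""
    at, best = _ts(at), None
    for ts, lip, user in logons:
        t = _ts(ts)
        if lip == ip and t <= at and (best is None or t > best[0]):
            best = (t, user)
    return best[1] if best else None


def suspects(events_text, logons, start, end):
    """List of (client_ip, note_writes, username) sorted by number of notes written."""
    events = parse_events(events_text)
    hits, first_seen = note_creators(events, start, end)
    return [(ip, n, user_for_ip(logons, ip, first_seen[ip])) for ip, n in hits.most_common()]


if __name__ == "__main__":
    for ip, n, user in suspects(SAMPLE_EVENTS, SAMPLE_LOGONS,
                                "2015-03-02 09:00:00", "2015-03-02 12:00:00"):
        print(f"{ip:<12} {n:>3} ransom-note writes  user={user}")
```

With the reported time window the only suspect is 10.1.1.151 with four note writes, resolved to jsmith. Widening the window to the previous day also pulls in 10.1.1.77's decrypt_tool_notes.txt, which is why the time range should be set to the incident and why each hit should be checked rather than trusted on the file name alone.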