How to detect the presence of Gryphon Ransomware on your network
Gryphon Ransomware is actually a variant of the BTCWare ransomware. This family of Ransomware typically uses RDP (remote desktop protocol) brute force attacks to spread within computer networks. Once the hacker gains access to a computer, they will install the ransomware and encrypt the victim’s files.
What you need to watch out for
1. Inbound RDP connections
RDP can be a useful IT tool for managing user systems remotely. However, it is not a protocol that you should leave open at your network edge. Watch out for inbound RDP connections from external clients. RDP typically uses TCP port 3389 for connections. The screenshot below shows an example of what you should be capturing with your network traffic monitoring tool. In my case, the connections are local to my LAN.
2. Increase in file renames on network shares
When Ransomware strikes, it often seeks out network file shares, as that is where the most valuable data is. One way to detect whether Ransomware has become active on your network is to monitor the rate of file renames: when Ransomware encrypts data, it renames each file with a new extension.
File rename rates can be captured by monitoring the network traffic going to and from your network file servers. A tool such as our own LANGuardian can then use this data source to create an audit trail of file and folder activity.
The image below is an example of what you should be watching out for. The graph shows an increase in file renames and the client responsible for this is also shown. An alert can also be triggered when this activity is detected.
3. Crypton file extensions
When Gryphon Ransomware strikes a network, it appends the .Crypton extension to encrypted files. Any client that is renaming files with this extension needs to be taken off the network immediately. The image below shows an example of what you should be watching out for; in this example, a database file was renamed with the .Crypton file extension.
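The three indicators above (inbound RDP from outside the LAN, a spike in file renames per client, and renames to the .Crypton extension) can be checked with a few lines of detection logic. The script below is an added example written for this article; it is not LANGuardian code or any tool's output. It assumes two simple, constructed record formats: a flow log with `timestamp src_ip dst_ip dst_port` per TCP connection, and an SMB file-activity log with `timestamp client_ip action path [new_path]`. The internal address ranges (`INTERNAL_NETS`) and the alert threshold of five renames per 60 seconds are assumptions you would tune for your own network.

```python
"""Toy detectors for the three Gryphon/BTCWare indicators described above.
Runs over constructed sample records, not real captures."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumption: these are the site's LAN ranges (RFC1918). Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389
CRYPTON_EXT = ".crypton"  # compared case-insensitively

# Constructed sample flow records: timestamp src_ip dst_ip dst_port (one TCP connection per line).
FLOW_LOG = """\
2017-08-01T09:00:01 192.168.1.20 192.168.1.50 3389
2017-08-01T09:00:05 203.0.113.77 192.168.1.50 3389
2017-08-01T09:00:09 192.168.1.21 192.168.1.10 445
2017-08-01T09:00:12 198.51.100.9 192.168.1.50 3389
"""

# Constructed sample SMB file-activity records: timestamp client_ip action path [new_path].
FILE_LOG = r"""
2017-08-01T09:01:00 192.168.1.40 rename \\fs01\hr\policy.docx \\fs01\hr\policy_v2.docx
2017-08-01T09:01:03 192.168.1.31 read \\fs01\finance\q2.xlsx
2017-08-01T09:01:04 192.168.1.31 rename \\fs01\finance\q2.xlsx \\fs01\finance\q2.xlsx.Crypton
2017-08-01T09:01:05 192.168.1.31 rename \\fs01\finance\q3.xlsx \\fs01\finance\q3.xlsx.Crypton
2017-08-01T09:01:06 192.168.1.31 rename \\fs01\finance\ledger.mdb \\fs01\finance\ledger.mdb.Crypton
2017-08-01T09:01:07 192.168.1.31 rename \\fs01\finance\budget.pptx \\fs01\finance\budget.pptx.Crypton
2017-08-01T09:01:08 192.168.1.31 rename \\fs01\finance\notes.txt \\fs01\finance\notes.txt.Crypton
2017-08-01T09:01:09 192.168.1.31 rename \\fs01\finance\plan.docx \\fs01\finance\plan.docx.Crypton
""".strip("\n")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dst_port) tuples."""
    recs = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        recs.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                     ipaddress.ip_address(dst), int(port)))
    return recs


def inbound_rdp_from_external(flows):
    """Indicator 1: RDP (TCP/3389) connections from a non-LAN source to a LAN host."""
    return [(ts, str(src), str(dst)) for ts, src, dst, port in flows
            if port == RDP_PORT and not is_internal(src) and is_internal(dst)]


def parse_file_events(text):
    """Parse the constructed file-activity format into (timestamp, client, action, old, new)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts, client, action, old = parts[:4]
        new = parts[4] if len(parts) > 4 else None
        events.append((datetime.fromisoformat(ts), client, action, old, new))
    return events


def rename_rate_alerts(events, threshold=5, window_seconds=60):
    """Indicator 2: clients whose rename count in any sliding window reaches the threshold.
    Returns {client: peak renames seen in one window}."""
    renames = defaultdict(list)
    for ts, client, action, _old, _new in events:
        if action == "rename":
            renames[client].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for client, times in renames.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = peak
    return alerts


def crypton_renames(events):
    """Indicator 3: every rename whose new name carries the .Crypton extension."""
    return [(client, new) for _ts, client, action, _old, new in events
            if action == "rename" and new and new.lower().endswith(CRYPTON_EXT)]


if __name__ == "__main__":
    for ts, src, dst in inbound_rdp_from_external(parse_flows(FLOW_LOG)):
        print(f"[RDP] {ts} external {src} -> {dst}:{RDP_PORT}")
    events = parse_file_events(FILE_LOG)
    for client, peak in rename_rate_alerts(events).items():
        print(f"[RENAME RATE] {client}: {peak} renames in one window")
    for client, path in crypton_renames(events):
        print(f"[CRYPTON] {client} renamed to {path}")
```

On the sample data, the two RDP connections from 203.0.113.77 and 198.51.100.9 are flagged while the LAN-to-LAN session is not; client 192.168.1.31 trips the rename-rate alert (six renames in a few seconds) and every one of its renames carries the .Crypton extension, while 192.168.1.40's single routine rename stays quiet. The rate check and the extension check are deliberately separate: the rate check catches a new variant that uses a different extension, and the extension check catches a slow encryptor that stays under the rate threshold.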
Worried about Ransomware? Download a free trial of LANGuardian today
If you want to audit your network for signs of Ransomware activity, download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.