How to generate Ransomware Alerts

Focus on file renames to generate Ransomware alerts

See Also:

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

If you are interested in learning more about detecting Ransomware on your network, check out the blog posts below, which I published recently. They contain a lot of good information on how Ransomware can get into a network.

One of the most common questions I get on the subject of Ransomware is: how can you generate an alert if any variant of Ransomware gets into a network? The key requirement is being able to detect any variant, which rules out approaches like antivirus signatures that are designed to alert on one specific Ransomware variant.

When Ransomware strikes it seeks out local and network-based storage, encrypts files and leaves behind text or HTML files containing instructions on what is required to decrypt the data. You could set up alerts for specific file extensions appearing on network shares, but this is not reliable, as some Ransomware variants use common extension types like .HTML.

A more reliable way is to watch for file renames on network file shares. While renaming is a legitimate action, it is not one network users perform very often. Any sudden increase in file renames is an indication that something suspicious is happening on your network.

I am going to use our own product, LANGuardian, to show you how you can trend renames and create alerts when there is a sudden increase in activity. However, you may be able to set up similar alerts in other monitoring tools if they can capture the file and folder actions associated with network file shares.

LANGuardian uses network traffic as its data source, so you don't need to install agents or enable logging on your file servers. It monitors and records every access to file shares, capturing the user name, client IP address, server name, event type, file name, and data volume. Just set up a SPAN or mirror port to sniff the traffic.

If you use Cisco switches on your network, we have a free Cisco SPAN Port Configurator which makes the job really easy. Just select the port or VLAN that your file server(s) are connected to and send the data to whatever port you have your LANGuardian connected to.

Create a LANGuardian trend to focus on file renames

Before you can set up Ransomware alerts, you need to create a trend of how often renames are being detected. Our support team carried out tests on a number of Ransomware variants. Based on this research, we recommend generating an alert when renames go above 4 per second as a good starting point for detecting Ransomware.

To get this alerting in place, log onto your LANGuardian, click on the All Reports option at the top right and select Search by File/Folder Name.

Ransomware Alerts Report
File Renames

Select Rename from the action drop-down and then run the report. It does not matter what date range you use, just be sure to select the action before running the report.

You may or may not see results when the report completes; this does not matter. Now select Actions at the top of the report and choose Trend Report. Enter a name like File Renames and click on the Create button.

Filename actions

Configure Ransomware Alerting

Follow these steps to configure Ransomware alerts:

  1. Click on the gear symbol at the top right and then select Settings.
  2. Select Trends, which can be found under the Modules section.
  3. Locate your renames trend and click on Alarms.
  4. Give your alarm a name and enter 4 as the value. 4 is a good starting point and you can tweak this if needed.
  5. Choose Send Email as the action and enter a description if needed.
  6. Click on Save and your alert is now configured. If renames go above 4 per second you will get an alert sent to your mailbox.

Setting up Ransomware Alerts
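To make the detection logic behind the trend and alarm above concrete, here is an added example that is not LANGuardian code and not part of the original post. It takes constructed file-share access records shaped like the fields the post says LANGuardian captures (timestamp, user, client IP, server, action, file name, bytes), builds the per-second rename trend, and raises an alert once any single client exceeds the post's starting threshold of 4 renames per second. The record format, the one-second sliding window, the per-client attribution and the once-per-burst alerting are all assumptions of this example; the threshold is the post's.

```python
"""Rename-rate detector: trend file renames and alert on bursts.

Added example, not LANGuardian code. The log format below is an assumption
modelled on the fields the post lists; the sample records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 4            # the post's starting point: alert above 4 renames/second
WINDOW = timedelta(seconds=1)   # assumption: measure the rate over a 1-second sliding window

# Constructed sample records: timestamp user client_ip server action path bytes.
# One normal rename by alice, then a burst of six renames from one client
# (10.0.0.77) within 0.75 s, followed by a dropped HTML note.
SAMPLE_EVENTS = r"""2017-05-15T09:00:00 alice 10.0.0.21 fs01 READ   \\fs01\finance\q1.xlsx 40960
2017-05-15T09:00:01 alice 10.0.0.21 fs01 RENAME \\fs01\finance\draft.docx 0
2017-05-15T09:00:30 bob   10.0.0.35 fs01 WRITE  \\fs01\hr\notes.txt 2048
2017-05-15T09:05:00.000 carol 10.0.0.77 fs01 RENAME \\fs01\finance\a.docx 0
2017-05-15T09:05:00.150 carol 10.0.0.77 fs01 RENAME \\fs01\finance\b.docx 0
2017-05-15T09:05:00.300 carol 10.0.0.77 fs01 RENAME \\fs01\finance\c.xlsx 0
2017-05-15T09:05:00.450 carol 10.0.0.77 fs01 RENAME \\fs01\finance\d.pdf 0
2017-05-15T09:05:00.600 carol 10.0.0.77 fs01 RENAME \\fs01\finance\e.pptx 0
2017-05-15T09:05:00.750 carol 10.0.0.77 fs01 RENAME \\fs01\finance\f.docx 0
2017-05-15T09:05:00.900 carol 10.0.0.77 fs01 WRITE  \\fs01\finance\README.html 1450
"""


def parse_event(line):
    """Parse one whitespace-separated record into a dict (assumed format)."""
    ts, user, client, server, action, path, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "client": client,
        "server": server,
        "action": action,
        "path": path,
        "bytes": int(nbytes),
    }


def iter_events(lines):
    for line in lines:
        if line.strip():
            yield parse_event(line)


def renames_per_second(lines):
    """The 'trend': number of RENAME actions seen in each one-second bucket,
    keyed by the bucket's ISO timestamp, across all clients."""
    trend = defaultdict(int)
    for ev in iter_events(lines):
        if ev["action"] == "RENAME":
            trend[ev["ts"].replace(microsecond=0).isoformat()] += 1
    return dict(trend)


def detect_rename_bursts(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """The 'alarm': return one alert per burst whenever a single client performs
    more than `threshold` renames inside any sliding window of length `window`.

    Attributing the count to the client IP is what lets a responder act on the
    alert (for example, isolating that host), rather than only knowing that the
    share as a whole is busy."""
    recent = defaultdict(deque)   # client -> timestamps of renames inside the window
    in_burst = set()              # clients currently above threshold (alert once per burst)
    alerts = []
    for ev in iter_events(lines):
        if ev["action"] != "RENAME":
            continue
        q = recent[ev["client"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] >= window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) > threshold:
            if ev["client"] not in in_burst:
                in_burst.add(ev["client"])
                alerts.append({"client": ev["client"], "user": ev["user"],
                               "server": ev["server"], "at": ev["ts"], "count": len(q)})
        else:
            in_burst.discard(ev["client"])
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_EVENTS.splitlines()
    for bucket, count in sorted(renames_per_second(lines).items()):
        print(f"{bucket}  renames={count}")
    for alert in detect_rename_bursts(lines):
        print(f"ALERT {alert['at'].isoformat()} client={alert['client']} "
              f"user={alert['user']} renames_in_window={alert['count']}")
```

On the constructed records the trend shows a single rename at 09:00:01 and six at 09:05:00, and the detector raises exactly one alert, for client 10.0.0.77, at the fifth rename of the burst (the first moment the count exceeds 4). Reading from a real export would only change `SAMPLE_EVENTS` and `parse_event`.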

You can also send the alert via SNMP, which makes it possible to integrate with tools like SolarWinds UDT and IBM QRadar to take an action such as immediately disconnecting the infected client by disabling a port on a switch.