
5 Methods For Detecting Ransomware Activity

Ransomware attacks on the rise

See also: How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

According to a new report from McAfee Labs, Ransomware will remain a major and rapidly growing threat in 2016. New variants of Ransomware appear daily and traditional security tools like antivirus are struggling to keep up. Recent variants have also changed how they encrypt files and what happens to your data once it is encrypted. This includes:

  • Ransomware-Locky removes the volume shadow copies from the compromised system, which prevents the user from restoring the encrypted files from local snapshots.
  • Filecoder.Jigsaw is particularly aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim's computer.
  • The latest variant of the TeslaCrypt ransomware no longer adds an extension to encrypted files, making it harder for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
  • Master boot record killers like Petya can also install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get it back without paying the ransom.
  • The authors of the CryptMix Ransomware are offering to donate ransom fees to a children's charity, but this is believed to be another scam to dupe victims into paying.
  • Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer because of an expired license key.

Previously, we have looked at many ways of preventing Ransomware attacks on our blog. The #1 tip is to back up your data and make sure you do a test restore. However, even with latest-generation firewalls and antivirus on every desktop, Ransomware can still get into a network. The most common attacks use email phishing with dodgy attachments, but we have also seen attacks come in through exposed remote desktop services and infected storage devices.

How you can detect the presence of Ransomware on your network

The first variants of Ransomware used a small number of very specific file extensions like .crypt. However, each new variant seems to use different extensions and some even keep the file name intact. Because of this, you need to watch out for multiple symptoms of an attack; here, we take a look at 5 of them:

1. Watch out for known file extensions

Even though the list of known Ransomware file extensions is growing rapidly, it is still a useful method for detecting suspicious activity. Before you do anything you need to get file activity monitoring in place so that you have both a real time and historical record of all file and folder activity on your network file shares.

There is an interesting discussion on this Reddit post which has a link to a number of resources including this spreadsheet which has a comprehensive list of all known Ransomware variants. We currently work off this list and you can use this on your LANGuardian to create a custom report. As the list is in Regex format, you may be able to use it on other monitoring systems. The video further down in this blog post shows you how you can use this list on LANGuardian.

\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.\{CRYPTENDBLACKDC\}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.ctbl|\.html|\.locked|\.ha3|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware|\.LeChiffre|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.AES256|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.PORNO

Two things to check before you turn this list into an alert. First, several entries (.txt, .html, .EXE, .mp3, .xyz, .biz) match perfectly ordinary files; they are most likely in the list because ransom notes and droppers use them, but on a busy share they will drown out the real hits, so drop them or pair them with the specific ransom-note filename for the variant. Second, the expression matches anywhere in a name, so \.enc also fires on a file such as notes.encoded.txt; anchor each alternative to the end of the filename (for example (\.locky|\.cerber|\.encrypted)$) and match case-insensitively, since the list mixes cases like .Encrypted and .PORNO.

2. Watch out for an increase in file renames

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behaviour to trigger an alert. Renames do happen in normal use, so do not alert on every one; alert when the rate goes above a threshold, because a sustained burst of renames is a potential Ransomware issue. Our recommendation is to base your alert on anything above 4 renames per second. Baseline your own shares first, as some applications save a document by writing a temporary copy and renaming it, and remember that variants which keep the original filename will not trigger this check, so pair it with the extension report.

Our video shows how to set up a LANGuardian trend graph, which you can then use to create an alert. It also demonstrates how to set up a file activity monitoring report that shows any filenames with extensions known to be associated with Ransomware.
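As an added example (not LANGuardian's code, and not the spreadsheet's), here is how the two checks above, known extensions and a rename-rate threshold, look when run over a file-activity log. The log format is constructed for the example (pipe-separated, one event per line, not LANGuardian's export), the extension list is a subset of the published regex anchored to the end of the name with the generic entries dropped, and the threshold of 4 renames per second with a one-second sliding window is the value recommended above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Extensions taken from the published list, matched case-insensitively and
# anchored to the END of the name. Generic entries from that list (.txt, .html,
# .EXE, .mp3, .xyz, .biz) are left out on purpose: they match ordinary files.
RANSOMWARE_EXTENSIONS = [
    "locky", "cerber", "crypt", "crypted", "encrypted", "enc", "vault", "xtbl",
    "ecc", "exx", "ezz", "micro", "vvv", "ctbl", "crinf", "crjoker", "ha3",
    "coverton", "enigma", "R5A", "R4A", "CrySiS", "EnCiPhErEd", "AES256",
    "encryptedRSA", "encryptedAES", "better_call_saul", "CryptoTorLocker2015!",
    "LOL!", "OMG!",
]
EXTENSION_RE = re.compile(
    r"\.(?:" + "|".join(re.escape(e) for e in RANSOMWARE_EXTENSIONS) + r")$",
    re.IGNORECASE,
)

# Constructed file-activity log in a hypothetical pipe-separated format (not
# LANGuardian's own export): timestamp|client|user|operation|path|new path
SAMPLE_LOG = r"""
2016-05-24T10:15:30.000|10.0.0.7|bob|READ|\\fs1\finance\policy.docx|
2016-05-24T10:15:31.000|10.0.0.7|bob|RENAME|\\fs1\finance\draft.docx|\\fs1\finance\final.docx
2016-05-24T10:15:32.000|10.0.0.5|alice|WRITE|\\fs1\finance\Q1 budget.xlsx|
2016-05-24T10:15:32.100|10.0.0.5|alice|RENAME|\\fs1\finance\Q1 budget.xlsx|\\fs1\finance\Q1 budget.xlsx.locky
2016-05-24T10:15:32.250|10.0.0.5|alice|RENAME|\\fs1\finance\Q2 budget.xlsx|\\fs1\finance\Q2 budget.xlsx.locky
2016-05-24T10:15:32.400|10.0.0.5|alice|RENAME|\\fs1\finance\vendors.csv|\\fs1\finance\vendors.csv.locky
2016-05-24T10:15:32.550|10.0.0.5|alice|RENAME|\\fs1\finance\payroll.xlsx|\\fs1\finance\payroll.xlsx.locky
2016-05-24T10:15:32.700|10.0.0.5|alice|RENAME|\\fs1\finance\notes.txt|\\fs1\finance\notes.txt.locky
2016-05-24T10:15:32.850|10.0.0.5|alice|WRITE|\\fs1\finance\recover_instructions.txt|
2016-05-24T10:15:40.000|10.0.0.9|carol|WRITE|\\fs1\hr\report.html|
2016-05-24T10:15:41.000|10.0.0.9|carol|CREATE|\\fs1\hr\scan.pdf.CERBER|
""".strip().splitlines()


def parse_event(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        return None
    ts, client, user, op, path, newpath = parts
    return {"ts": datetime.fromisoformat(ts), "client": client, "user": user,
            "op": op, "path": path, "newpath": newpath or None}


def load_events(lines):
    return [e for e in (parse_event(l) for l in lines) if e is not None]


def known_extension_hits(events):
    """(client, filename) for every path or rename target with a listed extension."""
    hits = []
    for e in events:
        for name in (e["path"], e["newpath"]):
            if name and EXTENSION_RE.search(name):
                hits.append((e["client"], name))
    return hits


def peak_rename_rates(events, window_seconds=1.0):
    """Per client, the highest number of RENAMEs seen inside one sliding window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] != "RENAME":
            continue
        window = recent[e["client"]]
        window.append(e["ts"])
        while (e["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        peak[e["client"]] = max(peak[e["client"]], len(window))
    return dict(peak)


def rename_rate_alerts(events, threshold=4, window_seconds=1.0):
    """Clients that exceeded `threshold` renames in one window (4/s as recommended)."""
    rates = peak_rename_rates(events, window_seconds)
    return sorted(c for c, n in rates.items() if n > threshold)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for client, name in known_extension_hits(events):
        print(f"extension hit  client={client} file={name}")
    for client in rename_rate_alerts(events):
        print(f"rename burst   client={client} "
              f"peak={peak_rename_rates(events)[client]}/s")
```

Two details are worth copying into whatever tool you use: the extension check looks at the rename target as well as the original path, because the interesting name only exists after the rename; and the rate check is per client, so one infected workstation stands out even when hundreds of users are busy on the same share.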

3. Create a sacrificial network share

When Ransomware strikes, it typically encrypts local files first and then moves on to network shares. Most of the variants I have looked at go through the mapped drives in alphabetical order: the G: drive, then H:, and so on.

A sacrificial network share can act as an early warning system and also delay the Ransomware from reaching your critical data. Map it to an early drive letter such as E:, something that sorts before your real drive mappings. The share should be set up on old, slow disks and contain thousands of small random files.

With many small, randomly named files there is no easy way for the malware to list them in on-disk order, so it spends much of its time seeking around the disk. Depending on the implementation, the cipher may also have to be re-initialised for every file, which slows the encryption down further.

The slower the disk the better. You could go to the extreme of putting it behind a router and rate-limiting traffic to the share. This may add a slight delay to the logon process, but the honeypot may buy you enough time to shut client machines down if they become infected with Ransomware.

You could also set up an alert that triggers if a specific canary file within the share is accessed or renamed. That is a sure sign that something is walking your file shares, provided you exclude the legitimate processes that touch everything (backup jobs, antivirus scans, search indexers) and educate your users to stay away from this share.

Sacrificial network share
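An added example, not from this post and not part of LANGuardian, of building and watching the sacrificial share. It assumes the directory is already exported as a share and mapped to an early drive letter by your own means; the script only seeds it with small random files, records a hash baseline, and reports anything missing, modified or newly created. The canary names, subdirectory names and the simulated attack in demo() are assumptions made up for the example.

```python
import hashlib
import os
import random
import shutil
import string
import tempfile
from pathlib import Path

# Assumed canary names: chosen so they sort to the very top and bottom of a
# directory listing, where an alphabetical walk meets them first and last.
CANARY_NAMES = ["!0000_budget.xlsx", "!0001_contracts.docx", "zzzz_archive.pdf"]
SUBDIRS = ["Accounts", "Archive", "Legal", "Projects", "Scans"]   # assumed
EXTENSIONS = [".docx", ".xlsx", ".pdf", ".jpg", ".txt"]           # assumed


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def seed_decoy_share(root, file_count=2000, max_size=4096, seed=0):
    """Fill `root` with the canaries plus `file_count` small files of random
    content. `seed` fixes names and sizes; file contents come from os.urandom."""
    root = Path(root)
    rng = random.Random(seed)
    for sub in SUBDIRS:
        (root / sub).mkdir(parents=True, exist_ok=True)
    written = []
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(os.urandom(rng.randint(256, max_size)))
        written.append(p)
    for _ in range(file_count):
        stem = "".join(rng.choices(string.ascii_lowercase + string.digits, k=10))
        p = root / rng.choice(SUBDIRS) / (stem + rng.choice(EXTENSIONS))
        p.write_bytes(os.urandom(rng.randint(64, max_size)))
        written.append(p)
    return written


def snapshot(root):
    """Relative path -> SHA-256 for every file under root (the baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in root.rglob("*") if p.is_file()}


def check_share(root, baseline):
    """Compare the share with the baseline. Any non-empty list is an alert:
    nobody should be renaming, rewriting or adding files on this share."""
    current = snapshot(root)
    return {
        "missing": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "new": sorted(k for k in current if k not in baseline),
    }


def is_compromised(report):
    return any(report.values())


def demo(file_count=30):
    """Build a decoy share in a temp dir, baseline it, simulate an attack
    (rename one canary with a known extension, overwrite another) and return
    (number of baseline files, report). Demonstration only; uses a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="decoy_share_"))
    try:
        seed_decoy_share(root, file_count=file_count)
        baseline = snapshot(root)
        first = root / CANARY_NAMES[0]
        first.rename(first.with_name(first.name + ".locky"))
        (root / CANARY_NAMES[-1]).write_bytes(b"not the original bytes")
        return len(baseline), check_share(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    count, report = demo()
    print(f"baseline files: {count}")
    for kind, names in report.items():
        print(f"{kind:9s} {names}")
    print("ALERT" if is_compromised(report) else "clean")
```

Run seed_decoy_share() once against the real share directory, keep the snapshot() output somewhere the share cannot reach, and run check_share() on a schedule or from your file-activity alert. Because the check hashes every file, it also catches variants that encrypt in place and keep the original name, which a pure extension or rename check would miss.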

4. Update your IDS systems with exploit kit detection rules

Many IDS, IPS and firewall systems come with exploit detection features. Exploit kits are a common way of getting Ransomware onto a client: the victim is steered to the kit by malspam or a compromised website, and the kit exploits the browser or a plugin to run the payload.

The two exploit kits (EK) most commonly associated with Ransomware at the moment are the Neutrino EK and the Angler EK. Check that your network security monitoring systems are up to date and that they have rules for exploit-kit detection; these signatures go stale quickly as the kits change their landing pages and obfuscation, so the rule set needs regular updates.

LANGuardian includes the Snort IDS system which supports the detection of exploit kits. Watch out for any activity in the Top Network Events report.
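To turn the Top Network Events idea into a list of hosts to isolate, here is an added example (not part of LANGuardian or of Snort) that parses Snort's alert_fast output and counts exploit-kit alerts per internal host. The alert lines, rule messages and SIDs (in the local 1000000+ range) are constructed for the example and are not real rule identifiers; the EK filter assumes your rule set names the exploit kit in the message text, and the internal ranges are assumed to be RFC 1918.

```python
import ipaddress
import re
from collections import Counter

# Layout of a Snort 2 "alert_fast" line:
# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] message [**] [Classification: text]
#   [Priority: N] {PROTO} src:port -> dst:port        (IPv4 only here)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Rule messages that name an exploit kit. Assumes the rule set follows the
# usual "... EK ..." / "Exploit Kit" / "EXPLOIT_KIT" naming; adjust to taste.
EK_RE = re.compile(r"\b(?:EK|Exploit[ _]?Kit)\b", re.IGNORECASE)

# Assumed internal address space (RFC 1918). The internal end of an EK alert
# is the suspected victim, because the browser initiates the connection.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alert lines (messages and SIDs made up for this example).
SAMPLE_ALERTS = [
    "06/14-10:21:09.512301  [**] [1:1000001:1] LOCAL EXPLOIT_KIT Angler EK landing page [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:49201 -> 203.0.113.10:80",
    "06/14-10:21:11.004211  [**] [1:1000002:1] LOCAL EXPLOIT_KIT Angler EK Flash exploit download [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:49202 -> 203.0.113.10:80",
    "06/14-10:22:40.770000  [**] [1:1000003:1] LOCAL EXPLOIT_KIT Neutrino EK landing page [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.12:51000 -> 198.51.100.7:80",
    "06/14-10:23:01.000000  [**] [1:1000010:1] LOCAL POLICY Dropbox client traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.0.0.7:50333 -> 192.0.2.44:443",
    "Commencing packet processing (pid=2231)",
]


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def exploit_kit_alerts(lines):
    """Only the alerts whose rule message names an exploit kit."""
    return [a for a in map(parse_alert, lines) if a and EK_RE.search(a["msg"])]


def suspected_victim(alert):
    """The internal end of the flow, falling back to the source address."""
    for end in ("src", "dst"):
        ip = ipaddress.ip_address(alert[end])
        if any(ip in net for net in INTERNAL_NETS):
            return alert[end]
    return alert["src"]


def victims_by_host(lines):
    """Internal host -> number of exploit-kit alerts, most-hit host first."""
    counts = Counter(suspected_victim(a) for a in exploit_kit_alerts(lines))
    return dict(counts.most_common())


if __name__ == "__main__":
    for host, n in victims_by_host(SAMPLE_ALERTS).items():
        print(f"{host:15s} {n} exploit-kit alert(s): isolate and check its shares")
```

A landing-page alert followed by an exploit-download alert for the same internal host, as in the first two sample lines, is the sequence to act on immediately: pull that machine off the network before it reaches the file shares, then use the file activity reports to confirm whether anything was encrypted.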

5. Use client based anti-ransomware agents

Over the past few months, companies like Malwarebytes have released anti-ransomware applications. These run in the background and block attempts by Ransomware to encrypt data; they also monitor the Windows registry for strings known to be associated with Ransomware. The drawback of this approach is that you have to install and maintain the client software on every endpoint.

Researchers are also looking at ways to deliberately 'crash' a computer when a dropper is detected. Droppers are small applications that infect the target machine first, in preparation for downloading the main malware payload. A crash means the system is likely to be sent to IT, where the attack should be discovered.

You should also tell your users not to install agents themselves. There is too much risk that they will install the wrong agent, or end up installing more malware on their systems.

Getting your data decrypted

In 2016 the infosec industry rallied around a common goal to combat ransomware under the No More Ransom initiative. Whilst the public face of the initiative is the portal, where almost 100 decryption tools are provided free to anyone unlucky enough to be a victim of ransomware, it is a genuine collective of organisations and law enforcement agencies combating ransomware and those behind such cowardly attacks.

Find out which variant of Ransomware you are dealing with by reviewing any splash screens or the information in the ransom note text files. You can then search for a decryption tool on the No More Ransom site.

If you are dealing with a Ransomware attack you can download our LANGuardian product trial to find the source of the infection. The trial version has all the relevant reports available.

Will Ransomware go away?

The simple answer to this is no! All of the indicators suggest that Ransomware will remain a major and rapidly growing threat, fueled by anonymizing networks and payment methods.

Expect to see more Ransomware variants that target websites instead of file stores. Linux.Encoder.1 is an example of this threat: when a website is attacked, the Ransomware holds the site's files, pages and images for ransom.

There are two key lessons here:

  1. Ensure you are backing up your website
  2. Keep the website operating system and CMS fully patched

Ransomware is also a growing problem on mobile devices, in two main forms: lock-screen Ransomware stops you accessing anything on the device, and file-encrypting variants encrypt the data stored on it. You can reduce your chances of infection by avoiding unofficial app stores and by keeping the device and its apps updated.

I’ll finish by repeating the advice: ensure you backup all of your personal and work data. Educate users on the risks and disconnect problematic users from sensitive data.