Support Team Stories – Detecting the Source of Ransomware
Locating the source of Ransomware on a network
The following case study is from an actual client network, and as such some information is masked in the screenshots. The methods used to locate the source of ransomware can be used on networks of any size.
We were contacted by a client to help with their incident response in tracking down an infection on a client's machine with the new CTB-Locker ransomware (Curve-Tor-Bitcoin Locker), aka Critroni, for which no signatures were available at the time of infection.
LANGuardian includes a file share activity monitoring module which provided a very detailed forensic analysis of the ransomware and the paths it had taken in order to encrypt the client's system and also the file server to which it was connected. The initial infection came from the opening of an attachment in an e-mail.
What type of Ransomware were we dealing with?
CTB-Locker is usually delivered through spam e-mail. There is no way to get the data back except by restoring from backup or paying the ransom, as per this analysis:
“CTB Locker and Network Shares – CTB Locker will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CTB Locker will not encrypt any files on a network share.
It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CTB Locker.”
How we found the source of the Ransomware
Using the LANGuardian forensic dashboard to focus on the specific IP address given for investigation (X.X.81.61), we detected some strange file share traffic. If you have a LANGuardian you can do this yourself by following these steps:
Go to the LANGuardian search page (search button, top left in the GUI) and enter the IP address (X.X.81.61) in the Forensics search panel.
Once the next page has loaded, change the time and date to those of the incident.
Looking a bit closer, random files named “laaaaaaa.tmp” can be seen, so we decided to dig a bit further to see what was lurking beneath the surface and discovered that the machine was then contacting X.X.1.182, which was the file server. This can also be seen on the dashboard above.
- Looking up “laaaaa.tmp” online at the time led to one hit on Google, in Russian.
- The infection name is “Win32/Filecoder.DA.Gen”.
A closer look at what is happening shows us that the files on the file share have been infected and then encrypted:
To check the network for any other systems that may have been infected, we went back to the search page and used the file search to track down any further infections.
Looking closer and using the search field for specific file names, it appeared that only the machine in question, “X.X.81.61”, was infected, but this one machine also infected a high number of files on the file server, which had to be restored from a backup taken prior to the infection and encryption process.
It is critical to continuously monitor and alert on suspicious file share activity, for example the creation of filenames associated with malware or the renaming of large numbers of files in a short time. If something gets into your network, you need a fast way of locating and disconnecting the source, or it will continue to encrypt files as you restore them.
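As an added example (not part of the original post and not LANGuardian code), here are the two alerts recommended above run over constructed file share activity records: a known-bad filename being created, and a burst of renames from one client in a short window. The record format, the 192.0.2.x addresses and the threshold values are assumptions.

```python
"""Detect two ransomware indicators in file-share activity records:
1. creation of a filename associated with known malware
2. many renames from one client within a short sliding window
Record format "ISO-timestamp client action path" is an assumption,
and all sample data below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Filename seen in the case study; extend from your own incidents.
SUSPICIOUS_NAMES = {"laaaaaaa.tmp"}

# Constructed sample records (TEST-NET addresses, fictitious paths).
SAMPLE_LOG = r"""
2015-02-10T09:00:00 192.0.2.61 CREATE \\fs01\share\laaaaaaa.tmp
2015-02-10T09:00:02 192.0.2.61 RENAME \\fs01\share\docs\budget.xlsx
2015-02-10T09:00:03 192.0.2.61 RENAME \\fs01\share\docs\notes.docx
2015-02-10T09:00:05 192.0.2.77 RENAME \\fs01\share\hr\draft.docx
2015-02-10T09:00:06 192.0.2.61 RENAME \\fs01\share\docs\plan.pptx
2015-02-10T09:00:08 192.0.2.61 RENAME \\fs01\share\docs\invoice.pdf
2015-02-10T09:00:09 192.0.2.61 RENAME \\fs01\share\docs\photo.jpg
2015-02-10T09:00:40 192.0.2.77 CREATE \\fs01\share\hr\report.docx
"""


def parse(log):
    """Turn raw lines into (timestamp, client, action, path) tuples."""
    records = []
    for line in log.strip().splitlines():
        ts, client, action, path = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), client, action, path))
    return records


def detect(records, window=timedelta(seconds=60), rename_threshold=5):
    """Return alerts as (kind, client, detail); fires once per burst."""
    alerts = []
    renames = defaultdict(list)  # client -> rename timestamps in window
    for ts, client, action, path in records:
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "CREATE" and name in SUSPICIOUS_NAMES:
            alerts.append(("suspicious_filename", client, path))
        if action == "RENAME":
            times = renames[client]
            times.append(ts)
            while times and ts - times[0] > window:  # slide the window
                times.pop(0)
            if len(times) == rename_threshold:
                secs = int(window.total_seconds())
                alerts.append(("rename_burst", client,
                               f"{len(times)} renames within {secs}s"))
    return alerts
```

Feed it records for the whole incident window and the first alert's client is the host to isolate; the page's own investigation arrived at X.X.81.61 the same way, by filename and by volume of file activity.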
If you need any help with detecting Ransomware on your network, please don’t hesitate to contact us.
NetFort Support Team