
Script to monitor for Crypto infections


Here is a simple LT script that uses only LT functions to probe an end system and look for all the common decrypt files found for the different variants of Cryptolocker. If found, it will email you back which system was found to be infected.

 

I made several major changes that allow it to run as a 2013 or LT10 script. The script now loops through all current drives that are not missing and are FAT32 or NTFS, scans each one for Cryptolocker files, then sends an email if files are found.

 

You can edit the script to create a ticket or fire off an alarm.

 

http://www.squidworks.net/2015/04/labtech-scripts-cryptolocker-probe-script-finds-infections-fast/

 

Check script logs for probe logs:

 

 

 

Enjoy

 

Cubert


This is the full command for one client we acquired which had the leftovers. It makes a CSV file of all locations of the files, which can then be deleted:

Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Name -match 'DECRYPT_INSTRUCTION.HTML' -or $_.Name -match 'DECRYPT_INSTRUCTION.txt' } | Export-Csv C:\Windows\LTSvc\decryptfiles.csv -NoTypeInformation -Force


The script is great, but we do seem to be getting a lot of false positives with the following message:

 

C:\>dir /s *decrypt*.txt

Volume in drive C has no label.

Volume Serial Number is D410-637B variable doesn't exit - Performing Legacy Comparison

L17 Email Parameter1: email@email.com Parameter2: System with possible CryptoLoc Parameter3: The following client Time Taken: 72169.7563052

L18 Variable Check Parameter1: MYLOOP Parameter2: 6 Parameter3: 2 Time Taken: 72170.7613627

L19 Script Goto Parameter1: Parameter2: Parameter3: Time Taken: 72170.8613684


What do you mean getting false positives? The script is just doing a "dir /s" on each drive, so either there are files named *decrypt*.txt or there are not. I did notice some script timing issues that were causing the script to not be able to run the batch file; I added in a couple of wait lines and some extra logging to overcome this.

 

If Cubert doesn't mind I can post my script. I've also added scanning for *decrypt*.html and am using ticket creation instead of email.


Sorry, I listed it in my post above. Lots of emails are being generated when no files are actually found. Everyone has the following message:

 

C:\>dir /s *decrypt*.txt

Volume in drive C has no label.

Volume Serial Number is D410-637B variable doesn't exit - Performing Legacy Comparison

L17 Email Parameter1: email@email.com Parameter2: System with possible CryptoLoc Parameter3: The following client Time Taken: 72169.7563052

L18 Variable Check Parameter1: MYLOOP Parameter2: 6 Parameter3: 2 Time Taken: 72170.7613627

L19 Script Goto Parameter1: Parameter2: Parameter3: Time Taken: 72170.8613684


Yeah, false positives here too.

 

UPDATE: Lines 14 and 16 had a reference to a variable @SCANRET@ (in my image it's 14 and 15). I swapped that for %shellresult% on both lines and all is working properly. I also deleted the original line 15 as it seemed redundant, and then added the search option for .html as well in line 13.


I'm obviously missing something. It's calling for the CryptoProbe.bat file, and I don't see it in the install folder. What did I miss?

 

Script Engine - 'c:\windows\ltsvc\CryptoProbe.bat' is not recognized as an internal or external command,

operable program or batch file. variable doesn't exit - Performing Legacy Comparison

 

Thanks,

 

James


Hi James,

 

The script is actually 'writing' the bat file in real time when it runs. Part of the issue I had was that sometimes this file would not be created (unknown reasons) and gave me the same error, which actually hits as a false positive. I added a line to repeat the bat file creation, and it has been working very well since then.


 

Great posts, guys. I needed to loop through the drives and remove the decrypt files just to clean everything up. I used everyone's comments and added a few lines to delete the files after finding them... seems to be working okay. Following the last line is just a confirmation email with %shellresult% in the body.


Here is the XML. Update your email address in Line 22 or change it to create a ticket, etc.

 

https://s3.amazonaws.com/techpleasepublic/Cryptolocker+-+loop+find+and+delete.xml

 

I have some Log entries in here because I was recently troubleshooting the script... I think there are more efficient ways to write this, but this was working for me.

 

My next step is to update the original cryptoprobe script that finds the files and update a UDF field that I can then use to join computers to a search. I will add this search to a group and decide whether to run my "find, loop, delete" script manually or automatically.


Hi, just an idea:

Script with one shell command:

for /D %i in (c d e f g h i j k l m n o p q r s t u v w x y z) do dir %i:\*DECRYPT*.* /s /b /a-d >>%windir%\LTSvc\Packages\Search.txt

%i: drive-letter variable

/s: subfolders

/a-d: not directories

/b: bare format

 

It will search all available drives for any file whose name contains the word "DECRYPT", and write the results (if found) as lines in Search.txt,

ie:

d:\filecoder\HELP_DECRYPT.TXT

c:\Users\rami\AppData\Roaming\Microsoft\Windows\Recent\HELP_DECRYPT.TXT.lnk

 

Schedule this script, and after that you can create a monitor to notify you if Search.txt is greater than 1 byte,

with an auto action if you want when detected.

 

Thanx

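The posts above describe the same procedure three ways (Cubert's per-drive loop, the Get-ChildItem one-liner, the single dir /s command), and the false-positive reports show what goes wrong when the scan itself fails and its error text is treated as a hit. The following PowerShell is an added example written for this thread; it is not Cubert's script, the posted XML, or either poster's command. It applies the first post's drive filter (present, fixed, NTFS or FAT32), searches each drive for the note names mentioned in the thread, skips the Recent-items .lnk shortcuts that show up alongside real notes, and keeps scan errors separate from findings so a failed scan never reports as an infection. The pattern list, the LTSvc output path and PowerShell 3 or later are assumptions.

```powershell
# Added example, not the LabTech script from the thread. Enumerates every ready,
# fixed NTFS/FAT32 volume, searches it for ransom-note file names, and keeps real
# hits apart from scan errors so that a failed scan (the "false positive" the
# thread describes) is never reported as an infection.
# Assumptions: the note-name patterns below (the names mentioned in the thread
# plus the *decrypt*.txt/.html variants) and the LTSvc output path.

$NotePatterns = @('*DECRYPT_INSTRUCTION*', '*HELP_DECRYPT*', '*decrypt*.txt', '*decrypt*.html')

function Get-ScanTargets {
    # Same filter the first post describes: present, fixed, NTFS or FAT32.
    [System.IO.DriveInfo]::GetDrives() | Where-Object {
        $_.IsReady -and $_.DriveType -eq 'Fixed' -and
        (@('NTFS', 'FAT32') -contains $_.DriveFormat)
    }
}

function Find-RansomNotes {
    param(
        [string[]]$Patterns = $NotePatterns,
        [string]$CsvPath = "$env:windir\LTSvc\decryptfiles.csv"   # assumed; mirrors the thread
    )
    $hits   = @()
    $errors = @()
    foreach ($drive in Get-ScanTargets) {
        $root = $drive.RootDirectory.FullName
        $scanErr = $null
        $found = Get-ChildItem -Path $root -Include $Patterns -Recurse -Force `
                     -ErrorAction SilentlyContinue -ErrorVariable scanErr
        # Access-denied and similar errors are recorded, not treated as hits.
        foreach ($e in $scanErr) { $errors += "$root : $($e.Exception.Message)" }
        foreach ($f in $found) {
            if ($f.PSIsContainer) { continue }          # files only
            if ($f.Extension -ieq '.lnk') { continue }  # Recent-items shortcut to a note, not a note
            $hits += [pscustomobject]@{
                Path     = $f.FullName
                Bytes    = $f.Length
                Modified = $f.LastWriteTimeUtc.ToString('u')
            }
        }
    }
    if ($hits.Count -gt 0) {
        $hits | Export-Csv -Path $CsvPath -NoTypeInformation -Force
    }
    [pscustomobject]@{
        Infected = ($hits.Count -gt 0)
        Hits     = $hits
        Errors   = $errors
    }
}

# Print a one-line verdict that a LabTech script can read from %shellresult%,
# and use distinct exit codes: 0 clean, 1 notes found, 2 scan did not complete.
$result = Find-RansomNotes
if ($result.Infected) {
    "INFECTED: $($result.Hits.Count) ransom note(s) on $env:COMPUTERNAME"
    $result.Hits | ForEach-Object { $_.Path }
    exit 1
} elseif ($result.Errors.Count -gt 0) {
    "SCAN-INCOMPLETE: $($result.Errors.Count) error(s); no notes found"
    exit 2
} else {
    "CLEAN: no ransom notes found on $env:COMPUTERNAME"
    exit 0
}
```

The point of the three outcomes is the middle one: a LabTech check that only asks "is %shellresult% non-empty?" will fire on "is not recognized as an internal or external command" just as readily as on a real HELP_DECRYPT.TXT. Checking the verdict prefix (or the exit code) lets the email or ticket step fire only on INFECTED, and route SCAN-INCOMPLETE to a separate log entry.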

Anyone tried creating a folder on the server named 'AAAAAAA' and sticking about 10,000 xls files in it and seeing if it bogs the Crypto stuff down while your scripts detect it? Does the byte count change on an encrypted file? If so, as soon as the byte count changes on a file, or the archive bit switches, you know you have something going on. I was debating shutting down the Server service as well as setting off alarms all over the place...

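The decoy-folder idea above can be turned into a check that does not depend on byte counts or the archive bit. The PowerShell below is an added example for this thread, not something any poster shared: it seeds a folder whose name sorts first with decoy spreadsheets, records each file's size and SHA-256 in a baseline stored outside the folder, and on each later run reports files that changed, disappeared (renamed with a new extension) or appeared (an encrypted copy or a dropped note). The folder name follows the post; the file count, the decoy file name and the baseline path are assumptions.

```powershell
# Added example, not from the thread. Seeds a decoy folder that sorts first
# ('AAAAAAA', as the post suggests), records a baseline of size and SHA-256 per
# file outside that folder, and later compares. A changed hash, a missing file
# or an unexpected new file is the alert; hashing also catches in-place
# encryption that leaves the byte count unchanged.
# Assumptions: decoy count, decoy file name, and the baseline path.

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
    } finally { $sha.Dispose() }
}

function Get-CanarySnapshot([string]$Folder) {
    # Name -> @{ Length; Hash } for every file in the decoy folder (hidden ones too).
    $snap = @{}
    Get-ChildItem -Path $Folder -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $snap[$_.Name] = @{ Length = $_.Length; Hash = (Get-Sha256Hex $_.FullName) }
    }
    $snap
}

function New-Canary {
    param([string]$Folder = 'C:\AAAAAAA', [int]$Count = 25,
          [string]$BaselinePath = "$env:ProgramData\canary-baseline.xml")
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    for ($i = 1; $i -le $Count; $i++) {
        $p = Join-Path $Folder ('invoice_{0:d3}.xls' -f $i)   # assumed decoy name
        if (-not (Test-Path $p)) {
            # Random content so every decoy has a distinct hash.
            $buf = New-Object byte[] 4096
            (New-Object System.Random).NextBytes($buf)
            [System.IO.File]::WriteAllBytes($p, $buf)
        }
    }
    Get-CanarySnapshot $Folder | Export-Clixml -Path $BaselinePath
}

function Test-Canary {
    param([string]$Folder = 'C:\AAAAAAA',
          [string]$BaselinePath = "$env:ProgramData\canary-baseline.xml")
    $baseline = Import-Clixml -Path $BaselinePath
    $now = Get-CanarySnapshot $Folder
    $alerts = @()
    foreach ($name in $baseline.Keys) {
        if (-not $now.ContainsKey($name)) { $alerts += "MISSING  $name"; continue }
        if ($now[$name].Hash -ne $baseline[$name].Hash) {
            $alerts += ('MODIFIED {0} ({1} -> {2} bytes)' -f $name, $baseline[$name].Length, $now[$name].Length)
        }
    }
    foreach ($name in $now.Keys) {
        if (-not $baseline.ContainsKey($name)) { $alerts += "NEW      $name" }
    }
    $alerts   # empty means the decoys are untouched
}

# Usage: run New-Canary once per host, then schedule Test-Canary and raise the
# alarm (or stop the Server service) when it returns one or more lines.
New-Canary
Test-Canary
```

Two caveats worth keeping in mind. The archive bit is set by any write, including backups clearing and re-setting it, so it is a weak signal on its own; a hash comparison is specific to content change. And the baseline must live somewhere the same malware will not reach first; ProgramData on the same host is the minimum, a share or the RMM server is better.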

Does this script work on LT 2013? I keep getting an error saying that the script is made with the newer version of LT and the script may not work. Is this script made only for LT 10? Is it possible to make this script available for the 2013 version as well? Thanks!!
