
CryptoWall Monitor - Tested and Working



Okay, so we have created a monitor to deploy, delay, and detect the CryptoWall virus. What it essentially does is as follows:

 

1. Creates a few directories on the root of the C: drive (1.CryptoMonitor, and in that folder there is a 1.Monitor folder and a 2.EncryptionDelay folder along with a zip file)

2. The Monitor folder has one single file in it and the encryption delay folder has thousands of dummy text files nested in hundreds of folders (totaling 738 MB)

3. The LabTech script downloads a zip file that is 12MB and extracts it multiple times into the delay folder to achieve a higher delay (we tested it and it should be a 30 minute delay for the virus)

4. After the LabTech script downloads and checks the files, it checks a box on the workstations saying that it has been onboarded. That triggers a search to install a remote monitor on the system that checks the C:\1.CryptoMonitor\1.Monitor folder, monitoring how many files are in it. If there is any more than 1 file (the infection will put its instructions in there) then we get an email within 30 seconds of it happening. The email contains more information to double-check the virus by listing out what files are located in that folder. That way we know whether to act or not before even getting into the system.

 

We have deployed this to all of our clients and we have already detected and stopped the CryptoWall virus on two different clients before their data could get corrupted. This also puts more value into workstation monitoring. =)

 

It would be good to exclude this folder from your antivirus scans.

 

DISCLAIMER: By downloading this and/or using these concepts you are agreeing that you are fully responsible for what happens on the networks that this was applied to. I am not responsible for any damage to your network or your clients' networks from you using these scripts.

CryptoMonitor Files.zip

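The layout and the file-count check described in the post above, written out as a stand-alone PowerShell script. This is an added example, not the poster's LabTech scripts (those are in the attached zip) and not a LabTech remote monitor: it creates the decoy folders, drops one known canary file into 1.Monitor, and then reports anything else that appears there, or the canary going missing, so it can be run from a scheduled task or an RMM. The paths follow the post; the canary file name, the dummy-file counts, and the use of fsutil to create the dummy files are assumptions.

```powershell
# Added example, not the original LabTech scripts. Paths follow the thread;
# the canary file name and the dummy-file counts are assumptions.
$Root       = 'C:\1.CryptoMonitor'
$MonitorDir = Join-Path $Root '1.Monitor'
$DelayDir   = Join-Path $Root '2.EncryptionDelay'
$CanaryName = 'DoNotDelete.txt'   # assumption: the single expected file in 1.Monitor

function New-DecoyLayout {
    param([int]$Folders = 7, [int]$FilesPerFolder = 2000, [int]$FileSize = 5120)
    New-Item -ItemType Directory -Path $MonitorDir -Force | Out-Null
    New-Item -ItemType Directory -Path $DelayDir   -Force | Out-Null
    # Exactly one known file in the monitored folder; anything else is an alert.
    Set-Content -LiteralPath (Join-Path $MonitorDir $CanaryName) -Value 'canary' -Encoding ASCII
    # Dummy files that cost the encryptor time before it reaches real data.
    foreach ($n in 1..$Folders) {
        $dir = New-Item -ItemType Directory -Path (Join-Path $DelayDir "$n.Folder") -Force
        foreach ($i in 1..$FilesPerFolder) {
            # fsutil writes zero-filled files quickly; it needs an elevated shell.
            fsutil file createnew (Join-Path $dir.FullName "$i.File.txt") $FileSize | Out-Null
        }
    }
}

function Test-MonitorFolder {
    # Returns one finding per anomaly; no output means the folder looks normal.
    if (-not (Test-Path -LiteralPath $MonitorDir)) {
        return [pscustomobject]@{ Finding = 'folder missing'; Name = $MonitorDir; Size = 0; Modified = Get-Date }
    }
    $items = @(Get-ChildItem -LiteralPath $MonitorDir -File -Force)
    if ($items.Name -notcontains $CanaryName) {
        # The canary was deleted or renamed (e.g. given a new extension after encryption).
        [pscustomobject]@{ Finding = 'canary missing'; Name = $CanaryName; Size = 0; Modified = Get-Date }
    }
    foreach ($f in $items | Where-Object { $_.Name -ne $CanaryName }) {
        # A ransom note, or the renamed canary, lands here; this is the 'more than 1 file' condition.
        [pscustomobject]@{ Finding = 'unexpected file'; Name = $f.Name; Size = $f.Length; Modified = $f.LastWriteTime }
    }
}

# Usage: run New-DecoyLayout once (elevated), then Test-MonitorFolder on a schedule.
$findings = @(Test-MonitorFolder)
if ($findings.Count -gt 0) {
    # The listing doubles as the detail the post puts in the alert e-mail.
    $body = "Decoy folder changed on $env:COMPUTERNAME`n" +
            ($findings | Format-Table -AutoSize | Out-String)
    Write-Warning $body
    # Send-MailMessage -To 'soc@example.invalid' -From "$env:COMPUTERNAME@example.invalid" -Subject 'Canary hit' -Body $body -SmtpServer 'mail.example.invalid'   # assumption: replace with your relay or let the RMM raise the alert
    exit 1
}
```

Two things worth noting about the check: it also fires when the canary itself disappears, which covers variants that rename files as they encrypt rather than dropping a note, and the exit code lets a scheduled task or RMM treat a non-zero result as the alert condition. The antivirus exclusion the post recommends applies to the whole C:\1.CryptoMonitor tree, since an AV engine quarantining a dropped note would otherwise race the monitor.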
What about the other several dozen crypto viruses besides CryptoWall? Is this going to be doing anything for them? Like TeslaCrypt or Locky?

 

If it encrypts the files on the PC then the monitor will pick it up. All it does is look for a virus that is encrypting the files on the PC. As long as it puts an instruction file in the encrypted folders, or any other file for that matter, then LabTech will see it.

 

If the virus does not put an instruction file in the folders that it encrypts then this will not do anything, but I haven't seen that yet.


Oh awesome, that's what it sounded like it would do, I was just confused by the branding, but I guess CryptoWall is the Band-Aid of adhesive medical strips/bandages. I do love the dummy file idea because for most of these, if you catch it before it completes encryption you can pull the key from it and decrypt everything. BRILLIANT!


First off, thanks for posting this; it's been talked about on here for a while but nobody has offered a valued solution, and I commend you for sharing yours! But I've imported your scripts and I'm running them on my LT server, but the .txt & .compress file never appeared in my LTShare directory. Any chance you can attach those to your forum post too? Thanks!!!

 

Also, I kept failing to create the CryptoMonitor folder (line 15 in the Onboard & Verify script); I kept getting an error that access to the path was denied when attempting to create it. I was able to get around this by modifying your script slightly; here's the change to line 15. I also had to repeat this in the Repair Directory script.

 

Function: LabTech Command

Command: 2

Parameters: cmd!!! /C @powershell -NoProfile -ExecutionPolicy unrestricted -Command "new-item C:\Windows\LTSvc\CryptoWallMonitor -itemtype directory"

Group List: leave blank

ID: %COMPUTERID%

ID Type: keep on default (Computer)


The monitor does not work correctly because it automatically adds a space at the end of the file directory, thus the monitor is not able to find the correct folder. Example: it should look at the folder 'C:\1.CryptoMonitor\1.Monitor' but LT automatically changes the folder to 'C:\1.CryptoMonitor\1.Monitor\ ' . If you manually create the monitor at the machine level (instead of with the group) it works correctly, but that sucks because you'll need to manually create the monitor at each machine. I talked to LT support about this today and this was their response "This is an issue that Dev is currently working to address, and unfortunately, there is no workaround at this time. I will pass your ticket to Dev so that you can be alerted once this issue has been resolved". I'm not part of LT Pilot program, so I don't know if it works correctly with LT11 or not. If any of you guys do have access to v11 please test it out and post your results here we'd appreciate it.


I was thinking about something like that but using the built-in command fsutil.exe to create the dummy files (using fsutil file) and a FOR loop in a BAT script; then all we need is to copy this BAT file and shell out to run it on the target, and a remote monitor checks the folder size as well. But I was wondering, where does ransomware start its encryption process? Does all ransomware start encrypting from the same location?

I mean, you decided to copy your folder onto the C:\ drive, why not "C:\Users\"? Are you saying that ransomware starts encrypting in C:\?

I will need to find the answer first, then I think I'm going to set this up, because putting the files in the right location will make it more effective.


I have wanted to do this manually on all of our clients' file servers for a long time now as an early warning system. Anything that can reduce the time spent restoring files/data will help. Thankfully, ransomware has tested out our backups, which are top notch thanks to the admin who looks after them. OP, great work for sharing this; I will definitely be trying this out.

The monitor does not work correctly because it automatically adds a space at the end of the file directory, thus the monitor is not able to find the correct folder. Example: it should look at the folder 'C:\1.CryptoMonitor\1.Monitor' but LT automatically changes the folder to 'C:\1.CryptoMonitor\1.Monitor\ ' . If you manually create the monitor at the machine level (instead of with the group) it works correctly, but that sucks because you'll need to manually create the monitor at each machine. I talked to LT support about this today and this was their response "This is an issue that Dev is currently working to address, and unfortunately, there is no workaround at this time. I will pass your ticket to Dev so that you can be alerted once this issue has been resolved". I'm not part of LT Pilot program, so I don't know if it works correctly with LT11 or not. If any of you guys do have access to v11 please test it out and post your results here we'd appreciate it.

 

Mine works completely fine and does not have this issue. I'm not sure if there is something that you are doing wrong when creating the monitor or if I am just lucky that I don't have the issue.

I was thinking about something like that but using the built-in command fsutil.exe to create the dummy files (using fsutil file) and a FOR loop in a BAT script; then all we need is to copy this BAT file and shell out to run it on the target, and a remote monitor checks the folder size as well. But I was wondering, where does ransomware start its encryption process? Does all ransomware start encrypting from the same location?

I mean, you decided to copy your folder onto the C:\ drive, why not "C:\Users\"? Are you saying that ransomware starts encrypting in C:\?

I will need to find the answer first, then I think I'm going to set this up, because putting the files in the right location will make it more effective.

 

In all of the variants we have tested, if it does start in the AppData directory it will automatically start at the root of C:\ after that; otherwise it starts at the top of the hard drive. We have stopped a few CryptoWall infections after putting this in place and saved the clients' documents in time. We got hold of a copy of CryptoWall and tested to see how long the delay was and where it encrypted first. Obviously this could change due to the fact that the makers of the virus are constantly evolving it, but anything that tries to monitor it is good with me. Until we see that this is not effective we will not put dummy files and monitors in places where they are not needed.


Note: I edited my reply today and deleted "%AppData%" after I found that ransomware skips %AppData%, Internet Temporary Files, All Users, and a couple more folders.

 

Actually, I've done what I wrote in my previous reply using only those 2 commands to create hundreds of dummy folders and files instead of transferring them. And I would like to share one idea I think is useful:

I made a loop by mounting C: to a "GoToJail" folder at the end of my dummy files. Hopefully the ransomware will hit a recursive loop.

 

And here is the folder C:\$.AMCryptoMonitor\GoToJail\$.AMCryptoMonitor\GoToJail\$.AMCryptoMonitor\GoToJail\$.AMCryptoMonitor\GoToJail\

 

I used the command: MOUNTVOL

Note: I edited my reply today and deleted "%AppData%" after I found that ransomware skips %AppData%, Internet Temporary Files, All Users, and a couple more folders.

 

Actually, I've done what I wrote in my previous reply using only those 2 commands to create hundreds of dummy folders and files instead of transferring them. And I would like to share one idea I think is useful:

I made a loop by mounting C: to a "GoToJail" folder at the end of my dummy files. Hopefully the ransomware will hit a recursive loop.

I used the command: MOUNTVOL

 

How big is that folder that delays the virus? It seems like it is a lot of data usage on the hard drive. I think the one I have is only like 100MB.

 

EDIT* I looked at your idea and I am curious to what the virus will do, maybe we will load cryptowall on a PC and test it in our test environment. It may take a while for us to get the time to do it though.

Note: I edited my reply today and deleted "%AppData%" after I found that ransomware skips %AppData%, Internet Temporary Files, All Users, and a couple more folders.

 

Actually, I've done what I wrote in my previous reply using only those 2 commands to create hundreds of dummy folders and files instead of transferring them. And I would like to share one idea I think is useful:

I made a loop by mounting C: to a "GoToJail" folder at the end of my dummy files. Hopefully the ransomware will hit a recursive loop.

I used the command: MOUNTVOL

 

Here is a PowerShell command I have in the script that creates the folder/file structure.

 

Push-Location
1..7 | ForEach-Object {
    # -Force returns an existing folder instead of erroring, so a re-run does not drop the files into the wrong directory
    Set-Location -Path (New-Item -ItemType Directory -Path "C:\1.CryptoMonitor\2.EncryptionDelay\$_.Folder" -Force).FullName
    # 14000 zero-filled 5 KB files per folder; fsutil needs an elevated shell
    ForEach ($i in 1..14000) { fsutil file createnew ([string]$i + ".File.txt") 5120 | Out-Null }
}
Pop-Location

The monitor does not work correctly because it automatically adds a space at the end of the file directory, thus the monitor is not able to find the correct folder. Example: it should look at the folder 'C:\1.CryptoMonitor\1.Monitor' but LT automatically changes the folder to 'C:\1.CryptoMonitor\1.Monitor\ ' . If you manually create the monitor at the machine level (instead of with the group) it works correctly, but that sucks because you'll need to manually create the monitor at each machine. I talked to LT support about this today and this was their response "This is an issue that Dev is currently working to address, and unfortunately, there is no workaround at this time. I will pass your ticket to Dev so that you can be alerted once this issue has been resolved". I'm not part of LT Pilot program, so I don't know if it works correctly with LT11 or not. If any of you guys do have access to v11 please test it out and post your results here we'd appreciate it.

 

Mine works completely fine and does not have this issue. I'm not sure if there is something that you are doing wrong when creating the monitor or if I am just lucky that I don't have the issue.

 

 

I have issues with spaces at end of monitors and this has helped a ton.

 

http://labtechconsulting.com/monitors-trailing-spaces/

It has no size, I mean it is a mount point to C:.

The idea is to trap the ransomware: ransomware iterates from the top of the volume, into this infinite loop of folders.

 

If it is a mount point to C:, won't it just encrypt as per normal then?


@Datacomm

I use BAT, not PowerShell, but it is the same process (FOR /L %%i IN (1,1,50) DO FSUTIL ...)

 

 

If it is a mount point to C:, won't it just encrypt as per normal then?

It is a loop that takes you to C:, and since your folder name starts with "$" it puts it at the top of the list.

You could create multiple sinkholes (GoToJail) anywhere you want; they won't take any space on your hard drive, but they will send the ransomware into a recursive loop.


EDIT* I looked at your idea and I am curious to what the virus will do, maybe we will load cryptowall on a PC and test it in our test environment. It may take a while for us to get the time to do it though.

 

Please keep me updated when you load ransomware on a test PC.

I'm going to push (ROCKY) as soon as I have time as well, and will write up the results.


It is a loop that takes you to C:, and since your folder name starts with "$" it puts it at the top of the list.

You could create multiple sinkholes (GoToJail) anywhere you want; they won't take any space on your hard drive, but they will send the ransomware into a recursive loop.

 

Ok, this could get risky though. So let's say your alert didn't work and your backups were for some reason no good. This has the potential of possibly over-encrypting data multiple times. What if it starts at the end of the file structure? Now it encrypts everything and when it gets to your GoToJail mount point it does it again... and again... and again. Makes a possible pay-to-restore impossible. Kind of risky, wouldn't you say?

 

Also, on another note: in my testing some of the new variants don't actually place instructions in each folder. They place instructions in %appdata% and set up a run key to run it on startup. This makes the monitor ineffective. We need to find some second method of determining if encryption has occurred.

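One second method of the kind the post above asks for, as an added example that is not part of the thread's scripts: instead of counting files in the monitor folder, baseline a sample of the decoy files in 2.EncryptionDelay by SHA-256 and then flag any that were modified in place or disappeared. Variants that encrypt in place show up as 'modified'; variants that write an encrypted copy under a new name and delete the original show up as 'missing', with the renamed sibling listed; a baseline file that can no longer be parsed is itself reported, since it sits in the same tree. The paths follow the thread; the baseline location and the per-folder sample size are assumptions.

```powershell
# Added example, not from the thread's scripts. Complements the file-count
# monitor for variants that drop no note in each folder. Paths follow the
# thread; the baseline location and sample size are assumptions.
$DelayDir = 'C:\1.CryptoMonitor\2.EncryptionDelay'
$Baseline = 'C:\1.CryptoMonitor\baseline.json'   # assumption; keep a copy off-box as well

function Get-CanarySample {
    param([int]$PerFolder = 3)
    # Hashing every dummy file on each run is expensive; a few per folder is enough,
    # because an encryptor walking the tree will touch all of them.
    Get-ChildItem -LiteralPath $DelayDir -Directory | ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -File | Select-Object -First $PerFolder
    }
}

function New-CanaryBaseline {
    # Records path, size and SHA-256 of the sampled canaries; run once after deployment.
    $records = @(Get-CanarySample | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Size = $_.Length
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    })
    $records | ConvertTo-Json | Set-Content -LiteralPath $Baseline -Encoding UTF8
    $records
}

function Test-CanaryBaseline {
    # Returns one finding per changed or missing canary; no output means all intact.
    try {
        $expected = Get-Content -LiteralPath $Baseline -Raw -ErrorAction Stop |
                    ConvertFrom-Json -ErrorAction Stop
    } catch {
        # An encrypted or deleted baseline is itself a strong signal.
        return [pscustomobject]@{ Path = $Baseline; Finding = 'baseline unreadable'; Detail = $_.Exception.Message }
    }
    foreach ($rec in @($expected)) {
        if (-not (Test-Path -LiteralPath $rec.Path)) {
            # Rename-and-encrypt variants remove the original; list whatever now carries its name.
            $leaf    = Split-Path -Path $rec.Path -Leaf
            $renamed = Get-ChildItem -LiteralPath (Split-Path -Path $rec.Path -Parent) -File |
                       Where-Object { $_.Name.StartsWith($leaf) } |
                       Select-Object -ExpandProperty Name
            [pscustomobject]@{ Path = $rec.Path; Finding = 'missing'; Detail = ($renamed -join ', ') }
            continue
        }
        $hash = (Get-FileHash -LiteralPath $rec.Path -Algorithm SHA256).Hash
        if ($hash -ne $rec.Hash) {
            # In-place encryption changes the content (and usually the size) but keeps the name.
            $size = (Get-Item -LiteralPath $rec.Path).Length
            [pscustomobject]@{ Path = $rec.Path; Finding = 'modified'; Detail = "size $size, was $($rec.Size)" }
        }
    }
}

# Usage: New-CanaryBaseline once after the decoys exist, then Test-CanaryBaseline on a schedule.
$findings = @(Test-CanaryBaseline)
if ($findings.Count -gt 0) {
    Write-Warning ("Canary integrity failed on $env:COMPUTERNAME`n" +
                   ($findings | Format-Table -AutoSize | Out-String))
    exit 1
}
```

Because the dummy files are zero-filled, every one of them hashes identically, which does not matter for this check but means the baseline also cannot tell you which file was touched first; if that ordering is useful for working out where the encryptor started, write distinct content into the sampled files when creating them. Excluding C:\1.CryptoMonitor from antivirus, as the original post recommends, is still necessary, otherwise a scan that quarantines a dropped note or a renamed canary will race the check.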
What if it starts at the end of the file structure

Makes sense

I don't even know where they start their encryption process, and that is what I asked in my first reply in this post.

I also don't know the encryption speed, if anyone knows please share.

 

This has the potential of possible over encrypting data multiple times
Makes for a possible pay to restore impossible

I think the payment will be the same; it is one code for all encrypted files on the infected PC, even if the ransomware doesn't skip the already encrypted files and encrypts them again and again.

 

Anyway, it needs testing, and more testing, with different types of encryption viruses.
