Can EventSentry help me detect cryptolocker and take action when cryptolocker starts infecting a network share?

Article ID: 279
Category: File Access Tracking
Applies to: 2.90 and higher
Updated: 2016-03-03

Yes. Four components need to be configured to detect CryptoLocker or other ransomware and then either send an alert or cut off access to the network shares to stop the unwanted activity.

1) An action must be configured in EventSentry. You can use a Service action type to stop the LanmanServer service, which will cut off access to all file shares on a server. Or, you can use an Email/SMS, Pager, or Jabber action to send a notification to a recipient or list of recipients.
2) Windows Security Auditing must be turned on to audit Success for Advanced Audit Policy > Object Access > Audit File System (Windows Server 2008 and newer).
3) The top-level folder of the network share must be configured for auditing successful "Create Files/Write Data" activity, with the auditing applied to "This folder, subfolders, and files".
4) There must be an include filter configured in EventSentry to detect the high rate of file changes caused by CryptoLocker and then execute the desired Service, Email/SMS, Pager, or Jabber action.

1. Create an action:
In the EventSentry console, in the toolbar, click Actions > Add. If you would like to cut off access to the network shares on a server when CryptoLocker is detected, choose Service as the action type, then choose "LanmanServer" as the service name and Stop as the action to perform. If you would like to send a notification when CryptoLocker is detected, choose Email (which can send SMS as well), Pager, or Jabber as the action type, and configure the Email/Pager/Jabber server and the message recipient list. As an example, we will refer to the action as CryptoAlarm for the rest of this article.

2. Review or Configure Windows Security Auditing:
The first place to check is Group Policies in Active Directory. Make sure auditing is not listed as "disabled" or "no auditing" (a setting of "not configured" may be OK) under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System. You can double-click Audit File System and put a check in the "Configure the following audit events" box as well as the "Success" and "Failure" boxes. This won't actually generate any events on any of your servers, so it is generally safe to turn this auditing on if it is not turned on already.

If you have servers that aren't on a domain, or if you are hesitant to use Group Policy to enable auditing then you can also turn on auditing for each individual server. Log onto the server as an administrator and launch mmc.exe, choose File > Add/Remove Snap-In, then choose Group Policy Object Editor, select Local Computer as the object, and click OK. Then you can go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System, and put a check in the "Configure the following audit events" box as well as the "Success" and "Failure" boxes. Just like Group Policy in Active Directory, this doesn't actually generate any events yet.

3. Enable or Configure the Top-Level Folder Auditing:
In Windows, right-click the top-level folder that contains your file shares. For example, if your shares are all subfolders of D:\Home you would want to right-click D:\Home. Go to the Security tab of the folder properties, and click Advanced. Go to the Auditing tab and click Add. Type "everyone" (without quotes) and click OK. Put a check in the "Success" box of the "Create Files/Write Data" entry, and make sure the "Apply onto" drop-down box at the top of the window says "This folder, subfolders, and files". Keep clicking OK until all of the settings and properties windows are closed, and then open an existing file, make a change, and save the file. If everything is configured correctly, you will find event 4663 in the Windows Event Viewer, in the Security log, and the 4663 event details will show the name and directory of the file that you changed, and your account name will be displayed as the person who changed the file.

4. Create an include filter to detect the high rate of changes caused by CryptoLocker:
In the left pane of the EventSentry console, go to Packages > Event Logs, and right-click Event Logs and choose Add Package. Name your package, right-click it and choose Global. Instead of making the package global (which applies to all computers), you can also select "Assign" from the context menu and assign the package to any hosts and/or groups it should apply to. Then right-click your package again and choose Add Filter. Name your filter and then press Enter for the filter settings to appear.

Click Add and select the previously created action (CryptoAlarm) from the drop-down list. For the Log section, the only box you need to have checked is Security, and for the Severity section the only box you need to have checked is Audit Success. For the Event Source, you would locate Microsoft-Windows-Security-Auditing in the drop-down list, or copy it from this article and then paste it into the box. For Event ID use 4663. The next step is to set up a threshold so that your CryptoAlarm action is only executed when a suspiciously high number of file modifications occur in a very short amount of time. If you do not configure a threshold, you will end up being alerted multiple times per day or having your file shares become inaccessible multiple times per day.

Click the Threshold tab at the top of the filter settings and make sure the "Enable Threshold" box is checked. Set the Threshold Interval to a rate that is unreasonably fast for a person, such as 15 modifications in 10 seconds: no user could modify files that quickly, and legitimate programs like antivirus would not be making modifications to the files at all. In the Event Processing section, check the "Forward events after threshold has been met" and "Forward first event only" boxes. The rest of the sections can be left at the default values. Your CryptoLocker defense can begin soon!

5. Deploying the defenses:
In the EventSentry toolbar, click Groups > Push Configuration > Go. Once the configuration has been successfully updated on your remote hosts, your CryptoLocker defenses are enabled and ready to act when CryptoLocker or similar activity is detected.
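As an added example that is not part of this article or of EventSentry, the following PowerShell script performs steps 2 and 3 from an elevated prompt on the file server and then re-implements the step 4 rule locally (15 event-4663 entries within 10 seconds, reporting only the first event of the burst) against the Security log, so you can confirm the auditing produces the events the filter relies on before pushing the configuration. It assumes the D:\Home example path; the `-StopShares` switch, `Find-WriteBurst` and the other names are the example's own, not EventSentry's.

```powershell
# Added example (not EventSentry's own code): applies the Windows-side settings
# from steps 2 and 3, then checks the Security log with the same "N writes in
# M seconds" rule the filter uses. Run from an elevated PowerShell on the server.
param(
    [string]$ShareRoot = 'D:\Home',   # top-level folder of the shares (article example)
    [int]$Threshold = 15,
    [int]$WindowSeconds = 10,
    [switch]$StopShares               # opt in to the article's LanmanServer "Stop" action
)

# Step 2: Advanced Audit Policy > Object Access > Audit File System, Success and Failure.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 3: audit successful "Create Files/Write Data" by Everyone, applied to
# "This folder, subfolders, and files" (ContainerInherit + ObjectInherit).
$ruleArgs = @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::WriteData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl = Get-Acl -Path $ShareRoot -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $ShareRoot -AclObject $acl

# Step 4 logic: sliding window over 4663 events. Returns the first event of the first
# burst reaching $Threshold events within $WindowSeconds ("Forward first event only").
function Find-WriteBurst {
    param([int]$Threshold, [int]$WindowSeconds, [int]$LookbackMinutes = 5)
    $filter = @{ LogName = 'Security'; Id = 4663
                 StartTime = (Get-Date).AddMinutes(-$LookbackMinutes) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
                Sort-Object TimeCreated)
    for ($i = $Threshold - 1; $i -lt $events.Count; $i++) {
        $start = $events[$i - $Threshold + 1]
        if (($events[$i].TimeCreated - $start.TimeCreated).TotalSeconds -le $WindowSeconds) {
            return $start
        }
    }
    return $null
}
$burst = Find-WriteBurst -Threshold $Threshold -WindowSeconds $WindowSeconds
if ($burst) {
    Write-Warning ("Write burst starting {0}: {1}+ file writes within {2}s" -f
                   $burst.TimeCreated, $Threshold, $WindowSeconds)
    if ($StopShares) { Stop-Service -Name LanmanServer -Force }   # cuts off every share
}
```

Without `-StopShares` the script only warns, which is the safer way to tune the threshold against real user activity before wiring the filter to a Service action.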