We caught the infection before it did too much damage, isolated the PC, configured the firewall to block the IPs it was trying to get to and restored the pwnd files from backup. Business as usual really.
But what do we do to monitor for this in the future?
Whacked this together quickly:

```powershell
$protectedpaths = "\\server1\someshare", "\\server2\someother"
$filename     = "-Canary-.txt"
$foldername   = "\-----AAA--TOP-----\"
$canarystring = "If this can be read everything is ok"
$logpath      = "C:\scripts\cryptolockercanary.txt"
$recipients   = "someadmin@mail.com"
$smtpserver   = "somemailserver"
$report = @()

foreach ($path in $protectedpaths) {
    $temp = "" | Select-Object Time, Path, EncryptedStatus
    $pathwithfolder = $path + $foldername
    $canarypath     = $pathwithfolder + $filename
    $temp.Time = Get-Date
    $temp.Path = $pathwithfolder

    if (Test-Path $canarypath) {
        # Canary is there: compare its content with the known-good string
        $test = Get-Content $canarypath
        if ($test -eq $canarystring) {
            $temp.EncryptedStatus = $false
        }
        else {
            # Content has changed: treat it as encrypted and alert
            $temp.EncryptedStatus = $true
            Send-MailMessage -To $recipients -From "some@email.com" `
                -Subject ("CryptoLockerCanary Has been changed! " + $temp.Time) `
                -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
    }
    else {
        # Canary is missing: (re)create the folder and a hidden canary file, then report
        if (-not (Test-Path $pathwithfolder)) { mkdir $pathwithfolder | Out-Null }
        Out-File $canarypath -InputObject $canarystring
        # -bor sets the Hidden bit; -bxor would merely toggle it
        Set-ItemProperty -Path $canarypath -Name Attributes `
            -Value ((Get-ItemProperty $canarypath).Attributes -bor [IO.FileAttributes]::Hidden)
        if (Test-Path $canarypath) {
            Send-MailMessage -To $recipients -From "some@email.com" `
                -Subject ("CryptoLockerCanary file is not present - creating new one " + $temp.Time) `
                -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
        else {
            Send-MailMessage -To $recipients -From "some@email.com" `
                -Subject ("CryptoLockerCanary file is not present and COULD NOT CREATE new one - Recommend investigation " + $temp.Time) `
                -BodyAsHtml ($temp | ConvertTo-Html | Out-String) -SmtpServer $smtpserver
        }
    }
    $report += $temp
}

$report | Export-Csv -Path $logpath -Append -NoTypeInformation
$report
```
It'll take any folders defined in $protectedpaths and stick a "canary" file in there. If it sees a change to the canary file it'll send out emails to $recipients.
This is scheduled to run every five minutes, so we'll get alerted really quickly if it gets through again.
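A stricter variant of the same canary check, plus the scheduled-task registration that runs it every five minutes, added here as an example (this is not code from the original post). The share paths, script path, mail settings and the service account name are placeholders. Beyond the script above it also treats a canary that has been renamed (many ransomware families rename the files they encrypt, so any other file in a folder that should only hold the canary is a signal) as a separate status, and it deliberately does not recreate the canary on its own, so the folder is left as evidence.

```powershell
# Placeholder configuration (assumed values, not from the original post)
$CanaryFolders = "\\server1\someshare\-----AAA--TOP-----", "\\server2\someother\-----AAA--TOP-----"
$CanaryName    = "-Canary-.txt"
$CanaryString  = "If this can be read everything is ok"
$ScriptPath    = "C:\scripts\cryptolockercanary.ps1"   # where this script is saved (placeholder)

function Test-CanaryFolder {
    param([string]$Folder)
    $canary = Join-Path $Folder $CanaryName
    $result = [pscustomobject]@{ Time = Get-Date; Path = $Folder; Status = "OK"; Extra = "" }

    if (-not (Test-Path -LiteralPath $canary)) {
        # Canary gone: either deleted, or renamed along with the rest of the share.
        # Any other file in this folder is suspicious, because only the canary should live here.
        $others = Get-ChildItem -LiteralPath $Folder -Force -File -ErrorAction SilentlyContinue
        if ($others) {
            $result.Status = "RENAMED"
            $result.Extra  = ($others.Name -join ", ")
        }
        else {
            $result.Status = "MISSING"
        }
        return $result
    }

    # Compare the whole file, not just its first line; [string] turns an empty file into ""
    [string]$content = Get-Content -LiteralPath $canary -Raw -Force
    if ($content.TrimEnd() -ne $CanaryString) {
        $result.Status = "MODIFIED"
        $result.Extra  = "LastWrite=" + (Get-Item -LiteralPath $canary -Force).LastWriteTime
    }
    return $result
}

function Register-CanaryTask {
    # Run once immediately, then every five minutes (Windows 8 / Server 2012 and later;
    # on older hosts use schtasks.exe /Create /SC MINUTE /MO 5 instead).
    param([string]$Account)   # account that only needs read/write on the canary folders
    $action  = New-ScheduledTaskAction -Execute "powershell.exe" `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                 -RepetitionInterval (New-TimeSpan -Minutes 5) `
                 -RepetitionDuration (New-TimeSpan -Days 3650)
    Register-ScheduledTask -TaskName "CryptoLockerCanary" -Action $action -Trigger $trigger `
        -User $Account -Password (Read-Host -Prompt "Password for $Account") -RunLevel Limited
}

# One-off setup: Register-CanaryTask -Account "DOMAIN\canarysvc"
# Task body: check every folder, alert on anything that is not OK, append the log
$results = foreach ($f in $CanaryFolders) { Test-CanaryFolder -Folder $f }
foreach ($r in ($results | Where-Object { $_.Status -ne "OK" })) {
    Send-MailMessage -To "someadmin@mail.com" -From "canary@mail.com" -SmtpServer "somemailserver" `
        -Subject ("CryptoLockerCanary " + $r.Status + " in " + $r.Path + " at " + $r.Time) `
        -BodyAsHtml ($r | ConvertTo-Html | Out-String)
}
$results | Export-Csv -Path "C:\scripts\cryptolockercanary.csv" -Append -NoTypeInformation
```

Running the task under a dedicated account that can only read and write the canary folders keeps the blast radius small if the scheduling host is ever compromised, and `-RunLevel Limited` avoids giving the check any elevation it does not need.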