Friday, July 25, 2014

Everyday Powershell - Part 25 - Monitor for CryptoWall

So the bastards got us! Yup we got Cryptowalled!

We caught the infection before it did too much damage, isolated the PC, configured the firewall to block the IPs it was trying to get to and restored the pwnd files from backup. Business as usual really.

But what do we do to monitor for this in the future?

Whacked this together quickly;
$protectedpaths = "\\server1\someshare", "\\server2\someother"
$filename = "-Canary-.txt"
$foldername = "\-----AAA--TOP-----\"
$canarystring = "If this can be read everything is ok"
$logpath = "C:\scripts\cryptolockercanary.txt"
$recipients = ""
$smtpserver = "somemailserver"

$report = @()

foreach ($path in $protectedpaths){
    $temp = "" | select Time, Path, EncryptedStatus
    $pathwithfolder =  $path + $foldername
    $canarypath =  $pathwithfolder + $filename
    $temp.time = get-date
    $temp.path = $pathwithfolder
    if (test-path $canarypath){
        $test = Get-content $canarypath
        if ($test -eq $canarystring){
            $temp.EncryptedStatus = $false
            $temp.EncryptedStatus = $true
            Send-MailMessage -to $recipients -From  -Subject ("CryptoLockerCanary Has been changed! " + $temp.time) -BodyAsHtml ($temp | convertto-html | Out-String-SmtpServer $smtpserver
        mkdir $pathwithfolder
        out-file $canarypath -InputObject $canarystring
        Set-ItemProperty -Path $canarypath -Name attributes -Value ((Get-ItemProperty $canarypath).attributes -BXOR ([io.fileattributes]::Hidden))
        if (test-path $canarypath){
            Send-MailMessage -to $recipients -From  -Subject ("CryptoLockerCanary file is not present - creating new one " + $temp.time) -BodyAsHtml ($temp | convertto-html | Out-String-SmtpServer $smtpserver
            Send-MailMessage -to $recipients -From -Subject ("CryptoLockerCanary file is not present and COULD NOT CREATE new one - Recomend investigation " + $temp.time) -BodyAsHtml ($temp | convertto-html | Out-String-SmtpServer $smtpserver
    $report += $temp
$report | export-csv -Path $logpath -Append -NoTypeInformation

It'll take any folders defined in $protectedpaths and stick a "canary" file in there. If it sees a change to the canary file it'll send out emails to $recipients.

This is scheduled to run every five minutes so this way we'll get alerted really quickly if it get's through again.

No comments:

Post a Comment