
Cryptolocker detection with PRTG

Votes:

14

Hello Paessler,

It seems cryptolockers are more and more active. We were hit in August 2014 and we were lucky we could stop the malware early and we only had to restore a small portion of all files. However we have implemented a three-step system since then, that I would like to share with you. If we can help even one sysadmin to quickly detect cryptolocker, it's a victory writing this down.

1. In the root folder of all file shares we have a couple of files called _DONT_CHANGE.TXT (and .JPG, .DOC). They contain a short explanation of what cryptolocker does and why these files should not be changed. The JPG is actually a screenshot of the textfile. All have the same date.

2. In PRTG we have added a basic file check called "Static File Change [Share] Share JPG (VIRUS?)" that basically checks on change notification of the File Time Stamp. Since cryptolocker encrypts the file and changes the file date in the process, the file check will be down for 24 hours. In the notifications section you can implement e-mail/SMS alerting on these notifications.

3. Then in the comments we have written the procedure for stopping more damage by cryptolocker: making all file shares read-only. This can be done by logging in on the file server, Open the Server Manager, Go to Roles, then File Services, then Share and Storage Management. Here you can check per share in the properties > Permissions > Share Permissions and then remove the write permission for the group "everyone". This way, nobody can write, not even Cryptolocker.

Then the final step is discovering the source (the owner of the encrypted files) and restoring files from the file backup.


Created on Mar 31, 2016 12:32:20 PM

Last change on Apr 1, 2016 11:24:13 AM by Luciano Lingnau [Paessler]
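The three-step canary setup above, as an added example that is not part of the original post or of PRTG itself: a Python check that plants the _DONT_CHANGE files, records their timestamp and SHA-256 once, and afterwards reports any change in the "value:message" form a PRTG EXE/Script sensor reads. The exit-code convention (0 = OK, 2 = error), the share path and the test scenario are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

CANARY_NAMES = ("_DONT_CHANGE.TXT", "_DONT_CHANGE.JPG", "_DONT_CHANGE.DOC")
NOTICE = (b"Canary file for ransomware detection. Do not modify, rename or delete it. "
          b"If it changes, this share is probably being encrypted.")

def plant_canaries(share_root: Path) -> None:
    """Step 1: put the canary files in the share root (constructed content)."""
    share_root.mkdir(parents=True, exist_ok=True)
    for name in CANARY_NAMES:
        (share_root / name).write_bytes(NOTICE)

def fingerprint(path: Path) -> tuple:
    """Timestamp plus SHA-256, so a touched file and a rewritten file are both caught."""
    return path.stat().st_mtime_ns, hashlib.sha256(path.read_bytes()).hexdigest()

def baseline(share_root: Path) -> dict:
    """Record the known-good state once, right after planting the files."""
    return {name: fingerprint(share_root / name) for name in CANARY_NAMES}

def check_canaries(share_root: Path, expected: dict) -> tuple:
    """Step 2: return (exit_code, 'value:message') for a PRTG EXE/Script sensor.
    Assumed convention: exit 0 = OK, 2 = error; value = number of altered canaries."""
    problems = []
    for name, (mtime, digest) in expected.items():
        path = share_root / name
        if not path.exists():
            problems.append(f"{name} missing")  # deleted or renamed to a new extension
            continue
        now_mtime, now_digest = fingerprint(path)
        if now_digest != digest:
            problems.append(f"{name} content changed")
        elif now_mtime != mtime:
            problems.append(f"{name} timestamp changed")
    if problems:
        return 2, f"{len(problems)}:VIRUS? canary altered: " + "; ".join(problems)
    return 0, "0:all canaries unchanged"

def simulate() -> tuple:
    """Constructed scenario: a clean check, then one canary overwritten in place."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    plant_canaries(root)
    expected = baseline(root)
    clean = check_canaries(root, expected)
    (root / "_DONT_CHANGE.JPG").write_bytes(b"\x00garbage standing in for ciphertext\xff")
    return clean, check_canaries(root, expected)
```

Hashing as well as the timestamp matters because a locker that preserves file dates would otherwise slip past a pure File Time Stamp check.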



5 Replies

Votes:

0

Hello Rene,
thank you very much for your feedback and sharing this.

It's a clever solution, it's great to see that PRTG can help you with it.

Best Regards,

Created on Apr 1, 2016 11:20:02 AM by Luciano Lingnau [Paessler]



Votes:

0

Hi ReneD

That's a damn fine idea to monitor this.

Many thanks for me as well. I will implement it immediately.

thanks Thomas

Created on May 17, 2016 3:25:43 PM



Votes:

0

Interesting and simple idea. Hope it saves us from a tedious rebuild.

Rob

Created on Jun 28, 2016 6:26:42 PM



Votes:

0

The cryptolocker PRTG detection proved itself last week when a variant of Locky infected one of our systems. I'm interested if PRTG can take actions like shut down a server or execute a script and will research this.

Created on Jun 30, 2016 12:04:55 PM



Votes:

0

PRTG can indeed execute a script or EXE that will shut down the target host. Please have a look at executing applications using notifications :)

Created on Jun 30, 2016 12:20:55 PM by Stephan Linke [Paessler Support]

Last change on Jun 30, 2016 12:21:00 PM by Stephan Linke [Paessler Support]



