Hello Paessler,
It seems cryptolockers are more and more active. We were hit in August 2014 and we were lucky we could stop the malware early and only had to restore a small portion of all files. However, we have implemented a three-step system since then that I would like to share with you. If we can help even one sysadmin quickly detect cryptolocker, writing this down is a victory.
1. In the root folder of all file shares we have a couple of files called _DONT_CHANGE.TXT (and .JPG, .DOC). They contain a short explanation of what cryptolocker does and why these files should not be changed. The JPG is actually a screenshot of the text file. All have the same date.
2. In PRTG we have added a basic file check called "Static File Change [Share] Share JPG (VIRUS?)" that basically checks on change notification of the file time stamp. Since cryptolocker encrypts the file and changes the file date in the process, the file check will be down for 24 hours. In the notifications section you can implement e-mail/SMS alerting on these notifications.
3. Then in the comments we have written the procedure for stopping further damage by cryptolocker: making all file shares read-only. This can be done by logging in on the file server, opening the Server Manager, going to Roles, then File Services, then Share and Storage Management. Here you can check per share, in the properties > Permissions > Share Permissions, and then remove the write permission for the group "everyone". This way, nobody can write, not even cryptolocker.
Then the final step is discovering the source (the owner of the encrypted files) and restoring files from the file backup.
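A check along the lines of steps 1 and 2, as an added Python example that is not from the post or from PRTG: it deploys the canary files with a common date, records a baseline of size, date and SHA-256, and then reports any canary that goes missing, is re-dated, or is rewritten with its date put back (which a timestamp-only sensor would miss). The file contents, the temporary-directory demo and the simulated changes are assumptions for illustration.

```python
"""Canary-file check in the spirit of the _DONT_CHANGE.* files described above."""
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAMES = ["_DONT_CHANGE.TXT", "_DONT_CHANGE.JPG", "_DONT_CHANGE.DOC"]
# Constructed placeholder text; the real files carry an explanation for users.
CANARY_TEXT = b"Ransomware canary: do not change, rename or delete this file.\n"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def deploy_canaries(share_root: Path, mtime: float) -> dict:
    """Create the canaries and record a baseline of size, date and hash."""
    baseline = {}
    for name in CANARY_NAMES:
        p = share_root / name
        p.write_bytes(CANARY_TEXT)
        os.utime(p, (mtime, mtime))  # all canaries share the same date, as in the post
        st = p.stat()
        baseline[name] = {"size": st.st_size, "mtime": st.st_mtime, "sha256": sha256_of(p)}
    return baseline

def check_canaries(share_root: Path, baseline: dict) -> list:
    """Return one (name, reason) alert per canary that is missing, re-dated or rewritten."""
    alerts = []
    for name, expected in baseline.items():
        p = share_root / name
        if not p.exists():
            alerts.append((name, "MISSING"))          # renamed/deleted, e.g. a new extension
            continue
        st = p.stat()
        if st.st_mtime != expected["mtime"]:
            alerts.append((name, "MTIME_CHANGED"))    # what the PRTG file sensor also sees
        elif st.st_size != expected["size"] or sha256_of(p) != expected["sha256"]:
            alerts.append((name, "CONTENT_CHANGED"))  # rewritten but date restored
    return alerts

def demo() -> list:
    """Constructed scenario: healthy check, then three different canary changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        base = deploy_canaries(root, 1_400_000_000)
        assert check_canaries(root, base) == []
        (root / "_DONT_CHANGE.TXT").write_bytes(b"\x00" * 64)                      # overwritten
        (root / "_DONT_CHANGE.JPG").rename(root / "_DONT_CHANGE.JPG.locked")        # renamed
        doc = root / "_DONT_CHANGE.DOC"
        doc.write_bytes(b"\x00" * 64)
        os.utime(doc, (base[doc.name]["mtime"], base[doc.name]["mtime"]))           # date put back
        return check_canaries(root, base)
```

Run this check from a scheduled task or a PRTG EXE/Script sensor against each share root alongside the built-in file sensor; the hash comparison is what catches a rewrite that preserves the timestamp.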