CryptoCanary

So I had this post drafted for a while but haven’t gotten around to polishing it up before publishing – given the recent WannaCry / WannaCrypt shenanigans it’s probably the perfect time to share this.

After dealing with a nasty CryptoWall 4.0 outbreak, which had a new ransom note and new filename encryption, I decided to put in place some method of being alerted if or when an infected machine started to encrypt files on the file share.

Ransomware of this kind typically arrives by email inside a zipped attachment. Once executed it starts encrypting the C: drive and then any mapped network drives, working through the drive letters in alphabetical order. To get your files back you have to pay a ransom!

This highlights the importance of prevention, detection and response…

  1. Email filtering
  2. User education
  3. Up-to-date antivirus
  4. CryptoCanary™
  5. Backups (that are regularly tested)

Below is the PowerShell code I used. Run as a scheduled task on a file server, it checks the hash of a honeypot file, “CryptoTriggerDO_NOT_DELETE.DOCX” (just a basic Word document with a couple of lines of text), placed in the root of the share on the lowest alphabetically ordered drive letter, and emails you if the file has been modified or deleted. Because the ransomware works through drives in alphabetical order, the canary should be hit early on, which gives you a heads-up before the encryption takes hold of all the files so you can locate the source of the infection and halt it. Two things to keep in mind: the worst-case detection delay is one scheduled-task interval, so pick the interval accordingly, and the account the task runs under needs read access to the honeypot file (and should have no more than that).

  1. Copy CryptoCanary.ps1 and CryptoTriggerDO_NOT_DELETE.docx to the server. Place the trigger file in the root of the lowest alphabetically ranked drive letter.
  2. Edit the following in the script:
  • the SmtpClient constructor – change “SMTP.SERVER” to your mail server
  • the From, To, Subject and Body assignments – change the email addresses and subject lines. Use your own address until you’ve tested it
  • $HashStore – if the honeypot file is renamed or edited, recalculate its MD5 with Get-FileHash -Algorithm MD5 and enter the new hash here
  • $HashFile – the location of the honeypot file
  3. Create a scheduled task to kick off the detector periodically, say every 5–10 minutes, by executing powershell.exe with the location of the .ps1 script as an argument. Run it under an account that has read access to the trigger file and nothing more.

function SendEmail([string]$reason)
{
    # Replace SMTP.SERVER with your mail server. If SmtpUseCredentials is set to
    # "true" in the environment the task runs under, the placeholder credentials
    # below are used; replace them too (use a dedicated, low-privilege mailbox).
    $smtp = New-Object Net.Mail.SmtpClient("SMTP.SERVER")

    if ($Env:SmtpUseCredentials -eq "true") {
        $credentials = New-Object Net.NetworkCredential("username", "password")
        $smtp.Credentials = $credentials
    }

    $objMailMessage = New-Object System.Net.Mail.MailMessage
    $objMailMessage.From = "CryptoWarning@yourdomain.com"
    $objMailMessage.To.Add("admin@yourdomain.com")
    $objMailMessage.Subject = "Possible Crypto infection Started $reason"
    $objMailMessage.Body = "Possible Crypto infection Started. Log on to confirm and find source of infection! $reason"

    $smtp.Send($objMailMessage)
}

# MD5 of the untouched honeypot file. Recalculate it with
# Get-FileHash -Path <file> -Algorithm MD5 whenever the file is renamed or edited.
$HashStore = "0F80B68868C4B33AD3CD3F87903BF26E"

# Location of the honeypot file (SHARE is a placeholder for the real path).
$HashFile = "SHARE\\CryptoTriggerDO_NOT_DELETE.docx"

# Get-FileHash needs PowerShell 4.0 or later.
if (Test-Path $HashFile)
{
    $HashBaseline = Get-FileHash -Path $HashFile -Algorithm MD5

    # A changed hash means the file was rewritten in place; a missing file
    # (handled below) means it was deleted or renamed, which is what CryptoWall
    # 4.0's filename encryption does.
    if ($HashStore -ne $HashBaseline.Hash)
    {
        SendEmail "Hashes do not match"
    }
}
else
{
    SendEmail "File doesn't exist"
}
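To turn the three setup steps above into something you can run, here is an added setup script; it is not part of the original post and not part of CryptoCanary.ps1. The paths C:\CryptoCanary\CryptoCanary.ps1 and D:\CryptoTriggerDO_NOT_DELETE.docx, the task name CryptoCanary and the 5-minute interval are my assumptions, not values from the post. It records the baseline MD5 of the canary, checks that the value embedded in $HashStore actually matches the file on disk (a stale hash means the very first run alerts), registers the scheduled task, and forces one run so a bad SMTP setting shows up straight away rather than during an outbreak.

```powershell
# Added setup example, not the original CryptoCanary.ps1. Run once, in an elevated
# PowerShell session on the file server. All paths and names below are assumptions.

$ScriptPath = 'C:\CryptoCanary\CryptoCanary.ps1'     # assumed location of the detector script
$CanaryPath = 'D:\CryptoTriggerDO_NOT_DELETE.docx'   # assumed: root of the lowest shared drive letter
$TaskName   = 'CryptoCanary'                          # assumed task name
$Interval   = New-TimeSpan -Minutes 5                 # assumed polling interval (worst-case detection delay)

# Step 1: the canary must already be in place. It is a real .docx, so copy it rather
# than generating it; a plain text file is more likely to be skipped by the ransomware.
if (-not (Test-Path -Path $CanaryPath)) {
    throw "Canary file not found at $CanaryPath. Copy CryptoTriggerDO_NOT_DELETE.docx there first."
}

# Step 2: record the baseline hash. Keep the algorithm the same as the detector's ($HashStore
# holds an MD5). MD5 is adequate here: nothing is trying to forge a collision, the file
# simply gets rewritten or renamed, and any change at all is what we want to see.
$Baseline = (Get-FileHash -Path $CanaryPath -Algorithm MD5).Hash
Write-Host "Baseline MD5 of canary: $Baseline"

# Check that the hash embedded in the script matches the file on disk; otherwise the
# first scheduled run sends a false alarm and you lose trust in the alert.
$ScriptText = Get-Content -Path $ScriptPath -Raw
if ($ScriptText -notmatch ('\$HashStore\s*=\s*"' + $Baseline + '"')) {
    Write-Warning "`$HashStore in $ScriptPath does not equal $Baseline. Update it before the task runs."
}

# Step 3: register the task. SYSTEM can read a local canary; use a dedicated low-privilege
# account instead if $HashFile in the detector points at a UNC path.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# -Once plus -RepetitionInterval repeats indefinitely on Windows Server 2016 / Windows 10
# and later; Server 2012 R2 also needs -RepetitionDuration ([TimeSpan]::MaxValue).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval $Interval

$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Don't stack instances if a run hangs on an unreachable mail server; kill a run after 2 minutes.
$Settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Step 4: prove the wiring. Run the detector once now and read back the result;
# LastTaskResult 0 with no email means the hash matched and the mail path was not exercised,
# so temporarily edit $HashStore to a wrong value, re-run, and confirm the alert arrives.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $TaskName |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

The forced run at the end is the part most people skip: a canary that cannot send mail is indistinguishable from a canary that has nothing to report, so test the alert path end to end (with your own address, as the post says) before relying on it.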
