
Ransomware Detection

One of the most compelling reasons for implementing LANGuardian network monitoring software is malware detection – or, more specifically in the current security environment, ransomware detection. Ransomware has overtaken all other forms of malware as the most dangerous threat to network security. According to the FBI, an average of 4,000 ransomware attacks were launched each day in 2016 and, as was seen in the WannaCry ransomware attack, not all attacks use email as a mode of delivery.

Consequently, many of the posts in our Malware Detection category are dedicated to ransomware detection – how to detect the presence of ransomware, how to set up alerts to warn of ransomware attacks and how to create a ransomware monitoring dashboard using LANGuardian. Interactive web demos and videos are included in many of our ransomware detection blogs in order to demonstrate the ease with which it is possible to add an extra layer of defense against ransomware attacks.

Malware detection and – in particular – ransomware detection goes far beyond identifying and containing a current attack. Once an attack is contained, it is essential to clean the network of any lingering malware to prevent a repeat attack. To find out more about using LANGuardian for the purposes of ransomware detection, you are invited to read our blogs, contact us with any questions you have or download your free trial of LANGuardian today.

How to Detect RYUK Ransomware on Your Network

RYUK Ransomware

What is RYUK Ransomware?

An advisory from the US-based Department of Health and Human Services notes that attacks involving RYUK appear to be targeted. In fact, its encryption scheme is intentionally built for small-scale operations, so that only crucial assets and resources are infected in each targeted network by a manual distribution from the attackers.

Reduce your attack surface. Check for inbound RDP connections on your network

Search engines such as Shodan allow cyber criminals to find networks where Remote Desktop Protocol, or RDP for short, is open. A tool such as NLBrute can then be used to try a whole range of RDP passwords. Make sure you are constantly checking inbound traffic on your network for any suspicious activity.

Targeted companies are selected one at a time, either via spear-phishing emails or Internet-exposed, poorly secured RDP connections. RDP allows remote use, even of fully-graphical applications that can’t be scripted or operated via a command prompt.

RYUK uses an AES-RSA combo encryption that’s usually undecryptable, unless the RYUK team made mistakes in its implementation. The encryption method that RYUK uses is more or less identical to that of the Hermes malware.

Previous versions of the Hermes ransomware have been an on-and-off threat that surfaces at random intervals with a mass spam campaign. The new RYUK ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect active Ransomware, like RYUK, on your network. One of the easiest ways to do this is to monitor network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place, you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes information such as filenames, actions and usernames.

As well as monitoring traffic associated with your file servers, we also recommend that you monitor all traffic at your network perimeter (just inside your firewall). Ransomware needs to communicate with the outside world, so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like RYUK.

The image below shows some of the things that you should watch out for when it comes to RYUK Ransomware.

RYUK Ransomware Monitoring Dashboard Screenshot

1. Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like RYUK strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames exceeds a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

2. Watch out for any files on your network with the .RYK extension.

RYUK encrypts data using a cryptography algorithm, thereby rendering files stored on a computer unusable. It appends the “.RYK” extension to each encrypted file, thus renaming all affected files. For example, “budget.xlsx” becomes “budget.xlsx.RYK”.

Use LANGuardian’s Search by File/Folder Name report to filter any file with the .RYK extension.

3. Check network shares for ransom notes

When files are encrypted on your network by RYUK Ransomware it will leave a ransom note in the format of a text file. The ransom message within “RyukReadMe.txt” is from RYUK developers who inform victims that all data has been encrypted using a strong cryptography algorithm. They state that encrypted backups and shadow copies have also been encrypted.

RYUK ransomware developers also state that only they can provide victims with a decryption tool, and no other tools are capable of decryption. In summary, they make it clear that no other party can help with RYUK infected computers. These cyber criminals also warn users that shutting down or restarting a computer might cause damage or data loss. They urge people not to delete or rename the “RyukReadMe.txt” text files.

RYUK developers offer free decryption of two files to prove decryption is possible and in an attempt to give the impression that they can be trusted. To decrypt the remaining data, users must contact them. However, it is recommended that you do not contact the RYUK developers under any circumstances.

Instead, use LANGuardian’s Search by File/Folder Name report to filter any file with the name RyukReadMe.txt.

If you have any questions about how to detect RYUK Ransomware or other variants on your network, do not hesitate to contact us and speak with one of our helpful technical support team.

Crypto Mining Malware Spreading Via SMBv1 Vulnerability

Crypto Mining Malware

Ransomware Cryptocurrency Link

During 2017 we saw advances in security tools which have meant IT and network security managers have become better equipped to deal with ransomware threats. In addition, lots of standalone programs have been made by independent researchers to decrypt files. This increased awareness of ransomware prevention (backing up files) and Ransomware detection tools has really helped to reduce the Ransomware problem.

Bitcoin is frequently associated with Ransomware as it is a popular payment type demanded by ransomware authors. There are many types of crypto currency available today which you can acquire with money or goods or you can mine them using one or more computers.

The primary purpose of mining is to allow Bitcoin nodes to reach a secure, tamper-resistant consensus. Mining is also the mechanism used to introduce Bitcoins into the system: Miners are paid any transaction fees as well as a “subsidy” of newly created coins. The image below shows an example of a large bitcoin mining rig, lots of processing power and associated cooling fans to keep it operational.

Icarus Bitcoin Mining rig

One of the new trends with Malware is the move away from data encryption to a more stealthy bitcoin mining strategy. Bitcoin mining can happen in the background. No need for any splash screens or data destruction.

Crypto Mining Malware & Association With SMBv1

Many attackers now favor anonymous cryptocurrencies, with Monero being the most prominent. Crypto currencies are popular as they are secure, private and difficult to trace. Servers are often targeted and since many of them are not updated or patched on a regular basis, attackers have a bigger chance of success.

Recently more than 526,000 Windows hosts, mostly Windows servers, have been infected by a Monero miner known as Smominru, according to researchers at Proofpoint. It spreads using the EternalBlue exploit (CVE-2017-0144), which targets the SMBv1 protocol.

Crypto mining malware like this covertly mines for coins using the victim’s GPU horsepower without them knowing about it. It has potential for longer-term gains. When a computer is infected many people will fail to notice fans spinning up, or computers under higher load or just plain old not responding. A lot of those people may just pass it off as “one of those things my computer does.”

How to Detect SMBv1 Use on Your Network

As I mentioned earlier, the EternalBlue exploit is being used by a lot of attackers to install Ransomware or Crypto Miners on victims’ PCs. Systems are compromised when an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Because of this, you need to make sure you detect SMBv1 use on your network and switch off the protocol on any systems which have it enabled. SMBv1 has been superseded by SMBv2 and SMBv3, which are far more efficient and secure.

However, sometimes reality is more difficult than the theory. I met with some of our LANGuardian customers this week. They said that when they disabled SMBv1 on some servers they had issues with a loss in connectivity to some printers. I also had issues in my home lab where certain Android devices lost connectivity to a NAS system when SMBv1 was disabled. The easy thing to do is to re-enable SMBv1 but that will increase the attack surface of your network.

Using LANGuardian to Detect SMBv1 Use

The video below shows how a traffic analysis tool like our own LANGuardian can be used to root out SMB1 clients and servers on your network. Make sure you can detect this activity by monitoring communication between clients and servers or check each network device to see if SMBv1 is enabled.

Find Out What Systems Are Using SMBv1 on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 activity by IP address or Username. Real time and historical reports available. No need to install any agents or client software.

  • See what servers are allowing connections on SMBv1
  • Find out what clients are attempting to connect using SMBv1
  • Can be deployed as a virtual machine

All analysis is done passively using network traffic analysis and you will see results within minutes.
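The passive approach described above can be reproduced on raw SMB messages taken from a SPAN port. The example below is added here and is not LANGuardian code: it classifies each message by its header signature and, importantly, only counts a server as accepting SMBv1 when it answers an SMB1 NEGOTIATE with an SMB1 reply naming a dialect (a modern server answers the same request with an SMB2 response, so the client's request alone only proves the client still offers SMBv1). The hosts and messages are constructed for illustration.

```python
"""Passive SMBv1 inventory from captured SMB traffic (TCP 445/139): tells
clients that offer SMBv1 apart from servers that actually accept it.
Added example, not LANGuardian code; sample messages are constructed inline."""
import struct

SMB1_MAGIC = b"\xffSMB"       # SMB1/CIFS header signature
SMB2_MAGIC = b"\xfeSMB"       # SMB2 and SMB3 header signature
SMB3_TRANSFORM = b"\xfdSMB"   # SMB3 encrypted transform header
SMB1_COM_NEGOTIATE = 0x72
SMB1_FLAGS_REPLY = 0x80       # SMB1 Flags bit 7: message is a server reply
SMB2_FLAGS_SERVER_TO_REDIR = 0x1
NO_DIALECT = 0xFFFF           # DialectIndex meaning "none of the offered dialects"


def smb_message(tcp_payload):
    """Strip the 4-byte NetBIOS session service / direct-TCP length header."""
    if len(tcp_payload) < 8:
        return None
    length = int.from_bytes(tcp_payload[1:4], "big")
    return tcp_payload[4:4 + length]


def classify(tcp_payload):
    """Describe one SMB message: dialect family, request/reply, command and,
    for an SMB1 NEGOTIATE reply, the dialect index the server chose."""
    msg = smb_message(tcp_payload)
    if msg is None or len(msg) < 4:
        return {"family": "unknown"}
    magic = msg[:4]
    if magic == SMB1_MAGIC:
        if len(msg) < 32:                      # fixed SMB1 header is 32 bytes
            return {"family": "smb1", "malformed": True}
        info = {"family": "smb1", "command": msg[4],
                "is_reply": bool(msg[9] & SMB1_FLAGS_REPLY)}
        if info["command"] == SMB1_COM_NEGOTIATE and info["is_reply"] and len(msg) >= 35:
            word_count = msg[32]               # WordCount precedes the parameter words
            if word_count:
                info["dialect_index"] = struct.unpack_from("<H", msg, 33)[0]
        return info
    if magic == SMB2_MAGIC:
        if len(msg) < 64:                      # fixed SMB2 header is 64 bytes
            return {"family": "smb2", "malformed": True}
        command = struct.unpack_from("<H", msg, 12)[0]
        flags = struct.unpack_from("<I", msg, 16)[0]
        return {"family": "smb2", "command": command,
                "is_reply": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)}
    if magic == SMB3_TRANSFORM:
        return {"family": "smb3-encrypted"}
    return {"family": "unknown"}


def smb1_inventory(records):
    """records: iterable of (src_ip, dst_ip, tcp_payload) in either direction.
    Returns (clients_offering_smb1, servers_accepting_smb1)."""
    clients, servers = set(), set()
    for src, _dst, payload in records:
        info = classify(payload)
        if info.get("family") != "smb1" or info.get("malformed"):
            continue
        if info.get("command") != SMB1_COM_NEGOTIATE:
            continue
        if not info["is_reply"]:
            clients.add(src)   # client opened with an SMB1 NEGOTIATE: SMB1 still enabled there
        elif info.get("dialect_index", NO_DIALECT) != NO_DIALECT:
            # A modern server answers that same request with an SMB2 NEGOTIATE
            # response, so only an SMB1 reply naming a dialect proves acceptance.
            servers.add(src)
    return clients, servers


# --- constructed sample traffic (hypothetical hosts) -----------------------
def _nbss(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _smb1(command, reply, body=b""):
    flags = SMB1_FLAGS_REPLY if reply else 0
    header = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    return _nbss(header + body)


def _smb2(command, reply):
    flags = SMB2_FLAGS_SERVER_TO_REDIR if reply else 0
    header = SMB2_MAGIC + struct.pack("<HHIHHI", 64, 0, 0, command, 0, flags) + b"\x00" * 44
    return _nbss(header)


SMB1_NEG_OK = bytes([17]) + struct.pack("<H", 0) + b"\x00" * 34        # WordCount 17, dialect 0 chosen
SMB1_NEG_REJECT = bytes([1]) + struct.pack("<H", NO_DIALECT) + b"\x00\x00"

SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.20", _smb1(SMB1_COM_NEGOTIATE, reply=False)),   # client still offers SMB1
    ("10.0.0.20", "10.0.0.5", _smb2(0x0000, reply=True)),                # patched server picks SMB2
    ("10.0.0.7", "10.0.0.30", _smb1(SMB1_COM_NEGOTIATE, reply=False)),
    ("10.0.0.30", "10.0.0.7", _smb1(SMB1_COM_NEGOTIATE, reply=True, body=SMB1_NEG_OK)),  # old NAS
    ("10.0.0.9", "10.0.0.20", _smb2(0x0000, reply=False)),               # SMB2-only client
    ("10.0.0.20", "10.0.0.9", _smb2(0x0000, reply=True)),
    ("10.0.0.11", "10.0.0.40", _smb1(SMB1_COM_NEGOTIATE, reply=False)),
    ("10.0.0.40", "10.0.0.11", _smb1(SMB1_COM_NEGOTIATE, reply=True, body=SMB1_NEG_REJECT)),
]

if __name__ == "__main__":
    clients, servers = smb1_inventory(SAMPLE_RECORDS)
    print("clients offering SMBv1:", sorted(clients))
    print("servers accepting SMBv1:", sorted(servers))
```

Hosts that appear only in the client set are the ones where disabling SMBv1 may break a legacy device such as the printers and NAS mentioned above, so check them before turning the protocol off server-side.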

How to Detect Scarab Ransomware by Monitoring Network Traffic

Along comes another one. Scarab Ransomware

Scarab Ransomware is just another in a series of Ransomware variants that appeared in 2017. It falls into the crypto Ransomware category which typically go after user data on hard drives and network shares and encrypts it. Scarab Ransomware has the typical three stage infection process:

  1. Get a user to click on a link or open an attachment infected with Malware
  2. Connect to external websites to download the actual Ransomware
  3. Encrypt the users data and leave a ransom note

The name Scarab is also associated with a family of beetles. Scarabs are stout-bodied beetles, many with bright metallic colours, measuring between 1.5 and 160 mm. They are also known as a dung beetle.

Detecting the presence of Scarab Ransomware

First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by inboxes. It was sent to millions of email addresses in the first four hours alone, according to Forcepoint. The emails are originating from hosts within the Necurs Botnet.

The unsolicited emails in question come with the well-worn “Scanned from {printer company name}” subject line and contain a 7zip attachment with a VBScript downloader. Use SMTP traffic monitoring or check the logs on your email server for any subject lines which start with “Scanned from”.

Another key indicator of Scarab Ransomware is the presence of these types of files on network shares:

  • Files with the extension “.[].scarab”
  • Ransom notes which are saved as text files with the name “IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT”

The image below shows how our LANGuardian product detected suspicious activity on a network share by monitoring network traffic going to and from the file servers. When you monitor network traffic like this you can passively generate a list of all file and folder activity without the need for logging or agents.

Scarab Ransomware detected on a network

Watch out for an increase in file renames. A sure sign of Scarab Ransomware activity

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Scarab Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware. You just need to change the file extensions to the ones mentioned earlier in this blog post.

How to Detect Badrabbit Ransomware on Your Network

Badrabbit Ransomware

What is Badrabbit Ransomware?

A new strain of ransomware nicknamed “Bad Rabbit” has been found spreading in Russia, Ukraine and Germany. The outbreak bears similarities to the WannaCry and Petya ransomware outbreaks that spread around the world causing widespread disruption earlier this year. This Ransomware encrypts data on infected machines or on network file shares before demanding a payment of 0.05 bitcoin (£250) for the decryption key.

The main way Bad Rabbit spreads has been identified as drive-by downloads on hacked websites. No exploits are used; rather, visitors to compromised websites – some of which have been compromised since June – are told that they need to install a Flash update. Of course, this is no Flash update, but a dropper for the malicious install.

Once a user facilitates the initial infection, the malware leverages existing methods to propagate around a network without user interaction. This involves leveraging an exploit in the SMB protocol and a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system.

Monitoring File Activity on Your Network

You need to be monitoring file and folder activity before you can detect Ransomware like Badrabbit active on your network. One of the easiest ways to do this is to monitor the network traffic going to and from your network file servers. Most managed switches support SPAN or mirror ports and these allow you to get a copy of the network packets going to and from your file servers.

Once you have your data source in place you can use a tool like our own LANGuardian to extract file and folder metadata from the network packets. Metadata includes things like filenames, actions and usernames. As well as monitoring traffic associated with your file servers we also recommend that you monitor all traffic at your network perimeter. Ransomware needs to communicate with the outside world so having visibility at the network edge is important when it comes to detecting and alerting on Ransomware like Badrabbit. There are specific domains that you need to watch out for which are listed below.

How to detect the presence of Badrabbit Ransomware

  1. Check your IDS for specific Badrabbit events
  2. Generate a list of clients accessing suspicious web domains
  3. An increase in file renames is a sure sign of Ransomware

Checking your IDS

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Most look for certain data strings within network packets which will then trigger an alert. In the case of Badrabbit you need to be watching out for the following Emerging Threats rules.

  • emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (cscc)
  • emerging-trojan ET TROJAN BadRabbit Ransomware Activity Via WebDAV (infpub)
  • emerging-trojan ET TROJAN BadRabbit Ransomware Payment Onion Domain

If you are using our LANGuardian product, check the report Top Network Events. This is also available in the trial version.

Suspicious Domains

Badrabbit uses a number of domains for command and control services. Check your DNS traffic and/or your web activity logs for any activity associated with these domains. If you detect any activity, remove the client which issued the DNS query or tried to access the domain from your network.

If you are using our LANGuardian product, check the report Network Events (DNS Lookups). This is also available in the trial version.

Watch out for an increase in file renames.

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware like Badrabbit strikes, it will result in a massive increase in file renames as your data gets encrypted. Note that Badrabbit will use the same file names so there are no file extensions to watch out for.

You can use this behavior to trigger an alert. If the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on 4 or more renames per second.

The video below shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity; download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.

How to detect the presence of Gryphon Ransomware on your network

Gryphon Ransomware Screenshot

Gryphon Ransomware

Gryphon Ransomware is actually a variant of the BTCWare ransomware. This family of Ransomware typically uses RDP (remote desktop protocol) brute force attacks to spread within computer networks. Once the hacker gains access to a computer, they will install the ransomware and encrypt the victim’s files.

What you need to watch out for

1. Inbound RDP connections

RDP can be a useful IT tool for managing user systems remotely. However, it is not a protocol that you should leave open at your network edge. Watch out for inbound RDP connections from external clients. RDP typically uses TCP port 3389 for connections. The screen shot below shows an example of what you should be capturing with your network traffic monitoring tool. In my case, the connections are local to my LAN.

2. Increase in file renames on network shares

When Ransomware strikes it often seeks out network file shares as that is where the most valuable data is. One way to detect if Ransomware has become active on your network is to monitor the rate of file renames. When Ransomware encrypts data it renames files with a new extension.

File rename rates can be captured by monitoring the network traffic going to and from your network file servers. A tool such as our own LANGuardian can then use this data source to create an audit trail of file and folder activity.

The image below is an example of what you should be watching out for. The graph shows an increase in file renames and the client responsible for this is also shown. An alert can also be triggered when this activity is detected.

file renames

3. Crypton file extensions

When Gryphon Ransomware strikes a network it appends the .Crypton extension to encrypted files. Any client that is renaming files with this extension needs to be taken off the network immediately. The image below shows an example of what you should be watching out for; in this example, a database file was renamed with the .Crypton file extension.

Crypton file extension

Worried about Ransomware? Download a free trial of LANGuardian today

If you want to audit your network for signs of Ransomware activity; download a 30-day free trial of LANGuardian here. This includes a pre-configured Ransomware dashboard, so you get instant visibility of any suspicious activity.

How to deal with the Locky Ransomware Email Campaign

Locky Ransomware Screenshot

Locky Ransomware

Ransomware has been the number one cyber-security threat in 2017. Outbreaks such as WannaCry have caused massive amounts of damage worldwide. If you want to detect Ransomware such as WannaCry you should watch out for an increase in file renames and deploy technologies such as IDS to identify outbreaks on your network.

Recently there has been an increase in activity associated with the Locky variant of Ransomware. Locky was first detected in 2016 and one of its first victims was the Hollywood Presbyterian Medical Center in Los Angeles, California. The infection encrypted systems throughout the medical center, locking staff out of computers and electronic records.

5 Locky Fingerprints that you need to watch out for

If you want to detect Locky activity on your network, you need to watch out for this activity. Some are directly associated with Locky, others would be suspicious and would need to be checked.

  • Dodgy subject lines which are known to be associated with Locky distribution
  • Clients trying to access the domain
  • Lukitus file extensions on network drives
  • Increase in file renames
  • ZIP file attachments

Further information below on each of these.

Search inbound email for specific subject lines

The email campaign associated with the latest outbreak of Locky uses this list of subject lines:

  • please print
  • documents
  • photo
  • images
  • scans
  • pictures

If you host your own email servers, you should monitor all SMTP servers and alert if any emails using these subject lines are detected. One way to do this is to use our own LANGuardian product to extract the email metadata from network traffic which can be sourced from a SPAN or a mirror port. The image below shows an example of what you should be watching out for.

Locky Ransomware email

Monitor DNS or Web Traffic for activity associated with Locky domains

This Locky outbreak uses Visual Basic Script (VBS) files embedded in zip email attachments. The emails do not contain the Ransomware code. When a user opens the attachment, the VBS script attempts to connect to the domain. From here, it pulls down the Locky Ransomware and then goes about encrypting files. You can check for activity associated with this domain by monitoring web or DNS traffic. It may also be possible to do this with firewall or proxy logging, but check your device to see if it captures domain names.

The image below shows an example of what you should be watching out for. Here, we can see that a client attempted to access a suspicious domain and would need to be taken off the network and checked.

Locky Ransomware Domain

Watch out for Lukitus file extensions

Once this variant of Locky is active on a network, it will seek out local folders and network based file shares. Files are encrypted and a Lukitus file extension is appended to each file. Make sure you are monitoring all activity to your important network shares. One way to do this is to monitor network traffic to and from the file servers.

The image below shows an example of what you need to watch out for. The client associated with this event would need to be removed from the network and checked for Ransomware infection.

lukitus file extension

A sudden increase in file renames is a sign of Ransomware

All variants of Ransomware which target end user data have common attributes which are to take the user data, encrypt and then rename with a new file extension. In some cases, the files are encrypted with their original file names but the rename action still occurs.

We recommend that you constantly monitor the rate of file renames on all of your network shares. A good starting point would be to alert on any instances, where the number of file renames goes above 4 per second. Our lab analysis shows that this is a good indicator of mass renaming which is typically associated with Ransomware. Make sure your alerts also contain the client IP address associated with the renaming as they need to be removed from the network immediately.
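The rename-rate rule recommended in the RYUK, Scarab, Bad Rabbit, Gryphon and Locky posts above, together with the file extensions and ransom-note names those posts list, can be implemented over any file-activity audit trail. The example below is added here and is not LANGuardian code: the CSV log format, hosts and file names are constructed. It uses a sliding one-second window rather than wall-clock seconds so that a burst straddling a second boundary is not missed, and it deliberately includes a Bad Rabbit-style client that renames files without changing their names, which only the rate rule catches.

```python
"""Ransomware indicators over a file-activity audit trail: the rename-rate
rule recommended across the posts above (4 or more renames per second from
one client) plus the filename indicators they list. Added example, not
LANGuardian code; the log format and sample lines are constructed."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime

RENAMES_PER_SECOND = 4
# Indicators quoted in the posts above, compared case-insensitively
RANSOM_EXTENSIONS = (".ryk", ".crypton", ".lukitus", ".scarab")
RANSOM_NOTES = ("ryukreadme.txt",
                "if you want to get all your files back, please read this.txt")

# Constructed audit trail (hypothetical hosts, users and share names):
# timestamp,client_ip,username,action,path,new_path
SAMPLE_LOG = r"""timestamp,client_ip,username,action,path,new_path
2018-11-20 09:00:01.100,10.1.1.25,alice,read,\\fs01\finance\budget.xlsx,
2018-11-20 09:00:02.300,10.1.1.25,alice,write,\\fs01\finance\budget.xlsx,
2018-11-20 09:00:03.000,10.1.1.31,bob,rename,\\fs01\finance\q1.docx,\\fs01\finance\q1-final.docx
2018-11-20 09:00:03.050,10.1.1.77,svc_backup,rename,\\fs01\hr\a.pdf,\\fs01\hr\a.pdf.RYK
2018-11-20 09:00:03.200,10.1.1.77,svc_backup,rename,\\fs01\hr\b.pdf,\\fs01\hr\b.pdf.RYK
2018-11-20 09:00:03.400,10.1.1.77,svc_backup,rename,\\fs01\hr\c.pdf,\\fs01\hr\c.pdf.RYK
2018-11-20 09:00:03.600,10.1.1.77,svc_backup,rename,\\fs01\hr\d.pdf,\\fs01\hr\d.pdf.RYK
2018-11-20 09:00:03.800,10.1.1.77,svc_backup,create,\\fs01\hr\RyukReadMe.txt,
2018-11-20 09:00:10.000,10.1.1.90,carol,rename,\\fs01\sales\deal1.docx,\\fs01\sales\deal1.docx
2018-11-20 09:00:10.200,10.1.1.90,carol,rename,\\fs01\sales\deal2.docx,\\fs01\sales\deal2.docx
2018-11-20 09:00:10.400,10.1.1.90,carol,rename,\\fs01\sales\deal3.docx,\\fs01\sales\deal3.docx
2018-11-20 09:00:10.600,10.1.1.90,carol,rename,\\fs01\sales\deal4.docx,\\fs01\sales\deal4.docx
2018-11-20 09:00:10.800,10.1.1.90,carol,rename,\\fs01\sales\deal5.docx,\\fs01\sales\deal5.docx
"""


def parse_log(text):
    """Parse the constructed CSV format into dicts with a parsed 'ts' field."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        rows.append(rec)
    return rows


def rename_bursts(rows):
    """Per client, the largest number of renames inside any sliding one-second
    window, reported only when it reaches RENAMES_PER_SECOND."""
    by_client = defaultdict(list)
    for r in rows:
        if r["action"].lower() == "rename":
            by_client[r["client_ip"]].append(r["ts"])
    bursts = {}
    for client, stamps in by_client.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() >= 1.0:
                start += 1                     # slide the window forward
            count = end - start + 1
            if count >= RENAMES_PER_SECOND:
                bursts[client] = max(bursts.get(client, 0), count)
    return bursts


def filename_indicators(rows):
    """Flag files written, created or renamed to a known ransomware extension
    or ransom-note name. Returns (kind, client_ip, path) tuples."""
    alerts = []
    for r in rows:
        if r["action"].lower() not in ("rename", "create", "write"):
            continue
        target = r.get("new_path") or r["path"]
        name = re.split(r"[\\/]", target)[-1].lower()   # last path component
        if name.endswith(RANSOM_EXTENSIONS):
            alerts.append(("ransom_extension", r["client_ip"], target))
        if name in RANSOM_NOTES:
            alerts.append(("ransom_note", r["client_ip"], target))
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for client, n in rename_bursts(rows).items():
        print(f"ALERT rename burst: {client} ({n} renames within one second)")
    for kind, client, path in filename_indicators(rows):
        print(f"ALERT {kind}: {client} {path}")
```

Every alert carries the client IP, which is the value you need in order to pull the offending machine off the network.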

File renames associated with Ransomware

Get an inventory of what ZIP files are coming into your network

Compressed files (ZIP and others) are often used to deliver malware via email. Many email servers block attachments if they have strange file extensions. However, if the malware is embedded within a ZIP file, it can get through some filters. Most network devices are able to open ZIP files, which is why they are used.

If you host your own email servers, we recommend that you monitor all attachments that are inbound into your network. One way to do this is to monitor network traffic going to and from your email servers. A system such as our own LANGuardian can extract attachment names from this traffic and provide reports and alerts on suspicious activity.
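The subject-line and attachment checks described for Locky above (and the “Scanned from” subject from the Scarab post) can be run over inbound mail once you have the raw messages, whether reconstructed from SMTP traffic or exported from the mail server. The example below is added here and is not LANGuardian code: it matches the listed subject lines, records every attachment name and, for ZIP attachments, lists the member names to spot a script downloader without extracting or running anything. It only inspects ZIP archives, since 7z support is not in the Python standard library; the sample message is constructed.

```python
"""Inbound mail triage for the indicators in the Scarab and Locky posts above:
known subject lines and ZIP attachments carrying a script downloader.
Added example, not LANGuardian code; the sample message is constructed inline."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines quoted in the Locky post; the Scarab post's "Scanned from ..." prefix
LOCKY_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}
SUBJECT_PREFIXES = ("scanned from",)
ARCHIVE_EXTENSIONS = (".zip",)
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")


def triage_message(raw_bytes):
    """Return a list of (indicator, detail) tuples for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in LOCKY_SUBJECTS:
        findings.append(("locky_subject", subject))
    if subject.startswith(SUBJECT_PREFIXES):
        findings.append(("scanned_from_subject", subject))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name:
            continue
        findings.append(("attachment", name))          # inventory of every attachment
        if name.endswith(ARCHIVE_EXTENSIONS):
            findings.extend(_inspect_zip(name, part.get_payload(decode=True)))
    return findings


def _inspect_zip(name, data):
    """List members of a ZIP attachment and flag script files. Only the
    central directory is read; nothing is extracted or executed."""
    out = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTENSIONS):
                    out.append(("script_in_archive", f"{name}:{member}"))
    except zipfile.BadZipFile:
        out.append(("unreadable_archive", name))       # worth a look too
    return out


def build_sample_message():
    """Construct a message shaped like the Locky campaign described above:
    a listed subject line and a ZIP attachment containing a .vbs file.
    The .vbs member is a harmless comment line, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0042.vbs", "' constructed placeholder for the example\r\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "please print"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="scan_0042.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for indicator, detail in triage_message(build_sample_message()):
        print(f"{indicator}: {detail}")
```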

For more information, take a read of this blog post which looks at 5 Methods For Detecting Ransomware Activity. If you need to put monitoring in place today; download a 30 day trial of our LANGuardian product, which includes a Ransomware monitoring dashboard out of the box.

Game of Thrones, Dragons and Network Visibility?

Network Visibility

There once existed vast unexplored areas of the oceans that in apocryphal sea charts were marked off and labeled ‘Here be Dragons’; meaning no-one knew what was there, but the suspicion was, it couldn’t be good.

This week there’s talk of dragons of a different hue – for Game of Thrones fans; as the 7th season premieres around the world, it promises to be the most action-packed season yet, with dragons, treachery, White Walkers and so on. It also promises to be an action-packed time for networks and network managers, and treachery will play its part!

With the excitement of this premiere, many users may let their defences down as they try to download the latest episodes. Links to downloadable episodes provide excellent bait for delivering Ransomware and other malware to unsuspecting users. Even without the threat of malware, we’ve seen time and again how frequent media downloads can bring even the most stable networks to a stop when bandwidth provided for business operations is swallowed up.

Do you know what content your users are downloading and storing on fileshares, what sites your users are visiting, what copyrighted material is being downloaded and seeded by torrents through your firewall, what malware is being inadvertently downloaded and what it’s accessing on your network? Do you know why that recently upgraded WAN link is at full capacity again? In other words, do you have blind spots? Or do you have continuous network visibility and the control it brings?

Visibility is a very common and maybe an overused term these days. However, it really is important to always have visibility into the various activities on your network, and also have drill down to rich detail and be able to understand and prove the root cause.

If you don’t know what is happening on your network, you can’t secure it or manage it properly.

NetFort’s LANGuardian is downloadable software that’s quick to configure and quickly gives you visibility into what’s on and what’s happening on your network. Understand what users, applications, and devices are on your network and what they are doing.

Visit to watch our 3-minute video

Or else you’ll continue to have network blind spots, the ‘Here be Dragons’ areas; not sure what’s there, but can’t shake that feeling that it can’t be good.

Prevent Petya Ransomware by disabling SMBv1 on your Network

NotPetya Petya Petna Ransomware

Last Updated: July 3rd, 2017

Petya \ GoldenEye encrypts entire disks

A new variant of Petya ransomware, also known as Petrwrap, NotPetya, or GoldenEye, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours. Petya ransomware has been delivered via phishing emails pretending to provide a resume which is, in fact, a malicious dropper. Make sure your users are aware of the risks of opening attachments from unknown sources.

Unlike most ransomware, the new GoldenEye variant has two layers of encryption: one that individually encrypts target files on the computer and another one that encrypts NTFS structures. This approach prevents victims’ computers from being booted up in a live OS environment and retrieving their data.

Just like Petya, GoldenEye encrypts the entire hard disk drive and denies the user access to the computer. However, unlike Petya, there is no workaround to help victims retrieve the decryption keys from the computer. It encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

What you should do right now to prevent a Petya \ NotPetya outbreak

  1. Deploy the Microsoft Security Bulletin MS17-010 patch
  2. Add a read only file called C:\Windows\perfc to all Windows clients
  3. Avoid giving users administrator access to their local machines
  4. Watch out for any inbound or outbound activity associated with TCP ports 445 or 139
  5. Use traffic analysis to identify if any systems are connecting or trying to connect using SMBv1
  6. Root out any clients or servers scanning your network over TCP port 445 or 139

Further details below

Patch your Windows systems to remove one attack vector for Petya Ransomware

It is critical that you address Microsoft Security Bulletin MS17-010 and patch all Windows clients on your network. Microsoft have published a good post at this link which gives more background on this and also includes some information on what they are doing to prevent the spread of this Ransomware.

Petya or Petrwrap is spreading by exploiting an NSA-built Windows exploit known as “Eternal Blue” which targets the SMBv1 protocol. While SMBv1 is a legacy protocol, it is still available in the latest Microsoft operating systems including:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

In parallel to applying the patch, you should disable SMBv1 use on your network. You can do this by running these commands in PowerShell on each system. Further information on how to disable SMBv1 on other systems is available here.

  • Check for SMBv1 (EnableSMB1Protocol should report False):
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server:
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Create a read only file called C:\Windows\perfc

A researcher called Amit Serper discovered that NotPetya/Petya/Petna would search for a local file and would exit its encryption routine if that file already existed on disk.

To vaccinate your computer so that it cannot be infected by the current strain of this Ransomware, simply create a file called perfc in the C:\Windows folder and make it read only. If you are unsure how to do this, follow this guide or follow the steps in the video below.

Avoid giving users administrator access

Petya \ GoldenEye first encrypts the files on the computer and then tries to install the MBR bootkit to encrypt the drive’s MFT. The GoldenEye variant starts by encrypting the user’s files, just like regular ransomware. For each file it encrypts, GoldenEye appends a random 8-character extension at the end.

The ransomware then modifies the user’s hard drive MBR (Master Boot Record) with a custom boot loader. Petya \ GoldenEye ransomware must obtain administrative permissions to overwrite a computer’s MBR. Limit which users have administrator access to the network and to local PCs. You can use the Microsoft Local Administrator Password Solution (LAPS) to manage the local account passwords of domain-joined computers.

Once it gains administrator access on a machine, it then leverages that power to commandeer other computers on the network or sniff domain admin credentials present in memory to take control over the entire Windows network.

Check for suspicious traffic flows on your network

You should also review your network traffic flows for any activity associated with Microsoft SMB ports and external addresses. SMB typically uses TCP port 445 and this is one of the main attack vectors used in recent Ransomware attacks. You can monitor network traffic by using SPAN or mirror ports off your core switches.

The image below is an example of what to watch out for. I used a Top Clients report from our LANGuardian product to show all connections over TCP port 445 where the client IP address was external. Based on this data I need to make sure the target machines are not running SMBv1 and I will also block TCP 445 access on my firewall.

Petya activity over TCP port 445

Infected machines may also scan the network looking for other Microsoft clients. Watch out for the following behaviour:

  • Workstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope
  • Servers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes
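As an added example (not LANGuardian code and not part of the original post), the checks in steps 4 and 6 of the list above and the two scanning patterns just listed, written in Python over constructed flow records of the kind a SPAN-port sensor or a flow exporter would give you. The internal address ranges, the record layout (client IP, server IP, server port) and the host threshold are assumptions; a sweep is reported as local when every target sits in the scanner's own /24, and as cross-scope otherwise.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumed internal address space; replace with the ranges actually routed on your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def net24(ip):
    """The /24 scope an address belongs to (the unit the post's scanning patterns use)."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


# Constructed sample flow records: (client_ip, server_ip, server_port).
# 10.0.1.5 sweeps its own /24, 10.0.0.10 (a server) sweeps five other /24s,
# 203.0.113.7 is an external client reaching TCP/445 through the firewall,
# and 10.0.1.50 is a normal workstation repeatedly using one file server.
SAMPLE_FLOWS = (
    [("10.0.1.5", f"10.0.1.{i}", 445) for i in range(1, 30)]
    + [("10.0.0.10", f"10.0.{s}.{i}", 139) for s in range(2, 7) for i in range(1, 6)]
    + [("203.0.113.7", "10.0.0.10", 445), ("203.0.113.7", "10.0.0.11", 445)]
    + [("10.0.1.50", "10.0.0.10", 445)] * 40
)


def external_smb_clients(flows):
    """Step 4: SMB connections whose client address is outside the internal ranges."""
    return sorted({(c, s, p) for c, s, p in flows if p in SMB_PORTS and not is_internal(c)})


def smb_scanners(flows, host_threshold=10):
    """Step 6: internal hosts touching many SMB endpoints, split by the two patterns above."""
    targets = defaultdict(set)
    for client, server, port in flows:
        if port in SMB_PORTS and is_internal(client):
            targets[client].add(server)
    findings = {}
    for client, servers in targets.items():
        if len(servers) < host_threshold:
            continue  # a workstation using a handful of file servers is normal
        scopes = {net24(s) for s in servers}
        if scopes == {net24(client)}:
            findings[client] = f"sweeping {len(servers)} hosts on its own /24"
        else:
            findings[client] = f"sweeping {len(servers)} hosts across {len(scopes)} /24 scopes"
    return findings


if __name__ == "__main__":
    for hit in external_smb_clients(SAMPLE_FLOWS):
        print("external SMB client:", hit)
    for client, what in smb_scanners(SAMPLE_FLOWS).items():
        print(f"{client}: {what}")
```

The threshold of ten distinct SMB endpoints per client is deliberately coarse; on a real network you would set it from a baseline of how many file servers a workstation normally talks to, and treat any server, especially a domain controller, that appears in the cross-scope bucket as the first machine to isolate.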

How to passively detect SMBv1 use on your network

Even if you think you have patched all systems on your network, you should still run an audit to check for any activity associated with SMBv1. Some network devices may have embedded operating systems which could easily be missed. One method to do this is to use network traffic analysis to detect the presence of clients attempting to connect to other systems using SMBv1.

Our own LANGuardian product can be used to report on SMBv1 use and an example of this is shown in the video below.

We will continue to update this post as we learn more about this Ransomware variant.

Other indicators of Petya \ NotPetya

Watch out for any activity on your network associated with these IP addresses. Check whether any local systems on your network are trying to connect to them, and whether you have any inbound activity through your firewall(s) associated with them.

How to detect SMBv1 use on your Network

SMBv1 file sharing

How can I find out if SMBv1 is being used on my network?

Even if you disable SMBv1 on all clients and servers, it is still good practice to check if any systems on your network are using this protocol. You may have unmanaged systems like personal laptops or embedded operating systems within other network-connected devices. These are the most common ways to find out if SMB1 is in use on your network:

  1. Use a network traffic analysis system connected to a SPAN, mirror port or network TAP to monitor traffic associated with your file servers
  2. Run Get-SmbConnection on a client
  3. Scan your network using a vulnerability scanner
  4. Take a packet capture off the network and use Wireshark to identify what version of Server Message Block you are running

Detect SMBv1 Use on Your Network

Use the deep packet inspection engine of LANGuardian to report on SMBv1 client or server activity by IP address or username. Real time and historical reports available. No need to install any agents or client software.

What is SMBv1?

Server Message Block (SMB) is an application layer network protocol typically used to provide shared access to files and printers. It is also known as Common Internet File System (CIFS). Most data is transferred via TCP port 445, although it also uses TCP ports 137 and 139.

SMB was first used in Windows operating systems around 1992. Windows Server 2003, and older NAS devices use SMBv1 natively. It is a very inefficient protocol; Microsoft have advised all customers to stop using SMBv1. SMBv2 was introduced with Windows Vista in 2006 and the latest version is SMB 3.1.1 which was introduced with Windows 10 and Windows Server 2016.

Detect SMBv1 scanning and SMBv1 active or established connections

Click on the image above to try out our online LANGuardian demo which uses packet capture to root out SMBv1 activity.

Why all the attention about SMBv1?

In May 2017, the WannaCry Ransomware started to infect computer networks around the world. It was the first in the family of WannaCrypt Ransomware which targeted both locally stored data and network based file shares. It has become a huge problem, and most IT and Security Managers have made detecting WannaCry Ransomware their top priority.

There are three known attack vectors for WannaCry. Some computers were accessed directly, some people opened email attachments and some were redirected to websites where they downloaded the malware. Direct access is an unusual attack vector and occurred if a network allowed NetBIOS packets from external networks.

Data from antivirus provider Kaspersky Lab showed that 98% of the victims were actually running Windows 7. When the Ransomware first came out it was suggested that it was targeting Windows XP systems but the number of affected Windows XP systems looks to be insignificant.

This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware. It is all the more reason to know what is going in and out of your network, not just in real time but also historically, so you can look back and see what happened.

Once downloaded, the malicious code in the zip file infects the local computer, which then does two things:

  • Encrypts the local filesystem
  • Attempts to infect other systems by exploiting vulnerabilities in SMBv1 (EternalBlue)

A further exploit known as DoublePulsar is then used to create a backdoor and inject malicious DLLs into the target system’s kernel. The EternalBlue and DoublePulsar exploits are linked to tools originally developed by the NSA which were recently exposed by the Shadow Brokers group.

Customer Use Case – Is there a way to detect SMB1 traffic?

Way back in October 2016 a US public sector customer sent us this query:

“Is there a way to detect SMB1 traffic? Microsoft recommends to stop using it so I’d like to see if it’s being used in our network.

IT Manager”

At that time our LANGuardian product could detect SMB traffic and extract metadata such as filenames and actions, but it did not capture and store the SMB version. Our product management team looked at this and we decided to modify our SMB decoder to capture the following information:

  1. Capture and store the SMB version of all SMB traffic.
  2. Generate an alert if a client or server establishes a connection using SMBv1
  3. Generate an alert if a client tries to connect to another network device using SMBv1

This use case also highlights the flexibility and power of using wire traffic data, as opposed to logs, to get visibility and the critical detail, in this case the SMB version. Some critical details like the SMB version may not be available from logs, but are available via network traffic analysis.

It is worth noting that at the time our customer did not have a Ransomware problem. They were being proactive by dealing with the SMBv1 problem before it could be exploited on their network. This is still very relevant today. Too many networks are still using SMBv1 and IT managers have no visibility into what protocols are being used on their internal networks.

What systems are at risk?

Any Windows system that supports SMBv1 and does not have patch MS17-010 applied is potentially at risk. This is not limited to just Windows Server 2003 and Windows XP clients. As far back as September 2016 Microsoft advised the removal of SMBv1 from networks. Potentially all Windows clients on your network need to be checked and patched. Publicly available exploit code lists targets as:

  • Windows XP (all service packs) (x86) (x64)
  • Windows Server 2003 SP0 (x86)
  • Windows Server 2003 SP1/SP2 (x86)
  • Windows Server 2003 (x64)
  • Windows Vista (x86)
  • Windows Vista (x64)
  • Windows Server 2008 (x86)
  • Windows Server 2008 R2 (x86) (x64)
  • Windows 7 (all service packs) (x86) (x64)

Windows XP and Windows Server 2003 can only support SMBv1. Aim to cease use of these systems on your network, as they are end-of-life and Microsoft does not provide regular updates. The latest Windows 10 Insider build removes the SMBv1 server software. The SMB1 client remains, so that users can connect to devices still using the protocol, but the server side is gone.

What should I do?

Make sure you apply patch MS17-010. Disable SMBv1 on systems that can support SMBv2 and SMBv3. SMBv2 and SMBv3 are much more efficient and will use fewer network resources. Check your backups: are they running, and have you tested restoring data?

To disable SMBv1 you need to run these commands in PowerShell on each system.

  • Check for SMBv1:
    • Get-SmbServerConfiguration | Select EnableSMB1Protocol
  • To disable SMBv1 on the SMB server:
    • Set-SmbServerConfiguration -EnableSMB1Protocol $false

Further information on how to disable SMBv1 on other systems is available here. You can also disable SMBv1 via Group Policy preferences. This approach will allow you to configure and enforce the registry settings related to disabling the SMBv1 client and server components for Windows Vista and Server 2008 and later.

Checking SMB version on a client

The version of SMB used between a client and the server will be the highest dialect supported by both the client and server.

This means if a Windows 10 machine is talking to a Windows Server 2012 machine, it will use SMB 3.0. If a Windows 8 machine is talking to Windows Server 2008 R2, then the highest common level is SMB 2.1.

To check which dialect version you are using, run the PowerShell cmdlet: Get-SmbConnection

Scan your network using a vulnerability scanner

Various vulnerability scanners may help with this, but they need to know which systems to query. Microsoft have released Desired State Configuration Environment Analyzer, a PowerShell module which can be used to scan a Windows Server 2012 R2 environment to see if any of the systems have SMB1 installed. Further reading in this post, which also contains a sample script.

Using packet capture and analysis to detect SMBv1 activity

One of the easiest ways to detect what versions of server message block you are using is to use network traffic capture. You can do this locally on a client or server or use a SPAN\Mirror port. Once you have a source of network packets you need to process them using a network traffic monitoring application.

Microsoft have some guides on how to use their Message Analyzer application to audit active SMB1 usage. Further reading on this page, which includes some screenshots of what to look out for. As per the image below, Wireshark can also be used to check for SMB1 connections from live traffic or from a PCAP file. However, Wireshark and Microsoft Message Analyzer do not monitor continuously and do not alert.

Should I worry about non Windows operating systems?

The main target for Ransomware is Windows based file shares. However, variants such as KeRanger are designed to target macOS systems. On May 24 the Samba team released a patch (CVE-2017-7494) for a critical remote code execution vulnerability in Samba, the most popular file sharing service for Linux systems.

All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

There is a high probability that this could be the target of a Linux specific Ransomware variant. It is even trending as SambaCry on Twitter at the moment. According to the Shodan computer search engine, more than 485,000 Samba-enabled computers expose port 445 to the Internet. The main advice you can take from this is to make sure you patch vulnerable Linux systems and close access to TCP port 445 on your firewall if it is not needed.

What does LANGuardian do and how can it monitor SMBv1 traffic?

Deep Packet Inspection Software can monitor all client network connections and if equipped with sufficiently sophisticated application layer decoders, can determine the version of SMB protocol that is being used. All you need is a data source which is typically a SPAN\Mirror port or network TAP. Our own LANGuardian product includes a deep packet inspection engine which can be used to monitor network traffic on any network that has a managed switch.

LANGuardian can detect, report and alert on the following scenarios:

  • A client connection request to any server, using SMBv1 protocol
  • A successful connection response from a server using SMBv1
  • Any file share actions (file write, rename, read, etc.) transacted using the SMBv1 protocol
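The first two scenarios in that list, and the passive SMBv1 audit described under "How to passively detect SMBv1 use on your network" and "Using packet capture and analysis to detect SMBv1 activity" above, come down to reading the NEGOTIATE exchange at the start of every SMB session. As an added example, not LANGuardian's decoder and not code from the original post, here is a small Python parser for that exchange over the TCP/445 NetBIOS framing, with builders that construct sample messages so it runs offline. It flags an SMBv1 negotiate request that offers no "SMB 2.x" dialect (an SMBv1-only client) and an SMBv1 negotiate response in which the server selected one of the offered dialects (an established SMBv1 session); an SMB2-capable client also opens with an SMBv1-framed negotiate that lists "SMB 2.002" / "SMB 2.???", which is why the request check looks at the dialect list rather than the framing alone. Field offsets follow MS-CIFS and MS-SMB2; the sample addresses are constructed.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB1_NEGOTIATE = 0x72      # SMB_COM_NEGOTIATE
SMB2_NEGOTIATE = 0x0000    # SMB2 NEGOTIATE command
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(payload):
    """Remove the 4-byte NetBIOS session header (type 0x00 + 3-byte length) used on TCP/445."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def classify_smb_message(payload):
    """Return the SMB version and, for NEGOTIATE messages, the dialects involved."""
    body = strip_netbios(payload)
    if body.startswith(SMB1_MAGIC):
        return _parse_smb1(body)
    if body.startswith(SMB2_MAGIC):
        return _parse_smb2(body)
    return {"version": "unknown"}


def _parse_smb1(body):
    command, is_response = body[4], bool(body[9] & 0x80)   # Flags bit 7 = SMB_FLAGS_REPLY
    info = {"version": "SMB1", "command": command, "response": is_response}
    if command != SMB1_NEGOTIATE:
        return info
    word_count = body[32]
    if is_response:
        # WordCount > 0 with DialectIndex != 0xFFFF: the server picked an offered dialect.
        dialect_index = struct.unpack_from("<H", body, 33)[0]
        info["smb1_selected"] = word_count > 0 and dialect_index != 0xFFFF
        return info
    byte_count = struct.unpack_from("<H", body, 33 + 2 * word_count)[0]
    start = 35 + 2 * word_count
    data = body[start:start + byte_count]
    # Each offered dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialects = [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d.startswith(b"\x02")]
    info["dialects"] = dialects
    info["smb1_only_client"] = not any(d.startswith("SMB 2.") for d in dialects)
    return info


def _parse_smb2(body):
    command = struct.unpack_from("<H", body, 12)[0]
    flags = struct.unpack_from("<I", body, 16)[0]
    info = {"version": "SMB2+", "command": command, "response": bool(flags & 0x1)}
    if command != SMB2_NEGOTIATE:
        return info
    if info["response"]:
        revision = struct.unpack_from("<H", body, 68)[0]    # DialectRevision
        info["dialect"] = SMB2_DIALECTS.get(revision, hex(revision))
    else:
        count = struct.unpack_from("<H", body, 66)[0]       # DialectCount; dialects start at 100
        info["dialects"] = [SMB2_DIALECTS.get(d, hex(d)) for d in struct.unpack_from("<%dH" % count, body, 100)]
    return info


def smbv1_findings(messages):
    """messages: (src_ip, dst_ip, payload). Reports the two NEGOTIATE scenarios listed above."""
    findings = []
    for src, dst, payload in messages:
        info = classify_smb_message(payload)
        if info["version"] != "SMB1" or info["command"] != SMB1_NEGOTIATE:
            continue
        if info["response"] and info["smb1_selected"]:
            findings.append(f"server {src} accepted an SMBv1 dialect from {dst}")
        elif not info["response"] and info["smb1_only_client"]:
            findings.append(f"client {src} offered only SMBv1 dialects to {dst}")
    return findings


# Builders for constructed sample traffic: minimal but structurally valid messages.
def _nb(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb1_negotiate_request(dialects):
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 4 + b"\x18" + b"\x01\xc8" + b"\x00" * 20
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nb(header + b"\x00" + struct.pack("<H", len(data)) + data)


def build_smb1_negotiate_response(dialect_index):
    header = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 4 + b"\x98" + b"\x01\xc8" + b"\x00" * 20
    return _nb(header + bytes([17]) + struct.pack("<H", dialect_index) + b"\x00" * 34)


def build_smb2_negotiate_request(dialects):
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 0, 0, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHHI", 36, len(dialects), 1, 0, 0) + b"\x00" * 24
    return _nb(header + body + struct.pack("<%dH" % len(dialects), *dialects))


def build_smb2_negotiate_response(dialect_revision):
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 0, 1, 0, 0, 0, 0, 0) + b"\x00" * 16
    return _nb(header + struct.pack("<HHH", 65, 1, dialect_revision) + b"\x00" * 59)


SAMPLE_MESSAGES = [   # constructed: an SMBv1-only client and its server, then a modern client
    ("10.0.1.5", "10.0.0.10", build_smb1_negotiate_request(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.0.10", "10.0.1.5", build_smb1_negotiate_response(2)),
    ("10.0.2.20", "10.0.0.11", build_smb1_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.0.11", "10.0.2.20", build_smb2_negotiate_response(0x0311)),
]
```

Running smbv1_findings over the sample reports the SMBv1-only client and the server that accepted it, and nothing for the SMB 3.1.1 pair. On a live sensor the same two checks run on the first request and first response of each TCP/445 session; a later SMBv1 file operation (the third scenario in the list) can only occur on a session that passed the second check, so logging the server side of the negotiate is enough to inventory every SMBv1 server on the wire.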

The advantages of this continuous monitoring are:

  • Any attempt by an infected client to infect any other system on the network (lateral movement) via SMBv1 can be detected. It is not possible for a client to hide its “network traffic trail”
  • Clients do not have to be known by the monitoring system beforehand (so monitors managed and unmanaged devices)
  • Detects embedded systems that may not be patched
  • No endpoint software is needed such as agents or client software
  • Very easy to deploy, simply SPAN or mirror the traffic to and from the file share servers (usually on the same VLAN) to get instant visibility
  • No logs are required, no configuration changes or extra load on servers

The video below shows LANGuardian in action and how it can be used to root out SMB1 clients and servers on your network.

Creating a Ransomware Monitoring Dashboard

Ransomware Monitoring Dashboard

Creating a Ransomware Monitoring Dashboard with LANGuardian

Ransomware has really hit the headlines since WannaCry was first detected. If you want to learn more about this variant, check out our latest blog post which takes a look at how to detect the presence of WannaCry Ransomware and SMBv1 servers on your network.

We regularly send security bulletins to customers and one of the most common questions when it came to Ransomware was what would be a good set of reports to add to a Ransomware Monitoring dashboard. As WannaCrypt and its variants are very prominent at the moment, the focus is on it. However, as you can see from the video below, the dashboard can be used to monitor many other Ransomware variants.

Ransomware Monitoring Elements

This list shows the 8 elements that make up our basic Ransomware monitoring dashboard. We will publish more information at a later date as we learn more about WanaCrypt0r 2.0 and other variants. The video below explains more about how to set up each element and how to interpret the data returned.

  1. Filename extensions associated with WannaCry. This list may grow in time and you can add to it.
  2. Any activity associated with WannaCry web domains.
  3. A list of Windows XP clients; as these use SMBv1, they are seen as vulnerable.
  4. A list of servers running SMBv1.
  5. Graphic showing the rate of file renames on network shares. High numbers of file renames are a sure sign of Ransomware.
  6. Top clients (you can also get usernames) renaming files on your network
  7. Any outbound activity on your network using TCP port 445
  8. Any instances of ransom note text files associated with WannaCry

The video references these variables, which you can copy and paste when needed.

  • WannaCry file extensions: \.wnry$|\.wcry$|\.wncry|\.wncryt$
  • WannaCry web domain:
  • WannaCry ransom note text file: @Please_Read_Me@.txt

If you want to add elements for detecting XData Ransomware, use these variables:

  1. Search for any file containing the text string XData
  2. Search for any file names matching HOW_CAN_I_DECRYPT_MY_FILES.txt.
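As an added example, not LANGuardian's own code and not from the original post, here are dashboard elements 1, 6 and 8 and the two XData variables applied in Python to constructed file-share events of the kind the SMB decoder produces (client IP, username, action, path). The extension regex and the file names are copied from the variables above; matching them case-insensitively is an assumption, as is matching the "XData" text string against the file name rather than the file contents.

```python
import re
from collections import Counter, defaultdict

# Indicators from the dashboard variables above. Case-insensitive matching is an assumption.
WANNACRY_EXT_RE = re.compile(r"\.wnry$|\.wcry$|\.wncry|\.wncryt$", re.IGNORECASE)
WANNACRY_NOTE = "@Please_Read_Me@.txt"
XDATA_NOTE = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
XDATA_TEXT = "XData"   # assumed to be matched against the file name

# Constructed sample file-share events: (client_ip, username, action, UNC path).
SAMPLE_EVENTS = [
    ("10.0.1.5", "jsmith", "rename", r"\\fs01\finance\Q2.xlsx.WNCRY"),
    ("10.0.1.5", "jsmith", "create", r"\\fs01\finance\@Please_Read_Me@.txt"),
    ("10.0.1.5", "jsmith", "rename", r"\\fs01\finance\t.wnry"),
    ("10.0.1.9", "mjones", "create", r"\\fs01\hr\HOW_CAN_I_DECRYPT_MY_FILES.txt"),
    ("10.0.2.20", "abrown", "read", r"\\fs01\sales\pipeline.xlsx"),
    ("10.0.2.20", "abrown", "rename", r"\\fs01\sales\old\pipeline_v1.xlsx"),
]


def classify_event(path):
    """Return the indicator tags that apply to one path's file name (empty list = nothing)."""
    name = re.split(r"[\\/]", path)[-1]
    tags = []
    if WANNACRY_EXT_RE.search(name):
        tags.append("wannacry_extension")
    if name.lower() == WANNACRY_NOTE.lower():
        tags.append("wannacry_ransom_note")
    if name.lower() == XDATA_NOTE.lower() or XDATA_TEXT in name:
        tags.append("xdata_indicator")
    return tags


def indicator_report(events):
    """Elements 1 and 8 (indicator hits per client) and element 6 (top clients renaming files)."""
    hits = defaultdict(Counter)
    renamers = Counter()
    for client, user, action, path in events:
        for tag in classify_event(path):
            hits[tag][client] += 1
        if action == "rename":
            renamers[(client, user)] += 1
    return {tag: dict(c) for tag, c in hits.items()}, renamers.most_common()


if __name__ == "__main__":
    hits, renamers = indicator_report(SAMPLE_EVENTS)
    for tag, clients in hits.items():
        print(tag, clients)
    print("top renamers:", renamers)
```

The report groups hits by client rather than by file so that the first thing on the dashboard is the machine to disconnect; element 5, the rename rate over time, needs timestamps and is handled separately under "How to generate Ransomware alerts" below.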

We are also working on an update to LANGuardian which can trigger an alert whenever an SMB1 protocol request or response is seen. This will then enable you to use the Ransomware Monitoring dashboard and get alerts, if required.

Video Guide: Setting up a Ransomware Monitoring dashboard

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

Wannacry Ransomware

How to detect the presence of WannaCry Ransomware and SMBv1 servers

WannaCry Ransomware has become very active in May 2017. It looks to be targeting servers using the SMBv1 protocol. SMBv1 is an outdated protocol that should be disabled on all networks. One of the big lessons from this Ransomware outbreak is that it is vital that you have monitoring in place on your network. You need to be able to quickly identify suspicious activity. When it comes to detecting Ransomware there are three key things to watch out for:

  1. An increase in file renaming on your network shares.
  2. SMBv1 activity
  3. Inbound SMB activity if TCP port 445 is open on your Firewall

Passively Detect Ransomware Using Network Traffic Analysis

Network traffic monitoring is an ideal way of monitoring what is happening on your network, as you don’t need to install agents or client software on your network devices. It is also a very useful option for continuously checking your network for vulnerable legacy systems like Windows XP or systems that can use SMB1 which is deemed to be insecure.

Detecting Ransomware Step 1 – Set Up a Data Source

One of the easiest ways to monitor what is happening on your network is to set up a SPAN\Mirror port or use a network TAP. This will give you access to flows and packet payloads, so you can see who is connecting to what and if there is anything suspicious moving around.

Check out this blog post if you use Cisco switches, as it explains how you can monitor multiple network segments without the need to remember what is connected to which switch port. If you don’t use Cisco switches, there is an excellent resource on the Wireshark wiki site which looks at how to set up monitoring on other switches.

As I mention above, you can monitor what is happening on your network by monitoring network traffic. However, you do need an application that can process network packets to get meaningful information. Tools like Wireshark may struggle if you are dealing with large volumes of traffic.

Our own product LANGuardian can be used to monitor network traffic. It does not store every packet; instead it captures metadata which can be used to spot security or operational issues on networks. It includes an SMB and NFS decoder as well as a built in Intrusion Detection System (IDS). When it comes to Ransomware, these metadata values are useful for spotting problems:

  • File names, specifically those hosted on Windows file shares
  • File actions like rename or create
  • File sharing protocol versions like SMBv1
  • Capturing specific packets associated with known Ransomware variants
  • Flow records of clients connecting to external IP addresses

Even if you don’t plan on using LANGuardian, check if your existing network monitoring tools have the ability to capture this data. Flow based tools are not good at detecting Ransomware, as they do not see the packet payloads which are required to see if your file shares are under attack.

Step 2. How to Focus on WannaCry Ransomware

There are six things to watch out for when it comes to detecting WannaCry Ransomware:

  1. Check for SMBv1 use. This Ransomware is not limited to just Windows Server 2003 and XP clients. A large number of WannaCry victims were running Windows 7. SMBv1 can run on all Windows versions, so check your network for any activity.
  2. Check your web and DNS traffic for any attempts to connect to these domains:
  3. Check for an increase in the rate of file renames on your network
  4. Look out for any outbound traffic on TCP 445. This really should be blocked.
  5. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  6. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt

SMBv1 is deprecated and should be removed from your network. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions. At a minimum, you should be patching your systems as per Microsoft Security Bulletin MS17-010. In the video below, I cover more of how you can use LANGuardian to detect SMBv1 and suspicious file activity.

Top Tips for preventing Ransomware on your Network

  1. Backup your files regularly and make sure to keep a copy off site. This may be stating the obvious, but a lot of people get caught out when they go to restore files. Build a test server and see if you can restore onto it.
  2. Limit the use of Microsoft Office Macros: A lot of Ransomware is spread using Office attachments. Microsoft recently published an add-on which can stop you from enabling macros in documents downloaded from the Internet. Some more reading here.
  3. Be careful of opening attachments from unknown sources: This is especially true for employees who may receive CVs or financial documents. It may seem normal for them to open attachments from strangers. I have seen targeted attacks where a company advertised a job on the Internet. The HR department received applications with attachments which contained malware associated with Ransomware. Make sure you tell applicants to only send PDF type attachments.
  4. Keep your systems patched: WannaCry and other WannaCrypt variants targeted systems running SMBv1. Microsoft had published Security Bulletin MS17-010 which addressed issues with SMBv1. At a minimum, you should disable SMBv1 and patch all relevant systems on your network. However, the advice is to stay on top of getting update installs, you just never know what will be targeted next.
  5. Know what is happening on your network: When Ransomware strikes it can be difficult to figure out what data was encrypted. Users will report that they cannot access certain files or folders, but they won’t know what exactly was targeted. Get an audit trail of all file and folder activity. You can implement file activity monitoring passively using network traffic analysis.
  6. Know what is happening at the edge of your network: When it comes to keeping your network safe, it is vital that you know what is going in and out of the network edge. Don’t rely on firewall logs as they may become inaccessible when your network is under attack. Look at deploying a combination of intrusion detection (IDS) and flow analysis with metadata capture. Information captured at this point can be crucial if your network is attacked. Look at capturing:
    • IP addresses with associated GeoIP details
    • Flow information such as source and destination TCP or UDP ports. WannaCry targeted networks where TCP port 445 was open so you should block this type of activity at the edge.
    • DNS traffic details like hostnames and DNS server addresses
    • Attachments inbound and outbound via SMTP
    • Web domain names – HTTP and HTTPS
    • IDS events associated with suspicious packet payloads
    • Associated usernames so you can track who is doing what
    • Web client information such as operating system type and browser type
  7. Don’t rely on log files alone for investigating issues. Log management tools have their uses but they can be compromised if a network is attacked. Recently a number of school districts were targeted with a Ransomware attack in the US and the hacking group turned off the logs recording who accessed their systems.

How to disable SMBv1

Server Message Block (SMB) is a protocol mainly used for providing shared access to files and printers on computer networks. Microsoft is recommending that SMBv1 is disabled on all server and client Windows installs as it is insecure and has been replaced. If you detect any SMB1 activity on your network, these steps for shutting down the protocol should apply to the most popular Windows versions. Take a read of this article on how to enable and disable SMBv1 in Windows and Windows Server.

For client operating systems:

  1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
  3. Restart the system.

For server operating systems:

  1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
  2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
  3. Restart the system.

There is some additional reading in this Microsoft post which includes some customer guidance for WannaCrypt attacks.

I don’t have Ransomware on my network; should I worry?

If you have good update procedures and network users are cautious when it comes to clicking on attachments and strange links, you should be able to keep the WannaCry Ransomware away from your network. However, now is the time to get an inventory of what SMB versions you are running on your file servers and take action if you find SMBv1.

Now is also the ideal time to get a good network monitoring system in place. Don’t wait for Ransomware to strike, it is much easier to get something in place when your network is not under attack.

How to generate Ransomware alerts

How to generate Ransomware Alerts

Focus on file renames to generate Ransomware alerts

See Also:

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

If you are interested in learning more about detecting Ransomware on your network, check out the blog posts below which I published recently. There is a lot of good info in these if you want to learn more about how Ransomware can get into a network.

One of the most common questions I get on the subject of Ransomware is how can you generate an alert if any variant of Ransomware gets into a network? The key thing here is being able to detect any variant which rules out things like antivirus signatures which are designed to alert on a specific Ransomware variant.

When Ransomware strikes it seeks out local and network based storage, encrypts files and leaves behind text or HTML files containing instructions on what is required to decrypt the data. You can look at setting up alerts if specific file extensions are detected on network shares but this is not reliable as some Ransomware variants use common extension types like .HTML.

A more reliable way is to watch out for file renames on network file shares. While rename is a valid action it is not one used a lot by network users. Any sudden increase in file renames is an indication that something suspicious is happening on your network.

I am going to use our own product LANGuardian to show you how you can trend renames and create alerts when there is a sudden increase in activity. However, you may be able to set up similar alerts in other monitoring tools if they have the ability to capture file and folder actions associated with network file shares.

LANGuardian uses network traffic as a data source so you don’t need to install agents or enable logging on your file servers. It monitors and records every access to file shares, recording details of user name, client IP address, server name, event type, file name, and data volume. Just set up a SPAN or mirror port to sniff the traffic.

If you use Cisco switches on your network, we have a free Cisco SPAN Port Configurator which makes the job really easy. Just select the port or VLAN that your file server(s) are connected to and send the data to whatever port you have your LANGuardian connected to.

Create a LANGuardian trend to focus on file renames

Before you can set up Ransomware alerts, you need to create a trend of how often renames are being detected. Our support team carried out some tests on a number of Ransomware variants. From this research we recommend that a good starting point when it comes to detecting Ransomware is to generate an alert when renames go above 4 per second.

To get this alerting in place, log onto your LANGuardian and click on the All Reports option top right and select Search by File/Folder Name.

Ransomware Alerts Report
File Renames

Select Rename from the action drop down and then run the report. It does not matter what date selection you use, just be sure to select the action prior to running the report.

You may or may not see results when the report completes; this does not matter. Now select Actions at the top of the report and choose Trend Report. Enter a name like File Renames and click on the Create button.

Filename actions

Configure Ransomware Alerting

Follow these steps to configure Ransomware alerts

  1. Click on the gear symbol top right and then select Settings
  2. Select Trends, which can be found under the Modules section
  3. Locate your renames trend and click on Alarms
  4. Give your alarm a name and enter 4 as the value. 4 is a good starting point and you can tweak this if needed
  5. Choose Send Email as the action and enter a description if needed.
  6. Click on Save and your alert is now configured. If renames go above 4 per second you will get an alert sent to your mailbox

Setting up Ransomware Alerts
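As an added example, not LANGuardian's own code and not from the original post, here is the trend-and-alarm logic of the procedure above in Python over constructed file-share events: renames are counted per one-second bucket (the trend), and an alert fires for every second that exceeds the 4 renames per second starting point, naming the client and username that drove it, which is what you would want in the email. The event layout (timestamp, client IP, username, action) and the sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RENAME_THRESHOLD_PER_SEC = 4   # starting point recommended above; tune it to your network


def _burst(start, second, client, user, action, count):
    """Constructed helper: `count` events of one kind inside a single second."""
    t0 = start + timedelta(seconds=second)
    return [(t0 + timedelta(milliseconds=40 * i), client, user, action) for i in range(count)]


# Constructed sample file-share events: (timestamp, client_ip, username, action).
# abrown does ordinary work; jsmith's machine starts mass-renaming at 10:00:05.
START = datetime(2017, 5, 15, 10, 0, 0)
SAMPLE_EVENTS = (
    _burst(START, 0, "10.0.2.20", "abrown", "rename", 2)
    + _burst(START, 1, "10.0.2.20", "abrown", "read", 5)
    + _burst(START, 3, "10.0.2.20", "abrown", "rename", 1)
    + _burst(START, 5, "10.0.1.5", "jsmith", "rename", 9)
    + _burst(START, 6, "10.0.2.20", "abrown", "rename", 1)
    + _burst(START, 6, "10.0.1.5", "jsmith", "rename", 12)
)


def rename_trend(events):
    """Renames per one-second bucket, plus who performed them (the 'File Renames' trend)."""
    per_second = Counter()
    by_client = defaultdict(Counter)
    for ts, client, user, action in events:
        if action != "rename":
            continue
        bucket = ts.replace(microsecond=0)
        per_second[bucket] += 1
        by_client[bucket][(client, user)] += 1
    return per_second, by_client


def rename_alerts(events, threshold=RENAME_THRESHOLD_PER_SEC):
    """One alert per second in which renames exceed the threshold, naming the top renamer."""
    per_second, by_client = rename_trend(events)
    alerts = []
    for bucket in sorted(per_second):
        if per_second[bucket] > threshold:
            (client, user), n = by_client[bucket].most_common(1)[0]
            alerts.append({"time": bucket.strftime("%H:%M:%S"), "renames": per_second[bucket],
                           "client": client, "user": user, "client_renames": n})
    return alerts


if __name__ == "__main__":
    for a in rename_alerts(SAMPLE_EVENTS):
        print(f"{a['time']}: {a['renames']} renames/s, top {a['client']} ({a['user']}, {a['client_renames']})")
```

On the sample, the two seconds of mass renaming produce two alerts and the ordinary user's renames none; in production the per-second buckets are also the series you would plot as the trend, and the `client` field is what an SNMP-triggered port shutdown (mentioned below) would act on.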

You can also send the alert via SNMP which makes it possible to integrate with tools like SolarWinds UDT and IBM QRadar to take an action like immediately disconnecting the infected client by disabling a port on a switch.

What to do if you get hit by a Ransomware attack?

Dealing with a Ransomware Attack

See Also:

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network

Recently I published a blog post which looked at methods for detecting Ransomware on your network. I also used this topic as a subject for a number of webinars that I hosted and one of the most common questions asked was what to do if you get hit by a Ransomware attack. The obvious response to this is just to restore the encrypted data but this may be a waste of time unless you put a proper incident response in place.

Ransomware attack

Incident response

If you don’t have a documented incident response in place and you have not been hit by a Ransomware attack, now is a good time to get something ready. Your incident response document should include:

  • Incident handling and Management
  • Incident Notification and identification
  • Incident Classification
  • Incident Response
    • Incident Response Team
    • Processes and procedures
    • Incident remediation

A decent incident response document will make it easier to deal with cyber security incidents as you will have everything in one place. Make sure you cover off what to do during business hours and outside business hours.

If you have been hit by Ransomware then the following steps should help you deal with the situation.

Getting your data decrypted

In 2016 the infosec industry rallied around a common goal to combat ransomware under the No More Ransom initiative. Whilst the public face of this initiative is the portal where almost 100 decryption tools are provided freely to anyone who may have the misfortune of being a victim of ransomware, the initiative is a true collective of organizations and law enforcement agencies combating ransomware and those behind such cowardly attacks.

Find out what variant of Ransomware you are dealing with by reviewing any splash screens or by checking for information within ransom note text files. You can then search for a decryption tool on the website.

Find the source of the Ransomware infection

One of the biggest mistakes I see when Ransomware hits is that people focus on getting data restored first. This can be a waste of time, as an infected client will encrypt freshly restored data just as quickly as you can restore it.

Before you go near your backups you need to find the source of the infection. There are many methods you can use to do this, but the one I use all the time is network traffic as a data source. If you extract certain metadata, like file renames, you can quickly find the source of the infection.

Once the infected systems are located, disconnect them from the network and check your monitoring tools for any other infected systems. The problematic client(s) may have been powered down so you need to make sure you have continuous network monitoring in place.

Getting your data restored

Once you have your network cleared of infected hosts you can then focus on data restores. In most cases you won’t need to pay a ransom; most of the analysis shows that this only funds the next Ransomware attack.

If you have a network traffic analysis system in place like LANGuardian, check its reports to find out when the Ransomware was first detected. This will allow you to pinpoint what backups you should use to restore the data.

If your backups are corrupt or not available then you need to make a decision. Do you take the hit and try to get users to manually recreate data? Many of your users will have local copies of their own data, so this may bring back a large percentage of it. These private backups could save the day!

If you are faced with no option but to pay the ransom, check first whether any master keys are available to decrypt the data. For example, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware. Another example is the master boot record killer Petya: if you can extract some data from the disk you may be able to get your data back without paying the ransom. For other crypto variants, check forums like Reddit and see if there are any discussions on the subject.

Paying the ransom should be your very last option. Remember, your payment will only fund the next variant.

Also, don’t forget about end user education; continuous training (and testing) is absolutely critical. Send some ‘test emails’ regularly. You can never give users too much training!

5 Methods For Detecting Ransomware Activity

Ransomware attacks on the rise

See Also:

How to detect the presence of WannaCry Ransomware and SMBv1 servers on your network


According to a new report from McAfee Labs, Ransomware will remain a major and rapidly growing threat in 2016. New variants of Ransomware are appearing on a daily basis and traditional security tools like antivirus are struggling to keep up. New variants have also changed the way they encrypt files and what happens to your data once it is encrypted. This includes:

  • Ransomware-Locky removes the volume shadow copies from the compromised system, thereby preventing the user from restoring the encrypted files.
  • Filecoder.Jigsaw is really aggressive and deletes some of the encrypted files every hour. Newer variants of Jigsaw are branded CryptoHitman and display a series of pornographic images on the victim’s computer.
  • The latest variant of the TeslaCrypt ransomware no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat. However, a master decryption key for TeslaCrypt was released in May 2016 that unlocks files encrypted by the malware.
  • Master boot record killers like Petya have the ability to install a second file-encrypting program. However, if you can extract some data from the disk you may be able to get your data back without paying the ransom.
  • The authors of the CryptMix Ransomware are offering to donate ransom fees to a children’s charity, but this is believed to be another scam to dupe victims into paying the ransom.
  • Tech support scammers have begun using Ransomware tools to increase their chances of extracting money from victims. New variants warn the user that they cannot access their computer due to an expired license key.

Previously, we have looked at many ways of preventing Ransomware attacks on our blog. The #1 tip is to backup your data and make sure you do a test restore. However, even with the latest generation firewalls and antivirus on all desktops, Ransomware can still get into a network. The most common attacks use email phishing with dodgy attachments but we have also seen attacks using remote desktop services and infected data storage devices.

How you can detect the presence of Ransomware on your network

The first variants of Ransomware used a small number of very specific file extensions like .crypt. However, each new variant seems to use different extensions and some even keep the file name intact. Because of this, you need to watch out for multiple symptoms of an attack; here, we take a look at 5 of them:

1. Watch out for known file extensions

Even though the list of known Ransomware file extensions is growing rapidly, it is still a useful method for detecting suspicious activity. Before you do anything you need to get file activity monitoring in place so that you have both a real time and historical record of all file and folder activity on your network file shares.

There is an interesting discussion on this Reddit post which has a link to a number of resources including this spreadsheet which has a comprehensive list of all known Ransomware variants. We currently work off this list and you can use this on your LANGuardian to create a custom report. As the list is in Regex format, you may be able to use it on other monitoring systems. The video further down in this blog post shows you how you can use this list on LANGuardian.

\.enc|\.R5A|\.R4A|\.encrypt|\.locky|\.clf|\.lock|\.cerber|\.crypt|\.txt|\.coverton|\.enigma|\.czvxce|\.{CRYPTENDBLACKDC}|\.scl|\.crinf|\.crjoker|\.encrypted|\.code|\.CryptoTorLocker2015!|\.crypt|\.ctbl|\.html|\.locked|\.ha3|\.enigma|\.html|\.cry|\.crime|\.btc|\.kkk|\.fun|\.gws|\.keybtc@inbox_com|\.kimcilware.LeChiffre|\.crime|\.oor|\.magic|\.fucked|\.KEYZ|\.KEYH0LES|\.crypted|\.LOL!|\.OMG!|\.EXE|\.porno|\.RDM|\.RRK|\.RADAMANT|\.kraken|\.darkness|\.nochance|\.oshit|\.oplata@qq_com|\.relock@qq_com|\.crypto|\.helpdecrypt@ukr|\.net|\.pizda@qq_com|\.dyatel@qq_com_ryp|\.nalog@qq_com|\.chifrator@qq_com|\.gruzin@qq_com|\.troyancoder@qq_com|\.encrypted|\.cry|\.AES256|\.enc|\.hb15|\.vscrypt|\.infected|\.bloc|\.korrektor|\.remind|\.rokku|\.encryptedAES|\.encryptedRSA|\.encedRSA|\.justbtcwillhelpyou|\.btcbtcbtc|\.btc-help-you|\.only-we_can-help_you|\.sanction|\.sport|\.surprise|\.vvv|\.ecc|\.exx|\.ezz|\.abc|\.aaa|\.zzz|\.xyz|\.biz|\.micro|\.xxx|\.ttt|\.mp3|\.Encrypted|\.better_call_saul|\.xtbl|\.enc|\.vault|\.xort|\.trun|\.CrySiS|\.EnCiPhErEd|\.73i87A|\.p5tkjw|\.PoAr2w|\.xrtn|\.vault|\.PORNO

2. Watch out for an increase in file renames

File renames are not a common action when it comes to activity on network file shares. Over the course of a normal day, you may end up with just a handful of renames even if you have hundreds of users on your network. When Ransomware strikes, it will result in a massive increase in file renames as your data gets encrypted.

You can use this behavior to trigger an alert: if the number of renames goes above a certain threshold, then you have a potential Ransomware issue. Our recommendation is to base your alert on anything above 4 renames per second.

Our video (opposite) shows how you can set up a LANGuardian trend graph which you can then use to create an alert. It also demonstrates how you can set up a file activity monitoring report which shows any filenames with extensions known to be associated with Ransomware.
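As an added example (not LANGuardian's or NetFort's code), here are methods 1 and 2 applied to a constructed file-activity feed: a sliding one-second window that raises an alarm when a client's renames exceed the 4-per-second starting value, and an extension match using a constructed subset of the regex list above. The record format, field names and sample values are assumptions; note that the full list also contains generic entries such as \.txt, \.html and \.EXE that would match everyday traffic and should be left out of any alerting rule.

```python
"""Added example, not LANGuardian code: rename-rate alarm and known-extension
match over constructed file-share activity records.
Record format (an assumption): '<ISO time> <client IP> <user> <ACTION> <path>'."""
import re
from collections import defaultdict, deque
from datetime import datetime

RENAME_THRESHOLD = 4      # alarm when renames in one window exceed this (page's starting value)
WINDOW_SECONDS = 1.0      # "4 renames per second"

# Constructed subset of the page's extension list. The full list also has generic
# entries (\.txt, \.html, \.EXE) that match everyday traffic; leave those out of
# any alerting rule.
KNOWN_EXTENSIONS = re.compile(
    r"\.(locky|cerber|crypt|encrypted|ctbl|micro|vvv|ecc|exx|ezz|xtbl|aaa|zzz|xxx|ttt)$",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed: one normal user (alice) and one infected client (bob)
    r"2016-05-10T09:00:00 10.1.1.20 alice READ \\fs01\finance\budget.xlsx",
    r"2016-05-10T09:00:12 10.1.1.20 alice RENAME \\fs01\finance\draft v2.docx",
    r"2016-05-10T09:05:00 10.1.1.20 alice RENAME \\fs01\finance\notes.txt",
    r"2016-05-10T09:07:00.100000 10.1.1.45 bob RENAME \\fs01\shared\q1.doc.locky",
    r"2016-05-10T09:07:00.200000 10.1.1.45 bob RENAME \\fs01\shared\q2.doc.locky",
    r"2016-05-10T09:07:00.300000 10.1.1.45 bob RENAME \\fs01\shared\q3.xls.locky",
    r"2016-05-10T09:07:00.400000 10.1.1.45 bob RENAME \\fs01\shared\q4.xls.locky",
    r"2016-05-10T09:07:00.500000 10.1.1.45 bob RENAME \\fs01\shared\plan.pdf.locky",
    r"2016-05-10T09:07:00.600000 10.1.1.45 bob RENAME \\fs01\shared\photo.jpg.locky",
]


def parse_event(line):
    """Split one record; the path is the remainder so it may contain spaces."""
    ts, client, user, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, user, action, path


def rename_rate_alerts(lines, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Return {client: details} for each client whose RENAME count inside any
    `window`-second span exceeds `threshold`. Records are assumed time-ordered;
    only the first crossing per client is reported."""
    recent = defaultdict(deque)   # client -> timestamps of renames still in the window
    alerts = {}
    for line in lines:
        ts, client, user, action, _ = parse_event(line)
        if action != "RENAME":
            continue
        q = recent[client]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = {"user": user, "at": ts, "renames_in_window": len(q)}
    return alerts


def known_extension_hits(lines):
    """Return (client, user, path) for every record whose filename ends in a listed extension."""
    return [(client, user, path)
            for _, client, user, _, path in map(parse_event, lines)
            if KNOWN_EXTENSIONS.search(path)]


if __name__ == "__main__":
    for client, info in rename_rate_alerts(SAMPLE_EVENTS).items():
        print(f"ALARM {client} ({info['user']}): {info['renames_in_window']} renames "
              f"within {WINDOW_SECONDS}s at {info['at'].time()}")
    for client, user, path in known_extension_hits(SAMPLE_EVENTS):
        print(f"KNOWN EXTENSION {client} ({user}): {path}")
```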

3. Create a sacrificial network share

When Ransomware strikes, it typically looks for local files first and then moves on to network shares. Most of the variants that I have looked at go through the network shares in alphabetical order: G: drive, then H: drive, etc.

A sacrificial network share can act as an early warning system and also delay the Ransomware from getting to your critical data. Use an early drive letter like E:, something that comes before your proper drive mappings. The network share should be set up on old slow disks and contain thousands of small random files.

With thousands of small random files, there is no easy way for the malware to get the list of files in the right order to avoid lots of seeking around the disk. Depending on how it is implemented, the cipher might also need to be re-initialized for each file, which slows down the encryption process further.

The slower the disk the better. You could go to the extreme and put it behind a router and limit data throughput to this network share. It may add a slight delay to the logon process but this honeypot may give you enough time to shut client machines down if they get infected with Ransomware.

You could also set up an alert which would trigger if a specific file was accessed somewhere within the network share. This would be a sure sign that something was going through your file shares. You just need to educate your users to stay away from this network share.

Sacrificial network share

4. Update your IDS systems with exploit kit detection rules

Many IDS, IPS and firewall systems come with exploit detection features. Exploit kits are used as a way to get Ransomware onto a client through malspam or via compromised websites.

The two most common exploit kits (EK) associated with Ransomware are the Neutrino EK and the Angler EK. Check if your network security monitoring systems are up to date and see if they have the capability to detect exploit kits.

LANGuardian includes the Snort IDS system which supports the detection of exploit kits. Watch out for any activity in the Top Network Events report.

5. Use client based anti-ransomware agents

Over the past few months companies like Malwarebytes have released anti-ransomware software applications. These are designed to run in the background and block attempts by Ransomware to encrypt data. They also monitor the Windows registry for text strings known to be associated with Ransomware. The problem with this approach is that you will need to install client software on every network device.

Researchers are also looking at ways to ‘crash’ computer systems when droppers are detected. Droppers are small applications that first infect target machines in preparation for downloading the main malware payloads. This will likely mean that the system is sent to IT where the attack should be discovered.

You should also tell your network users to avoid installing agents themselves. There is too much of a risk that they will install the wrong agent or end up installing more malware on their systems.

If you are dealing with a Ransomware attack you can download our LANGuardian product trial to find the source of the infection. The trial version has all relevant reports available.

Will Ransomware go away?

The simple answer to this is no! All of the indicators suggest that Ransomware will remain a major and rapidly growing threat, fueled by anonymizing networks and payment methods.

Expect to see an increase in Ransomware variants which target websites instead of file stores. Linux.Encoder.1 is an example of this threat. When a website is attacked the Ransomware will hold the site’s files, pages and images for ransom.

There are two key lessons here:

  1. Ensure you are backing up your website
  2. Keep the website operating system and CMS fully patched

Ransomware is also a growing problem for users of mobile devices. There are lock-screen types and file-encrypting variants: lock screen Ransomware will stop you from accessing anything on your mobile device, while file encrypting variants will encrypt data stored on the device. You can decrease your chances of an attack by avoiding unofficial app stores and by keeping your mobile device and apps updated.

I’ll finish by repeating the advice: ensure you backup all of your personal and work data. Educate users on the risks and disconnect problematic users from sensitive data.

Building Your Own Cryptolocker Monitoring Dashboard

CryptoWall Monitoring Dashboard

Cryptolocker Monitoring – How to Build Your Own Dashboard

Last Friday, one of our public sector customers got hit by Cryptolocker Ransomware. Because their LANGuardian is continuously monitoring the network, it proved to be a crucial ‘go to system’ for quickly investigating the attack and for forensics; it had all the detail needed to really understand what happened. Within a very short time frame they were able to track down infected hosts and get the associated username, so the outbreak was contained very quickly.

This blog post looks at what you need to do to set up your own Cryptolocker Monitoring Dashboard. The examples shown here use the LANGuardian system but you can adopt a similar approach if you are collecting file and network activity through other means.

A sample of this Cryptolocker monitoring dashboard is shown below. This is from a network which is not under Ransomware attack. Most reports are not showing results and only small numbers of file renames are being reported which would be seen as normal network activity.

Cryptolocker Monitoring Dashboard

Step 1 – Watch out for .micro file extensions

The first report we created checks for any files with the .micro extension. These are known to be associated with TeslaCrypt Ransomware and thousands of these will appear on your network when you get hit with this malware. The report should remain blank. If results are shown then you should check any client machines listed for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files with the .micro extension.

micro file extensions

Step 2 – Track down clients renaming large numbers of files.

When Cryptolocker strikes it encrypts files and at the same time it renames the files so that they have different file extensions.

You should create a report to focus in on top clients based on the number of file renames. In normal operation you should not see thousands of renames over a 1 hour period. The report will normally show results, but you are watching out for clients associated with hundreds or thousands of renames.

LANGuardian Report – Use Top Clients :: by Num of Events from the Windows File Shares report section. Use the action filter to only show renames.

Step 3 – Cryptolocker Canary.

Ransomware infections can result in the creation of files like INSTALL_TOR.txt and DECRYPT_INSTRUCTION.txt. TOR (the onion router) is free software for enabling anonymous communication and is used by the cyber criminals to communicate with you.

A Cryptolocker Canary can be created by alerting if any of these files are detected on network shares. You just need to create a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called INSTALL_TOR.txt or DECRYPT_INSTRUCTION.txt. 

Step 4 – Root out filenames associated with other Crypto variants.

New Cryptolocker variants are appearing on a daily basis. Applications like Tox require very little technical skill to use and are designed to let almost anyone deploy Ransomware in three easy steps.

File names known to be associated with other Crypto variants include restore_Files*.*, *djqfu*.* or *.aaa.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called restore_Files*.*, *djqfu*.* or ones ending with *.aaa

The report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

Cryptolocker variants

Step 5 – Focus in on Cryptowall 4.0 infections.

Cryptowall 4.0 infections can result in the creation of files like help_your_files*.* or help_decrypt.

Look at setting up alerting if any of these files are detected on network shares. You can start by setting up a report to look for these files. In normal operation the report should remain blank. If results are shown then you should check the client machine for a Cryptolocker infection.

LANGuardian Report – Use Search By Filename from the Windows File Shares report section. Use the filename filter to show any files called help_your_files*.* or help_decrypt.

LANGuardian Online Demo
Download LANGuardian Trial

Forensic Analysis of a DDoS Attack

forensic analysis of a DDoS attack

In this blog post we are going to do a forensic analysis of a DDoS attack. The DDoS analysis is supported by screenshots captured from a LANGuardian system that was monitoring network edge traffic via a SPAN port at the time of the attack.

The purpose of our DDoS analysis is to demonstrate how DDoS monitoring can identify an attack in progress. With the information gathered by using a DDoS attack monitor, we can then take steps to mitigate against these types of DDoS attacks.

Why DDoS Monitoring is Important

Over the past ten days in Ireland, numerous online services and public networks have been targeted by DDoS attacks. A recent article from the BBC also suggests that website-crippling cyber-attacks are to rise in 2016 – the organization itself having been taken offline by a massive DDoS attack at the end of last year.

The majority of the recent attacks in Ireland were NTP amplification attacks. NTP is a popular vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return large replies to small requests. It has been estimated there are over a hundred thousand abusable NTP servers with administrative functions incorrectly open to the general Internet.

Using LANGuardian as a DDoS Attack Monitor

All of the following screenshots were taken using LANGuardian as a DDoS attack monitor on a real network. The network was one of many that suffered multiple DDoS attacks during January 2016. The first image below shows traffic associated with this network at a time when it was not under attack. What I am watching out for here is:

  1. The majority of the traffic is IPv4.
  2. Over 97% of traffic is TCP with small amounts of UDP. This is very normal and what I would expect.
  3. Drilldown on the UDP traffic shows the majority is DNS. For most networks DNS would be the most active UDP protocol. Exceptions to this would be networks where applications like Bittorrent are allowed.

DDoS monitoring dashboard

The next screenshot shows the network traffic profile during a time when the network was under attack. The main thing that stands out is that UDP traffic is now the majority. This is the classic fingerprint of a UDP based amplification attack. You can read more about amplification attacks here and here.

UDP Traffic associated with DDoS attack

Drilling down on the UDP traffic reveals that the network is receiving large amounts of NTP and DNS traffic. Both of these are important protocols so you cannot just block them. The other issue is that the network packets will contain spoofed IP addresses, so basic firewall rules are useless.

These attacks are composed of legitimate-appearing requests, massive numbers of “zombies” and spoofed identities, which together make it virtually impossible to identify and block the malicious flows.

UDP Protocol Analysis

Drilling down further reveals that the traffic appears to originate from 4700 different servers. We can do a WHOIS by IP address and determine that these are valid NTP servers, owned by reputable organizations.

It’s unlikely that 4700 reputable NTP servers are compromised and targeting an attack at the network, so something else is happening here.

The NTP protocol is based on UDP, a connection-less protocol. This means that a malicious client can create an NTP request, but instead of using its own IP address as the source, it uses the IP address of the target network. The NTP server assumes the request is genuine and responds, sending the response, not to the originating client, but to the target network.

This is known as a reflection attack. We can determine this is occurring, because our network has not sent any NTP packets to the NTP servers in question (zero packets sent, zero bytes sent) as seen here.

Further, we can calculate that the average received NTP response packet size is about 440 bytes, significantly larger than a standard NTP response packet (about 90 bytes). The 440 byte packet is likely a response to a ‘monlist’ request, a remote command in older NTP servers that returns a list of the last clients to contact it. The ‘monlist’ command returns multiple packets of this size in response to a single request. This is known as amplification, where a small request generates big responses.
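The two checks made above, as an added example that is not LANGuardian code: has UDP become the majority of bytes, and which NTP peers are sending replies the monitored network never requested at an average size far above a normal ~90-byte response. The per-peer flow summary format, the sample addresses and the 2x amplification cut-off are assumptions.

```python
"""Added example, not LANGuardian code: the two observations the analysis
above makes, computed from constructed per-peer flow summaries.
Line format (an assumption), bytes/packets seen from the monitored network:
  remote_ip,proto,remote_port,pkts_out,bytes_out,pkts_in,bytes_in"""
from collections import namedtuple

NORMAL_NTP_RESPONSE_BYTES = 90   # standard NTP response size quoted in the post
AMPLIFICATION_FACTOR = 2         # assumption: flag replies averaging > 2x normal

Flow = namedtuple("Flow", "remote proto remote_port pkts_out bytes_out pkts_in bytes_in")

BASELINE_FLOWS = [  # constructed: the network when not under attack
    "203.0.113.10,TCP,443,5000,600000,5200,4200000",
    "203.0.113.11,TCP,80,1200,100000,1300,900000",
    "198.51.100.5,UDP,53,400,30000,400,60000",
    "198.51.100.6,UDP,123,10,900,10,900",        # our own NTP peer: we asked, it answered
]
ATTACK_FLOWS = BASELINE_FLOWS + [  # constructed: the same network during the attack
    "192.0.2.21,UDP,123,0,0,20000,8800000",      # replies we never requested
    "192.0.2.22,UDP,123,0,0,15000,6600000",
    "192.0.2.23,UDP,123,0,0,18000,7920000",
    "192.0.2.40,UDP,53,0,0,5000,3000000",        # unsolicited DNS, not covered by the NTP check
]


def parse_flow(line):
    remote, proto, port, po, bo, pi, bi = line.split(",")
    return Flow(remote, proto, int(port), int(po), int(bo), int(pi), int(bi))


def udp_share(flows):
    """Fraction of all bytes (both directions) carried over UDP."""
    total = sum(f.bytes_in + f.bytes_out for f in flows)
    udp = sum(f.bytes_in + f.bytes_out for f in flows if f.proto == "UDP")
    return udp / total if total else 0.0


def ntp_reflection_peers(flows):
    """NTP peers that sent us replies without a single request from our side
    (reflection) at an average size well above a normal response (amplification).
    Returns (remote, avg_reply_bytes, packets_received) per suspect."""
    suspects = []
    for f in flows:
        if f.proto != "UDP" or f.remote_port != 123 or f.pkts_in == 0:
            continue
        avg = f.bytes_in / f.pkts_in
        reflected = f.pkts_out == 0
        amplified = avg > AMPLIFICATION_FACTOR * NORMAL_NTP_RESPONSE_BYTES
        if reflected and amplified:
            suspects.append((f.remote, round(avg), f.pkts_in))
    return suspects


def assess(lines):
    """Summarise one capture window the way the post reads its reports."""
    flows = [parse_flow(line) for line in lines]
    share = udp_share(flows)
    return {
        "udp_share": share,
        "udp_majority": share > 0.5,          # the amplification fingerprint
        "reflection_peers": ntp_reflection_peers(flows),
    }


if __name__ == "__main__":
    for label, lines in (("baseline", BASELINE_FLOWS), ("attack", ATTACK_FLOWS)):
        r = assess(lines)
        print(f"{label}: UDP {r['udp_share']:.1%} of bytes, majority={r['udp_majority']}, "
              f"reflection peers={r['reflection_peers']}")
```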

DDoS packet numbers

Finally, what of the client that originated the NTP request? We have no information about that client, as it successfully forged the source IP address in the original NTP request. We can assume that the client was a member of a botnet and was issued commands to target this network. There can be many thousands of compromised clients in a given botnet.

The scenario is shown in the diagram below: a single C&C server controls many zombie clients, which generate malformed NTP requests to many servers, which in turn send amplified responses to the target network.

DDoS Amplification Traffic

Any local servers shown in the reports would need to be checked for malware activity. Such a server could end up as a zombie host in a botnet, or it may also be serving up malware.

Using DDoS Analysis to Mitigate Against DDoS Attacks

When it comes to mitigating against DDoS attacks, you do have a number of options. It does depend on what stage you are at. If you are presently under attack, you may need to weather the storm a bit and avoid any rush decisions. Blocking traffic for example may only introduce other problems and you may end up with a network cut off from the outside world.

It is critical that you have some type of network activity monitoring in place prior to and during an attack. Make sure you can see where the traffic is coming from and what servers are being targeted. To try and mitigate against an attack you should consider the following.

  1. See if your ISP can black hole the suspicious traffic. Most will not get involved but if you are an education or government institute you may be able to address the issue at an ISP level.
  2. If you host your own web applications or servers you could consider a local DDoS protection system. These high-performance appliances enable attack traffic analysis and cleaning of the traffic, enabling a defense against large-scale DDoS attacks. Good traffic goes one way and bad traffic is dropped.
  3. If your website is hosted externally you could consider something like the Cloudflare DDoS protection infrastructure. They do the job of sorting out the good traffic from the bad in the cloud.
  4. In some extreme cases I have heard of companies changing their ISP to get away from the problem. Their public IP addresses seem to be a constant target, so the only way out is to change them by moving to a different ISP.

Do you have any tips for mitigating against DDoS attacks? Comments welcome.


Latest Ransomware Attacks: End of Year Payments

Ransomware Attachment

End of Year Themed Ransomware Attacks

As we get closer to year end, a lot of financial transactions are being processed. This can include everything from new sales to companies sorting out maintenance contracts for the year ahead.

Cyber criminals are exploiting the fact that employees are under pressure to close accounts out. In recent days we have noticed an increase in the latest Ransomware attacks which have an end of year theme.

The image below shows a typical example, some detail has been blanked out as it used spoofed information associated with an unrelated company. The attachment name is suspicious but some automated billing systems generate files like this so the email recipient may think it is okay.

Latest Ransomware Attacks using email attachment

The author of this knows that finance departments are both very busy and keen to process as many year end payments as possible. The language in the email creates a sense of urgency by stating that extra costs could be added. The email recipient is directed towards the Word attachment which is described as some sort of report.

Manage Ransomware infections on YOUR network

Use the advanced deep packet inspection features in LANGuardian to track down hosts encrypting data on your network file shares. Active Directory integration also lets you see the associated username.

The Word file contains an embedded binary which will trigger once the email recipient opens the attachment. This binary then infects the local computer and local files and/or files hosted on network shares are encrypted.

If you do end up with an infected computer on your network you should quickly verify that there are no other infected PCs active. Ransomware infections can spread quickly, so there is little point in looking at backups if these clients encrypt the files again once they are restored.

Preventing Ransomware Attacks

  1. Inform your users to never open attachments or embedded links in emails unless they know with 100% certainty that they are safe. If people ignore this advice you may need to consider blocking attachments for all email recipients. Attachments that need to be sent in could be forwarded to a special mailbox.
  2. Make sure you are backing up all important files and check that these backups are working. Make sure network users are not storing important data locally on their computers.
  3. Keep all applications and operating systems up to date. Some Ransomware variants exploit known bugs and security vulnerabilities.
  4. Make sure you have some form of network forensics system in place. You need to be able to track down infected hosts quickly if Ransomware gets into your network. You should not rely on firewalls or other edge devices as new Ransomware variants are appearing on a daily basis.

Do you have any experiences with Ransomware attacks? Comments welcome

Darragh Delaney

CryptoWall infection – Verifying that there are no other infected PCs active

CryptoWall infection screenshot

Using LANGuardian to manage a CryptoWall infection

One of the most important tasks when dealing with a CryptoWall infection is to locate the PC(s) on your network that introduced the malware. If you don’t locate this system your files will keep getting encrypted after you restore them or pay the ransom.

In a recent blog post I looked at Auditing File Access on File Servers. One method for auditing file activity involves deep packet inspection and this is ideal for cleaning up after a CryptoWall infection. Malware like CryptoWall leaves certain traces behind and you just need to watch out for these to trace the clients responsible.

Check file share activity for certain text strings

When a CryptoWall infection targets file shares, it creates text and/or HTML files within the folders where data has been encrypted. Typically the file names are HOWDECRYPT.txt and HOWDECRYPT.html. These files contain instructions on how to get the data decrypted. What you need to do is find the clients which created the files, as they are the ones infected with the Ransomware.

You need to check for the presence of these files through network traffic analysis or log files. There is no point in searching for them through applications like Windows explorer. You may find the files but you won’t be able to see what clients created them.

You can use the LANGuardian search feature to track activity associated with suspicious file names. It uses deep packet inspection to capture file names, IP addresses, actions and user names from network packets. You just need to set up a SPAN/mirror port or use a network TAP to get a copy of the network traffic going to and from your file servers. Once you have LANGuardian installed you need to follow these steps to track down CryptoWall infections.

  1. Click on the down arrow beside the search field.
  2. Enter DECRYPT into the File Name field.
  3. Modify the time range so that it includes the date and time of when the CryptoWall infection was reported.

CryptoWall infection file search

Once you click on the search option you should see a report like the one below. This reveals what IP address is associated with the CryptoWall infection. In my case the suspicious IP address is

HOWDECRYPT files in Windows file shares

Find out what users are responsible for CryptoWall infections

Tracking down the network clients associated with CryptoWall infections may be all you need. However, if you use DHCP you may need to find out what usernames are associated with the Ransomware.

Once you have an IP address you can either cross reference your Windows domain controller security log files or use the LANGuardian user reports to identify the usernames. You do need to make sure you are auditing domain logons to get this data.

To reveal usernames in LANGuardian you should click on the arrow symbol in the top right panel of either of the reports shown above. This will return all results. Then click on the View by: User Name option in the top right hand side and you will see what user names are associated with the file share activity.

Users accessing files on network shares
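As an added example serving both the Cryptolocker dashboard steps (the .micro, canary, other-variant and CryptoWall 4.0 filename reports) and the CryptoWall HOWDECRYPT search above, and not LANGuardian's own code: the filename patterns quoted in those posts run over constructed file-share events within a chosen time range, with each hit's client IP resolved to the username most recently logged on from that address, which is what matters when DHCP re-issues addresses. The event format, the logon record format and all sample values are assumptions.

```python
"""Added example, not LANGuardian code: the dashboard filename reports (steps
1, 3, 4 and 5) plus the CryptoWall HOWDECRYPT search, run over constructed
file-share events within a time range, then each hit's client IP resolved to a
username from constructed domain-logon records.
Event format (an assumption): '<ISO time> <client IP> <ACTION> <path>'."""
from collections import namedtuple
from datetime import datetime
from fnmatch import fnmatch

# Filename patterns as quoted in the dashboard steps and the CryptoWall post.
REPORTS = {
    "step1_micro_ext":      ["*.micro"],
    "step3_canary":         ["INSTALL_TOR.txt", "DECRYPT_INSTRUCTION.txt"],
    "step4_other_variants": ["restore_Files*.*", "*djqfu*.*", "*.aaa"],
    "step5_cryptowall4":    ["help_your_files*.*", "help_decrypt*"],
    "howdecrypt":           ["HOWDECRYPT.txt", "HOWDECRYPT.html"],
}
# Only clients that wrote the file are suspects; a user who merely opens a
# ransom note another client dropped shows up as READ and is ignored.
WRITE_ACTIONS = {"CREATE", "WRITE", "RENAME"}

Hit = namedtuple("Hit", "report ts client filename")

SAMPLE_EVENTS = [  # constructed
    r"2016-01-20T13:55:02 10.0.5.12 READ \\fs01\sales\pipeline.xlsx",
    r"2016-01-20T14:02:10 10.0.5.12 RENAME \\fs01\sales\pipeline.xlsx.micro",
    r"2016-01-20T14:02:11 10.0.5.12 CREATE \\fs01\sales\HOWDECRYPT.txt",
    r"2016-01-20T14:02:11 10.0.5.12 CREATE \\fs01\sales\HOWDECRYPT.html",
    r"2016-01-20T14:03:40 10.0.5.30 WRITE \\fs01\hr\help_your_files.png",
    r"2016-01-20T14:10:05 10.0.5.77 READ \\fs01\sales\HOWDECRYPT.txt",    # someone opening the note
    r"2016-01-20T16:20:00 10.0.5.12 CREATE \\fs01\sales\INSTALL_TOR.txt",  # outside the time range
]
# Constructed domain logons: (time, client IP, username). 10.0.5.12 is
# re-issued by DHCP to a second user at 12:30, the case the post warns about.
SAMPLE_LOGONS = [
    (datetime(2016, 1, 20, 8, 1), "10.0.5.12", "jsmith"),
    (datetime(2016, 1, 20, 8, 15), "10.0.5.30", "tlee"),
    (datetime(2016, 1, 20, 12, 30), "10.0.5.12", "mjones"),
]
# Time range around when the infection was reported (step 3 of the search).
RANGE_START = datetime(2016, 1, 20, 13, 0)
RANGE_END = datetime(2016, 1, 20, 15, 0)


def parse_event(line):
    ts, client, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, action, path


def basename(path):
    """Last component of a UNC or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def run_reports(events, start, end):
    """All write-type events in [start, end] whose filename matches a report
    pattern (case-insensitive, like a Windows file share)."""
    hits = []
    for line in events:
        ts, client, action, path = parse_event(line)
        if not (start <= ts <= end) or action not in WRITE_ACTIONS:
            continue
        name = basename(path)
        for report, patterns in REPORTS.items():
            if any(fnmatch(name.lower(), p.lower()) for p in patterns):
                hits.append(Hit(report, ts, client, name))
    return hits


def resolve_user(logons, client, at):
    """Username of the most recent domain logon from `client` at or before `at`."""
    earlier = [(ts, user) for ts, ip, user in logons if ip == client and ts <= at]
    return max(earlier)[1] if earlier else None


def suspected_clients(hits, logons):
    """{client: {user, first_seen, reports}}: the machines to take off the network."""
    out = {}
    for h in sorted(hits, key=lambda h: h.ts):
        entry = out.setdefault(h.client, {
            "user": resolve_user(logons, h.client, h.ts),
            "first_seen": h.ts,
            "reports": set(),
        })
        entry["reports"].add(h.report)
    return out


if __name__ == "__main__":
    found = run_reports(SAMPLE_EVENTS, RANGE_START, RANGE_END)
    for client, info in suspected_clients(found, SAMPLE_LOGONS).items():
        print(f"{client} user={info['user']} first_seen={info['first_seen']} "
              f"reports={sorted(info['reports'])}")
```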

History of Ransomware Attacks

Ransomware attacks on networks

A brief history of Ransomware attacks and what you can do to avoid them

Ransomware is nothing new, but it has made a big comeback over the last few years. I have seen it gradually rise and encrypt people’s laptops and servers, and I have heard of entire networks held to ransom. Due to the current rise I decided to write about it.

When was the first known encrypting ransomware discovered?

1989, the year of the “AIDS” trojan, aka “Aids Info Disk” or “PC Cyborg Trojan”. It replaced the AUTOEXEC.BAT file and would then count the number of times the machine had booted; once it reached 90 days it would hide directories and encrypt the names of all the files on the C: drive, rendering the system unusable. It would then display a message to the user asking them to “renew the license” and contact PC Cyborg Corporation for payment; this involved sending $189 to a post office box in Panama! Like today’s Ransomware, more than one variant exists and different ones will do slightly different things, except for the one thing they all share: trying to extort money from you. AIDS actually had an end user license agreement and would display it to the user; an excerpt can be seen below.

“If you install [this] on a microcomputer…

then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs…

In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use…

These program mechanisms will adversely affect other program applications…

You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life…

and your [PC] will stop functioning normally…

You are strictly prohibited from sharing [this product] with others… ”

A few years later the AIDS Trojan was analyzed further. Young and Yung discovered a fatal weakness in the malware and pointed out that the AIDS Trojan relied on symmetric cryptography. They then showed how to use public key cryptography to implement a secure extortion attack, and published and expanded on this in a 1996 IEEE Security and Privacy paper [YY96]. A cryptovirus, cryptotrojan or cryptoworm hybrid encrypts the victim’s files using the public key of the author, and the victim must pay to obtain the needed session key. This is one of many attacks, both overt and covert, in the field known as Cryptovirology.

What is Cryptovirology?

It is a field that studies how to use cryptography to design powerful malicious software (malware). Think of Regin, Stuxnet and Dark Hotel APT, which have come from nation states, have been stealthy and were intended to steal information or spy on users for an extended period of time without them knowing about it; they may also be used to cause harm and often sabotage.

The first attack that was identified was called “Cryptoviral extortion”. A virus, worm or trojan hybrid encrypts the victim’s files, and the victim must then pay the malware author to receive the needed session key; provided they have no backups, this will be the only option available to recover their data from anything the malware has touched.

What do I do if I am infected?

  1. Turn off your machine, disconnect it from the network and restore from a backup. If you are seeing a pop up asking for payment then the chance of your files already being encrypted is very high, as you usually will not see this until the encryption process has finished.
  2. Alert your IT/Security department of what has happened, as they will need to assess the damage and see if there has been any spread within the company network, e.g. to network shares.
  3. You may be able to decrypt some files if hit by CryptoLocker, for example with an online decryption tool like this one by FireEye and Fox-IT, in which the keys were obtained during Operation Tovar, when a huge number of law enforcement agencies and businesses joined forces to take down the Gameover Zeus botnet, which investigators believed had been used in bank fraud and the distribution of CryptoLocker. At this point I will say don’t hold your breath, as this is only for CryptoLocker and there are many, many variants out there!

How do I protect myself or users?

  1. Back up all your important data, or anything that you do not want to lose, and make sure the backup is not left connected to your machine if you choose to back up locally. Also try to use some form of online backup service if the data is really important, as there is more chance of restoring your data if you can restore previous versions of your files.
  2. Make sure you have up to date Anti-Virus and maybe some other third party tools like Malwarebytes, Spybot etc., and use a layered approach; an IDS and some form of packet analysis can help with the cleanup if you need to trawl through the network and see how far the infection has spread.
  3. Use a standard user account with UAC enabled to the maximum, and have a separate administrator account with a different password.
  4. Make sure all your software is up to date; you can use Personal Software Inspector from Secunia for this, as it provides an effective automated patch management solution.
  5. Be vigilant when clicking on emails, and avoid clicking on or opening attachments from people you don’t know or companies you have not previously done business with.
  6. Don’t use Internet Explorer; use Firefox or Chrome with a plugin like NoScript so that you can make judgements yourself on what to allow to run in your browser. I have been using this for years and it is very effective, and quite possibly the best protection for blocking malicious payloads from being delivered to your system from within the browser.
  7. Drive-by downloads are a common form of infection; as per the NoScript tip above, just don’t allow scripts to run globally and you should be ok.
  8. Show hidden file extensions within your browser, for example if you receive an e-mail attachment called “super_secret.PDF.EXE” it should raise concerns. This requires vigilance, however, and with some proper “Spear Phishing” you may not notice this and click it regardless; at that point just turn off your machine and disconnect it from the network.
  9. Disable files from running in the AppData or LocalAppData folders. This can be done one of two ways: manually, or with the automated tool which has usage instructions here.
  10. Disable RDP on Windows XP, 7, 8 & 8.1.

There is quite possibly more you could do to protect yourself, but informing users and providing some form of user awareness training about the dangers of email, and testing your users internally (which, yes, I know sounds a bit cruel), is a very good way to make them learn.

Users are your weakest link: you can have the best endpoint protection in place, but without a signature for the latest variant of Ransomware, virus or malware you will find yourself infected again. It is your responsibility to inform your users, and if you don’t, don’t blame them; they don’t know any better. Just because you know doesn’t mean everyone does, so spread awareness and watch the infections fall.

Before I let you go, I would like to make you aware of the latest attack vector coming your way: RansomWeb, which has been given that name due to its similarities with Ransomware, for example the extortion of money after encrypting your database; think Personally Identifiable Information (PII), credit cards etc.

File integrity monitoring is the trick to detecting RansomWeb, but this is not always in place with a web application provider, so it may be some time before this becomes a reality, and when this gets out of control providers will be reactive rather than proactive to the latest threat.

It’s also hard to gauge how successful RansomWeb will be, but if RansomWare is anything to go by, threat agents will find a way to make it a lucrative business and start reeling in the money.

Finally the way I see this moving in your internal network is as follows:

  1. System is infected.
  2. Encrypted.
  3. Held to Ransom with a timer.
  4. Timer runs out, you haven’t paid the ransom, so you get a system wipe (destructive malware, a wiper). You have already lost your data once it is encrypted, but this just puts the final nail in the coffin.

Why do I think this? Well, just look at the Sony hack before Christmas, when exactly that happened to them. According to the FBI, North Korea did this, but the smell of inside job is so strong that I am not even going to get into it here, as it is another article in itself.

What we learned, though, is that 100 TB+ was exfiltrated from their network; the ransom was asked, denied, and then their systems were wiped and staff were forced to use pen and paper to carry out their work. Would you be able to sustain such a hit to your business?

5 Quick Tips To Hunt Down Ransomware With LANGuardian

CryptoWall 3.0 Ransomware

How To Hunt Down Ransomware With LANGuardian

When infected by Ransomware there is usually an initial infection vector, such as a user clicking on an attachment in an email, an infected advertisement on a site, or something pushing the Angler Exploit Kit, which then pulls down the CryptoWall payload to the machine.

If you have been infected by Ransomware use the search page up the top left in order to either:

  1. Enter the IP of the infected machine in the forensic search: https://x.x.x.x/main.cgi
  2. Enter the name of a file that has been modified on your machine, e.g. HELP_DECRYPT.txt, into the ‘Filename’ field to see if it has spread and to where; this is also located on the search page https://x.x.x.x/main.cgi
  3. Run the All Events::By Signature report – https://x.x.x.x/netmon/view.cgi?id=&rid=52
  4. Run the All Events::By Destination report https://x.x.x.x/netmon/view.cgi?id=&rid=106, putting the infected machine IP in the destination filter field.
  5. Check for any websites or IP addresses visited during the time period of the initial infection and you should see communication with the C&C. Confirm the website or IP is malicious by checking it with Virustotal’s URL adviser. It’s also a good way to see if anybody else has been infected: run a website search for the specific domain over the last 24 hours, for example.

Following the steps above you should be able to hunt down Ransomware and find out when and where the initial infection came from.

Cyber Attacks – Businesses Held for Ransom

Businesses Held for Ransom

Really nice crisp clear morning here in Galway, bit chilly though. Before I dropped my 14 year old son to school, I tuned into an Irish station, NewsTalk and caught most of a very interesting conversation between a member of a large Irish law firm, William Fry and the presenter.

They were discussing the increasing threat of cyber-attack for Irish businesses. They spoke about the importance of detection, as 43% of businesses are not even aware that they are being attacked, and the hackers can have access for weeks or months before they are detected.

Newstalk Podcast

They also indicated that 4 out of 5 businesses have been impacted. Hard to believe, but if this also includes recent Ransomware attacks, for example, then based on feedback from NetFort customers I would believe it. Maybe also, as large enterprises are spending more on security and have ‘tightened up’, the hacker has moved on and redefined the ‘low hanging fruit’: it is now the small to medium enterprise (SME)?

It reminds me of a discussion I had last year with a network admin of a college in Chicago. ‘John, we are entering an era where continuous monitoring, visibility is becoming more and more critical because there is no way all the inline active systems can protect us internally and externally these days’.

I am biased but I think he is absolutely correct. Visibility, actionable intelligence, data normal users can read and interpret and act on is critical.

Visibility not just at the edge though, also at the core, the internal network because it is critical to be able to see and detect suspicious activity or network misuse here also. It is also important to track this, to keep a record of it to help troubleshoot, to provide proof for management, auditors and even users.

I was discussing some recent LANGuardian use cases with an adviser in the US this week and mentioned that we are hearing the term ‘network misuse’ a lot more these days and I was not sure why. Maybe organizations are becoming more concerned about data theft?

His explanation makes sense, it was all about the attack surface for him, if users are misusing the network, accessing sites and applications that are non-critical or inappropriate and infected, it is increasing the attack surface, the security risk and will result in pain for everybody.

In defence of Irish business though, a lot of the systems out there in this space are only suitable for large enterprises, too expensive and complex to manage, tune and get real actionable intelligence. The SMEs all over the world, not just Ireland cannot afford them in terms of time, people and money.

John Brosnan
NetFort CEO

Detecting XCodeGhost Activity

Detecting XCodeGhost Activity

Detecting XCodeGhost Activity By Monitoring HTTP Traffic

Apple are presently working on issues with malware (XCodeGhost) in their App Store. According to this blog post, over 50 iOS apps contained malicious code that made iPhones and iPads part of a botnet that stole potentially sensitive user information including:

  • Application name
  • Application version
  • OS version
  • Language
  • Country
  • Developer info
  • Application installation type
  • Device name
  • Device type

One of the quick ways to check for suspicious activity on your network is to look for HTTP or DNS traffic associated with:


Lately criminals have been targeting users of mobile devices more, as people are less cautious on mobile devices than on desktops. This attack also highlights how important security awareness is throughout the application development process. Everyone from the developer to the end user needs to be alert. In this incident developers were tricked into using counterfeit software to build their applications, which created an ideal environment for malware to spread.

Detect XCodeGhost Activity on YOUR Network Using LANGuardian

Use the advanced deep packet inspection features in LANGuardian to track down XCodeGhost Activity on your network. Active Directory integration also lets you see the associated username.

The BBC is reporting that the majority of people affected by this attack were in China. However, we would recommend that you check your own network for activity, especially if you allow mobile devices to connect to the corporate network.

A recommended approach to do this would be to use network packet capture. Tools which use NetFlow (or other flow source) are poor when it comes to web usage tracking. Packet capture allows you to look inside HTTP headers where interesting data like User-Agent can be found.

You can use a free tool like Wireshark or a commercial product like LANGuardian. Once installed you should set up a SPAN or mirror port to get a copy of network packets going in and out of your Internet connection. This is a passive monitoring approach, so you won’t need to install client or agent software on all of your network devices.

Deep packet inspection (DPI) based monitoring also works whether you have a proxy or not; you just need to sniff the traffic at the correct location. Many organizations are not using proxies these days because they are a potential bottleneck, another inline device that can degrade performance or cause issues. If you do not have one and need visibility, you have the option of using a SPAN port or port mirror.

The following video shows how you can set up a SPAN or mirror port to monitor Internet or mobile device activity. This is an ideal way of detecting HTTP or DNS traffic associated with XCodeGhost. Even if you don’t have a problem today, you should get familiar with the concept so that you are prepared for the next big security issue.

Our support team is here to help if you have any questions about detecting XCodeGhost activity on your network. Contact information can be found at the very top of this blog post. Use the following procedure if you want to use LANGuardian for detecting XCodeGhost activity.

  1. Enter websites in the find field which is located in the top right of the GUI
  2. Select Web : Top Websites & URI
  3. Search for or by using the website name filter.

DNS traffic associated with XCodeGhost

Please use the comment section below if you have any feedback or further information for detecting XCodeGhost activity.

Darragh Delaney

How Hiring Employees Increases Your Chance of a Ransomware Attack

How Hiring Employees Increases Your Chance of a Ransomware Attack

Tips For Avoiding Ransomware Attacks

It seems like a strange combination, employee hiring and Ransomware but there is a connection. Ransomware is one of the biggest network security issues in today’s world and businesses have paid out tens of millions in ransoms this year. Thankfully a lot more people are aware of the problems it can cause and how it can get into a network. This is making things more difficult for the virus writers but they are a resourceful bunch with a lot of time on their hands.

Most people avoid opening attachments in emails from strangers. However, there are ways to trick people into opening attachments with virus payloads.

One such way which I observed recently is where companies advertise for new job positions. A common approach is to advertise jobs on websites and make a bit of noise about it on social media. Contact details are usually published and people submit their applications.

What we now have is strangers sending their CVs as attachments, and this introduces a new attack vector as it is not seen as unusual activity. Malicious attachments really have made a comeback as a top attack vector.

Ransomware bandits know that sending email to a generic human resources email address may not be successful as HR teams will be used to dealing with attachments. They will employ social engineering tactics and send their ‘CV’ to other email addresses within the company. The helpful recipient will probably forward it on and may even open it. As soon as they do they will find their files are encrypted.

Attack Surface

Advertisements for jobs and other services within a company increase that company’s attack surface.

These social engineering attacks are getting more and more advanced. Not that long ago you could spot suspicious emails easily, as they contained lots of spelling mistakes or started off with something like “Dear Firstname”. This is no longer the case: one-off emails are written for specific attacks and they can look legitimate at first glance. You should also be on your guard for unsolicited messages on LinkedIn and other social networks.

Anatomy of a Ransomware Attack

Anatomy of a Ransomware Attack

  1. Attacker spots company activity. Job announcements, corporate events, etc…
  2. Email created to match company activity
  3. Email sent to unsuspecting employees with attachment
  4. Attachments opened, files encrypted locally and on shared drives

Tips For Preventing Ransomware Attacks

The lessons here, of course, are to continue to educate employees on the dangers of opening emails from strangers. Perform spot checks by creating a new Gmail address and sending emails to see if employees open them or forward them on to others.

Email attachment with virus
Do we really need email attachments in the era of cloud based applications?

As well as bogus CVs, you will see tactics such as sending bogus purchase orders, software licenses, delivery notices and banking statements. In most cases the email will be tailored to match the recipient’s role or to coincide with specific company events.

I am beginning to wonder in the age of cloud applications, do we really need to be sending attachments in emails? They have been the source of countless virus outbreaks over the years. For example, the ILOVEYOU virus from a few years ago affected over 45 million computers.

Employee training and security awareness is the number one way you will prevent Ransomware attacks. In parallel to this you should make sure you have some sort of network monitoring tool in place that can track who is accessing file shares and give you warnings when something suspicious is happening. Also consider:

  • Block attachments on emails or restrict them to specific accounts.
  • Use contact forms on your website instead of publishing email addresses.
  • If you use Google Apps check out the attachment filtering feature. It lets you block specific attachment types or quarantine them for review later.

The image below shows a sample SMTP email report from NetFort LANGuardian which shows suspicious looking attachments that were detected moving around on a network. This information was captured using Wire Data Analytics. Two things look strange here. Firstly, the same email was sent to two people, and secondly, the compressed attachment (zip) is a tactic used to try and get past email filters.
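As an added example (not code from the original post or from NetFort), the following Python script applies the three tells from the report above and the earlier “super_secret.PDF.EXE” tip to SMTP attachment records: archive attachments, an executable hiding behind a document extension, and one attachment fanned out to several recipients. The log format, the addresses (reserved .test and .example names) and the extension lists are constructed assumptions.

```python
"""Added example: triage attachment records from an SMTP mail log for the signs
the post describes: compressed attachments, executables hiding behind a document
extension (super_secret.PDF.EXE), and one attachment fanned out to several
recipients.  Log format and values are constructed, not from any real product."""
import re
from collections import defaultdict

SMTP_LOG = """\
2016-09-05 09:12:44 from=apply@mail-example.test to=jane.doe@corp.example subject="Application for Network Engineer role" attachment=CV_J_Smith.zip
2016-09-05 09:12:46 from=apply@mail-example.test to=mark.lee@corp.example subject="Application for Network Engineer role" attachment=CV_J_Smith.zip
2016-09-05 09:40:01 from=orders@supplier.example to=purchasing@corp.example subject="Purchase Order 44812" attachment=PO_44812.pdf
2016-09-05 10:05:19 from=tracking@shipping-example.test to=jane.doe@corp.example subject="Missed delivery" attachment=DHL_Notice.PDF.EXE
2016-09-05 11:15:55 from=hr@corp.example to=all-staff@corp.example subject="Holiday calendar" attachment=calendar.xlsx
"""

RECORD_RE = re.compile(
    r'from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)" attachment=(?P<name>\S+)'
)

# Assumed extension classes; extend to match your own attachment policy.
ARCHIVE = {"zip", "rar", "7z", "gz", "tgz", "cab"}
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DOCUMENT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


def attachment_flags(name):
    """Flags derived from the file name alone (case-insensitive)."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    flags = []
    if ext in EXECUTABLE:
        flags.append("executable")
    if ext in ARCHIVE:
        flags.append("archive")  # zips are used to slip past attachment filters
    if len(parts) > 2 and parts[-2] in DOCUMENT and ext not in DOCUMENT:
        flags.append("double-extension")  # looks like a PDF, runs as something else
    return flags


def parse_records(text):
    """Return one dict (sender, rcpt, subject, name) per attachment record."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def triage(text, fanout_threshold=2):
    """Map each suspicious attachment name to its sorted list of flags.

    Fan-out: the same sender, subject and attachment reaching several distinct
    recipients, as in the two-person delivery shown in the post's report."""
    records = parse_records(text)
    recipients = defaultdict(set)
    for r in records:
        recipients[(r["sender"], r["subject"], r["name"])].add(r["rcpt"])

    findings = defaultdict(set)
    for r in records:
        findings[r["name"]].update(attachment_flags(r["name"]))
        n = len(recipients[(r["sender"], r["subject"], r["name"])])
        if n >= fanout_threshold:
            findings[r["name"]].add(f"sent-to-{n}-recipients")
    return {name: sorted(flags) for name, flags in findings.items() if flags}


if __name__ == "__main__":
    for name, flags in triage(SMTP_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```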

New variants of Ransomware are appearing on a daily basis. Do not rely on host based antivirus, as it struggles to keep up. Training and constant monitoring are the most vital activities, and don’t forget about your backups.

Dealing With A Ransomware Attack

I would recommend that you create an incident response document before you get hit by Ransomware. Just something basic like backup information, support contact details, what tools to use for forensics etc… Also include notes on shutdown steps for key servers and applications.

If you do get hit, don’t just pay the ransom. As soon as you have paid you will be dealing with another outbreak. Watch out for infected files on cloud storage services such as Dropbox: files encrypted or infected with malware could be synchronized with a cloud service within seconds. It is a good example of why you should really know what applications your users are running on your network. We have a few other blog posts which you may find useful in the event of a Ransomware outbreak.

The following video also shows how you can use file activity logs to track down the source of Ransomware on a network.

I cannot stress how important training is for the prevention of network security attacks. If you make noise about something within your company like job postings, financial updates or corporate events, be prepared for advanced social engineering attacks.

Do you have any experiences with Ransomware attacks? Comments welcome

Darragh Delaney

Angler Exploit Kit and CryptoWall 3.0 Incident Response

Angler Exploit Kit and CryptoWall 3.0 Incident Response

Angler Exploit Kit Attack Vector

We have seen a huge rise in the Angler Exploit Kit serving up CryptoWall 3.0 in the past few weeks, encrypting people’s file servers and forcing them to restore from backups to get rid of the infection. Nobody has resorted to paying the ransom which is asked of them.

The infection vector looks similar to the diagram displayed below:

CryptoWall 3.0 Ransomware

Steps to infection:

  1. User visits a website.
  2. The website is serving up the Angler Exploit Kit, regardless of the client’s current patch level.
  3. A request with some queries is sent back to the C&C.
  4. The client then receives a Flash zero-day exploit, which drops the payload currently being served, CryptoWall 3.0, onto the machine.
  5. Client receives a notification that files are encrypted and a ransom is asked; the following files will appear on your local and shared network drives: HELP_DECRYPT.txt, HELP_DECRYPT.PNG, HELP_DECRYPT.html.

A list of the file extensions targeted are below:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

There are many other attack vectors, such as double-clicking on and opening an email attachment, clicking on a link, a malicious website, a legitimate website that has been hacked, or getting infected from an advertising network, to name a few, but the most common at the moment are the Flash zero-days served up from the Angler Exploit Kit on a legitimate website. Email is also a huge vector for infection: if you receive an email with an attachment or a link to a missed DHL or FedEx shipment, for example, you should delete the email, especially if you weren’t expecting it!

Track Down Ransomware on Your Network

Use the deep packet inspection engine of LANGuardian to find the root cause of malware and Ransomware infections on your network. No client or agent software needed.

Some clients may also infect themselves by clicking on a website pop-up so that they can view content on a website. A good example of this is a fake YouTube video of some cats doing very silly things, which requires you to install a fake malicious plug-in to “update your Flash” and view the video. Who doesn’t love silly cats?

Silly Cat

The Angler Exploit Kit has been turned into a model which rapidly integrates new zero-days almost as soon as they have been released, and even with the latest up to date version of Flash or Java, for example, you actually don’t stand a chance. While assisting in Incident Response for certain businesses I have noticed that both the method of communication between the client and the C&C and the URLs they use differ greatly between infections. It is currently a never ending game of cat and mouse where the AEK seems to be ahead of the curve, already evading whatever is currently detecting it, and because of this it is common for signatures to miss the latest variant.

I have found web domains are a very good way to hunt CryptoWall 3.0 after an infection to see if any other clients have been compromised. Say for example your client was infected at 13:24 on July 14th; all you have to do is look for access to any websites or IP addresses from that client machine during that time period to help in your investigation.

If you notice access to a domain which may not necessarily look suspicious, you can check it very easily using Virustotal’s URL advisor:

Virustotal URL advisor

You can then also very easily check your logs or traffic for that period and see if any other machines on your network have accessed this site and have also been infected.
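As an added example (not code from the original post or from NetFort), the following Python script automates the two-step pivot described here and in the “5 Quick Tips” post above: collect the hosts the infected client reached in the minutes around the infection time, then list every other client that reached any of those hosts in the previous 24 hours. The web-usage records, the ±5 minute window and the reserved .test host names are constructed assumptions; the reputation check of each suspect host is still done separately, as the text describes.

```python
"""Added example: pivot from the time a client was infected to the web domains it
contacted around then, and find other clients that reached the same domains in
the previous 24 hours.  Log lines are constructed; .test domains are reserved
names standing in for whatever your own web-usage report shows."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "date time client host" records from a web-usage report.
WEB_LOG = """\
2015-07-13 09:10:00 10.0.5.41 ready.landing-example.test
2015-07-14 13:19:52 10.0.5.23 www.example-news.test
2015-07-14 13:22:07 10.0.5.23 cdn.example-news.test
2015-07-14 13:23:31 10.0.5.23 qx7-ads.example.test
2015-07-14 13:23:48 10.0.5.23 ready.landing-example.test
2015-07-14 13:24:05 10.0.5.23 ready.landing-example.test
2015-07-14 13:31:10 10.0.5.23 update.example-vendor.test
2015-07-14 14:02:44 10.0.5.77 qx7-ads.example.test
2015-07-14 14:02:59 10.0.5.77 ready.landing-example.test
2015-07-14 15:45:12 10.0.5.90 www.example-news.test
"""


def ts(text):
    """Parse the timestamp format used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_web_log(text):
    """Return (time, client, host) tuples."""
    rows = []
    for line in text.splitlines():
        date, clock, client, host = line.split()
        rows.append((ts(f"{date} {clock}"), client, host))
    return rows


def domains_near(rows, client, infected_at, window=timedelta(minutes=5)):
    """Hosts `client` reached within +/- window of the infection time, first-seen order.

    Every host here is a candidate for a reputation check (e.g. a URL scanner);
    legitimate sites will appear alongside the one that served the exploit kit."""
    hosts = []
    for when, c, host in rows:
        if c == client and abs(when - infected_at) <= window and host not in hosts:
            hosts.append(host)
    return hosts


def other_clients(rows, hosts, exclude, since, until):
    """Other clients that reached any suspect host in [since, until]."""
    hits = defaultdict(set)
    for when, c, host in rows:
        if host in hosts and c != exclude and since <= when <= until:
            hits[host].add(c)
    return {host: sorted(clients) for host, clients in hits.items()}


def pivot(text, client, infected_at, lookback=timedelta(hours=24)):
    """Run both steps and return the suspect hosts and who else touched them."""
    rows = parse_web_log(text)
    suspects = domains_near(rows, client, infected_at)
    last_seen = max(when for when, _, _ in rows)
    others = other_clients(rows, set(suspects), client, infected_at - lookback, last_seen)
    return {"suspects": suspects, "others": others}


if __name__ == "__main__":
    result = pivot(WEB_LOG, "10.0.5.23", ts("2015-07-14 13:24:00"))
    for host in result["suspects"]:
        print(host, "->", result["others"].get(host, []))
```

Hosts that are confirmed malicious by the reputation check, and appear under "others", give you the list of machines to isolate next.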

If you get a hit with Virustotal there is a good chance that by Googling the domain or IP address within quotes “” you will see information that backs this up, with a heading like the one below:

Google Angler EK

Google Angler EK

While this is a manual process it is an excellent way to discover the initial vector from which CryptoWall 3.0 has been delivered to the client system.

An example of some of the information seen from a recent infection can be seen below:

In this example the “POLICY Outdated Windows Flash Version IE” signature alerted me to look a bit deeper at this triggered alert, as there were no signatures triggering for the latest version of the Angler Exploit Kit or CryptoWall at this time. Expanding further on this led me to a domain which Virustotal confirmed was serving up the Angler Exploit Kit, as it was flagged as malicious and linked to the Angler Exploit Kit.

Snort IDS Example. Flash outdated

The forum has a few resources on this, from a brief overview of ransomware to tips on hunting down the source of infection on your network; if you are having difficulty tracking down a Ransomware infection, try the tips and you will hopefully get to the bottom of things.

Finally, do not forget to make regular backups!

Keith Bennett
NetFort Support Team

Breaking Bad Themed Crypto Ransomware

Trojan.Cryptolocker.S Ransomware

Trojan.Cryptolocker.S Ransomware

A new Ransomware threat named Trojan.Cryptolocker.S, has been discovered by Symantec. Initial reports suggest that the Ransomware only targets users in the Australian region. However, network managers in any region should watch out for signs of an infection.

The malware authors use a ‘Los Pollos Hermanos’ branded image which can be found in the Breaking Bad TV series. The malware arrives through a zip archive and contains a malicious file called ‘PENALTY.VBS’. When executed, the malware downloads the Crypto Ransomware onto the victim’s computer. The malware also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file.

Once installed it is reported to encrypt images, videos and documents on compromised computers and then demand up to AU$1,000 to decrypt them. Once your files are encrypted they can only be decrypted by using the actual private key from the attackers thus stopping the use of tools to get around paying the ransom.

Crypto Ransomware typically uses social engineering techniques as a means of infecting victims. You should continuously educate your users on the dangers of clicking on email attachments or website links.

You should also look at implementing a file activity monitoring solution on your network. Watch out for the presence of suspicious files like HOWDECRYPT.txt or users accessing large amounts of files on network shares.

Recently we hosted a Webinar which looked at ways you can track down the source of Ransomware on your network. You can view a recording of this Webinar at the link below.

View Webinar Recording: Your guide to detecting ransomware

You can contact our support team at any time if you need any help with clearing up a Crypto Ransomware problem. Alternatively, you can also download a trial version of LANGuardian which can show you what systems are infected with malware on your network.

Darragh Delaney

Support Team Stories – Detecting the Source of Ransomware


Locating the source of Ransomware on a network

The following case study is from an actual client network and as such some information is masked in the screen shots. The methods used to locate the source of Ransomware can be used on networks of any size.

Incident Background

We were contacted by a client to help with their incident response in tracking down an infection on a client’s machine with the new CTB-Locker ransomware (Curve-Tor-Bitcoin Locker), aka Critroni, for which no signatures were available at the time of infection.

LANGuardian includes a file share activity monitoring module which provided a very detailed forensic analysis of the ransomware and the paths it had taken in order to encrypt the client’s system and also the fileserver it was connected to. The initial infection came from the opening of an attachment in an e-mail.

CTB-Locker Ransomware

What type of Ransomware were we dealing with?

CTB-Locker is usually delivered through SPAM e-mail; there is no way to get the data back except by restoring from backup or paying the ransom, as per this analysis.

CTB Locker and Network Shares

CTB Locker will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CTB Locker will not encrypt any files on a network share.

It is strongly suggested that you secure all open shares by only allowing writable access to the necessary user groups or authenticated users. This is an important security principle that should be used at all times regardless of infections like CTB Locker.

How we found the source of the Ransomware

Using the LANGuardian forensic dashboard to focus on the specific IP address given (X.X.81.61) for investigation we detected some strange fileshare traffic. If you have a LANGuardian you can do this yourself by following these steps:

Go to the LANGuardian search page (search button top left in GUI). Enter the IP address (X.X.81.61) in the Forensics search panel.

LANGuardian Forensics

Once the next page has loaded change the time and date to the correct date and time of the incident.

Forensics Date Selection

You are then presented with the forensics page, which contains a lot of useful information. Most notably, during this time period the SMB traffic spiked, which was picked up by the IDS, by Content Based Application Recognition (CBAR) and by the Windows File Shares :: Top Fileservers reports:

Forensics Drilldown

Looking a bit closer, random files can be seen named “laaaaaaa.tmp”, so we decided to dive a bit further and see what was lurking beneath the surface. We discovered that the machine was then contacting X.X.1.182, which was the fileserver; this can also be seen on the dashboard above.

  • Looking up “laaaaa.tmp” online at the time led to one hit on Google, in Russian.
  • The infection name is “Win32/Filecoder.DA.Gen”.

A bit of a closer look at what is happening shows us that the files on the fileshare have been infected and are then encrypted:

Ransomware Encryption

In order to check on the network for any other systems that may have been infected we went back to the search page again and used the file search to track down any further infections on the network.

Search for Ransomware

Looking closer and using the search field for specific file names, it appeared that only the machine in question, “X.X.81.61”, was infected. This one machine had, however, encrypted a high number of files on the fileserver, which had to be restored from a backup taken before the infection and encryption process.


It is critical to continuously monitor and alert on suspicious fileshare activity, for example the creation of filenames associated with malware or the renaming of large numbers of files in a short time. If something gets into your network you need a fast way of locating and disconnecting the source, or it will continue to encrypt files as you restore them.
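As an added example (not from the original post), here is the kind of fileshare activity check described above, written in Python over constructed SMB event lines: it alerts on the creation of a known malware file name and on one client renaming many files within a short window. The event format, the thresholds and the indicator list (seeded with the file name from this case) are assumptions.

```python
import re
from collections import defaultdict, deque

# Assumptions for this example: the indicator is the file name seen in the case
# study above; tune the rename rate to what is normal on your own shares.
MALWARE_NAMES = re.compile(r"^laaaaaaa\.tmp$", re.IGNORECASE)
RENAME_THRESHOLD = 20   # renames by one client ...
WINDOW_SECONDS = 60     # ... within this many seconds => mass-rename alert

def parse_event(line):
    """Parse one constructed event line: '<epoch> <client> <server> <ACTION> <path>'."""
    ts, client, server, action, path = line.split(maxsplit=4)
    return int(ts), client, server, action.upper(), path

def detect(lines):
    """Return alert strings for malware file names and mass renames."""
    alerts, flagged = [], set()
    recent_renames = defaultdict(deque)   # client -> rename timestamps inside the window
    for line in lines:
        ts, client, server, action, path = parse_event(line)
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if action in ("CREATE", "RENAME") and MALWARE_NAMES.match(name):
            alerts.append(f"{client} -> {server}: {action} of known malware artefact {name}")
        if action == "RENAME":
            q = recent_renames[client]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:     # slide the window forward
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and client not in flagged:
                flagged.add(client)               # one alert per client per run
                alerts.append(f"{client} -> {server}: {len(q)} renames in "
                              f"{WINDOW_SECONDS}s, possible encryption in progress")
    return alerts

def sample_events():
    """Constructed SMB activity: one dropper file, one normal rename, then a burst."""
    base = 1422360000   # constructed epoch timestamp
    lines = [f"{base} X.X.81.61 X.X.1.182 CREATE \\\\fileserver\\share\\laaaaaaa.tmp",
             f"{base + 5} X.X.81.77 X.X.1.182 RENAME \\\\fileserver\\share\\docs\\draft.docx"]
    lines += [f"{base + 10 + i} X.X.81.61 X.X.1.182 RENAME "
              f"\\\\fileserver\\share\\finance\\report{i}.xlsx" for i in range(25)]
    return lines

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```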

If you need any help with detecting Ransomware on your network, please don’t hesitate to contact us.

NetFort Support Team

I ain’t afraid of no GHOST (CVE-2015-0235)


Ghost Vulnerability

The first big vulnerability of this year is out, and what is its name? GHOST! Discovered by Qualys, it exploits a serious weakness in the glibc library which allows a threat agent to compromise a system and gain full remote access to the target without any prior knowledge of system credentials.

Qualys worked closely with Linux distribution vendors and released the advisory in the link above yesterday. Patches are available for all distributions as of yesterday, the 27th of January.

This vulnerability actually goes back as far as glibc-2.2, which was released on November 10, 2000: yet another OLD vulnerability, this one 15 years old. Once the automated scripts start to scan you had better make sure that you are patched. It is only a matter of time really.

So what is GHOST?

It’s a ‘buffer overflow’ bug which affects the gethostbyname() and gethostbyname2() function calls in the glibc library. This allows a threat agent to make an application call either of these functions and execute arbitrary code with the permissions of the user running the application.

How does it work?

Simply put, the gethostbyname() family of functions, which applications use for DNS resolution, can be made to overflow a buffer by supplying an invalid hostname argument to an application that performs a DNS lookup.

What now?

Remediate and make sure all your systems are up to date in order to mitigate this threat to your network. We are currently working on a signature update for LANGuardian so you can check for exploit attempts on your network.

Test if your system is vulnerable or not with the following script:

#!/bin/bash
# –  GHOST vulnerability tester. Only for CentOS/RHEL based servers.  #
# Credit : Red Hat, Inc – #
# Compares the installed glibc package version against the last vulnerable
# version for each of the three package lines the script knows about.
vercomp () {
    # Compare two dotted versions: 0 = equal, 1 = $1 newer, 2 = $1 older
    if [[ $1 == $2 ]]
    then
        return 0
    fi
    local IFS=.
    local i ver1=($1) ver2=($2)
    # fill empty fields in ver1 with zeros
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
    do
        ver1[i]=0
    done
    for ((i=0; i<${#ver1[@]}; i++))
    do
        if [[ -z ${ver2[i]} ]]
        then
            # fill empty fields in ver2 with zeros
            ver2[i]=0
        fi
        if ((10#${ver1[i]} > 10#${ver2[i]}))
        then
            return 1
        fi
        if ((10#${ver1[i]} < 10#${ver2[i]}))
        then
            return 2
        fi
    done
    return 0
}

# The vulnerable version/release assignments were lost from this copy of the
# script. Set them in the environment from the Red Hat CVE-2015-0235 advisory
# before running; the script stops here if any of them is missing.
: "${glibc_vulnerable_version:?set to the last vulnerable glibc major.minor}"
: "${glibc_vulnerable_revision:?set to the matching release number}"
: "${glibc_vulnerable_version2:?set to the last vulnerable glibc major.minor}"
: "${glibc_vulnerable_revision2:?set to the matching release number}"
: "${glibc_vulnerable_version3:?set to the last vulnerable glibc major.minor}"
: "${glibc_vulnerable_revision3:?set to the matching release number (the part after '1.')}"

echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3

# Package names look like glibc-<major>.<minor>-<release>.<dist>; the release
# number is field 4, or field 5 for the "1.<release>" scheme of the third line.
glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
    glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
else
    glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
fi
echo "Detected glibc version" $glibc_version" revision "$glibc_revision

vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <>
Please refer to <> for remediation steps"

# Installed release <= last vulnerable release means vulnerable
if [[ $glibc_version == $glibc_vulnerable_version ]]
then
    vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
    vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
    vercomp $glibc_vulnerable_revision3 $glibc_revision
else
    vercomp $glibc_vulnerable_version $glibc_version
fi

case $? in
    0) echo "$vulnerable_text";;
    1) echo "$vulnerable_text";;
    2) echo "Not Vulnerable.";;
esac

If the system is vulnerable you will see output like the following:

CVE-2015-0235 Ghost

Keith Bennett

Support Engineer

Could there be zombies lurking on your network?

Zombie host

A few years ago I covered the network zombie issue on my Computerworld blog. In it I looked at a couple of customer issues where a zombie client had caused network problems. Is this all a distant memory?

If anything the problem has become worse in 2014. The list below is just a sample of the threats and vulnerabilities that made the news so far in 2014.

No matter what size network you manage you can fall victim to any of the above. While the majority of issues that I hear about are still user and application ones, you should still have tools and procedures in place to deal with the really bad stuff. I could be generalising here too much but the majority of network issues are typically broken down as follows:

  • Equipment failures
  • User and/or application problems
  • Malware or other targeted attacks

Back to the subject of zombies: they are still a big problem. Recently I heard from a customer where an IP phone went faulty during a very busy time on their network. The phone started flooding the network with broadcast traffic and had the potential to grind things to a halt. Once they received an alert they got onto their network activity monitoring solution and weeded out the phone quickly. Metadata captured from network packets was used to identify the phone's MAC and IP address, and this information was then used to trace where the device was plugged in.

In another recent case where LANGuardian was used, a faulty network switch resulted in a network getting flooded with data from a number of hosts. What was once a managed switch doing its job suddenly became a zombie; under the control of no one and destined to cause havoc. If you manage a network you can use this to justify the investment in network monitoring tools.  You need to be able to get alerts and see what is happening on your network. This will save money with less downtime and quicker troubleshooting speeds.

Over the last 18 months a trend has emerged where zombie hosts are now trying to take control of your data. Cryptorbit and its variants actively seek out file shares and encrypt all files found. In some cases you may be able to decrypt your data, but in others you may need to pay a ransom.

As I mentioned previously, these zombies can arrive on any network. Now that we are entering the era of the Internet of Things, we are increasing the possibility of zombies appearing on networks. No matter what sized network you manage you need to be able to see what is happening.  When it comes to home networks, Wireshark can be a really useful tool. Just install it on a client and use it to monitor local traffic or connect the client to a SPAN or mirror port if the traffic rates are low. On larger networks you should look at commercial tools like LANGuardian.

Tell us about the zombies you found on your own network, comments welcome!


Keep your poodle on a leash


New Vulnerability Issue (CVE-2014-3566)

Yet another critical vulnerability exists (CVE-2014-3566) in something we use every day, and much like the other serious vulnerabilities discovered recently this one potentially affects around 97% of the internet.


SSL 3.0 improved upon SSL 2.0 by adding SHA-1 based ciphers and support for certificate authentication. This was done because serious security flaws were found in the previous version, and so v3.0 was born. TLS 1.0 took over in 1999, but you should really be using at least v1.1 or v1.2 as, let's face it, they were created for a reason, right? Nobody creates a new version of anything for the fun of it, do they, especially when it is being used by a large part of the internet.

Padding attacks are nothing new, though: Serge Vaudenay, a French cryptographer, published on them back in 2002, and later, in 2010, successful attacks were applied to several web application frameworks (WAFS).

What is an oracle attack, though? Well, “an oracle attack is an attack that exploits the availability of a weakness in the system which can be used as an “oracle” which can give a simple go/no go indication to show whether the attacker has reached, or is nearing, their goal. The attacker can then combine the oracle with systematic search of the problem space to complete their attack”¹.

Ok but what is an oracle? Well “an oracle is a mechanism used by software testers and software engineers for determining whether a test has passed or failed. It is used by comparing the output(s) of the system under test, for a given test case input, to the outputs that the oracle determines that product should have. The term was first used and defined in William Howden’s Introduction to the Theory of Testing”².

Now that we have discovered what a padding oracle attack is, we have pieced together some of the POODLE acronym. It actually stands for “Padding Oracle On Downgraded Legacy Encryption” and it was discovered by Google.

Ok, how does this look in a diagram? Glad you asked as I put together a little flowchart below which you may find interesting as this is a protocol flaw and not an implementation issue.


What you are looking at in the above flowchart is a lot simpler than it looks: it is Cipher Block Chaining (CBC). “In cryptography a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity”³.

Pretty much, your plaintext goes in and an initialization vector (IV) is combined with it; think of this as a starting variable (SV) which is used to randomise the encryption process. Each block of plaintext is first combined with the previous block of ciphertext using a process called exclusive OR (XOR) and is then encrypted with the key, and the plaintext is padded where necessary to make blocks of the required size.
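To make the CBC description above concrete, this added Python example (not from the original post) chains blocks exactly as described, the IV first and each plaintext block XORed with the previous ciphertext block, and then shows the protocol flaw behind POODLE: an SSL 3.0 receiver accepts padding whose filler bytes are arbitrary, while a TLS 1.0 receiver rejects it. The 16-byte SHA-256-based Feistel block cipher is a toy stand-in for a real cipher, an assumption of this example only.

```python
import hashlib
BLOCK = 16  # bytes per cipher block

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Toy round function standing in for a real cipher's internals (assumption).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):                       # 4-round Feistel network
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):             # undo the rounds in reverse order
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv                         # the IV acts as "previous block" for P_0
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))   # C_i = E(P_i XOR C_i-1)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))              # P_i = D(C_i) XOR C_i-1
        prev = cur
    return b"".join(out)

def unpad_ssl3(data):
    # SSL 3.0: only the final length byte is validated; filler bytes are ignored.
    n = data[-1]
    return None if n >= BLOCK else data[:len(data) - n - 1]

def unpad_tls(data):
    # TLS 1.0+: every filler byte must also equal the length byte.
    n = data[-1]
    ok = n < BLOCK and data[-(n + 1):] == bytes([n]) * (n + 1)
    return data[:len(data) - n - 1] if ok else None

def padding_check_gap(key, iv, msg):
    """CBC round trip of msg with SSL 3.0 padding whose filler != n; return (ssl3 view, tls view)."""
    n = BLOCK - 1 - len(msg) % BLOCK           # filler bytes needed (choose msg so n > 0)
    padded = msg + bytes([(n + 1) % 256]) * n + bytes([n])
    pt = cbc_decrypt(key, iv, cbc_encrypt(key, iv, padded))
    return unpad_ssl3(pt), unpad_tls(pt)
```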

CBC is still widely used today, as you have now discovered with the discovery of POODLE, which is sure to have some tools released in the coming days, much like the BEAST (Browser Exploit Against SSL/TLS) or CRIME attacks. BEAST, like this vulnerability, was also discovered by Thai Duong, along with Juliano Rizzo, on September 23, 2011.

How do I protect myself from a POODLE attack?

Don’t connect to a WiFi hotspot that you are not in control of, as this is where an attack is most likely to occur at the time of writing this article. It is possible to be downgraded to SSL 3.0 even if you are using another protocol, so even if you are using something else this could be your fallback!

How can I detect it?

Use an Intrusion Detection System (IDS) to detect such a threat that may be happening on your network.

Keith Bennett

Support Engineer

NetFort Technologies Ltd.


  1. “Padding oracle attack.” Wikipedia, the free encyclopedia, 2010. Retrieved 16 Oct. 2014.
  2. “Oracle (software testing).” Wikipedia, the free encyclopedia, 2009. Retrieved 16 Oct. 2014.
  3. “Block cipher mode of operation.” Wikipedia, the free …, 2004. Retrieved 16 Oct. 2014.

Detecting CVE-2014-6271 Bash Vulnerability ShellShock Attempts


What is with all these new fun and exciting vulnerabilities we have encountered recently like Heartbleed and ShellShock?

Both of these are a very big deal for anyone in IT whether you are in a general admin role or an IT Security position. In most cases, it will be up to system administrators and software companies to issue patches.

Both have existed for years and remained unnoticed, or have they? Someone else has surely noticed these before they were made public and abused them to gain access to systems. This does not just include government actors, who are known to hoard all of the vulnerabilities they find, but threat actors too, out to infiltrate as much as they possibly can, cast the widest net they can and ultimately become an Advanced Persistent Threat (APT).

Regarding the name ShellShock, it seems to have originated from this twitter page by Andreas Lindh and Robert Graham; the image above is also Andreas' creation, and is quite a cool image at that which grabs your attention. The researcher who discovered it, however, was Stéphane Chazelas.

In my short video, which you can watch below, I show you how easy it actually is to exploit this vulnerability, which has many different attack vectors: Linux OS, Apple OS, DHCP, SSH, OpenSSH, OpenVPN, Apache, embedded devices, rooted phones, SCADA systems powering our infrastructure, the list goes on. If you are using Windows and have Cygwin installed you may also be vulnerable.

Looking at one of these different vectors, breaking down this vulnerability in an Apache environment (which requires mod_cgi to be enabled) is quite simple for the threat actor who has found this vulnerability on your server, possibly by using curl to see what headers are available to them.

  • Now if we look at the file output in the cgi file we just created you will see a similar output:
  • Next the attacker tries to connect to your Apache server using curl and the handy User-Agent flag in curl with netcat listening on the attacking machine:
  • Curl using the User-Agent flag creating a reverse tcp shell on the target machine with the bash vulnerability:
  • Looking at the initial curl command a bit closer we can see that the host has accepted our connection attempt and the User-Agent flag contains the reverse shell back to the attacking machine:
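The User-Agent and Referer vectors shown above leave a distinctive pattern in the web server's access log. As an added example (not from the original post), this Python scanner flags Apache combined-format log lines that carry the CVE-2014-6271 trigger in the request line, Referer or User-Agent; the log layout and the sample lines are constructed assumptions.

```python
import re

# Apache "combined" access log layout (assumption: your LogFormat may differ).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# The CVE-2014-6271 trigger: a value that starts with a function definition
# "() { ... }" followed by ";" and trailing text that vulnerable bash executes.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

def scan_access_log(lines):
    """Return (client, time, field, status, request) for every line carrying the trigger."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not a combined-format line; skip it
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m[field]):
                hits.append((m["client"], m["time"], field, int(m["status"]), m["request"]))
                break                    # one hit per line is enough
    return hits

# Constructed sample: two probes against a CGI script and one ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:15:32 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo shellshock-probe"',
    '198.51.100.7 - - [25/Sep/2014:10:16:01 +0100] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:16:10 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 500 0 '
    '"() { :; }; /bin/echo probe" "curl/7.37.0"',
]

if __name__ == "__main__":
    for client, when, field, status, request in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client}: shellshock pattern in {field} -> {request!r} (status {status})")
```

A 500 on a CGI target after such a request is worth a closer look in the forensics history, since the script may have been run with an unexpected environment.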

On the 7th of October 2015, Malware Must Die posted on their blog about the threat known as “Mayhem”, in which the white-hat security research workgroup performs a detailed analysis of the infection and warns that we have not seen the final wave of this bash vulnerability yet.

What have we learned from this vulnerability? Maybe that we should not always take for granted that we are secure and that the best form of defense is a layered approach which incorporates NetFort forensics in which you can look back in time and see what happened in the event of a breach.

I know for a fact that some people out there would not have known their systems had been hit had they not been able to go back a few days or months, simply and quickly, to check with a nice report and pass it on to their security team to investigate, with all the detail required to pass on to the authorities if needed.

Know your traffic.

Keith Bennett