Cryptoware detection

Hello everyone,

We kinda have a big bad bogeyman floating around the internet called 'cryptoware'.
We have adopted the 'it's not IF we get hit but WHEN' approach and are currently looking at pre-emptive damage control through decreasing detection times, restricting file access more tightly, and backups.

Has anyone else put some thought into this? Whilst the SLES servers themselves are (probably) immune, the NSS data on them is not.
I'm currently looking at whether I can do something with monitoring file creation/changes and how big of a performance hit that will be.
This is a bit of new terrain and we are assuming an up-to-date virus scanner will not detect the malware before it is too late (it is highly 0-hour).

Currently the FAM daemon has my attention but I've not been able to put any time into it as of yet.
  • You could do monitoring with something like Sentinel, which can pick up
    NSS events from OES.

    For those with OES I have heard multiple accounts already of how NSS saved
    things because of its salvage feature.

    --
    Good luck.
  • Hi,

    I have done a script that runs each hour to find files on all NSS volumes. The script searches for files of type HELP_DECRYPT.* and sends the list by email if it finds some. I have done this for CryptoWall but it's maybe good for cryptoware.

    #!/bin/bash
    # Hourly scan of all NSS volumes for the ransomware marker file HELP_DECRYPT.*;
    # mails the list to $receiver when any are found.
    receiver="user@toto.com"
    lockfile="/tmp/scan"
    result="/tmp/resultat.txt"
    if [ -e "$lockfile" ]
    then
        echo "Scan already in progress"
        exit 0
    fi

    touch "$lockfile"
    # date needs a leading '+' for a format string
    echo "Scan started at $(date "+%m-%d-%y %T")" > "$result"
    echo " " >> "$result"
    # The pattern is quoted so the shell does not expand it before find sees it;
    # tee keeps a copy of the hit list in the result file for the mail attachment.
    if [[ -n $(nice -n20 find /media/nss/ -type f -name 'HELP_DECRYPT.*' | tee -a "$result") ]]
    then
        echo " " >> "$result"
        echo "Scan stopped at $(date "+%m-%d-%y %T")" >> "$result"
        echo "File of type HELP_DECRYPT.* found on server $HOSTNAME" | mailx -r virus@toto.com -a "$result" -s "Scan result on server $HOSTNAME" "$receiver"
    fi
    rm -f "$lockfile"

    Martin Dallaire
  • On 23.3.2015 18:10, ab wrote:
    > You could do monitoring with something like Sentinel, which can pick up
    > NSS events from OES.
    >
    > For those with OES I have heard multiple accounts already of how NSS saved
    > things because of its salvage feature.

    Salvage can help, when there is enough space. Same with NAS snapshots.
    But if everything gets overwritten, then it's bad :/

    Also, having personal quotas on all drives should limit the
    disaster as the quota would kick in before all is lost.

    -sk

  • Salvage will indeed depend on the methods used; my server is scaled for IOs and not just for space, so there's enough of the latter to hold all the data a number of times.

    The script is also a nice one; Sentinel is however not an option for me currently.
    I'll post something if I can get something useful out of the FAM daemon once I have the time to tinker with it.
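An added example, not code from anyone in this thread: a Python scan in the spirit of Martin's find script and the file-change monitoring idea above. It walks a volume (assumed to be mounted under /media/nss), reports ransom-note files matching HELP_DECRYPT.* plus two assumed patterns of the same kind, and also flags directories where many files were modified within a short window, which is the kind of burst a mass-encryption run produces; the window and threshold values are assumptions to tune per volume.

```python
#!/usr/bin/env python3
"""Scan a volume for ransomware indicators (added example, not the
script posted in the thread): ransom-note files plus modification bursts."""
import fnmatch
import os
import time
from collections import Counter

# HELP_DECRYPT.* is the marker from the thread; the other two are assumed
# examples of the same kind of ransom-note filename.
NOTE_PATTERNS = ("HELP_DECRYPT.*", "*DECRYPT_INSTRUCTION*", "*.README.txt")

def scan_volume(root, window_sec=3600, burst_threshold=50, now=None):
    """Return (ransom_notes, burst_dirs) for the tree under `root`.
    ransom_notes: sorted paths whose basename matches NOTE_PATTERNS.
    burst_dirs:   {directory: count} where at least burst_threshold files
                  were modified within the last window_sec seconds.
    """
    now = time.time() if now is None else now
    notes, recent = [], Counter()
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if any(fnmatch.fnmatch(name, pat) for pat in NOTE_PATTERNS):
                notes.append(path)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file renamed or removed mid-scan; skip it
            if now - mtime <= window_sec:
                recent[dirpath] += 1
    bursts = {d: c for d, c in recent.items() if c >= burst_threshold}
    return sorted(notes), bursts

def build_report(root, hostname, **scan_args):
    """Plain-text report in the style of the thread's /tmp/resultat.txt."""
    notes, bursts = scan_volume(root, **scan_args)
    lines = [f"Scan of {root} on {hostname}"]
    lines += [f"ransom note: {p}" for p in notes]
    lines += [f"burst: {c} files modified in {d}" for d, c in sorted(bursts.items())]
    if len(lines) == 1:
        lines.append("nothing suspicious found")
    return "\n".join(lines)

if __name__ == "__main__":
    import socket, sys
    # Default volume root is the NSS mount point used in the thread.
    print(build_report(sys.argv[1] if len(sys.argv) > 1 else "/media/nss",
                       socket.gethostname()))
```

Run it from cron the same way as the find script and pipe the output into mailx; an empty report says "nothing suspicious found" so the mail step can be skipped on that string.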
  • On 31.3.2015 14:06, Conz wrote:
    >
    > The script is also a nice one, sentinel is however not an option for me
    > currently.
    > I'll post something if I can get something useful out of the FAM daemon
    > once I have the time to tinker with it.
    I created two excel