
Cryptoware detection

Hello everyone,

We kinda have a big bad bogeyman floating around the internet called 'cryptoware'.
We have adopted the 'it's not IF we get hit but WHEN' approach and are currently looking at pre-emptive damage control through decreasing detection times, restricting file access more tightly, and backups.

Has anyone else put some thought into this? Whilst the SLES servers themselves are (probably) immune, the NSS data on them is not.
I'm currently looking at whether I can do something with monitoring file creation/changes and how big of a performance hit that will be.
This is a bit of new terrain and we are assuming an up-to-date virus scanner will not detect the malware before it is too late (it is highly 0-hour).

Currently the FAM daemon has my attention but I've not been able to put any time into it as of yet.

You could do monitoring with something like Sentinel, which can pick up
NSS events from OES.

For those with OES I have heard multiple accounts already of how NSS saved
things because of its salvage feature.

--
Good luck.


Hi,

I have done a script that runs each hour to find files on all NSS volumes. The script searches for files of type HELP_DECRYPT.* and sends the list by email if it finds some. I have done this for CryptoWall but it's maybe good for cryptoware.

#!/bin/bash
# Hourly scan of all NSS volumes for CryptoWall ransom notes (HELP_DECRYPT.*).
receiver="user@toto.com"
sender="virus@toto.com"
lock="/tmp/scan"
result="/tmp/resultat.txt"

# Refuse to start while a previous scan is still running.
if [ -e "$lock" ]; then
    echo "Scan already in progress"
    exit 0
fi
touch "$lock"
# Drop the lock even if the scan is killed, so the next run is not blocked forever.
trap 'rm -f "$lock"' EXIT

echo "Scan started at $(date +"%m-%d-%y %T")" > "$result"
echo " " >> "$result"
# The pattern is quoted so the shell does not expand it before find sees it;
# nice 19 is the lowest priority, so the scan yields to normal file serving.
if [[ -n $(nice -n 19 find /media/nss/ -type f -name 'HELP_DECRYPT.*' | tee -a "$result") ]]; then
    echo " " >> "$result"
    echo "Scan stopped at $(date +"%m-%d-%y %T")" >> "$result"
    echo "Files of type HELP_DECRYPT.* found on server $HOSTNAME" | \
        mailx -r "$sender" -a "$result" -s "Scan result on server $HOSTNAME" "$receiver"
fi

Martin Dallaire

On 23.3.2015 18:10, ab wrote:
> You could do monitoring with something like Sentinel, which can pick up
> NSS events from OES.
>
> For those with OES I have heard multiple accounts already of how NSS saved
> things because of its salvage feature.



Salvage can help when there is enough space. Same with NAS snapshots.
But if everything gets overwritten, then it's bad 😕

Also, having personal quotas on all drives should also limit the
disaster as the quota would kick in before all is lost.

-sk


HAMK University - OES, NW, GW, NCS, eDir, Zen, IDM, NSL - www.hamk.fi

Salvage will indeed depend on the methods used; my server is scaled for IOs and not just for space, so there's enough of the latter to hold all the data a number of times.

The script is also a nice one; Sentinel is however not an option for me currently.
I'll post something if I can get something useful out of the FAM daemon once I have the time to tinker with it.

On 31.3.2015 14:06, Conz wrote:
>
> The script is also a nice one, sentinel is however not an option for me
> currently.
> I'll post something if I can get something useful out of the FAM daemon
> once I have the time to tinker with it.


I created two Excel and Word files on shared network drives and then have a
small FolderSpy utility running on one Windows box - if those files are
changed, it emails me... then I can go and check if it is cryptoware or
some weird user 😜

-sk



HAMK University - OES, NW, GW, NCS, eDir, Zen, IDM, NSL - www.hamk.fi
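An added example, not from any poster in this thread, that combines the two approaches above (Martin's find-based ransom-note scan and sk's canary files) plus a change-rate check into POSIX shell functions that can run from cron on the SLES/OES server itself. The NSS mount root (/media/nss), the canary path, the alert address (security@example.com) and the threshold of 5000 changed files per hour are assumptions; the only ransom-note pattern is the HELP_DECRYPT.* name from the thread, add others to the call in run_checks as you learn them.

```sh
#!/bin/sh
# Added example (not from the thread): cron-driven ransomware checks over an
# NSS volume tree. Assumed: /media/nss is the NSS mount root, the canary is a
# document planted in a share users can write to, alerts go to security@example.com.

# count_ransom_notes ROOT PATTERN...: print how many regular files under ROOT
# match any of the -name patterns (quote them so the shell does not glob first).
count_ransom_notes() {
    root=$1; shift
    total=0
    for pattern in "$@"; do
        n=$(find "$root" -type f -name "$pattern" 2>/dev/null | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# canary_digest FILE: print the SHA-256 of a canary file. Record it once when
# the canary is planted and pass it to canary_changed on every run.
canary_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# canary_changed FILE DIGEST: true (0) if the canary was modified, renamed or
# deleted, false (1) if intact. A rename to canary.xlsx.encrypted shows up as missing.
canary_changed() {
    [ -f "$1" ] || return 0
    [ "$(canary_digest "$1")" != "$2" ]
}

# recently_modified_count ROOT MINUTES: number of regular files under ROOT
# modified in the last MINUTES. A burst far above the normal rate is a third
# signal for a family whose note name and canary handling are unknown.
recently_modified_count() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | wc -l | tr -d ' '
}

# run_checks ROOT CANARY DIGEST THRESHOLD: print findings; exit 0 if anything
# looks like an encryption run is under way, 1 if all quiet.
run_checks() {
    root=$1 canary=$2 digest=$3 threshold=$4
    alert=1
    notes=$(count_ransom_notes "$root" 'HELP_DECRYPT.*')
    if [ "$notes" -gt 0 ]; then
        echo "ALERT: $notes ransom note(s) under $root"; alert=0
    fi
    if canary_changed "$canary" "$digest"; then
        echo "ALERT: canary $canary modified or missing"; alert=0
    fi
    changed=$(recently_modified_count "$root" 60)
    if [ "$changed" -gt "$threshold" ]; then
        echo "ALERT: $changed files changed in the last hour (threshold $threshold)"; alert=0
    fi
    return $alert
}

# Cron entry point (assumed install path), e.g. every 10 minutes:
#   */10 * * * * /usr/local/sbin/cryptocheck.sh --run /media/nss /media/nss/DATA/shared/budget.xlsx <digest> 5000
# <digest> is the output of: canary_digest /media/nss/DATA/shared/budget.xlsx
if [ "${1:-}" = "--run" ]; then
    shift
    if findings=$(run_checks "$@"); then
        # Mail the findings, as the hourly scan earlier in the thread does.
        printf '%s\n' "$findings" | mailx -s "Possible cryptoware on $(hostname)" security@example.com
    fi
fi
```

The canary only works if it sits where an infected workstation's user has write rights and looks like a real document (a spreadsheet in a shared folder, not canary.txt in the root), and the digest must be stored outside the volume being watched. The threshold needs a baseline from a few normal working days; the find walk over a large NSS tree is the same IO cost as the hourly scan above, so keep the interval long enough that the previous walk has finished.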