Kaseya Community

Resources


Detect Cryptolocker script

I thought I would share a script we wrote to detect Cryptolocker. We are planning on running this on all of our clients every morning to help detect and mitigate attacks.

 

It checks the registry for a couple of known keys that are created by Cryptolocker. If found, it does the following:

- Sets a custom field in Kaseya to mark that it is infected. This will help find the infected computer by viewing all workstations in Agent Status.

- Exports the registry key that contains a list of files that it encrypted to c:\temp.

- Copies the exported file to the KServer.

- Creates an event log entry.

- Disconnects all network drives to prevent it from encrypting more files.

- Sends an email to report that the infected computer was found.

 

 

To use this script, you’ll need to:

- Import the script.

- Create a custom field called ‘Cryptolocker Infected’.

- Modify the script to add the email address you want alerts sent to.

 

 

Thanks,

- Marc

6/10/14 - Updated to detect CryptoWall

Comments
  • Detect Cryptolocker script

    Hi Marc,

    Unable to import the script; I'm getting "The file you are trying to import is not formatted correctly. It contains invalid XML." error.

    Any idea?

  • Detect Cryptolocker script

    I'm not sure why it was bad. I tested and it gave me the same error.

    I've re-exported it (and successfully tested importing it) and re-posted the file here.  It should work now.

    Side note - We had our first successful detection from the script this week. We had a client whose network files kept getting encrypted. They swore they could not find a computer that was not giving any CryptoLocker messages. That is what prompted creating this script. This week I got an email from this script reporting the machine that was infected. I checked the files sent to Kaseya from that computer and there was a .REG file listing all the files that it had encrypted.

    Thanks,

    - Marc

  • Detect Cryptolocker script

    Thanks :) its working now

  • Detect Cryptolocker script

    Have you noticed these registry keys to be pretty consistent to catch the issue? I've found other possible registry keys via Google (more related to startup):

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    CryptoLocker

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *CryptoLocker

    HKEY_CURRENT_USER\Software\CryptoLocker\Files

    Are any of these more or less likely to assist in detection?

  • Detect Cryptolocker script

    From what I've seen Cryptolocker always creates the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files key and stores the list of files it's encrypted there.

    We had a client get hit by a variant called CryptoWall yesterday. It looks like it works much the same. I found the registry key it uses to keep the list of files in, but it had what looked like a random number in it. I found that it adds a file called DECRYPT_INSTRUCTION.txt in all the folders it encrypts that can be used to detect it. I think I've got detection for it added to this script and working, but it hasn't been tested. I'll update this script later today.

    Thanks,

    - Marc

  • Detect Cryptolocker script

    Marc

    I've had some of my clients hit with CryptoWall today and I'm hopefully having a registry dump pulled from a machine for me to examine. Have you had any luck with adding a CryptoWall detection method?

    Also are there any other major variants that you have come across yet?

    Eric

  • Detect Cryptolocker script

    I've updated the script with what I had for CryptoWall. I have not had an opportunity to test it against an infected system yet.

    If you've got multiple systems infected, could you see if they have a common registry key we could use? I did find one on the system I briefly had access to, but it looked like it had a random number in it.

    Thanks,

    - Marc

  • Detect Cryptolocker script

    Yes, I would like to see the script that detects CryptoWall as well. Thanks!

  • Detect Cryptolocker script

    The script in this post is updated with the CryptoWall detection.

  • Detect Cryptolocker script

    So far I think we only found one machine infected. The system admin onsite may or may not cooperate with supplying me a registry dump. If i get anything I'll report back here. Thank you for your update.

  • Detect Cryptolocker script

    I just got notified of a cryptowall infection thanks to your detection. Again I'm still working on getting registry dumps.

  • Detect Cryptolocker script

    pastebin.com/raw.php

    I made an update to your script to have it include the list of mapped drives in the email when disconnecting them (trying to figure out what was what after the fact was a pain).

    I also have some good ideas on CryptoWall detection I'm still working on.

    The key is HKEY_CURRENT_USER\Software\##RANDOM#STUFF##\CRYPTLIST

    So I'm working on scripting that tomorrow.

  • Detect Cryptolocker script

    Here is an alternate version: pastebin.com/raw.php. This will detect CryptoLocker or CryptoWall using the registry for both checks, and it works even if a user is not logged in, or if a different user on the system was the one who got the infection.

    BIG KICKER!

    This is a little process heavy, so I recommend not scheduling this during working hours.

    Currently I have this script scheduled once a day before standard business opening, and I use the original provided by Marc multiple times throughout the day during operating hours.
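The detection and response steps Marc lists in the original post (registry check, .REG export, event log entry, disconnecting mapped drives, email alert), together with nemchik's point that the check should cover every user hive rather than only HKEY_CURRENT_USER and that the mapped-drive list should go into the email, as an added stand-alone PowerShell example. This is not the Kaseya agent procedure from the post nor the Pastebin version, neither of which is reproduced on this page. Assumptions: the email addresses, SMTP server, event source name and event ID are placeholders; CRYPTLIST is treated as a subkey because the thread writes it as a path component, and a value of that name is accepted as well; the two Kaseya-specific steps (setting the 'Cryptolocker Infected' custom field and copying the export to the KServer) are left to the calling agent procedure, which can branch on the script's non-zero exit code. It must run elevated so the hives under HKEY_USERS are readable.

```powershell
# Added example: stand-alone PowerShell version of the steps discussed in this
# thread. Not the Kaseya procedure from the post. Run elevated.

# Hypothetical settings: replace before use.
$AlertTo     = 'alerts@example.com'
$AlertFrom   = 'ransomware-detect@example.com'
$SmtpServer  = 'smtp.example.com'
$ExportDir   = 'C:\temp'
$EventSource = 'RansomwareDetect'   # event source and ID are arbitrary choices
$EventId     = 9001

# Indicators named in the thread. CryptoWall's parent key is random per
# infection, so only the CRYPTLIST leaf is matched under any HKU\<sid>\Software\*.
$CryptoLockerKey = 'Software\CryptoLocker_0388\Files'
$CryptoWallLeaf  = 'CRYPTLIST'

function Get-UserHives {
    # Loaded user hives (account SIDs, skipping the *_Classes mirrors), so a
    # user other than the one running the script is still checked. Profiles
    # that are not loaded at all would need 'reg load' first.
    Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
}

function Find-RansomwareIndicators {
    $hits = @()
    foreach ($hive in Get-UserHives) {
        $sid  = $hive.PSChildName
        $base = "Registry::HKEY_USERS\$sid"

        if (Test-Path "$base\$CryptoLockerKey") {
            $hits += New-Object PSObject -Property @{
                Family = 'CryptoLocker'; Sid = $sid; Key = "HKU\$sid\$CryptoLockerKey" }
        }

        # CRYPTLIST is written as a path in the thread, so it is checked as a
        # subkey; a value of that name is accepted too (assumption).
        foreach ($sub in (Get-ChildItem "$base\Software" -ErrorAction SilentlyContinue)) {
            if ((Test-Path "$($sub.PSPath)\$CryptoWallLeaf") -or
                ($sub.GetValueNames() -contains $CryptoWallLeaf)) {
                $hits += New-Object PSObject -Property @{
                    Family = 'CryptoWall'; Sid = $sid; Key = "HKU\$sid\Software\$($sub.PSChildName)" }
            }
        }
    }
    return $hits
}

function Export-IndicatorKeys($hits) {
    # Save the key holding the encrypted-file list as a .REG file (C:\temp in the post).
    if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }
    foreach ($h in $hits) {
        $file = Join-Path $ExportDir ("{0}_{1}.reg" -f $h.Family, $h.Sid)
        & reg.exe export $h.Key $file /y | Out-Null
    }
}

function Write-DetectionEvent($hits) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg = ($hits | ForEach-Object { "{0} indicator at {1}" -f $_.Family, $_.Key }) -join "`n"
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId -EntryType Error -Message $msg
}

function Disconnect-MappedDrives {
    # Record the mappings before dropping them so the alert can list them.
    # Caveat: drive mappings are per logon session, so when this runs as SYSTEM
    # it sees SYSTEM's connections, not the interactive user's; run this part
    # in the user's context to cover those.
    $drives = @(Get-WmiObject Win32_NetworkConnection | Select-Object LocalName, RemoteName)
    & net.exe use * /delete /y | Out-Null
    return $drives
}

function Send-DetectionAlert($hits, $drives) {
    $lines  = @("Ransomware indicators found on $($env:COMPUTERNAME):")
    $lines += @($hits   | ForEach-Object { " - {0}: {1}" -f $_.Family, $_.Key })
    $lines += "Mapped drives disconnected:"
    $lines += @($drives | ForEach-Object { " - {0} -> {1}" -f $_.LocalName, $_.RemoteName })
    Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpServer `
        -Subject "Ransomware detected on $($env:COMPUTERNAME)" -Body ($lines -join "`n")
}

$hits = @(Find-RansomwareIndicators)
if ($hits.Count -eq 0) { exit 0 }

Export-IndicatorKeys $hits
Write-DetectionEvent $hits
$drives = Disconnect-MappedDrives
Send-DetectionAlert $hits $drives
# Non-zero exit so the calling agent procedure can set the custom field and
# upload the .REG files from $ExportDir to the KServer.
exit 1
```

Because the user-hive walk and the per-subkey CRYPTLIST test touch every key under each profile's Software hive, this is the "process heavy" variant nemchik describes; schedule it outside business hours and keep a cheaper HKCU-only check for the daytime runs.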

  • Detect Cryptolocker script

    BTW, if you use the one I linked on Pastebin, please remember to change the email address (I accidentally left ours in there).

  • Detect Cryptolocker script

    nemchik... I clicked your paste link and it says it was removed. Do you have a copy elsewhere I could view?