I thought I would share a script we wrote to detect Cryptolocker. We are planning on running this on all of our clients every morning to help detect and mitigate attacks.
It checks the registry for a couple of known keys that are created by Cryptolocker. If found, it does the following:
- Sets a custom field in Kaseya to mark that it is infected. This will help find the infected computer by viewing all workstations in Agent Status.
- Export the registry key that contains a list of files that it encrypted to c:\temp.
- Copy the exported file to the KServer
- Create an event log entry
- Disconnect all network drives to prevent it from encrypting more files.
- Send an email to report that the infected computer was found.
To use this script, you’ll need to:
- Import the script
- Create a custom field called ‘Cryptolocker Infected’
- Modify the script to add the email address you want alerts sent to.
Thanks,
- Marc
6/10/14 - Updated to detect CryptoWall
Hi Marc,
Unable to import the script, getting "The file you are trying to import is not formatted correctly. It contains invalid XML." error.
Any idea?
I'm not sure why it was bad. I tested and it gave me the same error.
I've re-exported it (and successfully tested importing it) and re-posted the file here. It should work now.
Side note - We had our first successful detection from the script this week. We had a client whose network files kept getting encrypted. They swore they could not find a computer that was not giving any CryptoLocker messages. That is what prompted creating this script. This week I got an email from this script reporting the machine that was infected. I checked the files sent to Kaseya from that computer and there was a .REG file listing all the files that it had encrypted.
Thanks :) it's working now
Have you noticed these registry keys to be pretty consistent to catch the issue? I've found other possible registry keys via Google (more related to startup):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
CryptoLocker
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
*CryptoLocker
HKEY_CURRENT_USER\Software\CryptoLocker\Files
Are any of these more or less likely to assist in detection?
From what I've seen Cryptolocker always creates the HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files key and stores the list of files it's encrypted there.
We had a client get hit by a variant called CryptoWall yesterday. It looks like it works much the same. I found the registry key it uses to keep the list of files in, but it had what looked like a random number in it. I found that it adds a file called DECRYPT_INSTRUCTION.txt in all the folders it encrypts that can be used to detect it. I think I've got detection for it added to this script and working, but it hasn't been tested. I'll update this script later today.
Marc
I've had some of my clients hit with CryptoWall today and I'm hopefully having a registry dump pulled from a machine for me to examine. Have you had any luck with adding a CryptoWall detection method?
Also are there any other major variants that you have come across yet?
Eric
I've updated the script with what I had for CryptoWall. I have not had an opportunity to test it against an infected system yet.
If you've got multiple systems infected, could you see if they have a common registry key we could use? I did find one on the system I briefly had access to, but it looked like it had a random number in it.
Yes, I would like to see the script that detects CryptoWall as well. Thanks!
The script in this post is updated with the CryptoWall detection.
So far I think we only found one machine infected. The system admin onsite may or may not cooperate with supplying me a registry dump. If I get anything I'll report back here. Thank you for your update.
I just got notified of a CryptoWall infection thanks to your detection. Again, I'm still working on getting registry dumps.
pastebin.com/raw.php
I made an update to your script to have it include the list of mapped drives in the email when disconnecting them (trying to figure out what was what after the fact was a pain).
I also have some good ideas on CryptoWall detection I'm still working on.
the key is HKEY_CURRENT_USER\Software\##RANDOM#STUFF##\CRYPTLIST
So I'm working on scripting that tomorrow.
Here is an alternate version: pastebin.com/raw.php
This will detect CryptoLocker or CryptoWall using the registry for both checks, and it works even if a user is not logged in, or if a different user on the system was the one who got the infection.
BIG KICKER!
This is a little process heavy so I recommend not scheduling this during working hours.
Currently I have this script scheduled once a day before standard business opening and I use the original provided by Marc throughout the day multiple times during operating hours.
BTW, if you use the one I linked on pastebin please remember to change the email address (I accidentally left ours in there).
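Added example (not part of any post in this thread, and not the script Marc or nemchik shared): the indicators named above applied offline to a registry export, the kind of dump Eric mentions examining. It matches the CryptoWall list by its CRYPTLIST leaf name so the random parent key does not matter, and reports which user hive each hit sits in; the sample export, its SIDs, the `1A2B3C4D` key name and the value layout are constructed, and `parse_reg`/`scan` are names chosen here.

```python
import re

# Key-path patterns from the posts above; registry key names are case-insensitive.
KEY_RULES = [
    ("CryptoLocker", re.compile(r"\\Software\\CryptoLocker[^\\]*\\Files$", re.I)),
    ("CryptoWall", re.compile(r"\\Software\\[^\\]+\\CRYPTLIST$", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
RUN_VALUES = {"cryptolocker", "*cryptolocker"}
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

# Constructed sample export; the value layout is assumed, the thread does not show it.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\CryptoLocker_0388\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\1A2B3C4D\CRYPTLIST]
"S:\\Shared\\report.docx"=dword:00000000

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive.exe"
'''

def parse_reg(text):
    """Map each [key] in a .reg export to the list of its value names."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], [])
        elif current is not None and (m := VALUE_LINE.match(line)):
            # .reg files escape backslashes and quotes inside value names
            current.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return keys

def scan(text):
    """Return (family, hive owner, key, value names) for every indicator hit."""
    hits = []
    for key, values in parse_reg(text).items():
        parts = key.split("\\")
        # Under HKEY_USERS the second path component is the user's SID
        owner = parts[1] if parts[0].upper() == "HKEY_USERS" and len(parts) > 1 else parts[0]
        for family, rule in KEY_RULES:
            if rule.search(key):
                hits.append((family, owner, key, values))
        bad = [v for v in values if v.lower() in RUN_VALUES]
        if RUN_KEY.search(key) and bad:
            hits.append(("CryptoLocker", owner, key, bad))
    return hits
```

A real `reg export` file is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `scan`.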
nemchik.... I clicked your paste link and it says it was removed. Do you have a copy elsewhere I could view?