4

Since a virus-infected PC has to download (encrypt) and reupload the entire file (to a file server), and repeat the process for every network drive, is it possible to detect this unusually high bandwidth event? Is there a way to respond to it (via QOS or something)?

I'm looking for a way to detect and/or limit Cryptolocker encryption by monitoring how much data is transferred (as it is encrypting files) and possibly set a quota on this transfer (QOS?).

Is such a mechanism available for a Windows machine? I haven't been able to locate this myself in default Windows settings but am open to alternative solutions.

Alternatively, such a bandwidth-monitoring approach could be used to prevent a data leak, or an employee stealing company secrets.

makerofthings7
  • I'd rather put a strong lock on the front door than add chains, bolts, and barbed wire to the valuables inside my house. It seems to me that if your users are using workstations with Win 7 or better, something like "Applocker" is the better discussion. – boggart Mar 04 '15 at 15:06
  • @boggart Good idea about Applocker – makerofthings7 Mar 04 '15 at 15:35
  • I presume you're already locking users down to non administrator accounts. Beyond that, just know that the initial setup of Applocker is a little daunting but easy to manage after that. It took me about 3 hours to read the documentation and then setup the policies for my Wife's and Kiddo's computers: http://technet.microsoft.com/en-us/library/cc731745.aspx http://technet.microsoft.com/en-us/windows/applocker.aspx -- I'm leaving this in a comment since it does not answer your question and suggests the answer to another question. – boggart Mar 04 '15 at 15:42
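One defender-side way to approach the "unusual volume of share modifications from one client" idea in the question, as an added example that is not part of the original post: a small detector over Samba full_audit log lines. It assumes a share configured with `vfs objects = full_audit`, `full_audit:prefix = %u|%I|%m|%S` and `full_audit:success = pwrite rename unlink` (none of this is on the page), and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed smb.conf for the share (not from the page):
#   vfs objects = full_audit
#   full_audit:prefix = %u|%I|%m|%S
#   full_audit:success = pwrite rename unlink
AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<host>[^|]+)\|"
    r"(?P<share>[^|]+)\|(?P<op>[^|]+)\|ok\|(?P<path>.*)$")
MODIFY_OPS = {"pwrite", "rename", "unlink"}
EPOCH = datetime(1900, 1, 1)  # traditional syslog timestamps carry no year

def _seconds(line):
    """Seconds since EPOCH for a syslog prefix such as 'Mar  4 15:00:24'."""
    return (datetime.strptime(line[:15], "%b %d %H:%M:%S") - EPOCH).total_seconds()

def detect_bursts(lines, window_s=60, threshold=50):
    """Flag each (user, ip) whose modifying operations reach `threshold` within any
    `window_s`-second sliding window; returns {(user, ip): timestamp of first alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        m = AUDIT_RE.search(line)
        if not m or m["op"] not in MODIFY_OPS:
            continue
        key, ts = (m["user"], m["ip"]), _seconds(line)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = line[:15]
    return alerts

def _line(hms, user, ip, host, op, path):
    return f"Mar  4 {hms} nas smbd_audit: {user}|{ip}|{host}|docs|{op}|ok|{path}"

# Constructed sample log: bob edits two files over several minutes (normal);
# alice's workstation rewrites and renames 40 files within 40 seconds (burst).
SAMPLE_LOG = [
    _line("14:58:10", "bob", "192.0.2.21", "ws02", "pwrite", "team/budget.xlsx"),
    _line("15:03:40", "bob", "192.0.2.21", "ws02", "pwrite", "team/minutes.docx"),
] + [
    _line(f"15:00:{i // 2:02d}", "alice", "192.0.2.10", "ws01",
          "pwrite" if i % 2 == 0 else "rename", f"proj/file{i // 2}.docx")
    for i in range(80)
]
```

Such an alert is a trigger for a response (disabling the session or account on the file server), which is more precise than a bandwidth quota, since a legitimate bulk copy and an encryption run look alike on the wire.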

2 Answers

1

Since a virus-infected PC has to download (encrypt) and reupload the entire file, and repeat the process for every network drive, is it possible to detect this unusually high bandwidth event? Is there a way to respond to it (via QOS or something)?

You're mistaken: the malware doesn't need to transfer the file. It uses asymmetric encryption: the file is first (symmetrically) encrypted with a long, unique and randomly generated key, and that key is then encrypted using only the public half of the decryption key.

Once that symmetrical encryption key is deleted, there is nothing left on your machine to decrypt the files and you never touched the key that will unlock it.

I'm looking for a way to detect and/or limit Cryptolocker encryption by monitoring how much data is transferred (as it is encrypting files) and possibly set a quota on this transfer (QOS?).

Don't try to build your own: there are plenty of security systems that can assist you with detecting (and provide protection against) this and many other threats: antivirus scanners, IPS, IDS, NBAD, firewalls, etc. Any (smart) investment you make in these will be orders of magnitude more efficient than trying to jury-rig a protection on your own - especially if you do not understand the nature of the threat.

Stephane
  • A client accessing a network share will need to transfer the entire file to do symmetric encryption. I clarified that this is a client accessing a network share. – makerofthings7 Mar 04 '15 at 15:00
  • Also, for your second bullet I'm pushing out SourceFire, I was mainly looking at the Network aspect since it can also detect "something strange" going on – makerofthings7 Mar 04 '15 at 15:35
0

A better way to protect against Cryptolocker is to set up a NAS that will force versioning of files. With force, I mean that all changes to files will be saved on the NAS, and the client has no way to affect this. Then you save all important data on this versioned NAS. If Cryptolocker encrypts your NAS, you simply tell the NAS to roll back the files to the date when they were not encrypted.

It's important that the client cannot in any way touch this versioning. E.g., the client accesses the NAS and writes a file. If the NAS sees that an already existing file would be overwritten, it instead directs the write to a "change file" - e.g. something like a COW overlay, but file-based instead of block-based.

When you notice "omg, my files on the shared drive have been encrypted", you simply log in physically to the NAS and tell it to roll back the encrypted files to their previous version. If the files were instead deleted and an encrypted copy was saved, you tell the NAS to restore the deleted files.

Such a NAS can be built using a Linux server, Samba and some further software that allows it to keep track of changes to files inside the shared drive.

The good thing with such a NAS is that you can safely keep the NAS connected and "mounted" all the time. If Cryptolocker touches it, you can simply roll back the time. Note that you need to build the NAS in such a way that the client uses it as a simple shared drive. The client should NOT do the versioning of files itself, since then Cryptolocker can bypass it. It's the NAS server that needs to enforce the versioning.

Yes, this means whole files will be transmitted to the NAS over the wire "unnecessarily", and then cut down to "difference files" at the server, but it's really worth it.

Using an external drive and just connecting it regularly for backup is NOT safe; Cryptolocker can sit latent and wait for the backup drive to be connected, and then encrypt the files. You MUST use a NAS drive which enforces "versioning" on the server side.

This also protects against simply destructive payloads which delete/infect files without encrypting them and without offering the possibility to pay a ransom to get the files back (those are actually worse than the ransom viruses).

sebastian nielsen
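The server-enforced versioning described in the answer above, as an added toy model that is not part of the original post or of any NAS product: the exported tree and the versions tree are separate, every overwrite or delete preserves the old content before it is touched, and rollback restores the newest version from before a chosen time. The `VersionedShare` class, its method names and the simulated clock (`ts`) are hypothetical; the demo data is constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path


class VersionedShare:
    """Toy server-enforced versioning (hypothetical, not a real NAS product): every
    overwrite or delete first copies the existing file into a tree the client never sees."""

    def __init__(self, root):
        self.share = Path(root) / "share"        # exported to clients over SMB
        self.versions = Path(root) / "versions"  # never exported; named by content mtime

    def _preserve(self, rel):
        src = self.share / rel
        if src.is_file():  # nothing to keep for a brand-new file
            dst = self.versions / rel / f"{src.stat().st_mtime:.6f}"
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)

    def write(self, rel, data, ts):  # ts: time of this write (simulated clock)
        self._preserve(rel)
        path = self.share / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        os.utime(path, (ts, ts))

    def delete(self, rel):
        self._preserve(rel)
        (self.share / rel).unlink()

    def rollback(self, rel, before):  # restore newest version written before `before`
        vdir = self.versions / rel
        older = sorted(float(p.name) for p in vdir.iterdir()
                       if float(p.name) < before) if vdir.is_dir() else []
        if not older:
            return False
        shutil.copy2(vdir / f"{older[-1]:.6f}", self.share / rel)
        return True


def demo(root=None):
    """Legitimate edits, then a constructed ransomware overwrite and delete, then rollback."""
    s = VersionedShare(root or tempfile.mkdtemp(prefix="vshare-"))
    s.write("docs/plan.txt", b"plan v1", ts=1000.0)
    s.write("docs/notes.txt", b"notes", ts=1200.0)
    s.write("docs/plan.txt", b"plan v2", ts=1500.0)           # legitimate edit
    s.write("docs/plan.txt", b"\x8f\x13\xa0junk", ts=2000.0)  # "encrypted" overwrite
    s.delete("docs/notes.txt")                                # destructive payload
    ok = s.rollback("docs/plan.txt", 2000.0) and s.rollback("docs/notes.txt", 2000.0)
    return {"restored": ok, "plan": (s.share / "docs/plan.txt").read_bytes(),
            "notes": (s.share / "docs/notes.txt").read_bytes()}
```

The point the model makes concrete is that the client only ever has write access to `share`; as long as `versions` is reachable solely by the server process, a client-side infection cannot alter or delete history, which is the property the answer requires.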