How To Detect Ransomware With FileAudit - Enterprise Network Security Blog From ISDecisions

2/24/2017 How to Detect Ransomware with FileAudit - Enterprise Network Security Blog from ISDecisions

According to the FBI, ransomware, the strain of malware whereby files and folders are locked down by
criminals and not released until a ransom is paid, is a growing concern. This, coupled with the new mass
access alerts in FileAudit 5, has triggered many questions from both customers and prospects on how to
detect these attacks with FileAudit.

Given the surge in interest, I wanted to answer some of those questions.

FileAudit plays a strong role in protecting a network against these kinds of attacks, so the following provides an
overview of best practice in usage as well as a practical encryption test, including the results. So if you're interested
in using FileAudit to protect against ransomware, read on!

How does encrypting ransomware work?

Let's start by explaining how exactly ransomware works.

An encrypting ransomware will typically arrive as an email attachment, which is opened by the victim, an
unwitting company employee. Through a security exploit or flaw, malicious code is then launched which downloads
and installs a program on the victim's machine.

The program will then contact a remote server owned by the attackers, where an asymmetric encryption key pair is
generated. The private key is kept on the attacker's server while the public key is stored on the victim's computer.
The program can then start encrypting all documents the user has access to: it generates a random symmetric
encryption key for each file, encrypts the file with this key, and appends to the end of the file the symmetric key
encrypted with the public asymmetric key.

It is done this way because encrypting data directly with an asymmetric key is 1000 times slower than with a
symmetric key, but in both cases the result is the same: without the private key it is not possible to decrypt the
files.

What this means is that if the victim doesn't have a backup of all the encrypted files, the attacker will be able to
force him to pay a ransom to get the private key.

Defence in depth
So how can we protect against such a threat? There are a number of practical measures:

1. Clearly, you should educate your users to not open strange email attachments!

2. You can disallow files with certain extensions in mail attachments, e.g. executable files or file types not needed in
your business.

3. You should ensure that the programs which are allowed to open attachments are up to date, e.g. by running the latest
versions of Microsoft Word or Acrobat Reader.

4. Normal users should be disallowed from being able to execute programs from locations they are allowed to
write to e.g. their document folders. They should only be able to launch programs approved by the
administrator. In Windows, this can be implemented with AppLocker.

5. An administrator account should never be used to do basic user tasks such as reading email, surfing the internet or
doing normal office work.

6. Users should only be able to modify files needed to do their work. Files they have no reason to modify should
be restricted to read only access for them.

7. You should have up to date antivirus software running on your mail server and on workstations to detect
infections and protect against them.

8. You should have a way to detect massive file encryption on your file servers. The sooner you detect an attack,
the sooner you will be able to stop it, which means less data loss and less work to clear up the mess! This is
where FileAudit can help you, by configuring mass access alerts.

9. You should have a backup of all your files in a secure place.

More measures can be found here

AppLocker is an excellent line of defence, because most malware will not be able to infect a computer if the user is
only allowed to run programs from designated folders they cannot write to, such as c:\Program files and
c:\Windows.

The difficulty, however, is that more and more cloud-based applications run from the user profile in order to be able
to update automatically. So the administrator may need to handle many exceptions in the AppLocker rules,
depending on what kind of applications users are allowed to use. The second difficulty is that AppLocker is only available
in the Enterprise and Ultimate editions of Windows.

How to configure FileAudit to detect massive encryption
So now that we have a good idea where FileAudit can play a role in our defence, how do we configure it?

If ransomware is encrypting files in a folder or share audited by FileAudit, this will trigger a lot of access events in
FileAudit and we can use mass access alerts to detect it.

But what kinds of file accesses are generated by the encryption of a file? Firstly, the file content needs to be read in
order to be loaded in the memory. Then, the data is encrypted in memory, the encrypted data is written into a new
file and lastly the original file is deleted.

Consequently, we should see three consecutive file operations in FileAudit: a read, a write and a delete. So in
order to detect a massive encryption attack on a file server we should set three mass alerts: one for massive read,
one for massive write and one for massive deletion. If we get the three alerts simultaneously, we are most probably facing
an encryption attack.
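As an added example, not FileAudit's code and not the author's test tool, the following Python script replays a constructed stream of file-server audit events and applies the three-alert logic just described: one sliding-window counter per access type and per user, and an "encryption suspected" verdict only when the Read, Write and Delete alerts are all active at the same moment. The threshold and window values, the user names and the UNC paths are assumptions made for this example; FileAudit's own default thresholds are not stated on this page.

```python
"""Correlate mass Read / Write / Delete alerts over file-server audit events.

Added example; it is not part of FileAudit. Threshold, window, users and
paths below are assumptions chosen to make the behaviour visible.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACCESS_TYPES = ("Read", "Write", "Delete")

# Assumed tunables (not FileAudit defaults): an alert for one access type
# fires when a single user produces THRESHOLD events of that type within WINDOW.
THRESHOLD = 30
WINDOW = timedelta(seconds=60)


def mass_access_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Replay (timestamp, user, access_type, path) events in time order.

    Returns:
      alerts   - {user: set of access types whose mass alert fired}
      suspects - {user: first timestamp at which Read, Write and Delete
                  alerts were all active together, i.e. the encryption pattern}
    """
    recent = defaultdict(lambda: {t: deque() for t in ACCESS_TYPES})
    alerts = defaultdict(set)
    suspects = {}
    for ts, user, access, _path in sorted(events):
        if access not in ACCESS_TYPES:
            continue  # other audit types (e.g. attribute changes) are ignored here
        q = recent[user][access]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        # Evaluate each access type on its own, like three separate mass alerts
        active = {t for t in ACCESS_TYPES if len(recent[user][t]) >= threshold}
        alerts[user] |= active
        # Only the simultaneous read+write+delete pattern is treated as encryption
        if active == set(ACCESS_TYPES) and user not in suspects:
            suspects[user] = ts
    return dict(alerts), suspects


def constructed_events():
    """Constructed sample audit stream (not real FileAudit output)."""
    t0 = datetime(2017, 2, 24, 9, 0, 0)
    events = []
    # 1) Encryption pattern: for each of 50 files, read the original, write an
    #    encrypted copy, delete the original, all within a few seconds.
    for i in range(50):
        ts = t0 + timedelta(milliseconds=200 * i)
        src = rf"\\fileserver\share\docs\EncryptMe{i}.docx"
        events.append((ts, r"CORP\bob", "Read", src))
        events.append((ts + timedelta(milliseconds=50), r"CORP\bob", "Write", src + ".locked"))
        events.append((ts + timedelta(milliseconds=100), r"CORP\bob", "Delete", src))
    # 2) Benign bulk reader: a backup/indexing service reads 200 files in 20 s
    #    but never writes or deletes, so only the Read alert should fire.
    for i in range(200):
        ts = t0 + timedelta(milliseconds=100 * i)
        events.append((ts, r"CORP\backup-svc", "Read", rf"\\fileserver\share\docs\report{i}.xlsx"))
    # 3) Normal user: a handful of edits spread over most of an hour.
    for i in range(5):
        ts = t0 + timedelta(minutes=12 * i)
        path = rf"\\fileserver\share\docs\notes{i}.txt"
        events.append((ts, r"CORP\alice", "Read", path))
        events.append((ts + timedelta(seconds=30), r"CORP\alice", "Write", path))
    return events


if __name__ == "__main__":
    alerts, suspects = mass_access_alerts(constructed_events())
    for user, fired in sorted(alerts.items()):
        print(f"{user:<18} mass alerts: {sorted(fired) or 'none'}")
    for user, ts in suspects.items():
        print(f"ENCRYPTION SUSPECTED for {user} at {ts:%H:%M:%S}")
```

The backup service case is why the post insists on all three alerts together: a bulk read alone is common and harmless, while read, write and delete crossing the threshold at the same time is what file-by-file encryption looks like on the server. Raising `threshold` (e.g. to 60) makes the 50-file run above go unnoticed, which is the trade-off behind the author's remark about tweaking the default thresholds later.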

To test this, I developed a small tool to encrypt all files in a specific folder.

The tool allows the generation of a folder tree with many files in it. The names of the files in the folder will all match
the pattern EncryptMe*.* to avoid any mistake later when I run the encryption task. Files that don't match the
pattern will not be encrypted. There are about 8000 files in the folder.

Once the folder tree has been generated we need to configure the folder to be audited in FileAudit.

Then we can create the three mass alerts in FileAudit filtered by Access Type: respectively Read, Write and Delete.


We keep the default thresholds for now. We will see later if we need to tweak them.

In the monitored paths of the alerts added to FileAudit, we specify the star (*) to monitor all audited paths.
