Tips on How To Detect Encrypted Files (or The Battle against Ransomware)

The Problem


Even with multiple lines of defense in place, someone in your network is inevitably going to click on that attachment or link prompting them to open that scan or document they requested (if they would briefly stop and think about it, they actually did not scan or request any document) and the next thing you know every document on the shared drive is encrypted. Welcome to the wonderful world of ransomware!

Until now, the only real solution once the damage has been done is to have a good backup (and/or Volume Shadow Copy). I have heard stories that you can actually pay the ransom fee and get your files back. That may work for home users, but I doubt very much that an organization with hundreds of thousands of files infected is going to get off the hook for $500.

So for now, restoring from the latest backup seems to be the best line of defense against ransomware. I do, however, anticipate a future where things will become much harder to protect against. For example, what if a crafty hacker was able to detect documents that are important, but are only opened once a year for review?

What can you do?

  1. For Windows workstations: turn on System Protection, and make sure users either do not store documents locally (that is what I recommend) or have a backup in place.
  2. For servers: as I mentioned above, make sure you have backups and/or Volume Shadow Copy turned on.
  3. Read this
  4. This Scan Tool should be useful to identify encrypted files (I have never used it, though).
  5. Use PowerShell to test files for Crypto. It is typically easy to find out who is infected by checking the owner of an encrypted file and recording the time when the file was last modified. The script below can be modified accordingly to scan through your shared folders and find what has been encrypted. Edit the file, dot-source it into your PowerShell session (http://mikepfeiffer.net/2010/06/how-to-add-functions-to-your-powershell-session/), then run it by using:
    Get-Postcrypto Path
    Example: Get-Postcrypto "E:\shared\Company"
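
One way to implement the kind of scan step 5 describes, as an added example that is not the script this post refers to: it flags documents whose first bytes no longer match their extension and reports the owner and last-modified time. The function name `Find-SuspectEncryptedFile` and the header-signature heuristic are assumptions made for this example.

```powershell
# Added example: hypothetical function and heuristic, not the post's Get-Postcrypto script.
function Find-SuspectEncryptedFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Expected leading bytes ("magic numbers") for common document types.
    $zip = [byte[]](0x50, 0x4B, 0x03, 0x04)   # PK.. (ZIP container used by OOXML)
    $ole = [byte[]](0xD0, 0xCF, 0x11, 0xE0)   # OLE2 compound file (legacy Office)
    $signatures = @{
        '.docx' = $zip; '.xlsx' = $zip; '.pptx' = $zip
        '.doc'  = $ole; '.xls'  = $ole; '.ppt'  = $ole
        '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)   # %PDF
        '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
        '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $signatures.ContainsKey($_.Extension.ToLowerInvariant()) } |
        ForEach-Object {
            $expected = $signatures[$_.Extension.ToLowerInvariant()]
            $header   = New-Object byte[] ($expected.Length)
            try {
                # Open read-only and allow sharing so files in use can still be checked.
                $stream = [System.IO.File]::Open($_.FullName, 'Open', 'Read', 'ReadWrite')
                try     { $read = $stream.Read($header, 0, $header.Length) }
                finally { $stream.Dispose() }
            } catch {
                Write-Warning "Could not read $($_.FullName): $($_.Exception.Message)"
                return
            }
            if ($read -eq 0) { return }   # empty file: nothing to compare

            # A header that differs from the extension's signature is a lead to review.
            $same = [System.BitConverter]::ToString($header) -eq
                    [System.BitConverter]::ToString($expected)
            if (-not $same) {
                New-Object psobject -Property @{
                    File         = $_.FullName
                    Owner        = (Get-Acl -LiteralPath $_.FullName).Owner
                    LastModified = $_.LastWriteTime
                }
            }
        }
}

# Usage, with the example path from this post:
# Find-SuspectEncryptedFile -Path "E:\shared\Company" | Sort-Object LastModified
```

Treat hits as leads rather than proof: password-protected Office files are stored in an OLE2 container and will be flagged under .docx/.xlsx/.pptx, and files that have been renamed to a new extension are not covered by this check.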

 
