
Cryptolocker and Locky

The cryptolocker virus is malicious software that scrambles (encrypts) the contents of files, generally entire directories, and makes them unreadable.

One has to "invite this software in" -- download it as an email attachment and then execute it. Unless you are the only person using your network, there will likely always be people in an enterprise who will be fooled, and thus one can generally assume that someone will run this virus or a relative of it eventually. It is only a matter of time. Bigger organizations will have bigger problems -- obviously if you have 1000 workers, the chance of one of them downloading a virus is 100 times greater than in an organization with 10 workers.

If one has good backups, one can restore the scrambled files. Nevertheless there is still the problem of finding the scrambled files. See the better solution at the end.

The locky virus

This is a similar idea -- one "invites in" this virus, either by opening a Word doc file that contains a macro, or by clicking on a web site that serves a JavaScript file. Thus it takes someone with a basic lack of computer savvy to let this creature into your network. Perhaps you know someone like this who works with you, eh?

Locky files are easy to find -- they say "locky".

We don't think you can prevent your staff from doing dangerous things, so the best solution to locky is to put your critical systems behind a DMZ -- i.e. put them on another internal network that your staff cannot access, with the only connection being through remote desktop type software. Microsoft, VMware and Citrix all offer DMZ type solutions.

The method of finding encrypted files for Cryptolocker.

The following is a method of finding encrypted files, using simple Linux shell programming. The idea is to find a particular file type (PDF here), then check the "magic number" to see if the file type matches. When a file is encrypted, the magic number is encrypted too. If the magic number doesn't match the file type, then the file is encrypted. Other methods have been published online to find encrypted files, but they generally depend on unfamiliar languages (e.g. Python), or on access to powerful forensic tools.

This method is very fast, but it might need to be "tweaked" to your own file system's characteristics. Because it uses standard Linux shell programs, it should work on any system where you can "get to" the files using Linux. If the files are already on Linux, you are in good shape.

Here are two shell scripts.

1. Crypto

find . -type f -name '*.pdf' -exec file {} \;

Change directory to the top level of the partially encrypted file system, and run: sh < crypto > crypto.out

2. Crypto2

grep -v 'PDF document' crypto.out > crypto2.out
uniq -w 14 crypto2.out > crypto3.out
wc -l crypto3.out

From the same location as crypto, run: sh < crypto2

How the scripts work:

How the "crypto" shell script works: after crypto has been run, crypto.out has one line per PDF file, of the form filename: type, where the type is what the "file" program deduced from the magic number.

The "crypto2" shell script does this: the "grep -v" line drops every line that "file" recognised as a 'PDF document', leaving only the files whose magic number no longer matches their extension; the "uniq -w 14" line collapses adjacent lines whose first 14 characters (the directory part of the path) are the same, so each affected directory is listed once; "wc -l" counts those directories.

This script might need to be altered for your situation, as your directory names may not necessarily all be 14 columns.

The following script, which replaces crypto2, will work for directory names of any length:

grep -v 'PDF document' crypto.out > crypto2.out
sed 's![^/]*$!!' crypto2.out > crypto2b.out
uniq crypto2b.out > crypto3.out
wc -l crypto3.out

The "sed" line deletes everything from the last '/' to the end of the line, isolating the path to the file without the final filename itself. The main problem with this syntax is that it lists more than needed -- it includes subdirectories of encrypted directories.
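A portable variant of the same magic-number check, added here as an example and not part of Dr. Hain's original scripts: it reads the leading bytes itself with od(1), so it does not depend on file(1) or on directory names being 14 columns wide, and it covers several file types at once. The extensions and signatures it knows are assumptions for the demo, as is the constructed sample tree.

```shell
# Added example, not from the original page: the same magic-number check, reading
# the bytes with od(1) instead of parsing file(1) output. Signatures are assumed.
# Hex of the first $2 bytes of file $1, lower case, no spaces.
magic_hex() {
    od -A n -N "$2" -t x1 -v "$1" | tr -d ' \n'
}

# Expected leading bytes (hex) for an extension; no match means "not tracked".
expected_magic() {
    case "$1" in
        pdf)      echo "255044462d" ;;       # "%PDF-"
        jpg|jpeg) echo "ffd8ff" ;;           # JPEG SOI marker
        png)      echo "89504e470d0a1a0a" ;; # PNG signature
    esac
}

# Print every tracked file under $1 whose leading bytes do not match its
# extension: a scrambled file has lost its magic number along with the rest.
find_mismatched() {
    find "$1" -type f \( -iname '*.pdf' -o -iname '*.jpg' -o -iname '*.png' \) -print |
    while IFS= read -r f; do
        ext=$(printf '%s\n' "$f" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
        want=$(expected_magic "$ext")
        [ -n "$want" ] || continue
        got=$(magic_hex "$f" $(( ${#want} / 2 )))
        [ "$got" = "$want" ] || printf '%s\n' "$f"
    done
}

# Distinct directories holding mismatched files (the page's crypto3.out count),
# without assuming the directory part of the path is 14 columns wide.
mismatched_dirs() {
    find_mismatched "$1" | sed 's![^/]*$!!' | sort -u
}

# Demo on a constructed sample tree: two intact files and two scrambled ones.
# Prints "<mismatched files> <affected directories>", i.e. "2 1".
demo_counts() {
    root=$(mktemp -d)
    mkdir -p "$root/ok" "$root/hit"
    printf '%%PDF-1.4\n' > "$root/ok/a.pdf"                # intact PDF header
    printf '\377\330\377\340JFIF' > "$root/ok/b.jpg"        # intact JPEG header
    printf 'scrambled by ransomware\n' > "$root/hit/c.pdf"  # magic number gone
    printf 'also not a jpeg\n' > "$root/hit/d.jpg"
    files=$(find_mismatched "$root" | wc -l | tr -d ' ')
    dirs=$(mismatched_dirs "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    echo "$files $dirs"
}
```

Run it from the top of the suspect file system as mismatched_dirs . to get the list of affected directories; demo_counts only exercises the functions on the throwaway sample tree.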

Other uses of similar methodology

It seems likely to us that one could also defend against cryptolocker (and similar) viruses, which work through a normal user who invites them in, by setting the permissions of files to read only. One could do this using a script similar to "crypto", passing each file name to chmod instead of to file.

How to stop ransomware--the general solution

Backup is not a good method of defending against ransomware, as it requires diligence, lots of disk space and lots of disk access (which wears disks out), and every time someone lets in a new virus you have to get your files back off the backup. This takes time.

A far more rational solution to the ransomware problem is to put your critical systems behind a DMZ -- i.e. put them on another internal network that your staff cannot access, with the only connection being through remote desktop type software that only sends pixels rather than executable files. Microsoft, VMware and Citrix all offer DMZ type solutions.

This has issues -- you need a powerful server to do this, and you must limit your users' ability to do harm by curating their access to these programs, but nevertheless it is the only reasonable method to defend against both your staff and ransomware.

© Copyright March 11, 2016, Timothy C. Hain, M.D. All rights reserved.