1. Create an "Application and Device Control" rule.
"Apply this rule to the following processes:" *
Add "File and Folder Access Attempts"
1.1. "Properties" of File and Folder Access Attempts
Apply to the following files and folders:
decrypt all*.txt
decrypt_instruction*.txt
*.doc.???????
*.docx.???????
*.xls.???????
*.xlsx.???????
*.pdf.???????
*.rtf.???????
*.txt.???????
*.zip.???????
*.pst.???????
*.locky
*.crypted
*.encryptedRSA
do not apply the following files and folders:
*.???.???
*.partial
1.2. "Actions":
Under the "Launch Process Attempts":
properties:
Apply to the following processes:
MD5s of the new "cryptolocker" and "download.ponic" variants
Actions:
Terminate process, Enable logging, severity - 0, Send e-mail alert.
2. Create a "Notification condition" under Monitors/Notifications:
Done.
When the malware takes an action (encrypts any files), SEPM generates a mail to the system administrators.
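To check what the file patterns above actually catch before putting the rule in test mode, here is an added Python model of the rule's "apply" and "do not apply" lists (example code, not Symantec's or the poster's). It assumes SEP's `*` and `?` behave like ordinary glob wildcards, that matching is case-insensitive as on Windows, and that an exclusion always wins over a match; the sample paths are constructed.

```python
"""Model of the SEPM Application and Device Control file rule from the post."""
import fnmatch
import os

# "Apply to the following files and folders" list, copied from the rule.
APPLY = [
    "decrypt all*.txt", "decrypt_instruction*.txt",
    "*.doc.???????", "*.docx.???????", "*.xls.???????", "*.xlsx.???????",
    "*.pdf.???????", "*.rtf.???????", "*.txt.???????", "*.zip.???????",
    "*.pst.???????", "*.locky", "*.crypted", "*.encryptedRSA",
]
# "Do not apply" list; assumed to take precedence over APPLY.
EXCLUDE = ["*.???.???", "*.partial"]


def _matches(name, patterns):
    # Assumption: SEP wildcards equal glob wildcards, compared case-insensitively.
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def rule_fires(path):
    """True if the rule would act on a file access to `path`."""
    name = os.path.basename(path.replace("\\", "/"))
    return _matches(name, APPLY) and not _matches(name, EXCLUDE)


def triage(paths):
    """Split file-access events into (flagged, ignored) lists."""
    flagged = [p for p in paths if rule_fires(p)]
    ignored = [p for p in paths if not rule_fires(p)]
    return flagged, ignored


# Constructed sample events, not real telemetry.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.a1b2c3d",  # 7-char suffix, flagged
    r"C:\Users\alice\Desktop\decrypt_instruction.txt",  # ransom note, flagged
    r"C:\Users\alice\Photos\holiday.jpg.locky",  # *.locky, flagged
    r"C:\Users\alice\Downloads\invoice.pdf.partial",  # hits *.pdf.??????? but *.partial wins
    r"C:\Users\alice\Desktop\decrypt all.bak.txt",  # hits the note pattern but *.???.??? wins
    r"C:\Users\alice\Documents\report.docx",  # ordinary file, ignored
]

if __name__ == "__main__":
    hit, miss = triage(SAMPLE)
    print("flagged:", *hit, sep="\n  ")
    print("ignored:", *miss, sep="\n  ")
```

The last two ignored entries show why the "do not apply" list is worth reviewing: `*.partial` is what keeps half-downloaded documents quiet, but `*.???.???` also silences a note whose name happens to carry a three-letter middle extension.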
Cool, so I will create some policy to test before applying it to the production servers.
Thanks Brian!
No you need to assign a policy for it.
Brian,
Is "application and device control" enabled by default when the full stack of the SEP client is enabled / deployed?
Detects a lot.
You need application and device control enabled.
Hi Viktor,
Is this only to detect one version or variant of Cryptolocker, or can it be used for all types of Cryptolocker?
Do you have to enable the full stack of the SEP client in order to get email alerts?
New file types:
HELP_YOUR_FILES.* .fun .sanction HOW_TO_DECRYPT.*
Hi Tony,
Here are some MD5 and SHA256 sums:
https://www.secureworks.com/research/cryptolocker-ransomware
Another way: search with Google, e.g. "cryptolocker md5 list", "cryptolocker md5 site:virustotal.com", "locky md5 site:virustotal.com"
This is a brilliant idea; would you be able to share the MD5s for "Launch Process Attempts" so we can use them as well?
Cheers.
Yes
Hi Brian, have you been using any policy similar to this?
If you're concerned, set it to test mode first.
There's also one here by Symantec:
https://www-secure.symantec.com/connect/blogs/defeat-powerware-using-sep-application-control-policies
Hi, nice share, really appreciate it. Have you tested it and does it work fine? Can I use this in my production network to be safe from CryptoLocker? Is this policy safe to use without impacting anything?
Thanks