Does anyone know how to automatically detect the file activity characteristic of a ransomware (file-encrypting) virus?

Many people are now facing the problem of ransomware. Briefly, the essence of the problem:
1. The Trojan uses social engineering to infect, which the average user finds very hard to distinguish from normal daily activity. For example, if a person works with invoices, he receives a letter saying, "please pay the invoice in the attachment".
2. The Trojan is not detected by the antivirus. The antivirus simply has no signature for the virus at the time it arrives; almost every distribution is a separate build of the virus.
3. The Trojan encrypts all the files on the user's machine and extorts money for their decryption.

In short... We are faced with the fact that we cannot rule out infection by ransomware; however, on reflection we realized that the behaviour of ransomware should be trivial by definition. That is, it behaves roughly like a search scanner: it accesses a large number of files in different folders, deletes files, creates new files, works only with certain file types and changes files of a certain date (for example, the most recent files first).
In a word, all of this activity can be detected heuristically, and one can conclude that the application is behaving suspiciously, and then take action. Not every application behaves like this; it is a very rare kind of activity. You can block a whole class of applications with such unwanted file behaviour, and corporate users will be satisfied.

In general, the question arises: if the heuristic idea above is really obvious enough, then surely someone has already implemented this mechanism in their antivirus software. Have you heard anything about antivirus software or utilities of this type?
July 9th 19 at 11:14
10 answers
July 9th 19 at 11:32
> No. Ransomware does not have any obvious differences in activity by which it can be clearly distinguished from useful programs.

This is, of course, wrong. Heuristics reliably detect ransomware: there is a measure of the change in a file's degree of order during the write process. During encryption the file's order drops significantly, which allows ransomware to be detected. This is how Kaspersky 11 and some other corporate antiviruses work.
July 9th 19 at 11:34
> someone has already implemented this mechanism in their antivirus software. Have you heard anything about antivirus software or utilities of this type?

The solution is:
AppCheck Anti-Ransomware Solution
RansomFree by Cybereason

See the links for a description in Russian:
July 9th 19 at 11:16
The most reliable protection against ransomware is a versioned backup.

The easiest way to do this is to deploy ownCloud (done in 1 hour, including a smoke break, lunch and a chat with colleagues) and set up the clients to sync with the cloud.

At the same time you get rid of:
- Oh, my file is lost!
- Yes, you erased it from the recycle bin two months ago!
You probably use this thing, so I'll ask. If a folder was encrypted, all files in the directory will be re-synchronized to the cloud. Ransomware often changes the file extension, but suppose this one did not change the extension. In the end we find that our cloud holds two versions of the files, unencrypted and encrypted. If it's one file, there is no problem, but if there are a lot of them... So here's the question: is it possible in ownCloud to roll back all files in the user's directory to the previous version in one motion? - yasmeen.Lyn commented on July 9th 19 at 11:19
: There is no obvious way to do it; the non-obvious way is that all versions of files are stored in the file system on the server, in directories that mirror the user's FS, with a timestamp appended to their names. Any batch-rename tool can rename the files in place, and you get what you want. - orin.Runte commented on July 9th 19 at 11:22
July 9th 19 at 11:18
I agree with :
Business information lives on the server, not on the user's computer.
The user has write access only to a limited range of files; everything else is read-only, and LiBr did not see it.
Files are synchronized to backup storage (cloud, ...) with versions kept.
Users have no access to the backup storage.
How to implement it - there are a number of ways.
July 9th 19 at 11:20
It fully emulates the file system and the registry with no risk to the working system (without affecting the real files and registry).
The app does not "see" that it is in the sandbox, so it behaves as usual.
You can install something, use it, and simply click "clean" without any uninstall.
Rich settings for each sandbox separately.
The best option for peace of mind.

Put it in place and configure it so that:
1. and/or programs run in a "sandbox" for specific folders/processes, etc.
2. and/or normal execution is allowed only from selected folders, etc.
July 9th 19 at 11:22
Systems like Tripwire, Samhain, OSSEC.
They track changes in files by comparing the hashes of the files specified in the program's settings with data from a closed database.
If a file changed without authorization, no heuristics are needed.
The system is interesting, but it seems to be only for *nix - yasmeen.Lyn commented on July 9th 19 at 11:25
: I specialize in *nix systems, so I brought those up. OSSEC seems to have agents for Windows.
Look for counterparts - there should be a lot of them. - orin.Runte commented on July 9th 19 at 11:28
July 9th 19 at 11:24
> In short... We are faced with the fact that we cannot rule out infection by ransomware; however, on reflection we realized that the behaviour of ransomware should be trivial by definition.

It is the same as the user's behaviour on his PC. Practically any software does the same thing. This heuristic will catch all the software on the PC.

The weak point is the mail. If you are in a corporate network, then:
1. How did you allow the employee to expose a corporate email address in the first place?
2. If things come to the employee by mail, why not a "white list" of senders?

It is not the virus; it is the layer between the chair and the monitor. And that is what you need to treat.

It can work with files directly, rather than through the native methods that the antivirus watches, the way defragmenters do. It works with the file as a whole.
1. There are a lot of workers and it is impossible to determine exactly how an email could leak. If a person needs to correspond with the outside world, sooner or later his inbox will become known to someone. Anyway, for one reason or another, it seems that forcing an employee to hide the corporate address is not always possible.
2. Well, for example, when you are corresponding with thousands of organizations and dozens of new organizations are added every day, you will have serious problems with a white list. Even if you solve them, there is the problem of communication: if you are expecting a letter from an organization, you require that the organization has previously been given your email address, while on their side they still do not know exactly which mailbox it will all be sent from, and if they do, they dictate it all over the phone, with errors. And finally, one more problem: what do you do if the letter with the ransomware comes from a trusted contact?

One can talk at length about the layer between the chair and the monitor and develop regulations for safely reading mail, but the reality is that sooner or later even the very people who developed those rules will get hit by ransomware. Because sometimes people come to work without enough sleep, with problems in the family, with scattered attention, etc., and ultimately you cannot push the responsibility onto an ordinary employee, because he needs to mind his own business, and you should be handling this. - yasmeen.Lyn commented on July 9th 19 at 11:27
I agree with Alexander. The virus calls NtCreateFile, just like any program does. The only thing you could certainly monitor is calls to Windows Crypto API functions, but I think it is not so simple; at first glance a behaviour pattern is just easy to obtain - orin.Runte commented on July 9th 19 at 11:30
: Yes, no, following CryptoAPI is probably not an option; it can also bring its own cryptographic library. It is clear that all programs use the same API functions, but at the same time it is also clear that, for example, if the user has been moving the mouse for the last 10 minutes, Word could not have opened 100 files and modified their contents. In addition, office applications can be excluded from the watchlist, or their file activity can be limited by a quota/response threshold. It is also possible to determine which application is calling NtCreateFile. Yes, even if some unknown application suddenly decides to get into the folder with the documents and starts opening/changing/deleting, that will be enough to guard against.

In general it seems to me that a characteristic pattern of behaviour exists and it is possible to filter it out and distinguish it from other file activity on the machine. I may be wrong, of course...

As for low-level disk access, it requires administrator privileges. - yasmeen.Lyn commented on July 9th 19 at 11:33
: But they are in no hurry to do it. In general, you can pick out a pattern: a legitimate program won't go through all of the drives and change files. This is the criterion to filter by. But you know, it's easier to just add a signature than to build such a solution) - Nathan_Gaylord commented on July 9th 19 at 11:36

> How did you allow the employee to expose a corporate email address in the first place?
Are you kidding me? Corporate email is actually exposed on purpose, and a lot of money is spent on this; that is what it costs.

> If things come to the employee by mail, why not a "white list" of senders?
You propose spending the money to rewrite millions of email addresses of all potential customers and put them on the white list? - yasmeen.Lyn commented on July 9th 19 at 11:39
July 9th 19 at 11:26
Yes, ban executable files from reaching users by mail altogether, have anything of that kind sent to a dedicated mailbox for review, and use a validator when in doubt.
July 9th 19 at 11:28
Perhaps the following is true for ransomware:
  • it targets certain types of documents
  • the hashes of most files in a directory change simultaneously
  • the machine's resource consumption increases
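The three heuristics raised in this thread, a hash baseline of the Tripwire/OSSEC kind, the drop in a file's degree of order (its Shannon entropy rising) during encryption, and most hashes in one directory changing at once, can be combined in a single check. The example below is added here and is not from any of the posters or the tools they name; it works on an in-memory `{path: bytes}` map (on a real host you would fill it with os.walk and open), and the sample tree and its high-entropy rewrite are constructed solely to exercise the detector.

```python
import hashlib
import math
import os
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0..8. Encrypted (or compressed) data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(files: dict) -> dict:
    """Baseline like a Tripwire-style database: path -> (sha256 hex, entropy)."""
    return {p: (hashlib.sha256(d).hexdigest(), shannon_entropy(d)) for p, d in files.items()}

def detect(before: dict, after: dict, entropy_jump=1.5, dir_ratio=0.5):
    """Compare two snapshots. Returns (files whose hash changed AND whose entropy
    rose by >= entropy_jump, directories where >= dir_ratio of the baseline files
    changed or vanished). Both thresholds are assumptions to tune per environment."""
    changed, total = Counter(), Counter()
    suspicious_files = []
    for path, (h0, e0) in before.items():
        d = os.path.dirname(path)
        total[d] += 1
        h1, e1 = after.get(path, (None, None))
        if h1 != h0:                      # modified, or deleted/renamed away
            changed[d] += 1
            if h1 is not None and e1 - e0 >= entropy_jump:
                suspicious_files.append(path)
    suspicious_dirs = sorted(d for d in total if changed[d] / total[d] >= dir_ratio)
    return sorted(suspicious_files), suspicious_dirs

# Constructed sample tree (not real data): four low-entropy invoices plus one unrelated file.
PLAIN = {f"docs/invoice{i}.docx": b"Invoice 2019-07 total: 1000 RUB\n" * 64 for i in range(4)}
PLAIN["readme/notes.txt"] = b"Nothing here changes.\n" * 64

def _high_entropy_rewrite(data: bytes, seed: bytes) -> bytes:
    """Test-data generator only: XOR with a sha256 counter stream so the sample's
    'after' contents have the near-8-bit entropy an encrypted file would show."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

AFTER = dict(PLAIN)
for p in list(PLAIN):
    if p.startswith("docs/"):             # the whole document folder gets rewritten
        AFTER[p] = _high_entropy_rewrite(PLAIN[p], b"constructed-seed")
AFTER["docs/invoice3.docx.locked"] = AFTER.pop("docs/invoice3.docx")  # one also renamed
```

Running `detect(snapshot(PLAIN), snapshot(AFTER))` flags the three rewritten invoices (the renamed one has no new hash to compare, but still counts toward the directory ratio) and the `docs` directory, while `readme` stays clean.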
July 9th 19 at 11:30
And you can also, through policy, permit the running of only certain executable files (EXE), like Word, Excel, etc.; you need to set this up in the policies, and that should help.
