1. Early Detection: Using Honeypots to Detect Ransomware Infections
Aaron Goldstein
April 27, 2016
2. Ransomware Trends
Lots of Macro-enabled document malware
Getting trickier to detect (for end users)
Detect unmapped shares for further destruction
3. Common Execution Chain
Once Executed, most ransomware will:
Create a manifest of files to encrypt
Usually based on file extension / path
Encrypt the data
Often with the file names becoming scrambled as well
Delete original files
Delete Volume Shadow Copies
Present Users with a Ransom Note
4. Honeypots to the rescue
What if we could know when critical files have been altered?
By creating a honeypot, it’s possible to set “traps”
While this can be effective, it is not guaranteed to work
5. Monitoring Shares with FSRM
File Server Resource Manager is a tool for screening and monitoring data shares
File Screening Option can be used to set actions based on user activity on a file share
6. Testing FSRM active screening
Create a new file group and set it to active screening (monitor all activity on share)
In “command” tab, set it to run powershell from your local path
In the arguments tab enter
-ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName '[Source Io Owner]' -Force } }"
This specific example will block access to all shares on the server once a write / modification is observed that matches the file screen pattern
7. Creating a HoneyPot
Create a new share
Create a readme file within the share to explain what this is for, so other users who might stumble upon the share
Set up FSRM to monitor "*.*" within the share, since no one should be writing to the folder
8. Keys to a successful honeypot
Create the new share, and give access to all “Authenticated Users”
Place a file within the share, instructing users not to open / alter the files within.
Note: It isn’t proven, but naming the share $ should put it near the top of file share listings. Hopefully that will make it one of the first to be encrypted
Once it’s working, consider updating the file screen pattern “*.*” to common ransomware file names / extensions (see references)
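The steps on slides 6 through 8 can be scripted instead of clicked through the FSRM console. The following is an added example, not code from the original slides: it creates the honeypot folder and share, drops the readme, defines a "*.*" file group, and attaches an active file screen with two actions: an Application-log event for the SOC, plus the slide 6 command action that denies the writing account on every non-special share. The local path, share name and file group name are assumptions; run it elevated on a file server with the FS-Resource-Manager feature installed.

```powershell
# Added example (not from the original deck): honeypot share + FSRM file screen
# built with the FSRM and SMB cmdlets. Assumed values: $SharePath, $ShareName, $GroupName.

$SharePath = 'D:\Honeypot'          # assumed local folder for the trap
$ShareName = 'Honeypot'             # assumed share name (see slide 8 note on naming)
$GroupName = 'Honeypot-AllFiles'    # assumed FSRM file group name
$PsExe     = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"

# 1. Folder plus the readme that tells humans to leave the share alone (slides 7-8).
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
@"
This folder is a monitored trap used to detect ransomware.
Do not open, copy, rename, or modify anything in it.
Any write here locks the writing account out of every share on this server.
"@ | Set-Content -Path (Join-Path $SharePath 'README.txt')

# 2. Share it to all Authenticated Users with change rights so ransomware can write to it.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess 'Authenticated Users' | Out-Null
}

# 3. File group: "*.*" because nobody should write here at all. README.txt is excluded
#    so re-dropping the readme during maintenance does not trip the trap.
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern '*.*' -ExcludePattern 'README.txt' | Out-Null
}

# 4a. Event action: leaves a record in the Application log that a SIEM can forward.
#     [Source Io Owner] and [Source File Path] are FSRM substitution variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Honeypot write by [Source Io Owner] to [Source File Path]'

# 4b. Command action from slide 6: deny the offending account on every non-special share.
#     Single-quoted so $false and $_ reach FSRM literally; '' is an escaped single quote.
$cmdArgs = '-ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName ''[Source Io Owner]'' -Force } }"'
$cmdAction = New-FsrmAction -Type Command -Command $PsExe -CommandParameters $cmdArgs `
    -SecurityLevel LocalSystem

# 5. Active file screen on the folder, wired to both actions.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
        -Notification @($eventAction, $cmdAction) -Description 'Ransomware honeypot' | Out-Null
}

# 6. Show what was built so the operator can eyeball it before testing with a throwaway account.
Get-FsrmFileScreen -Path $SharePath | Select-Object Path, Active, IncludeGroup
Get-SmbShareAccess -Name $ShareName
```

Test it with a non-privileged throwaway account by copying a file into the share, then confirm with `Get-SmbShareAccess` that a Deny entry for that account appeared on the other shares, and clear it with `Unblock-SmbShareAccess`. Two caveats worth keeping in mind: the response keys off the account that performed the write, so an infected workstation running as a broadly privileged account will lock that account out of every share at once, and the file screen only fires on writes into the trap folder, so an infection that never reaches this share is not seen by it.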