In case you haven’t heard, Crypto Locker is the malware that encrypts your files and then holds them hostage. Generally you have to pay to get them decrypted.  If you have a backup of all of your data, you might be able to avoid the payment. If you have a backup…

What makes it worse is that Crypto Locker will lock any files that an infected computer can access, including files on the network.  That means businesses with networks and shared folders (virtually all businesses) are at great risk. Do you have important shared folders with files that are accessed by many users? It just takes one user’s computer to get infected and all of those files could get encrytped

Clever Detection Solution

We have brilliant customers. One of them, Eric, works at a large real estate management firm. His network has been hit a few times by Crypto Locker so he devised a clever means of detecting it quickly before it could do much damage. To do this, he uses PA File Sight.

PA File Sight alerts you when files are accessed, which means written to, read from, created or deleted. Eric used this to his advantage by creating a ‘honeypot’ folder in his shared folders that people wouldn’t normally access, but which everyone had full access to. He loaded it up with typical files that might be in a folder like Word and Excel documents, PDFs, etc. Then, since some Crypto Locker applications will scan directories in alphabetical order, he named it so it would be at the front of the list.  Employees were instructed not to touch any files in that folder.

Next he installed PA File Sight and had it watch the honeypot folder. If any writes (such as writing a newly encrypted file to disk) happened in that folder, PA File Sight would send an alert.  Eric also mentioned writing an Execute Script action that would disconnect the share to protect the files.

This was a great start, but Eric didn’t stop there.  He used PA File Sight’s unique ability to alert when a user reads, writes or deletes more than a certain number of files within a set timeframe.

He set his threshold differently than the screenshot here — something like 50 file writes in 2 minutes.  No normal user is going to be saving 50 files in 2 minutes! But Crypto Locker probably will — once it starts causing trouble, it needs to get as much done as quickly as it can. So when this file access behavior is detected, he had PA File Sight alert, and then run his script to disconnect the share.  This allows him to watch the full share for those instances where Crypto Locker doesn’t read folders in alphabetical order.

Eric reported that there were occasionally some false-positives when a user was doing something unexpected, but those few were well worth the time and money they saved preventing an all out Crypto Locker attack.  In fact, just recently he was back purchasing more licenses so he could protect additional servers