Early Detection: Using Honeypots to Detect Ransomware Infections
Aaron Goldstein
April 27, 2016
Ransomware Trends
• Lots of macro-enabled document malware
• Getting trickier to detect (for end users)
• Detects unmapped shares for further destruction
Common Execution Chain
• Once executed, most ransomware will:
– Create a manifest of files to encrypt
• Usually based on file extension / path
– Encrypt the data
• Often with the file names becoming scrambled as well
– Delete the original files
– Delete Volume Shadow Copies
– Present users with a ransom note
Honeypots to the rescue
• What if we could know when critical files have been altered?
• By creating a honeypot, it’s possible to set “traps”
• While this can be effective, it is not guaranteed to work
Monitoring Shares with FSRM
• File Server Resource Manager (FSRM) is a tool for screening and monitoring data shares
• The File Screening option can be used to set actions based on user activity on a file share
Testing FSRM active screening
• Create a new file group and set it to active screening (monitor all activity on the share)
• In the “Command” tab, set it to run powershell.exe from your local path
• In the “Arguments” tab enter:
– -ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $_.Name -AccountName '[Source Io Owner]' -Force } }"
• This specific example will block access to all shares on the server for the offending account once a write / modification is observed that matches the file screen pattern
Creating a Honeypot
• Create a new share
• Create a readme file within the share to explain what it is for, so other users who might stumble upon the share know not to touch it
• Set up FSRM to monitor “*.*” within the share, since no one should be writing to the folder
Keys to a successful honeypot
• Create the new share, and give access to all “Authenticated Users”
• Place a file within the share, instructing users not to open / alter the files within.
• Note: It isn’t proven, but naming the share $<name> should put it near the top of file share listings. Hopefully that will make it one of the first to be encrypted
• Once it’s working, consider updating the file path “*.*” to common ransomware files / extensions (see references)
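The honeypot share and FSRM active screen from the two slides above, built with the SmbShare and FileServerResourceManager cmdlets instead of the GUI. This is an added example, not from the slides; it assumes a share path of D:\Shares\$Canary, a responder script at C:\FSRM\Block-Honeypot.ps1, and an elevated PowerShell session on a file server with the FS-Resource-Manager feature installed. The responder logs an Application event before it blocks the account, so the detection is visible even if the share lockout is later reverted.

```powershell
# Added example (not from the slides). Assumed paths and names:
$SharePath  = 'D:\Shares\$Canary'
$ShareName  = '$Canary'            # leading "$" is the slide's ordering trick
$ScriptPath = 'C:\FSRM\Block-Honeypot.ps1'

# 1. Share open to every authenticated user, with a readme warning people off.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'Authenticated Users' | Out-Null
Set-Content -Path (Join-Path $SharePath 'README.txt') -Value @'
This share is a monitoring canary. Do not open, copy, alter or delete the files in it.
'@

# 2. Responder script that FSRM will run. It records an event, then blocks the
#    offending account on every non-administrative share (same effect as the
#    Block-SmbShareAccess one-liner on the slide, but logged first).
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value @'
param([string]$Account, [string]$Path)
$msg = "Honeypot write by $Account on $Path"
Write-EventLog -LogName Application -Source 'FSRM Honeypot' -EventId 9001 -EntryType Warning -Message $msg
# Never lock out built-in / service accounts; a human will have to look at those.
if ($Account -match '^(NT AUTHORITY|BUILTIN)\\') { return }
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName $Account -Force
}
'@
if (-not [System.Diagnostics.EventLog]::SourceExists('FSRM Honeypot')) {
    New-EventLog -LogName Application -Source 'FSRM Honeypot'
}

# 3. File group matching everything, a Command action, and an active screen on
#    the share. [Source Io Owner] and [Source File Path] are FSRM notification
#    macros that FSRM expands when the action fires.
New-FsrmFileGroup -Name 'Honeypot - all files' -IncludePattern '*.*' | Out-Null
$action = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters "-ExecutionPolicy Bypass -NoLogo -File $ScriptPath -Account '[Source Io Owner]' -Path '[Source File Path]'" `
    -SecurityLevel LocalSystem
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Honeypot - all files' -Active -Notification $action | Out-Null
```

The NTFS ACL on the folder must also grant Modify to Authenticated Users, otherwise nothing can ever trip the screen. Test by writing a file to the share as a normal user and checking for Application event 9001 before relying on it.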
References
• https://community.spiceworks.com/how_to/100368cryptolocker-canary-detect-it-early
• https://raw.githubusercontent.com/thephoton/ransomware/master/filescreendecryptreadme.txt
• http://blog.netwrix.com/2016/04/11/ransomwareprotection-using-fsrm-and-powershell/