
Locky: Identify infected clients

In these two articles, I already presented a way to protect Windows file servers from Locky and other ransomware:

Tobbi has also implemented the idea for Netapp Filer:

But there are still the clients, from which most of the danger emanates. The faster the computers infected with Locky are identified, the faster the client can be isolated from the network and the Trojan rendered harmless.

So I did a little more thinking and ended up on the Fortinet blog while researching Locky. Fortinet has taken a closer look at Locky:

The article from Fortinet is well worth reading and also contains important information that can be used. Locky contacts command & control servers on the Internet, Fortinet even specifies which ones these are:

The C&C servers can simply be blocked at the firewall so that they are no longer reachable, but that probably does not stop Locky from encrypting files, especially since not all C&C servers are known yet.

But the C&C servers help to identify the clients that have caught Locky. If the firewall cannot report this directly, you can also have the Windows DNS servers log which computers resolve which domains. The log can then be searched for the C&C domains: if a client tries to resolve a C&C server via DNS, it has probably caught Locky.

I've prepared something:

In order for the script to identify the computers trying to reach the Locky C&C servers, debug logging must be enabled on the DNS server:

After a short time, the DNS debug log is filled:

This log file can be analyzed using PowerShell. If the script finds one of Locky's command & control servers in the DNS log, an email is sent:

The script still needs to be adapted a little:

In line 1 the path to the DNS debug log must be specified; lines 2 to 5 contain the data for sending mail. If the script is to run continuously, the value for "LoopScript" in line 7 can be set to "$true".

The script can now either be started in an endless loop via PowerShell (LoopScript = $true) or executed cyclically via Task Scheduler.

Note: If the script runs in an endless loop and hits are found in the log, a small flood of mail is triggered. I still have to adjust this a bit, but it's better to have too many mails than a big mess on Monday...
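To show the approach end to end, here is an added example of how such a DNS-log check can be written. It is not the script from this post; it assumes the Windows Server 2012 R2 debug log line format, uses placeholder indicator domains (`cc-example1.invalid`, `cc-example2.invalid`) and constructed log lines instead of the real C&C list, and the log path, state file and mail relay settings are assumptions to be replaced. Unlike the original script it remembers which client/domain pairs it has already reported, so a looping run only mails about new findings instead of flooding the mailbox.

```powershell
# Added example, not the original script from the post. Domain names, log
# lines, file paths and mail settings below are constructed placeholders.

# Step 1 (run once on the DNS server, commented out because it changes the
# server configuration): log received queries to a file. Path is an assumption.
# Set-DnsServerDiagnostics -Queries $true -ReceivePackets $true -UdpPackets $true -TcpPackets $true `
#     -EnableLoggingToFile $true -LogFilePath 'C:\DNSLogs\dns.log'

# Step 2: indicator list. Placeholders; put the real C&C domains here.
$IndicatorDomains = @('cc-example1.invalid', 'cc-example2.invalid')

# Constructed sample lines in the debug log format ("Rcv ... Q" = query from a client).
# In production read the real file instead: $Lines = Get-Content 'C:\DNSLogs\dns.log'
$SampleLog = @'
3/14/2016 9:01:12 AM 0D4C PACKET  000000B2F6D2A0B0 UDP Rcv 192.168.10.15    a1b2   Q [0001   D   NOERROR] A      (8)intranet(5)local(0)
3/14/2016 9:01:13 AM 0D4C PACKET  000000B2F6D2A0B0 UDP Rcv 192.168.10.42    c3d4   Q [0001   D   NOERROR] A      (11)cc-example1(7)invalid(0)
3/14/2016 9:01:14 AM 0D4C PACKET  000000B2F6D2A0B0 UDP Snd 192.168.10.42    c3d4 R Q [8081   DR  NOERROR] A      (11)cc-example1(7)invalid(0)
3/14/2016 9:01:20 AM 0D4C PACKET  000000B2F6D2A0B0 UDP Rcv 192.168.10.42    e5f6   Q [0001   D   NOERROR] A      (11)cc-example1(7)invalid(0)
3/14/2016 9:02:05 AM 0D4C PACKET  000000B2F6D2A0B0 UDP Rcv 192.168.10.77    0a0b   Q [0001   D   NOERROR] A      (11)cc-example2(7)invalid(0)
'@ -split "`r?`n"

# Matches only queries received from clients ("Rcv ... Q"), not responses ("Snd" / "R Q").
$QueryPattern = '^(?<ts>.+?) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) Rcv (?<client>\S+)\s+\S+\s+Q \[[^\]]*\] (?<qtype>\S+)\s+(?<name>\S+)\s*$'

function ConvertFrom-DnsLabelFormat([string]$Label) {
    # The log writes names as length-prefixed labels: "(11)cc-example1(7)invalid(0)"
    (($Label -replace '\(\d+\)', '.').Trim('.')).ToLowerInvariant()
}

function Test-IndicatorDomain([string]$Name, [string[]]$Indicators) {
    # Exact match or any subdomain of an indicator domain
    foreach ($d in $Indicators) {
        if ($Name -eq $d -or $Name.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-IndicatorLookups([string[]]$Lines, [string[]]$Indicators) {
    $hits = foreach ($line in $Lines) {
        if ($line -match $QueryPattern) {
            $name = ConvertFrom-DnsLabelFormat $Matches['name']
            if (Test-IndicatorDomain $name $Indicators) {
                [pscustomobject]@{ Time = $Matches['ts']; Client = $Matches['client']; Domain = $name; QType = $Matches['qtype'] }
            }
        }
    }
    # One row per client/domain pair with a lookup count, so repeated queries
    # from the same infected host do not each become an alert.
    $hits | Group-Object Client, Domain | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Group[0].Client
            Domain    = $_.Group[0].Domain
            FirstSeen = $_.Group[0].Time
            Lookups   = $_.Count
        }
    }
}

$Findings = Find-IndicatorLookups -Lines $SampleLog -Indicators $IndicatorDomains
$Findings | Format-Table -AutoSize
# Expected with the sample lines: 192.168.10.42 -> cc-example1.invalid (2 lookups),
# 192.168.10.77 -> cc-example2.invalid (1 lookup); the Snd line and intranet.local are ignored.

# Only report pairs not seen in earlier runs (state file path is an assumption).
$StateFile = Join-Path $env:TEMP 'locky-dns-reported.txt'
$Reported  = if (Test-Path $StateFile) { Get-Content $StateFile } else { @() }
$New = $Findings | Where-Object { $Reported -notcontains "$($_.Client)|$($_.Domain)" }

if ($New) {
    $Body = $New | Format-Table -AutoSize | Out-String
    # Mail relay and addresses are placeholders; uncomment with your own values.
    # Send-MailMessage -SmtpServer 'mail.example.local' -From 'dns-watch@example.local' -To 'soc@example.local' `
    #     -Subject "Locky C&C lookups from $(@($New).Count) client(s)" -Body $Body
    $New | ForEach-Object { "$($_.Client)|$($_.Domain)" } | Add-Content $StateFile
}
```

Run it from Task Scheduler or wrap the last part in a loop; because reported client/domain pairs are written to the state file, a second pass over the same log stays silent until a new client or a new domain shows up. A client that appears here should be taken off the network first and investigated afterwards; a DNS lookup proves intent to contact the C&C server, not that the contact succeeded.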

All C&C servers that I have found so far are listed from line 10 onwards. If you know of any more, please let us know.
