Using a SIEM to Identify Cryptolocker

We are seeing more cases of the Cryptolocker/CryptoWall family of malware. Also known as “ransomware”, this type of attack is delivered through spear-phishing methods such as a malicious email attachment. Users must pay a ransom before a set deadline passes or all their files will remain encrypted. Cryptolocker uses a number of techniques (HTTPS, P2P, TOR) to mask its command and control communications.

Security information and event management (SIEM) technology combined with threat intelligence can be effectively used to detect this type of attack. We recommend you ask your MSSP or SIEM Administrator to create the following use cases:

AV Repeat Infection – Track a system that has indicators of infection. If within a twenty-four hour period the system at any time generates additional AV alerts, a repeat infection is in progress and the system may still be compromised.

AV Virus Outbreak – Track multiple systems with the same type of malware on the system. This would detect multiple systems with a Cryptolocker infection detected by an AV product.

Threat Intelligence Profiler Tor Activity – Track systems that connect to an external IP address identified as a Tor exit node and treat this as an indicator of ransomware compromise. CryptoWall has recently used Tor for command and control. Detecting any type of Tor activity, regardless of whether it is user-initiated or related to malware, usually indicates a security incident.

IP Watchlist – Add discovered indicators of compromise to an IP Watchlist to monitor future outbound traffic to these IP addresses. HTTP activity and high-port Tor connections to these addresses are often associated with CryptoWall attacks.

Botnet Webfilter Traffic – Webfilter products such as Blue Coat or Websense will flag all network hits categorized as botnet traffic. These categories (even if only a few hits) are often useful for identifying Cryptolocker/CryptoWall command and control communications.

IDS/IPS Triggers – Use IDS signatures to identify indicators of command and control communications. Fortigate UTM Botnet Application Control events, Palo Alto Networks Spyware IPS events, and Snort Trojan-Activity events all identify many types of malware including ransomware.

Our ProSOC service has detected Cryptolocker with each of the above methods and, fortunately, the detection and remediation occurred early enough in the kill chain to prevent the attacker from encrypting data. In one recent incident, we caught an attempted ransomware infection via one of our AV correlation use cases. If an antivirus product only partially detects an infection, the malicious program will likely keep replicating itself on the system while the AV repeatedly deletes the same file the malware drops, over and over again. We call this a repeat infection. Here is the repeat infection we detected.

Threat name: Troj/Ransom-AQR

Filename: C:\ProgramData\Spydus8\Cat\Conversion\HELP_DECRYPT.HTML

The virus was repeatedly dropping the HTML file that carries the ransom message shown to the user. Our repeat infection correlation discovered a system that could not remediate the infection.
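To make the AV Repeat Infection and AV Virus Outbreak use cases above concrete, and to show how the IP Watchlist / Tor Activity check fits alongside them, the following is an added example of those correlation rules run over a handful of constructed log records. It is illustrative code written for this post, not Proficio's ProSOC implementation or any SIEM vendor's rule syntax. The threat name and file path are the ones quoted in the incident above; the host names, timestamps, thresholds (24-hour window, 2 detections for a repeat, 3 hosts for an outbreak), watchlist entries and IP addresses (RFC 5737 documentation ranges) are all invented assumptions.

```python
"""Toy SIEM correlation rules for the ransomware use cases in this post.

Added example code; not ProSOC's logic. Record layouts, thresholds, hosts
and IP addresses are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AV events: (timestamp, host, threat name, quarantined path).
# Threat name / path mirror the incident quoted above; hosts are invented.
DECRYPT_HTML = r"C:\ProgramData\Spydus8\Cat\Conversion\HELP_DECRYPT.HTML"
AV_EVENTS = [
    ("2015-03-02T08:00:00", "WS-017", "Troj/Ransom-AQR", DECRYPT_HTML),
    ("2015-03-02T08:05:00", "WS-017", "Troj/Ransom-AQR", DECRYPT_HTML),
    ("2015-03-02T09:40:00", "WS-017", "Troj/Ransom-AQR", DECRYPT_HTML),
    ("2015-03-02T08:10:00", "WS-022", "Troj/Ransom-AQR", r"C:\Users\bob\Desktop\HELP_DECRYPT.HTML"),
    ("2015-03-02T08:12:00", "WS-031", "Troj/Ransom-AQR", r"C:\Users\ann\Desktop\HELP_DECRYPT.HTML"),
    ("2015-03-01T10:00:00", "WS-040", "EICAR-Test-File", r"C:\temp\eicar.com"),
    ("2015-03-03T10:00:00", "WS-040", "EICAR-Test-File", r"C:\temp\eicar.com"),  # 48h apart
]

# Constructed watchlist (IP Watchlist / Tor Activity use cases). Placeholder
# addresses only; a real deployment feeds this from threat intelligence.
WATCHLIST = {"203.0.113.25": "tor-exit-node", "198.51.100.77": "cryptowall-c2-ioc"}

# Constructed outbound firewall flows: (host, dst_ip, dst_port, protocol).
FLOWS = [
    ("WS-017", "203.0.113.25", 9001, "tcp"),   # high-port Tor connection
    ("WS-017", "198.51.100.77", 80, "tcp"),    # HTTP to a watchlisted IOC
    ("WS-050", "192.0.2.10", 443, "tcp"),      # ordinary traffic, no hit
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def repeat_infections(events, window=timedelta(hours=24), min_hits=2):
    """AV Repeat Infection: same host + same threat seen >= min_hits within window.

    Returns {(host, threat): detections_in_window} for hosts the AV could not clean.
    """
    by_key = defaultdict(list)
    for ts, host, threat, _path in events:
        by_key[(host, threat)].append(parse_ts(ts))
    hits = {}
    for key, times in by_key.items():
        times.sort()
        # Slide a window forward from each detection; fire on the first
        # start point that has enough follow-on detections inside it.
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_hits:
                hits[key] = n
                break
    return hits


def outbreaks(events, window=timedelta(hours=24), min_hosts=3):
    """AV Virus Outbreak: same threat on >= min_hosts distinct hosts within window.

    Returns {threat: sorted list of affected hosts}.
    """
    by_threat = defaultdict(list)
    for ts, host, threat, _path in events:
        by_threat[threat].append((parse_ts(ts), host))
    result = {}
    for threat, items in by_threat.items():
        items.sort()
        for i, (start, _host) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                result[threat] = sorted(hosts)
                break
    return result


def watchlist_hits(flows, watchlist=WATCHLIST):
    """IP Watchlist / Tor Activity: outbound flows whose destination is listed."""
    return [(host, ip, port, watchlist[ip]) for host, ip, port, _proto in flows if ip in watchlist]


if __name__ == "__main__":
    for (host, threat), n in repeat_infections(AV_EVENTS).items():
        print(f"REPEAT INFECTION  host={host} threat={threat} detections_24h={n}")
    for threat, hosts in outbreaks(AV_EVENTS).items():
        print(f"VIRUS OUTBREAK    threat={threat} hosts={','.join(hosts)}")
    for host, ip, port, tag in watchlist_hits(FLOWS):
        print(f"WATCHLIST HIT     host={host} dst={ip}:{port} tag={tag}")
```

Run stand-alone, the script fires all three rules on the constructed data: WS-017 is flagged as a repeat infection (three detections of the same threat inside the window), Troj/Ransom-AQR is flagged as an outbreak across three hosts, and the two outbound flows from WS-017 match the watchlist while the EICAR detections 48 hours apart correctly stay silent. In a production SIEM these same conditions are expressed as aggregation rules over normalized AV and firewall events; the point of the example is that each use case reduces to a small grouping-and-threshold check.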

In addition to monitoring the above use cases, we recommend you take all the standard precautions against email malware and, of course, backup your data!

Bryan Borra is the SIEM Manager at Proficio Inc