OK, I wrote a batch script that looks at every file and checks to see if it has a crypto-style extension or a crypto-style ransom note.
I.e. known file extensions and ransom notes.
But I am looking for answers to a few questions to help my quest.
In order to help me build my idea below...
Here are my questions...
With the crypto lockers, remote trojans or PowerShell viruses...
Does anyone have a list or know any of the following?
1. What types of items or services do these items typically go after?
I.e. I understand and have a good working list of the types of files that they look for, but again,
what items do you all understand they go after?
Yes, jpgs, pdfs, docs etc., but what is your list?
2. What services do they go after (alter or disable)? (Maybe viruses in general.)
3. What areas do the bad guys try to put symlinks in?
And/or a list of common links they add.
4. Does anyone have an understanding of locations or methods of infection?
I.e. is it any file with jpg, or only c:\users\xxxx\pictures?
And yes, I understand it's 50/50: some hit all, some hit just some directories.
I am looking for specific directories they like / generally target.
5. Does anyone have an understanding of the order in which they infect? (In general; again 50/50.)
But has anyone been able to determine how, or in what order, they infect?
Some other order?
6. Anyone know if these crypto agents can go after hidden directories?
7. Anyone know of a free file-watcher service, or the best way to enable auditing and monitor logs to try to maybe watch live and trigger responses? Without killing a system with overhead?
I was hoping to be able to add rules to my antivirus to look for some of this, but... with mine... not so much.
Here is my idea.
Make a canary in a cage, or honeypot.
Put test files of jpgs / docs / pdfs etc. in directories and run test scripts watching these files.
Why this vs. all?
My testing writing all files to a text file via batch takes about 5 mins, a bunch of CPU and 30 MB or more to do this every X mins.
I'm thinking only do a big scan at night and small honeypot scans during the day.
But I need to help my odds by having it find these more quickly, by maybe naming test directories like
000 AAA ZZZ
I.e. if they are hitting 0-Z it would get hit first, ZZZ if they are hitting backwards.
Also by watching services.
I.e. if X services are suddenly disabled.
Kind of a poor man's tripwire, but more targeted at Windows machines and as least impactful as possible.
Again, just looking to fill in the gaps that my A/V is not watching or detecting.
And yes, I am using policies and CryptoPrevent to try to stop some of this, but they got through 2 systems with full A/V policies and CryptoPrevent (non-full) via a regular user (I think).
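One way to build the canary/honeypot watcher described above, as an added PowerShell example (not the poster's batch script): it seeds bait files in 000/AAA/ZZZ directories, records their SHA256 hashes, and uses a .NET FileSystemWatcher so there is no periodic full scan, logging an alert when a bait file is changed, renamed or deleted or when a ransom-note-like filename appears. The C:\Canary root and the note-name patterns are assumptions to adjust for your environment.

```powershell
# Added example, not the poster's script. Assumed layout: everything lives under C:\Canary.
$CanaryRoot = 'C:\Canary'
$State = @{
    LogFile   = Join-Path $CanaryRoot 'canary.log'
    # Placeholder ransom-note name patterns; replace with your own known-note list.
    NoteNames = @('*DECRYPT*.txt', '*RESTORE*FILES*.txt', '*.hta')
    Baseline  = @{}   # bait file path -> SHA256 recorded at seeding time
}
# Directory names chosen so an alphabetical or reverse-alphabetical sweep reaches them first.
$CanaryDirs = '000', 'AAA', 'ZZZ' | ForEach-Object { Join-Path $CanaryRoot $_ }

foreach ($dir in $CanaryDirs) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($ext in 'jpg', 'docx', 'pdf') {
        $path = Join-Path $dir "canary.$ext"
        if (-not (Test-Path $path)) {
            # Content is filler; only its hash matters for change detection.
            Set-Content -Path $path -Value "canary $ext seeded $(Get-Date -Format o)"
        }
        $State.Baseline[$path] = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    }
}

# Runs inside the event job; shared state arrives via $Event.MessageData, not script scope.
$OnChange = {
    $s = $Event.MessageData; $e = $Event.SourceEventArgs
    $path = $e.FullPath; $leaf = Split-Path $path -Leaf; $kind = $e.ChangeType.ToString()
    $reason = $null
    if ($kind -in 'Renamed', 'Deleted') { $reason = "$kind $path" }
    elseif ($s.NoteNames | Where-Object { $leaf -like $_ }) { $reason = "possible ransom note $path" }
    elseif ($s.Baseline.ContainsKey($path)) {
        # A file being rewritten may be locked; treat unreadable as changed rather than silent.
        try { $now = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { $now = 'unreadable' }
        if ($now -ne $s.Baseline[$path]) { $reason = "canary content changed $path" }
    }
    if ($reason) {
        $line = '{0} ALERT {1}' -f (Get-Date -Format o), $reason
        Add-Content -Path $s.LogFile -Value $line
        Write-Host $line -ForegroundColor Red
    }
}

$Watchers = foreach ($dir in $CanaryDirs) {
    $w = New-Object IO.FileSystemWatcher -ArgumentList $dir -Property @{ EnableRaisingEvents = $true }
    foreach ($evt in 'Created', 'Changed', 'Renamed', 'Deleted') {
        Register-ObjectEvent -InputObject $w -EventName $evt -Action $OnChange -MessageData $State | Out-Null
    }
    $w
}
"Watching $($CanaryDirs -join ', '); alerts logged to $($State.LogFile). Ctrl+C to stop."
while ($true) { Start-Sleep -Seconds 5 }
```

Hooking the alert branch to a response (for example stopping the SMB server service or shutting the machine down) is where a "trigger responds" step would go; test it on a throwaway VM first, since a false positive will fire the same response.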