[Samba] Ransomware?
Neil Price
nprice at gibb.co.za
Mon May 16 15:00:25 UTC 2016
There is malware that names the files .crypt.

A novel solution here:
https://isc.sans.edu/diary/Novel+method+for+slowing+down+Locky+on+Samba+server+using+fail2ban/20805
though it seems Locky-specific.
I use this non-samba solution in cron.hourly. Pretty awful, but it works for malware that I know
about. I have fast drives, so updatedb only takes a few seconds.
#!/bin/sh
# Hourly sweep of the locate database for file names left behind by known ransomware.
# Each locate call exits non-zero when nothing matches, so the mail is only sent on a hit.
updatedb
sleep 20   # the posted script had "wait 20"; in sh, wait takes a PID, sleep is the intended delay
if locate DECRYPT > /tmp/cryptowall; then
    # recipient address was munged by the list archive ("support at domain.com"); restored here
    mail -s "PANIC! Possible Server Cryptowall found" support@domain.com </tmp/cryptowall
#else
#    echo "not found";
fi
# quoted so the shell does not strip the backslashes before locate sees the regex
if locate --regex 'INSTRUCTIONS_.{3,10}\.png' > /tmp/cryptowall1; then
    mail -s "Possible Cryptowall 4.0 found on server" support@domain.com </tmp/cryptowall1
fi
if locate HELP_YOUR_FILES > /tmp/cryptowall1; then
    mail -s "Possible Cryptowall 4.0 found on server" support@domain.com </tmp/cryptowall1
fi
if locate .locky > /tmp/cryptowall1; then
    mail -s "Possible Locky crypto found on server" support@domain.com </tmp/cryptowall1
fi
if locate .cerber > /tmp/cryptowall1; then
    mail -s "Possible Cerber crypto found on server" support@domain.com </tmp/cryptowall1
fi
if locate .crypt > /tmp/cryptowall1; then
    mail -s "Possible CRYPTXXX crypto found on server" support@domain.com </tmp/cryptowall1
fi
if locate _DECRYPT_INFO_ > /tmp/cryptowall1; then
    mail -s "Possible Maktub crypto found on server" support@domain.com </tmp/cryptowall1
fi
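The same marker list, as an added example that is not the poster's script: one find pass over a share instead of six locate calls against a freshly rebuilt database, tagging each hit with the family the post associates with that name so one alert can list everything found. The function name, the share path and the sample file names are assumptions; the INSTRUCTIONS_ pattern is approximated with a glob because POSIX find has no --regex.

```shell
#!/bin/sh
# scan_markers SHARE_ROOT
# Walks one filesystem under SHARE_ROOT and prints "family<TAB>path" for every
# file whose name matches a marker from the post above. Exit status is find's,
# so it can run unattended from cron; count_markers gives the number of hits.
scan_markers() {
    root="$1"
    find "$root" -xdev \( \
        -name '*DECRYPT*' -o \
        -name 'INSTRUCTIONS_*.png' -o \
        -name 'HELP_YOUR_FILES*' -o \
        -name '*.locky' -o \
        -name '*.cerber' -o \
        -name '*.crypt' \
    \) -type f -print 2>/dev/null | while IFS= read -r path; do
        base=$(basename "$path")
        # most specific names first; the DECRYPT substring is the catch-all
        case "$base" in
            *.locky)              fam="Locky" ;;
            *.cerber)             fam="Cerber" ;;
            *.crypt)              fam="CryptXXX" ;;
            _DECRYPT_INFO_*)      fam="Maktub" ;;
            INSTRUCTIONS_*.png)   fam="Cryptowall 4.0" ;;
            HELP_YOUR_FILES*)     fam="Cryptowall 4.0" ;;
            *)                    fam="Cryptowall (DECRYPT note)" ;;
        esac
        printf '%s\t%s\n' "$fam" "$path"
    done
}

# count_markers SHARE_ROOT : number of marker files found (0 when clean)
count_markers() {
    scan_markers "$1" | wc -l | tr -d ' '
}

# Example cron use (assumed path, not invoked here):
#   hits=$(scan_markers /srv/samba/share) && [ -n "$hits" ] && \
#       printf '%s\n' "$hits" | mail -s "Ransomware markers on share" support@domain.com
```

Because it walks the live tree rather than the locate database, it sees files created since the last updatedb, at the cost of a full directory scan per run.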