This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Malware simulation

Hi,

In an attempt to trigger CryptoGuard in a test setting I wrote several test scripts encrypting 50k+ files on disk in suspicious file paths. None of them seem to have triggered Cryptoguard, which makes me wonder if it's triggered solely on known IOC's. My first thought was that the number of I/O operations would have been enough to trigger an alarm, but it didn't. Is there something to be said about the detection that could help me trigger an alarm?

This thread was automatically locked due to age.

Top Replies

Kyle Parrish over 2 years ago in reply to RichardP +1 verified

So, I took a bunch of files (copied the "Program Files (x86)" dir) and ran this against it. https://gist.github.com/arnydo/a0c41325e579b7dae3c8abd1a6b13980 Triggered CryptoGuard.

Parents

0 RichardP over 2 years ago

It all comes down to context and actions. How did you do the encryption? A Powershell script that calls on Windows to encrypt the file?

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Kyle Parrish over 2 years ago in reply to RichardP

I used the .Net AesCryptoServiceProvider in PowerShell and ran it against a directory of files, renaming them as it went. Seemed to trigger Sophos after certain number of files were encrypted. I forgot what the threshold was, it has been a while.
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 2 years ago in reply to Kyle Parrish

what you describe is what I would expect to happen. CG doesn't trigger instantly - it monitors an has a context dependent rule set that will trigger when the the thresholds/criteria are met.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 dc31xx over 2 years ago in reply to Kyle Parrish

I did use AesCryptoServiceProvider as well against more than 50k files, renaming them to .encrypted after encrypting them. I also ran test where I encrypt/decrypt them multiple times etc. but all without any luck. After that I created a .NET executable (.exe) to try if that makes a difference, but it didn't.

Can you tell more about the files you encrypted? (file size, age) that might be different. Also, did you test recently, or was that some time ago? Thanks for the responses so far!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dc31xx over 2 years ago in reply to Kyle Parrish

I did use AesCryptoServiceProvider as well against more than 50k files, renaming them to .encrypted after encrypting them. I also ran test where I encrypt/decrypt them multiple times etc. but all without any luck. After that I created a .NET executable (.exe) to try if that makes a difference, but it didn't.

Can you tell more about the files you encrypted? (file size, age) that might be different. Also, did you test recently, or was that some time ago? Thanks for the responses so far!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Kyle Parrish over 2 years ago in reply to dc31xx

It looks like I tested this the beginning of 2020.

Ill run it again and see what happens.
Cancel
Vote Up 0 Vote Down

Cancel
0 RichardP over 2 years ago in reply to Kyle Parrish

Please, let me know the results.

RichardP

Program Manager, Support Readiness | CISSP | Sophos Technical Support
Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Kyle Parrish over 2 years ago in reply to RichardP

So, I took a bunch of files (copied the "Program Files (x86)" dir) and ran this against it. https://gist.github.com/arnydo/a0c41325e579b7dae3c8abd1a6b13980

Triggered CryptoGuard.
Cancel
Vote Up +1 Vote Down

Cancel
0 dc31xx over 2 years ago in reply to Kyle Parrish

Kyle Parrish said:
(copied the "Program Files (x86)" dir)

Thanks Kyle.. I think this is the only noteworthy difference between your attempt and mine. I created dummy text files (created by another proces to make it less obvious).
Cancel
Vote Up 0 Vote Down

Cancel
0 Kyle Parrish over 2 years ago in reply to dc31xx

If I remember correctly, when I ran this test last year I had created dummy files as well, but made sure to include many different file/mime types. This triggered it as well.
Cancel
Vote Up 0 Vote Down

Cancel
0 dc31xx over 2 years ago in reply to Kyle Parrish

Good to know. That I didn't do. Thanks.
Cancel
Vote Up 0 Vote Down

Cancel
0 Kyle Parrish over 2 years ago in reply to dc31xx

You can run this too www.knowbe4.com/ransomware-simulator
Cancel
Vote Up 0 Vote Down

Cancel