Checking file headers, combined with last-write times, looks like an effective means of detection. An encrypted file's first bytes are effectively random, so they match neither the expected signature for the extension nor even each other, and when crypto-ransomware hits, the write times of the affected files fall VERY close together. The write times are what weed out false positives: a single document with an odd header is an oddity, while hundreds of mismatches written within a few minutes of each other are an incident.
Turning to PowerShell, I borrowed from Will at http://learningpcs.blogspot.com/2012/07/powershell-v3-check-file-headers.html. I made some minor modifications to his script, limiting the file types it targets and making it search recursively through the directory tree of its target. Enable verbose messaging and you will see the headers for any mismatches, so you can add your own signatures if needed. This script will ONLY tell you about mismatches.
```powershell
# http://learningpcs.blogspot.com/2012/07/powershell-v3-check-file-headers.html
# http://garcol.blogspot.com/2014/07/detecting-cryptolockercryptowall-by.html
function Check-Header {
    [CmdletBinding()]   # required so that -Verbose reaches the Write-Verbose call below
    param( $path )

    # Hexadecimal signatures for expected files
    $pdf  = '25504446'   # "%PDF"
    $doc  = 'D0CF11E0'   # OLE2 compound document (legacy .doc/.xls)
    $docx = '504B0304'   # ZIP local file header (OOXML .docx/.xlsx)
    $xls  = 'D0CF11E0'
    $xls2 = '093C7461'   # tab + "<ta": likely a tab-indented HTML <table> saved with an .xls extension
    $xlsx = '504B0304'

    $targets = Get-ChildItem -File -Path $path -Recurse -Include ('*.pdf','*.doc','*.docx','*.xls','*.xlsx') |
        Select-Object FullName, LastWriteTime

    foreach ($file in $targets) {
        # Get content of each file (up to 4 bytes) for analysis.
        # -Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead.
        $HeaderAsHexString = ''
        [Byte[]]$fileheader = Get-Content -Path $file.FullName -TotalCount 4 -Encoding Byte
        foreach ($byte in $fileheader) {
            # zero-pad every byte to two hex digits so '0A' is not emitted as 'A'
            $HeaderAsHexString += '{0:X2}' -f $byte
        }

        # Validate file header: only files whose first bytes match none of the signatures are reported
        if (@($pdf, $doc, $docx, $xls, $xls2, $xlsx) -contains $HeaderAsHexString) {
            # do nothing
        } else {
            $file
            Write-Verbose -Message $HeaderAsHexString
        }
    }
}
```
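The script above reports header mismatches but leaves the write-time half of the idea to the reader. The following is an added example, not code from the post or from Will's original, that checks the same extensions against the same signatures and then groups the mismatches by last-write time so a burst of rewrites stands out from the odd stray file. The function name, the `$MinimumCount` and `$WindowMinutes` thresholds, and the choice to read the header through a .NET `FileStream` (so it runs unchanged on Windows PowerShell and PowerShell 7) are my assumptions; tune the thresholds to the share you are scanning.

```powershell
# Added example: header check plus write-time clustering. Not part of the original post.
function Find-EncryptedDocumentBurst {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed thresholds: this many header mismatches, each written within
        # $WindowMinutes of the previous one, is treated as a suspicious burst.
        [int] $MinimumCount  = 10,
        [int] $WindowMinutes = 15
    )

    # Expected magic bytes keyed by extension (same signature set as the post's script).
    $expected = @{
        '.pdf'  = @('25504446')
        '.doc'  = @('D0CF11E0')
        '.docx' = @('504B0304')
        '.xls'  = @('D0CF11E0', '093C7461')
        '.xlsx' = @('504B0304')
    }
    $patterns = @('*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx')

    # Collect every file whose first four bytes match none of the signatures for its extension.
    $mismatches = foreach ($file in Get-ChildItem -File -Path $Path -Recurse -Include $patterns) {
        $buf = New-Object byte[] 4
        $stream = [System.IO.File]::OpenRead($file.FullName)
        try   { $read = $stream.Read($buf, 0, 4) }
        finally { $stream.Dispose() }

        # A file shorter than four bytes cannot carry a valid signature; treat it as a mismatch.
        $hex = if ($read -eq 4) { -join ($buf | ForEach-Object { '{0:X2}' -f $_ }) } else { '' }

        $ext = $file.Extension.ToLower()
        if ($expected[$ext] -notcontains $hex) {
            Write-Verbose ("{0}  header={1}  written={2}" -f $file.FullName, $hex, $file.LastWriteTime)
            [pscustomobject]@{
                FullName      = $file.FullName
                LastWriteTime = $file.LastWriteTime
                Header        = $hex
            }
        }
    }

    # Walk the mismatches in write-time order and start a new cluster whenever the
    # gap to the previous mismatch exceeds the window. Ransomware produces one dense
    # cluster; legitimate oddities are scattered over days and fall into tiny clusters.
    $sorted   = @($mismatches | Sort-Object LastWriteTime)
    $clusters = @()
    $current  = @()
    foreach ($m in $sorted) {
        if ($current.Count -gt 0 -and
            ($m.LastWriteTime - $current[-1].LastWriteTime).TotalMinutes -gt $WindowMinutes) {
            $clusters += ,$current
            $current = @()
        }
        $current += $m
    }
    if ($current.Count -gt 0) { $clusters += ,$current }

    # One summary object per cluster; Suspicious is the field to alert on.
    foreach ($c in $clusters) {
        [pscustomobject]@{
            Start      = $c[0].LastWriteTime
            End        = $c[-1].LastWriteTime
            Count      = $c.Count
            Suspicious = ($c.Count -ge $MinimumCount)
            Files      = @($c.FullName)
        }
    }
}

# Usage (path is a placeholder): list only the bursts worth waking someone up for.
# Find-EncryptedDocumentBurst -Path 'D:\Shares\Finance' -Verbose | Where-Object Suspicious
```

Run it with `-Verbose` the first time on a share you trust: every mismatch is printed with its header bytes, so a legitimate format that keeps showing up (an old HTML-as-.xls export, for instance) can be added to `$expected` rather than left to inflate the clusters.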