Catch Ransomware With a Hand in the SMB Share

There are many ways to detect ransomware at the network level: some families check in with their C&C before encrypting files, some send a report when they're done encrypting; other samples can be detected by the hash of a known SSL certificate, or by the .onion domain used to pay the ransom.

Some more indicators of compromise (IoCs) can be used on the endpoint: ransomware often appends a custom file extension to encrypted files (even if the latest variants avoid doing so) and, in addition, leaves a trail of instruction files for the victim.

Those same endpoint IoCs can be used on the network to detect whether the ransomware is encrypting files on mapped and unmapped SMB shares. Here are some template Snort/Suricata signatures valid for both SMB (0xA2 SMB_COM_NT_CREATE_ANDX command) and SMB2 (0x05 SMB2 CREATE command). The SMBv1 rules come in ASCII/Unicode pairs because the file name in the request is either ASCII or UTF-16LE depending on the SMB_FLAGS2_UNICODE bit of the header's Flags2 field, which the byte_test checks; SMB2 file names are always UTF-16LE. SMB3 cannot be covered because "unfortunately" it adds an encryption layer.

alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv1 (.EXT ASCII)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:".EXT"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv1 (.EXT Unicode)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:".|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv1 (FILENAME.EXT ASCII)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,!&,0x80,6,relative; content:"FILENAME.EXT"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000003; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv1 (FILENAME.EXT Unicode)"; flow:established,to_server; content:"|FF|SMB|A2|"; offset:4; depth:5; byte_test:1,&,0x80,6,relative; content:"F|00|I|00|L|00|E|00|N|00|A|00|M|00|E|00|.|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Encrypted File over SMBv2 (.EXT)"; flow:established,to_server; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:0; content:".|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000005; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"CERTEGO TROJAN Possible FAMILYNAME Ransomware Writing Instructions File over SMBv2 (FILENAME.EXT)"; flow:established,to_server; content:"|FE|SMB|40 00|"; offset:4; depth:6; content:"|05 00|"; distance:0; content:"F|00|I|00|L|00|E|00|N|00|A|00|M|00|E|00|.|00|E|00|X|00|T|00|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,www.certego.net/en/news/catch-ransomware-smb-share/; classtype:trojan-activity; sid:9000006; rev:1;)
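To show what the offsets in the template rules actually test, here is an added Python example (not part of the original post or of Certego's rules) that builds constructed, minimal SMB1 NT_CREATE_ANDX and SMB2 CREATE requests and applies the same checks the rules do: the protocol signature at offset 4, the SMB_FLAGS2_UNICODE bit reached by the byte_test, and the ASCII or UTF-16LE file-name search. The packet builders, their zeroed field padding and the sample names are assumptions for illustration only; the requests are not complete, valid PDUs.

```python
import struct

SMB1_FLAGS2_UNICODE = 0x8000  # Flags2 bit: file names are UTF-16LE rather than ASCII
SMB2_CREATE = 0x0005          # SMB2 header Command value for CREATE

def nbss(smb: bytes) -> bytes:
    """Prepend the 4-byte NetBIOS session header that precedes every SMB PDU on TCP/445."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def smb1_nt_create_andx(name: str, unicode: bool) -> bytes:
    """Constructed, minimal SMB1 NT_CREATE_ANDX (0xA2) request carrying a file name."""
    flags2 = SMB1_FLAGS2_UNICODE if unicode else 0
    # Protocol, Command, Status, Flags, Flags2, then the 20 bytes of PID/TID/UID/MID fields
    hdr = (b"\xffSMB" + bytes([0xA2]) + b"\x00" * 4 + b"\x18"
           + struct.pack("<H", flags2) + b"\x00" * 20)
    fname = (name + "\x00").encode("utf-16-le" if unicode else "ascii")
    params = b"\x18" + b"\x00" * 48  # WordCount=24 followed by zeroed parameter words
    return nbss(hdr + params + struct.pack("<H", len(fname)) + fname)

def smb2_create(name: str) -> bytes:
    """Constructed, minimal SMB2 CREATE (0x0005) request; SMB2 names are always UTF-16LE."""
    # ProtocolId, StructureSize=64, CreditCharge, Status, Command, then 50 bytes of other fields
    hdr = b"\xfeSMB" + struct.pack("<HHIH", 64, 0, 0, SMB2_CREATE) + b"\x00" * 50
    body = b"\x00" * 56  # stands in for the CREATE request structure before the name
    return nbss(hdr + body + name.encode("utf-16-le"))

def classify(payload: bytes, needle: str):
    """Apply the same checks as the template rules; return which variant fires, or None."""
    # SMBv1 templates: content:"|FF|SMB|A2|"; offset:4; depth:5
    if payload[4:9] == b"\xffSMB\xa2":
        # byte_test:1,&,0x80,6,relative lands on byte 15: the high byte of little-endian
        # Flags2, i.e. the SMB_FLAGS2_UNICODE bit that decides the file-name encoding
        unicode = bool(payload[15] & 0x80)
        enc = needle.encode("utf-16-le" if unicode else "ascii")
        if enc in payload:
            return "SMBv1 Unicode" if unicode else "SMBv1 ASCII"
        return None
    # SMBv2 templates: content:"|FE|SMB|40 00|"; offset:4; depth:6 then content:"|05 00|".
    # The templates use distance:0 (any later 05 00); here the Command field is pinned to
    # header byte 12 (payload byte 16) so a stray 05 00 elsewhere cannot satisfy the check.
    if payload[4:10] == b"\xfeSMB\x40\x00" and payload[16:18] == b"\x05\x00":
        if needle.encode("utf-16-le") in payload:
            return "SMBv2"
    return None
```

If you want the same precision in the SMBv2 signatures themselves, `distance:6; within:2;` on the `|05 00|` content pins it to the Command field in the same way.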

What follows is just an example of how those template signatures could be instantiated for older Locky and CryptoFortress samples; only the rule messages are listed, with the extension and instruction file name substituted into the templates above. More ransomware families can easily be added, or existing ones updated to reflect the latest changes (the old cat-and-mouse game).

CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv1 (.locky ASCII)
CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv1 (.locky Unicode)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv1 (_HELP_instructions.txt ASCII)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv1 (_HELP_instructions.txt Unicode)
CERTEGO TROJAN Possible Locky Ransomware Writing Encrypted File over SMBv2 (.locky)
CERTEGO TROJAN Possible Locky Ransomware Writing Instructions File over SMBv2 (_HELP_instructions.txt)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv1 (.frtrss ASCII)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv1 (.frtrss Unicode)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv1 (READ IF YOU WANT YOUR FILES BACK.html ASCII)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv1 (READ IF YOU WANT YOUR FILES BACK.html Unicode)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Encrypted File over SMBv2 (.frtrss)
CERTEGO TROJAN Possible CryptoFortress Ransomware Writing Instructions File over SMBv2 (READ IF YOU WANT YOUR FILES BACK.html)