Ransomware Quarantine Using ExtraHop

One of ExtraHop’s key differentiators is its ability to detect ransomware attacks while they are in progress. It does this by analyzing all of the CIFS (SMB) file-share traffic on the wire in real time and deciding whether the activity is malicious on the basis of four rules, described below.

Ransomware Type Definitions:

BLACKLIST

This rule checks file extensions against a list of known “bad” extensions. Many ransomware variants rename files with a fixed pattern as they encrypt them (e.g. resume.doc becomes resume.doc.encrypted), so a write using one of those extensions is a strong signal. Type 1 detection uses a configurable file-extension blacklist.

WHITELIST

More recent variants of ransomware (such as CryptoWall) rewrite filenames and extensions at random (e.g. resume.doc could become resume.doc.3yur5), so no blacklist can keep up with them. Type 2 detection inverts the approach and uses a file-extension whitelist: for every CIFS WRITE/DELETE/MODIFY operation the appliance extracts the full filename and its extension and compares the extension against a list of known “good” extensions. It then counts the number of unique invalid (non-whitelisted) extensions observed per client IP over a configurable time period and alerts when that count crosses its threshold.

FILE TOTALS

Type 3 looks at the total number of files with invalid extensions written during a time interval “y”. Unlike Type 2, it does not care whether the invalid extensions are unique or all the same, only that they do not match the whitelist. The data structure tracked per client therefore looks like this: (clientip, [“tomfile1.qqq”, “tomfile2.qqq”, “tomfile3.qqq”, “tomfile4.yyy”, “tomfile5.zzz”])

KNOWN FILES

Lastly, Type 4 uses a separate blacklist of filenames intended to catch the “ransom notes” that most crypto-ransomware variants leave behind. Because these variants drop files containing instructions on how to pay and decrypt, the appliance can watch for well-known names such as “HOW TO DECRYPT.TXT”.
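To make the four rules concrete, here is an added example that is not ExtraHop’s own detection code: a small PowerShell stand-in that applies BLACKLIST, WHITELIST, FILE TOTALS and KNOWN FILES to a handful of constructed CIFS write events. The extension lists, the thresholds, the 60-second window and the sample events are all assumptions; the point is to show how the per-file rules (1 and 4) and the per-client counting rules (2 and 3) differ in what they track.

```powershell
# Added example, not ExtraHop's own detection code: a stand-in for the four rules above,
# run over constructed CIFS write events. The lists, thresholds and window are assumptions.
$Blacklist   = @('.encrypted', '.locked', '.crypt')                        # BLACKLIST: known-bad extensions
$Whitelist   = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.txt', '.jpg')  # WHITELIST / FILE TOTALS: known-good
$RansomNotes = @('HOW TO DECRYPT.TXT', 'DECRYPT_INSTRUCTIONS.HTML')          # KNOWN FILES: ransom-note names
$UniqueInvalidThreshold = 3   # WHITELIST: distinct unknown extensions per client in the window
$TotalInvalidThreshold  = 4   # FILE TOTALS: files with unknown extensions per client in the window
$WindowSeconds          = 60

function Get-FileName {
    param([string]$Path)
    return ($Path -split '[\\/]')[-1]   # last component of a UNC or POSIX-style path
}
function Get-Extension {
    param([string]$Path)
    $name = Get-FileName $Path
    $dot  = $name.LastIndexOf('.')
    if ($dot -lt 0) { return '' }       # no extension: neither valid nor invalid
    return $name.Substring($dot).ToLowerInvariant()
}

function Find-RansomwareActivity {
    param([object[]]$Events)            # each event: ClientIp, Op, Path, Time ([datetime])
    $hits   = New-Object System.Collections.Generic.List[object]
    $writes = @($Events | Where-Object { $_.Op -in @('WRITE', 'DELETE', 'MODIFY') })

    # Per-file rules: BLACKLIST and KNOWN FILES fire on a single operation
    foreach ($e in $writes) {
        if ((Get-Extension $e.Path) -in $Blacklist) {
            $hits.Add([pscustomobject]@{ ClientIp = $e.ClientIp; Rule = 'BLACKLIST';   Evidence = $e.Path })
        }
        if ((Get-FileName $e.Path).ToUpperInvariant() -in $RansomNotes) {
            $hits.Add([pscustomobject]@{ ClientIp = $e.ClientIp; Rule = 'KNOWN FILES'; Evidence = $e.Path })
        }
    }

    # Per-client rules: WHITELIST and FILE TOTALS count non-whitelisted extensions in the
    # trailing window that ends at the client's most recent operation
    foreach ($group in ($writes | Group-Object ClientIp)) {
        $latest  = ($group.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        $invalid = @($group.Group | Where-Object {
            $ext = Get-Extension $_.Path
            $_.Time -ge $latest.AddSeconds(-$WindowSeconds) -and $ext -ne '' -and $ext -notin $Whitelist
        })
        $uniqueExts = @($invalid | ForEach-Object { Get-Extension $_.Path } | Sort-Object -Unique)
        if ($uniqueExts.Count -ge $UniqueInvalidThreshold) {
            $hits.Add([pscustomobject]@{ ClientIp = $group.Name; Rule = 'WHITELIST';   Evidence = ($uniqueExts -join ',') })
        }
        if ($invalid.Count -ge $TotalInvalidThreshold) {
            $hits.Add([pscustomobject]@{ ClientIp = $group.Name; Rule = 'FILE TOTALS'; Evidence = "$($invalid.Count) files" })
        }
    }
    return $hits
}

# Constructed sample events (not real traffic): 10.0.0.5 is a normal user, 10.0.0.77 behaves like CryptoWall
$t0 = Get-Date '2020-01-01T03:00:00'
$sample = @(
    @{ ClientIp = '10.0.0.5';  Op = 'WRITE'; Path = '\\fs1\share\budget.xlsx';        Time = $t0 },
    @{ ClientIp = '10.0.0.5';  Op = 'WRITE'; Path = '\\fs1\share\notes.txt';          Time = $t0.AddSeconds(10) },
    @{ ClientIp = '10.0.0.77'; Op = 'WRITE'; Path = '\\fs1\share\resume.doc.3yur5';   Time = $t0.AddSeconds(5) },
    @{ ClientIp = '10.0.0.77'; Op = 'WRITE'; Path = '\\fs1\share\photo.jpg.k2p9a';    Time = $t0.AddSeconds(6) },
    @{ ClientIp = '10.0.0.77'; Op = 'WRITE'; Path = '\\fs1\share\plan.pdf.qq1x';      Time = $t0.AddSeconds(7) },
    @{ ClientIp = '10.0.0.77'; Op = 'WRITE'; Path = '\\fs1\share\old.xls.encrypted';  Time = $t0.AddSeconds(8) },
    @{ ClientIp = '10.0.0.77'; Op = 'WRITE'; Path = '\\fs1\share\HOW TO DECRYPT.TXT'; Time = $t0.AddSeconds(9) }
) | ForEach-Object { [pscustomobject]$_ }

Find-RansomwareActivity -Events $sample | Format-Table -AutoSize
```

On this sample the first client produces no hits, while 10.0.0.77 trips all four rules: .encrypted is on the blacklist, the ransom-note name matches, and its four non-whitelisted extensions satisfy both the unique-extension and the total-file thresholds. Note that the ransom note itself ends in .txt and so is never counted as an invalid extension, which is exactly why Type 4 exists as a separate rule.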


ExtraHop sends an alert when it detects activity matching one of these definitions. That is excellent, but it still leaves the question of response, which matters a great deal when the alert fires at 3:00 am and nobody is watching the console.

While ExtraHop doesn’t automate response actions natively, it makes them easy to build. Beyond its integrations with tools like ServiceNow, Phantom and IBM QRadar, the extensibility of the platform makes it possible to create custom triggers for response actions. In this case I wrote a PowerShell script, kicked off by a ransomware alert, that quarantines the infected machine both to preserve it for forensic analysis and to protect the rest of the network.

That script calls the ExtraHop REST API to pull details about the infected machine.

The first step was to craft the API call for each of the four ransomware types.

Note that $uri2 is used by the quarantine action performed later in the script via vCenter.

After some testing I found that the ExtraHop REST API returns a large amount of information. That is normally welcome, but to put the one value we need into a variable for the isolation step we have to extract specific fields, such as the client’s IP address. I used a very basic regex to do this. Be aware that a bare IPv4 regex matches every address in the response, not just the client’s, so it needs to be anchored to the client field (or the JSON parsed with ConvertFrom-Json) to avoid isolating the wrong host.


At this point, we just have to put it all together and quarantine the infected host. 

This is the engine of the script. Once ExtraHop sends a ransomware alert, the script makes one API call for each of the four ransomware types to determine which one fired. When a call returns a result, the script extracts the IP address of the infected machine and passes it to a vCenter API call that “unplugs” the virtual Ethernet cable of that virtual machine so the infection cannot spread. It also takes a snapshot of the machine to preserve its state at that moment for analysis.

We can perform quarantine actions in other ways as well. 

● Change the VLAN of the virtual machine to segment it from the rest of the network.

● Call the switch’s API to shut down a specific port, for environments with only physical machines.


Finally, the script records when it last ran and which clients it quarantined.
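The post shows its script only as screenshots, so here is an added PowerShell example, written for this page rather than taken from the author’s script, that follows the same flow end to end: one ExtraHop REST call per rule, the client IP pulled out of the response, the VM isolated in vCenter and snapshotted, and a log line recording the run. It requires VMware PowerCLI (Connect-VIServer, Get-VM, Get-NetworkAdapter, Set-NetworkAdapter, New-Snapshot). The appliance and vCenter names, the EXTRAHOP_API_KEY environment variable, the “Quarantine” port-group name, the never-quarantine addresses and the log path are assumptions; the per-rule query URIs are not shown on the page, so the caller supplies them in $TypeQueries. The VLAN alternative from the list above is included as a switch.

```powershell
# Added example, not the post's own script. Same flow as described above: query ExtraHop per
# rule, extract the client IP, disconnect (or re-home) the VM's NIC in vCenter, snapshot it, log.
# Requires VMware.PowerCLI. Host names, key source, port-group name and log path are assumptions.
param(
    [Parameter(Mandatory)][hashtable]$TypeQueries,        # 'BLACKLIST' => full alert-query URI, etc.
    [string]$ExtraHopHost = 'extrahop.example.local',     # assumed appliance name
    [string]$ApiKey       = $env:EXTRAHOP_API_KEY,        # keep the key out of the script body
    [string]$VCenterHost  = 'vcenter.example.local',      # assumed vCenter name
    [string[]]$NeverQuarantine = @('10.0.0.10', '10.0.0.11'),  # file servers / DCs; assumed addresses
    [string]$LogPath      = "$PSScriptRoot\quarantine.log",
    [switch]$MoveToQuarantineNetwork                      # VLAN alternative instead of unplugging
)
$ErrorActionPreference = 'Stop'
# ExtraHop REST authentication header. If the appliance uses a self-signed certificate,
# trust that certificate on the host running this script rather than disabling validation.
$Headers = @{ Authorization = "ExtraHop apikey=$ApiKey"; Accept = 'application/json' }

function Get-ClientIpsFromResponse {
    # The post pulls the IP out of the raw response with a regex; keep that, but de-duplicate
    # and drop anything on the never-quarantine list so a noisy response cannot isolate a server.
    param([string]$Body)
    $ipRegex = '\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b'
    [regex]::Matches($Body, $ipRegex) |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique |
        Where-Object { $_ -notin $NeverQuarantine }
}

function Invoke-VMQuarantine {
    param([string]$ClientIp)
    # Find the VM by the guest IP that VMware Tools reports (assumes Tools is running).
    $vm = Get-VM | Where-Object { $_.Guest.IPAddress -contains $ClientIp } | Select-Object -First 1
    if (-not $vm) { throw "no VM reports guest IP $ClientIp" }
    $nics = Get-NetworkAdapter -VM $vm
    if ($MoveToQuarantineNetwork) {
        # Alternative from the post: keep the cable plugged in but move it to an isolated port group
        $nics | Set-NetworkAdapter -NetworkName 'Quarantine' -Confirm:$false | Out-Null  # assumed name
    } else {
        # "Unplug the virtual Ethernet cable" first so the host stops talking while we snapshot;
        # -StartConnected:$false keeps it unplugged across a reboot
        $nics | Set-NetworkAdapter -Connected:$false -StartConnected:$false -Confirm:$false | Out-Null
    }
    # Snapshot with memory so running-process state survives for forensics
    New-Snapshot -VM $vm -Name "ransomware-$(Get-Date -Format 'yyyyMMdd-HHmmss')" `
        -Description 'Isolated after ExtraHop ransomware alert' -Memory -Confirm:$false | Out-Null
    return $vm.Name
}

Connect-VIServer -Server $VCenterHost | Out-Null
$quarantined = @()
foreach ($type in 'BLACKLIST', 'WHITELIST', 'FILE TOTALS', 'KNOWN FILES') {
    if (-not $TypeQueries.ContainsKey($type)) { continue }
    $body = (Invoke-WebRequest -Uri $TypeQueries[$type] -Headers $Headers -UseBasicParsing).Content
    foreach ($ip in Get-ClientIpsFromResponse -Body $body) {
        try {
            $name = Invoke-VMQuarantine -ClientIp $ip
            $quarantined += "$ip ($name, rule=$type)"
        } catch {
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) FAILED $ip rule=$type : $($_.Exception.Message)"
        }
    }
}
# Final output, as in the post: when the script last ran and which clients were quarantined
$summary = if ($quarantined) { $quarantined -join '; ' } else { 'none' }
Add-Content -Path $LogPath -Value "$(Get-Date -Format o) ran; quarantined: $summary"
Get-Content -Path $LogPath -Tail 1
```

Two design choices worth noting. The NIC is disconnected before the snapshot is taken, the reverse of the order described above, so the guest stops talking to the network during the seconds a memory snapshot takes; the -Memory switch preserves RAM, which is what an analyst will want. And the $NeverQuarantine list is the safeguard a practitioner wants around a regex-based extraction: a false positive that isolates a workstation is an inconvenience, but one that unplugs the file server or a domain controller at 3:00 am is an outage.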
