Since many companies out there still maintaining unsecured NAS systems or file servers, it is simple for an encryption virus to start working as soon as computer got infected which has access to these file servers. Apart from that, in case such a infection happens, it is also difficult to delimit the source of the attack. Of course, in the meanwhile there are countless possible solutions out there to solve this problem, but there is also a quick and elegant way to tackle this problem with the help of vRealize Log Insight (vRLI)! But as always, please read my Disclaimer first and consider, this haven’t been tested in an productive environment.
Alerts based on Queries
In vRLI, you have the possibility to create alerts based on custom queries. That means, you can create a query and fire an alert when certain defined criteria’s have been met. Now, to understand how vRLI could help us against an encryption attack, we need to have a closer look at the behavior of such a virus… Usually, as soon as a system is infected, the virus or malware starts to encrypt all files which are accessible from this particular computer with this specific user. This results in numerous file write operations on the file share. To sum this up, whenever a single user is opening and changing hundreds of files per minute, the chance is high that this is caused by an attack.
To detect such a situation, we first need to make sure, that we forward all logs from our NAS system to the vRLI instance. This can by accomplished either by configuring syslog on the system or by installing the Log Insight Agent in case the system is a windows file server. Of course, depending on the vendor, the logs will have a different format. In my lab, I used a windows server, but NetApp for example uses the same log format as far as I know. However, try to configure your Filesever or NAS system to only forward the relevant file audit logs like file writes to limit the amount of data. Afterwards, I searched for the specific log message which showed me that a file was created or modified. In my query, I then limited the results to the source of my file server and the EventID of this specific operation:
Now, just a lot of file operations doesn’t necessarily mean there is an attack going on, but when we have a lot of file writes from one single user, the chance is high. Therefore, we need to distinguish between different users… For that reason, select “Non-rime series” and group the output by the field which shows the user who did the change:
Side note: In my lab, I installed the content pack for windows systems which extracts the needed fields for this query.
Now we have already a filtered list of all file writes and changes grouped by users. What we have to do next, is to create an alert based on this query. Select “Create or manage alerts” and choose “Create Alert from Query”. In the section “Raise an alert” you can now define your criteria’s for the alert to be raised. In my example, I’ve chosen to fire the alert when more than 10 events per user group occur in 1 minute:
At last but not least, you can decide what type the alert should be. Either you just send an e-mail, raise an alert in vROps on the corresponding object, or you could also fire a REST-API notification and pick it up by vRealize Orchestrator or another tool to trigger an action like to disable this specific user which would be the most appropriate action in this case.
With vRLI you can identify and even take action against encryption attacks. But of course, with the same procedure, you can also also identify other types of events.