
Nagios Cryptolock probe

The recent large-scale cryptolocker attacks inspired me and my friend Marco to create something that, even though it cannot block them upstream, at least recognizes what is happening downstream and warns the IT staff.

It is really bad when someone encrypts all the files in a share and nobody notices for many days, far beyond the backup retention limit. That makes recovery a hard problem.

For this reason we designed a Nagios probe that alerts the IT staff to the problem, so that they can intervene immediately with shadow copies instead of attempting a slow recovery from backups.

I wrote a first, very simple probe that exploits the NTFS ownership of sentinel files (the canary in the coal mine) distributed in the folders to check: in case of a crypto-virus attack it generates an alert complete with the account of the user.

Later this type of virus changed behaviour and that approach was no longer enough to recognize the adverse event, so I moved to a version that checks the sentinel files using 128-bit MD5 hashes (md5sum command).

Starting from this idea, Marco wrote a complete version (the published one) that automates a few setup and management steps (the first version was a standalone bash script).

What the probe can do

You can use this probe directly to:
• generate the cache (landmark) file with the share paths to check, either by ACL heuristic search or by one-level path (only the first level is checked)
• copy the sentinel/canary file into the shares to check
• generate the exceptions list based on canaries that were not found
• check the share (obviously)
• reinstall the canaries into a consistent state after an alarm (uses the cache, without discovery)

Installation

The probe must be able to reach the share folders to be kept under control. For this reason they must be mounted directly on the Nagios server. Mount the share as shown below.

Edit /etc/fstab (with root privileges) and add a line like this (replace the capitalized words for your environment; the entry is a single line):

//SERVER.DOMAIN/SHARE /usr/local/nagios/libexec/check_krypto/mounts/share cifs domain=DOMAIN,credentials=/etc/samba/krypto.cred,uid=nagios

Create the /etc/samba/krypto.cred file containing the account and password:

username=DOMAIN\USERNAME
password=PASSWORD

For safer use of the credential file, restrict its permissions:

chmod 0600 /etc/samba/krypto.cred

Copy and unzip check_krypto.zip into /usr/local/nagios/libexec/ (or into your Nagios probes folder):

unzip check_krypto.zip -d /usr/local/nagios/libexec/

Create the share mount path inside the check_krypto folder:

mkdir /usr/local/nagios/libexec/check_krypto/mounts/share

Modify the included file canary.doc or canary.odt: add your company logo and a readable message for curious users (warning! you are copying an alien file into all users' and area/office folders). We recommend an official mail to everyone: “In order to protect the company's information assets, we have set up an automatic monitoring system that uses a canary file with .. “.

DO NOT CREATE A LARGE FILE!! (the probe verifies each canary with an MD5 check every N minutes). Save it as a PDF file (more convenient, because users usually cannot modify it).

Copy the canary.pdf file into /usr/local/nagios/libexec/check_krypto/etc, or into the folder pointed to by the CANARY_ORIGINAL_FILE script variable; this is the reference canary file.

cp PATH/canary.pdf /usr/local/nagios/libexec/check_krypto/etc

Then mount the share with the following command:

sudo mount -a

Now edit the check_krypto.sh file and update the variables at the top of the code, for example:

# In a production environment, it is supposed to mount file systems in
# read only mode and switch to read-write only when it's time to add canaries.
# Set this value to 'false' if you mount the file systems to check in read-write mode.
READ_ONLY_MOUNTS="true"

# Domain name or workgroup of the ACLs to check in acl-discovery mode
DOMAIN_NAME="DOMAIN"

# Domain credentials file (domain,user,pwd) of a user that can read the ACLs
DOMAIN_CREDENTIALS="/etc/samba/krypto.cred"

# Base path of the probe installation
PROBE_BASEPATH="/usr/local/nagios/libexec/check_krypto"

# Base path where shares are mounted (must be configured into /etc/fstab)
MOUNTS_BASEPATH="${PROBE_BASEPATH}/mounts"

# Full path of the canary original file
CANARY_ORIGINAL_FILE="${PROBE_BASEPATH}/etc/canary.pdf"

# Canary file name when it will be installed into the target directories
# (a leading underscore is recommended so the file sorts first in the users' view)
CANARY_FILENAME="_Canary_file_DO_NOT_DELETE.pdf"

# File that contains a list of paths (directories) that shouldn't have a canary
EXCEPTIONS_BASEPATH="${PROBE_BASEPATH}/mount/exceptions"

If necessary, you can customize other variables such as FIND, SMBCACLS, MD5SUM and so on.

To check that the probe works, try the help:

./check_krypto.sh -h

or, with the full path, /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh -h

To generate the cache file using the ACL heuristic mode, use:

./check_krypto.sh SHARE -a

In this way the krypto probe verifies whether the folders in SHARE have identical ACLs; if a folder has a different ACL, it descends into that folder recursively until it finds ACLs identical to the parent folder's. The probe also creates
/usr/local/nagios/libexec/check_krypto/mounts/share_canarys.cache
which contains the list of paths of the canary files copied during the scan. Please DO NOT MODIFY this file.

If instead you want to check only the first-level folders of a share, use the one-level-discovery mode with option -o:

./check_krypto.sh SHARE -o

The krypto probe lists only the first level of folders in SHARE and creates share_canarys.cache.

At this point you have a reference cache file and canaries copied into the folders to check. Now you can run:

./check_krypto.sh share -c

which uses the cache file to check the directories without any discovery (the faster option). If everything is OK:

OK - Verified 6 Canaries, 0 Problems Found | All the 6 Canaries on //share are in their original state

Try deleting or modifying one canary file, and the result is:

WARNING: Anomaly Detected - Verified 6 Canaries, 1 Problems Found | Canary NOT found on //share/DIR1

To reinstall the canaries into a consistent state after an alarm (using the cache file, without any discovery), use the rebuild option:

./check_krypto.sh share -r

(Note: a second run reports the OK state.) Now retry the normal check:

./check_krypto.sh share -c

to obtain the OK state.

If you need to manage an exception, you can use:

./check_krypto.sh share -e

which creates
/usr/local/nagios/libexec/check_krypto/mounts/share_exceptions.list
a file with the folder paths that should not be checked.
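As an added example (not Marco's published script nor my original probe), the following stand-alone bash reconstruction shows what the cache-based check (-c mode) described above boils down to: every path listed in the cache must exist and its MD5 must equal the reference canary's, otherwise the probe reports a Nagios WARNING with exit code 1. The function names, the temporary sample share and its paths are constructed assumptions for this illustration.

```shell
#!/bin/bash
# Added illustration, not check_krypto.sh itself: a minimal cache-based check (-c mode).
# Assumptions: the cache lists one canary path per line; a canary is intact when its MD5
# equals the reference file's MD5 (the same md5sum idea the text describes).
# Portable MD5 of a file: coreutils md5sum on Linux, md5 on BSD/macOS.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1; else md5 -q "$1"; fi
}
# check_canaries CACHE REFERENCE_CANARY SHARE_NAME MOUNT_DIR -> prints one Nagios-style line.
# Exit code: 0 OK, 1 WARNING (missing/modified canary), 2 CRITICAL (cache unreadable).
check_canaries() {
  local cache="$1" ref="$2" share="$3" mount="$4"
  local ref_md5 verified=0 problems=0 detail="" path rel
  [ -r "$cache" ] || { echo "CRITICAL - cache file $cache is not readable"; return 2; }
  ref_md5=$(file_md5 "$ref")
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    verified=$((verified + 1))
    rel=$(dirname "$path"); rel="${rel#"$mount"}"; rel="${rel#/}"   # e.g. DIR1
    if [ ! -f "$path" ]; then
      problems=$((problems + 1)); detail="$detail Canary NOT found on //$share/$rel;"
    elif [ "$(file_md5 "$path")" != "$ref_md5" ]; then
      problems=$((problems + 1)); detail="$detail Canary MODIFIED on //$share/$rel;"
    fi
  done < "$cache"
  if [ "$problems" -eq 0 ]; then
    echo "OK - Verified $verified Canaries, 0 Problems Found | All the $verified Canaries on //$share are in their original state"
    return 0
  fi
  echo "WARNING: Anomaly Detected - Verified $verified Canaries, $problems Problems Found |$detail"
  return 1
}
# Constructed sample share in a temp dir (no CIFS mount): reference canary, two folders
# each holding a copy, and the cache listing those copies. Prints the temp dir path.
make_sample_share() {
  local d; d=$(mktemp -d)
  printf 'constructed canary content\n' > "$d/canary.pdf"
  mkdir -p "$d/share/DIR1" "$d/share/DIR2"
  : > "$d/share_canarys.cache"
  for sub in DIR1 DIR2; do
    cp "$d/canary.pdf" "$d/share/$sub/_Canary_file_DO_NOT_DELETE.pdf"
    echo "$d/share/$sub/_Canary_file_DO_NOT_DELETE.pdf" >> "$d/share_canarys.cache"
  done
  echo "$d"
}
d=$(make_sample_share)
check_canaries "$d/share_canarys.cache" "$d/canary.pdf" share "$d/share"   # OK, exit 0
printf 'ENCRYPTED\n' > "$d/share/DIR1/_Canary_file_DO_NOT_DELETE.pdf"     # simulated damage
check_canaries "$d/share_canarys.cache" "$d/canary.pdf" share "$d/share"   # WARNING, exit 1
rm -rf "$d"
```

The same function can be wired into Nagios in place of the -c command if you only need the MD5 comparison, but the published probe also handles discovery, rebuild and exceptions.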

Nagios Command and Service

# Simple command definitions for the krypto checker

define command {
command_name check_krypto_cache
command_line /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh $ARG1$ -c
}

define command {
command_name check_krypto_acl
command_line /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh $ARG1$ -a
}

define command {
command_name check_krypto_onelevel
command_line /usr/local/nagios/libexec/check_krypto/bin/check_krypto.sh $ARG1$ -o
}

# Check Samba network filesystems for crypto locker activity
# (the service must reference the host with host_name, not host)

define service {
host_name srv-nagios
use generic-service
service_description KryptoChk_SHARE
normal_check_interval 10
retry_check_interval 5
check_command check_krypto_cache!SHARE
}
