Detecting Cryptowall, Cryptolocker, and Other Malware



On a previous incarnation of the forum, there was some discussion about detecting crypto malware on your network. The proposed trigger mostly used lists of known offending IP addresses, which works fine for a while. But IP blacklists get stale and require a lot of upkeep to stay current, and you could be lulled into a false sense of security if attacker IP addresses change but your trigger code doesn't.

Has anyone written any more-robust triggers or have any strategies for detecting crypto malware activity on your network?


I haven’t seen anything specific to malware come across the forums that I can recall, @anoryx. Is there some set of functionality you’re looking for in particular? Something that perhaps we could workshop a bit?



Ideally, I’d be looking for some bundle with a trigger that fires on CryptoWall-esque activity, in the same way we have bundles for Backoff and Turla.


I wrote the original trigger for crypto detection. I agree the downfall with my trigger is the upkeep of blacklisted IPs. If there were a way to query external databases of IPs, that could be helpful. One thing I have been looking at is what the payloads of intrusions actually look like when Crypto is happening. I have it set up in a lab but am still working on a finished, reliable product.

Machine learning could really help in this situation.