Seems like a common question I get asked doing demos is "How would this detect CryptoLocker?" That's a complicated question, but someone was kind enough to point me to an article that broke down what CW3 does. I've spent some time putting a rule together.
Now, caveats:
- I haven't (to my knowledge) been infected by CW3, so I don't know if this rule will actually work
- If you have this rule in place, even if it alerts correctly, it doesn't prevent crypto ransomware. We're just trying to make you aware faster
You can import the swrul file into your LEM by going to Build --> Rules, clicking the gear in the upper-right corner and then selecting Import. You'll need the file downloaded to bring the rule in. The rule will appear in several categories, but you can find it under Custom --> THWACK!
If you do have the chance to test this, and can tell me how to improve it, please let me know!
This rule assumes that:
- You are auditing process creation on your systems
- You are auditing registry changes on your systems
- You are auditing service events (start, stop, changes)
- You are auditing network traffic in your environment (usually a given)
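As an added illustration of the idea behind a rule like this (this is not the swrul file from the post, nor anything from SolarWinds LEM), the script below correlates the four audit sources the assumptions list: process creation, registry changes, service events and network traffic. It raises an alert only when all four event types are seen from the same host inside a short time window, and it also reports which audit categories are missing so you can see why the rule would stay silent. The event format, the category names and the sample log lines are constructed for the example and do not describe what CryptoWall 3 actually does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The four audit categories the rule depends on (names are this example's own).
REQUIRED = {"process_create", "registry_change", "service_change", "network_connect"}

# Constructed sample events; not real telemetry from an infected machine.
SAMPLE_EVENTS = [
    # ws01: all four categories within two minutes -> should alert
    {"ts": "2015-04-01T10:00:00", "host": "ws01", "type": "process_create"},
    {"ts": "2015-04-01T10:00:30", "host": "ws01", "type": "registry_change"},
    {"ts": "2015-04-01T10:01:10", "host": "ws01", "type": "service_change"},
    {"ts": "2015-04-01T10:01:45", "host": "ws01", "type": "network_connect"},
    # ws02: only two categories -> no alert
    {"ts": "2015-04-01T11:00:00", "host": "ws02", "type": "process_create"},
    {"ts": "2015-04-01T11:00:20", "host": "ws02", "type": "registry_change"},
    # ws03: all four, but spread over forty minutes -> no alert with a 5-minute window
    {"ts": "2015-04-01T12:00:00", "host": "ws03", "type": "process_create"},
    {"ts": "2015-04-01T12:12:00", "host": "ws03", "type": "registry_change"},
    {"ts": "2015-04-01T12:25:00", "host": "ws03", "type": "service_change"},
    {"ts": "2015-04-01T12:40:00", "host": "ws03", "type": "network_connect"},
]


def missing_audit_categories(enabled):
    """Return the required audit categories that are not being collected.

    If this is non-empty the correlation rule can never fire, which is the
    first thing to check when a rule stays quiet during testing.
    """
    return REQUIRED - set(enabled)


def correlate(events, window=timedelta(minutes=5), required=REQUIRED):
    """Alert once per host when every required event type occurs within `window`.

    Events are grouped by host, sorted by time, and a window is opened at
    each event in turn; the first window that contains all required types
    produces an alert for that host.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["type"]))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = set()
            last = start
            for ts, etype in evs[i:]:
                if ts - start > window:
                    break
                seen.add(etype)
                last = ts
            if required <= seen:
                alerts.append({"host": host,
                               "start": start.isoformat(),
                               "end": last.isoformat(),
                               "types": sorted(seen)})
                break  # one alert per host is enough for an awareness rule
    return alerts


if __name__ == "__main__":
    print("missing audit categories:",
          missing_audit_categories({"process_create", "network_connect"}))
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT", a)
```

The window length and the requirement that all four categories appear are the knobs to tune: a wider window catches slower infections but raises the false-positive rate on busy hosts, and dropping a category (for instance service events) makes the rule fire earlier at the cost of precision. Like the LEM rule in the post, this only makes you aware sooner; it does not stop the encryption.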