I have been following the IT news sites and the new Malware CryptoLocker (Cryptolocker Hijack program - General Security). We have already informed our users of the damage that can be done by attachments, verified out AV software is up to date, increased our backup frequency, and enabled shadow copies on key drives. The one thing I would like to do is setup some type of monitoring using SAM so that I can see if a user gets infected and starts to encrypt a file share.
Any ideas on how I could monitor if a user has opened/change more than X number of files over a given period of time? My other thought was setting up dummy files that no one would be modifying and monitoring to see if they have been changed.
Got any other ideas? My goal would be to send out an alert so we could quickly switch the share to read-only, while we track down the offending workstation.
Nerdcentric, I know this is an Old thread and wondered if you or anyone has configured LEM to detect such an attack, I've noticed that this does provide some useful footprints when triggered such as creating Help_*.txt files in every folder it encrypts, so in my thinking if someone started reading files saving files and creating a help*.txt file would be a good way to detect such activity.