How do I use DDI to monitor computers that are being encrypted?
DDI continuously strengthens its ransomware detection through the automatic update mechanism. The ransomware detection rules can be reviewed at the following location:
Open the DDI web console: Administration > Monitoring / Scanning > Detection Rules
The ransomware rules are listed below. If DDI detects one of these connections from a computer, that computer may already be infected with ransomware or may be encrypting files at that moment, so configure the "High Risk Hosts" notification to alert administrators immediately for emergency handling. Note that these rules fire on network traffic the DDI appliance can see (the malware's HTTP, TCP, UDP or DNS connections); a host with no matching connection is not thereby confirmed clean, and a hit means the encryption may already be under way.
ID    Risk type  Risk  Rule name
1043  MALWARE    High  RANSOM HTTP REQUEST - Type 1
1096  MALWARE    High  RANSOM HTTP request - Class 2
1097  MALWARE    High  RANSOM HTTP request - Class 3
1164  MALWARE    High  RANSOM HTTP Request - Class 4
1172  MALWARE    High  RANSOM HTTP request - Class 5
1213  MALWARE    High  RANSOM HTTP request - Class 6
1295  MALWARE    High  RANSOM HTTP request - Class 9
1302  MALWARE    High  RANSOM HTTP request - Class 7
1344  MALWARE    High  RANSOM HTTP Request - Class 10
1479  MALWARE    High  RANSOM HTTP Request - Class 11
1500  MALWARE    High  RANSOM TCP Request - Class 1
1518  MALWARE    High  RANSOM HTTP Request - Class 12
1614  MALWARE    High  RANSOM HTTP REQUEST - Class 13
1734  MALWARE    High  RANSOM CRYPCTB DNS Connection detected
1771  MALWARE    High  RANSOM TCP Request - Class 2
1779  MALWARE    High  RANSOM CRILOCK DNS Connection
1809  MALWARE    High  RANSOM CRYPTESLA HTTP Response
1845  MALWARE    High  RANSOM CRYPRAAS DNS Connection detected
1860  MALWARE    High  RANSOM CRYPTESLA HTTP Request - Class 3
2020  MALWARE    High  RANSOM LECTOOL HTTP Request
2028  MALWARE    High  LOCKY - Ransomware - HTTP (Request)
2031  MALWARE    High  RANSOM HYDRA - HTTP (Request)
2032  MALWARE    High  RANSOM CRYPTESLA - HTTP(Request) - Variant 4
2034  MALWARE    High  RANSOM CRYPTESLA - HTTP (Request) - Variant 5
2057  MALWARE    High  CRYDAP - Ransomware - HTTP (Request)
2061  MALWARE    High  CRYPWALL - Ransomware - HTTP (Request)
2071  MALWARE    High  CERBER - Ransomware - UDP
2074  MALWARE    High  SURPRISE - Ransomware - HTTP (Request)
2075  MALWARE    High  CRYPRADAM - Ransomware - HTTP (Request)
2076  MALWARE    High  CRYPZUQUIT - Ransomware - HTTP (Request)
2077  MALWARE    High  CRYPNISCA - Ransomware - UDP
2080  MALWARE    High  CRYPSALAM - Ransomware - HTTP (Request)
2081  MALWARE    High  CRYPTEAR - Ransomware - HTTP (Request)
2082  MALWARE    High  COVERTON - Ransomware - HTTP (Request)
2083  MALWARE    High  CRYPAURA - Ransomware - HTTP (Request)
2085  MALWARE    High  CRYPTRITU - Ransomware - HTTP (Request)
2086  MALWARE    High  WALTRIX - Ransomware - TCP
2093  MALWARE    High  CRYPVAULT - Ransomware - HTTP (Request)
2094  MALWARE    High  CRYPCORE - Ransomware - HTTP (Request)
2096  MALWARE    High  CRYPAPLHA - Ransomware - HTTP (Request)
2097  MALWARE    High  EMPER - Ransomware - HTTP (Request)
2103  MALWARE    High  ENIGMA - Ransomware - HTTP (Request)
2106  MALWARE    High  AUTOLOCKY - Ransomware - HTTP (Request)
2112  MALWARE    High  MADLOCKER - Ransomware - HTTP (Request)
How do I send notification emails?
The "High Risk Hosts" notification covers ransomware threat events, other APT events, vulnerability exploits and other high-risk event types, and shortens the time users and IT staff need to react and respond:
Configure the mail server, sender and recipients
Administration > Notifications > Delivery Options > Email Settings
Enter the recipient(s), sender, mail server IP, mail server port and related details in the fields
Click Test Mail to confirm that delivery works, then save
Configure the High Risk Hosts notification
Click High Risk Hosts Detections, make sure the notification is checked, and choose the notification frequency:
Notify every 30 minutes, or notify immediately on detection (immediate notification is recommended)
How do I search for ransomware connection records?
1. Detections > All Detections
2. Advanced > Detection Rule ID: enter the Rule ID(s) to search for (separate multiple rules with commas), then click Search.
The ransomware rule IDs are collected here:
1043,1096,1097,1164,1172,1213,1295,1302,1344,1479,1500,1518,1614,1734,1771,1779,1809,1845,1860,2020,2028,2031,2032,2034,2057,2061,2071,2074,2075,2076,2077,2080,2081,2082,2083,2085,2086,2093,2094,2096,2097,2103,2106,2112
Alternatively, search by ransomware threat name:
Advanced > Threat/Detection/Reference: enter the threat name(s) to search for (separate multiple names with commas), then click Search.
The ransomware threat names are collected here:
ANDROIDOS_LOCKER,BAT_CRYPTOR,BAT_CRYPVAULT,CRILOCK,CRYPCTB,CRYPDEF,CRYPSHED,CRYPTESLA,CRYPTFILE,JS_DOWNCRYPT,KRYPTOVOR,MATSNU,PE_VIRLOCK,PHP_CRYPWEB,RANSOM,REVETON,SYNOLOCK,TROJ_ACCDFISA,TROJ_CRIBIT,TROJ_CRITOLOCK,TROJ_CRYPAURA,TROJ_CRYPDIRT,TROJ_CRYPFORT,TROJ_CRYPMLOCK,TROJ_CRYPOLLO,TROJ_CRYPTCOIN,TROJ_CRYPTED,TROJ_CRYPTLOCK,TROJ_CRYPTOP,TROJ_CRYPTORBIT,TROJ_CRYPTOX,TROJ_CRYPTROLF,TROJ_CRYPTTOR,TROJ_CRYPWALL,TROJ_GULCRYPT,TROJ_KOLLAH,TROJ_KOVTER,TROJ_PGPCODER,TROJ_POSHCODER,VBUZKY
3. In the search results, click show to expand the details
Saving search criteria
Search criteria can be saved so that later searches, confirmation and maintenance are quick.
Click the save icon at the top right > Save, and enter a name such as Ransomware-ID or Ransomware-Name
Click the drop-down menu to see the names of the previously saved search criteria
What should I do if a computer is infected with ransomware?
If you find matching records or receive a notification email, handle the case according to the following emergency response principles:
1. Notify the user to check the computer for infection symptoms immediately and carry out the recommended emergency measures. For details see: RANSOM_Waltrix (CryptXXX) ransomware: main infection symptoms and recommended emergency measures
2. Add the URLs or IPs used for encryption, as found in the DDI search results, to the gateway block list
3. Use Trend Micro products to strengthen protection against ransomware. For details see: 2016 Technical Bulletin -- Trend Micro product recommendations for protection against Ransomware
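As an added example (not Trend Micro's code, and not DDI's actual export or syslog format), the Python script below reproduces the two console searches from the previous section, by Detection Rule ID and by Threat/Detection/Reference, offline against a constructed detection export, and then derives the two things the response steps above need: the internal hosts to notify and the destination IPs/hostnames to put on the gateway block list. The column layout of SAMPLE_EXPORT, the placeholder rule IDs 4117 and 9001, and the substring semantics of the threat-name match are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Detection rule IDs from the ransomware rule table on this page.
RANSOMWARE_RULE_IDS = {
    1043, 1096, 1097, 1164, 1172, 1213, 1295, 1302, 1344, 1479, 1500,
    1518, 1614, 1734, 1771, 1779, 1809, 1845, 1860, 2020, 2028, 2031,
    2032, 2034, 2057, 2061, 2071, 2074, 2075, 2076, 2077, 2080, 2081,
    2082, 2083, 2085, 2086, 2093, 2094, 2096, 2097, 2103, 2106, 2112,
}

# Threat-name keywords from this page. They are matched as case-insensitive
# substrings of the detection name (assumed to mirror the console filter).
RANSOMWARE_THREAT_NAMES = {
    "ANDROIDOS_LOCKER", "BAT_CRYPTOR", "BAT_CRYPVAULT", "CRILOCK", "CRYPCTB",
    "CRYPDEF", "CRYPSHED", "CRYPTESLA", "CRYPTFILE", "JS_DOWNCRYPT",
    "KRYPTOVOR", "MATSNU", "PE_VIRLOCK", "PHP_CRYPWEB", "RANSOM", "REVETON",
    "SYNOLOCK", "TROJ_ACCDFISA", "TROJ_CRIBIT", "TROJ_CRITOLOCK",
    "TROJ_CRYPAURA", "TROJ_CRYPDIRT", "TROJ_CRYPFORT", "TROJ_CRYPMLOCK",
    "TROJ_CRYPOLLO", "TROJ_CRYPTCOIN", "TROJ_CRYPTED", "TROJ_CRYPTLOCK",
    "TROJ_CRYPTOP", "TROJ_CRYPTORBIT", "TROJ_CRYPTOX", "TROJ_CRYPTROLF",
    "TROJ_CRYPTTOR", "TROJ_CRYPWALL", "TROJ_GULCRYPT", "TROJ_KOLLAH",
    "TROJ_KOVTER", "TROJ_PGPCODER", "TROJ_POSHCODER", "VBUZKY",
}

# Constructed sample export. The column layout is an assumption for this
# example, not DDI's real CSV/syslog format; rule IDs 4117 and 9001 are
# placeholders standing in for rules that are not on the ransomware list.
SAMPLE_EXPORT = """\
timestamp,src_ip,src_host,dst_ip,dst_host,rule_id,threat
2016-05-12T09:14:02,10.1.20.45,PC-FIN-07,93.184.216.34,example-c2.net,2086,RANSOM_WALTRIX.A
2016-05-12T09:14:05,10.1.20.45,PC-FIN-07,93.184.216.34,example-c2.net,2086,RANSOM_WALTRIX.A
2016-05-12T09:20:11,10.1.30.12,PC-HR-03,198.51.100.7,,1779,TROJ_CRILOCK.Z
2016-05-12T09:22:40,10.1.40.9,PC-DEV-11,203.0.113.20,cdn-example.net,2061,TROJ_CRYPWALL.KK
2016-05-12T09:25:00,10.1.50.2,PC-OPS-01,192.0.2.88,,4117,TROJ_KOVTER.B
2016-05-12T09:31:17,10.1.60.4,PC-MKT-02,192.0.2.150,,9001,BKDR_GENERIC.X
"""


def parse_export(text):
    """Parse a CSV export into one dict per detection, rule_id as int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["rule_id"] = int(row["rule_id"])
        rows.append(row)
    return rows


def by_rule_id(records, rule_ids):
    """Same selection as Advanced > Detection Rule ID with a comma list."""
    return [r for r in records if r["rule_id"] in rule_ids]


def by_threat_name(records, names):
    """Same selection as Advanced > Threat/Detection/Reference (substring)."""
    keys = [n.upper() for n in names]
    return [r for r in records if any(k in r["threat"].upper() for k in keys)]


def ransomware_hits(records):
    """Union of both searches, de-duplicated, in export order of first hit.

    The rule-ID search and the threat-name search are complementary: a
    detection can match a ransomware threat name under a rule that is not on
    the rule-ID list (TROJ_KOVTER.B above), so run both.
    """
    seen, hits = set(), []
    for r in (by_rule_id(records, RANSOMWARE_RULE_IDS)
              + by_threat_name(records, RANSOMWARE_THREAT_NAMES)):
        key = (r["timestamp"], r["src_ip"], r["rule_id"])
        if key not in seen:
            seen.add(key)
            hits.append(r)
    return hits


def block_list(hits):
    """Destination IPs and hostnames to add to the gateway block list."""
    targets = set()
    for r in hits:
        for field in ("dst_ip", "dst_host"):
            if r[field]:
                targets.add(r[field])
    return sorted(targets)


def hosts_to_notify(hits):
    """Internal hosts (by hostname) to alert, with their hit counts."""
    return Counter(r["src_host"] for r in hits)


if __name__ == "__main__":
    found = ransomware_hits(parse_export(SAMPLE_EXPORT))
    for host, n in hosts_to_notify(found).most_common():
        print(f"notify {host}: {n} ransomware detection(s)")
    print("block at gateway:", ", ".join(block_list(found)))
```

Running the script prints PC-FIN-07 first (two hits) and a block list of six destinations; the BKDR_GENERIC.X detection on PC-MKT-02 is excluded by both searches, while TROJ_KOVTER.B is picked up only by the threat-name search, which is why the page recommends saving both query variants.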