How to remotely test virtual machines for ransomware infection?

I have a lot of VMs running on my network that I don't often look at: VMs that other people use, VMs that are web servers, VMs that are running automatic tasks. All these VMs are running Microsoft OSes, mostly Windows 8.1 and Server 2012 R2.

Right now I run a simple file-search utility that remotely looks for files with the words "instruct", "crypt", "restore" in the filename (txt and html files) because most ransomware in the past has left new files in every infected folder with names like Instructions_to_decrypt.txt, how_to_restore_your_files.html, and other similar names that are mostly covered in my file-search utility.

But things can change and I would like a better way of doing this. What I want to do is prevent my automatic, nightly VM replication jobs from replicating an infected VM to its replica partner.

Anybody have any ideas on how to test for ransomware-infected machines remotely over the network other than searching for these instruction-type files?

Thanks.
gateguard asked:

Eng. Nidal Kamal (Information Consultant) commented:
Good day,

I recommend installing https://www.malwarebytes.org/ on each VM to protect from ransomware infections and other malware.

BTW, if you already have antivirus installed in each VM, the Malwarebytes application runs perfectly alongside almost any other antivirus.
gateguard (Author) commented:
Thanks, Nidal. We do have AV software and I will look into adding this tool to our yearly subscriptions on all our VMs, but in the meantime, I still would like to know if there is a quick-and-dirty way to look at a VM remotely and test it for this type of infection --- "in general".

No AV/malware tool is perfect.  What I want to do is NOT REPLICATE an infected VM.  Right now I'm looking for those tell-tale "instruction" files.  Is there anything else I can look for, from a distance?

Thanks.
McKnife commented:
Just how can you tell you are infected? Just write a script that programmatically compares one of the file types that will definitely be encrypted, like .docx, to a known good copy.
If not identical, an errorlevel will be set and your script can turn off replication.
This is possible; it's not too hard.

But why not rely on backups and proactive measures? Look at AppLocker, it can do whitelisting, so only known code will run.
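The canary comparison suggested above, combined with the ransom-note filename search from the question, as an added PowerShell example that is not code from this thread. It assumes each VM holds a canary document at C:\Canary\canary.docx reachable over the C$ admin share, that a master copy of that document sits on the machine running the check, and that the replication job reads the script's exit code (non-zero means skip the VM).

```powershell
# Added example, not from the original thread. Assumed layout: canary at C:\Canary\canary.docx on
# every VM, master copy at C:\CanaryMaster\canary.docx locally, C$ admin share reachable with
# read rights. Exit code 1 tells the replication job not to replicate the flagged VM(s).
param(
    [Parameter(Mandatory)][string[]]$ComputerName
)

$CanaryRelPath = 'Canary\canary.docx'                       # assumed canary location on each VM
$MasterCopy    = 'C:\CanaryMaster\canary.docx'              # assumed local known-good copy
$KnownGood     = (Get-FileHash -Path $MasterCopy -Algorithm SHA256).Hash
$NotePattern   = '(instruct|decrypt|restore|recover).*\.(txt|html?)$'  # ransom-note style names
$ScanRoots     = @('Users', 'Shares')                       # assumed folders to look in for notes

$Suspicious = @()
foreach ($vm in $ComputerName) {
    $root   = "\\$vm\C$"
    $canary = Join-Path $root $CanaryRelPath

    # 1. Canary check: a missing or altered known-good document is treated as a sign of encryption.
    if (-not (Test-Path $canary)) {
        $Suspicious += "${vm}: canary file missing"
        continue
    }
    $hash = (Get-FileHash -Path $canary -Algorithm SHA256).Hash
    if ($hash -ne $KnownGood) {
        $Suspicious += "${vm}: canary hash mismatch ($hash)"
    }

    # 2. Ransom-note check: filenames matching the usual "how to decrypt/restore" pattern.
    # -match is case-insensitive by default, so Instructions_to_decrypt.txt and HOW_TO_RESTORE.html both hit.
    foreach ($sub in $ScanRoots) {
        $dir = Join-Path $root $sub
        if (-not (Test-Path $dir)) { continue }
        $notes = Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -match $NotePattern } |
                 Select-Object -First 5
        foreach ($n in $notes) { $Suspicious += "${vm}: possible ransom note $($n.FullName)" }
    }
}

if ($Suspicious.Count -gt 0) {
    $Suspicious | ForEach-Object { Write-Warning $_ }
    exit 1    # replication job checks this errorlevel and skips the VM(s)
}
Write-Host "All $($ComputerName.Count) VMs passed canary and ransom-note checks."
exit 0
```

A single canary only catches ransomware that happens to touch that file, so spreading several canaries across the folders users actually write to gives better coverage; it also does nothing for dormant, VM-aware samples, which is why the network monitoring suggested later in the thread is a useful complement.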

Thomas Zucker-Scharff (Solution Guide) commented:
You have another problem. There are ransomware variants that will not execute if they detect that they are within a VM. They will remain dormant until they are given the chance to execute outside of the VM. So those telltale signs of infection would never appear. (Quoting an article: "If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said. CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.")

Your best bet is to monitor the traffic either with a remote administration tool or install something like RUBotted on each VM to detect if the machine attempts to communicate with undesirable servers. Another option is to inoculate each VM with something similar to CryptoPrevent and/or HitmanPro.Alert. I am not all that familiar with virtual machines, so please take this into consideration.

For further treatment of ransomware (with some information about VMs) see these articles (the first 2 are mine):

http://www.experts-exchange.com/articles/20879/Ransomware-is-rampant-don't-be-caught-out.html
http://www.experts-exchange.com/articles/18086/Ransomware-Prevention-is-the-only-solution.html
http://www.experts-exchange.com/articles/21199/Ransomware-Beware.html

Note that there are many other articles on EE about ransomware; just do a search on the word in the EE search bar and choose articles as the filter.
Eng. Nidal Kamal (Information Consultant) commented:
Good day,

Thanks for your feedback. One can look forever for new ways to detect whether any of the VMs has an infection or not, and may or may not succeed with this laborious method.
Or use other software and expertise to find and clean this ransomware and other malware for free.
A comparison of the free and paid versions can be found at https://www.malwarebytes.org/antimalware/.

In short, the paid version can prevent infections, but the free version can also scan and clean.
Maidine Fouad (Engineer) commented:
I have played with some malware in the past, using a VM and the BackTrack 5 suite. Some malware is polymorphic; it changes at the binary level, making it harder for most normal/commercial anti-malware products to detect. Others sleep and wait until they can infect the VM host (they do this by checking the MAC address, or they run Red Pill, ...).

The main problem you should worry about is not the infection of the VM, but of the VM host!

In order to prevent this:

You should be heavily monitoring the network (most tools will do the job), configuring the firewall and IDS as well..., and when backing up you should hash the backup files, so in case they are infected you would notice the change.

Keeping up with updates is a must, especially for the VM products you use. Some exploits did come from VMware Tools, so perhaps a good move would be not to use it.

There are some products that can prevent ransomware at the network level; you can check out WatchGuard's XTM: https://www.youtube.com/watch?v=uifwqLHYGsk

I do not work for WatchGuard, but their product did a good job blocking most CryptoLocker variants...

Some tools and websites you should visit; I strongly suggest checking Threat Expert:

http://threatexpert.com

And scan any suspicious file with Metascan (it scans files with 43 different malware engines):

https://www.metascan-online.com/

gateguard (Author) commented:
Thanks. Really appreciate all the help.
Preston Cooper (Database Administrator) commented:
I wrote a Windows service to detect ransomware changes to files in a Windows file share or local directory. I'm in the middle of beta testing.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/