Maybe someone gets an idea how to improve chances in the fight with these criminals. Enterprise solutions like RedEye and Co. are too expensive for my budget. This method proved itself quite useful and effective: there are thousands of mutations of viruses each day, but only a few hundred (known) active C&C servers at any given time, so blocking them is quite effective.
/Sas
Configuration steps
Used Components
1. Mikrotik as default gateway & firewall
2. Windows server as DNS server, running scheduled powershell scripts
3. Linux ControlAndAlert server with nagios
4. Linux LogCollector server with logstash, elasticsearch, kibana
RansomWareTracker https://ransomwaretracker.abuse.ch/blocklist/
Prepare components:
Setup ControlAndAlert
1. add passive service for router to alert
Setup Mikrotik
1. firewall rules to block traffic towards blacklisted addresses, including the special address 10.254.254.254 returned by DNS
2. add source address of client to infected-blocklist
3. block any communication to/from infected clients (IMPORTANT: the virus remains inactive until it connects to the C&C)
4. add remote logging to linux LogCollector (forwarding firewall log)
Setup Linux LogCollector
1. logstash listens and parses log messages from Mikrotik
2. check log-prefix in log message (from FW rule adding client to infected-blocklist)
- forward passive check critical status to ControlAndAlert nagios with client address
Scheduled method:
On Windows
1. Download block lists from RansomWareTracker
2. insert blocked domains into local DNS, resolving to address 10.254.254.254
3. convert IP address list to ROS script (example):
/ip firewall address-list
:if ([find list="blacklist" and address=104.238.173.18] != "") do={
set [find list="blacklist" and address=104.238.173.18] timeout=12:00
} else={
add list=blacklist address=104.238.173.18 timeout=12:00}
:if ([find list="blacklist" and address=109.162.46.179] != "") do={
set [find list="blacklist" and address=109.162.46.179] timeout=12:00
} else={
add list=blacklist address=109.162.46.179 timeout=12:00}
...
On Mikrotik
1. download & execute blocked IP address script
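As an added example (not the original poster's script), a PowerShell function that turns a RansomWareTracker-style IP list into the RouterOS address-list script in the format shown above. The blocklist lines are constructed inline (one IPv4 per line, '#' comment lines, which is an assumed format), and the output path at the end is a placeholder.

```powershell
# Constructed sample input, not real tracker data; includes a comment line,
# a junk entry and a duplicate to show how they are handled.
$SampleIpBlocklist = @"
# constructed sample blocklist
104.238.173.18
109.162.46.179
not-an-ip
104.238.173.18
"@ -split "`r?`n"

function ConvertTo-RosAddressListScript {
    param(
        [string[]] $Lines,
        [string]   $ListName = 'blacklist',
        [string]   $Timeout  = '12:00'     # RouterOS hh:mm, i.e. 12 hours
    )
    $ipv4 = '^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$'
    $seen = @{}
    $out  = [System.Collections.Generic.List[string]]::new()
    $out.Add('/ip firewall address-list')
    foreach ($raw in $Lines) {
        $ip = $raw.Trim()
        if (-not $ip -or $ip.StartsWith('#')) { continue }     # blank or comment
        if ($ip -notmatch $ipv4) {                             # never pass junk to the router
            Write-Warning "skipping non-IPv4 entry: $ip"
            continue
        }
        if ($seen.ContainsKey($ip)) { continue }               # dedupe repeated entries
        $seen[$ip] = $true
        $find = "[find list=`"$ListName`" and address=$ip]"
        # Refresh the timeout if the entry exists, otherwise add it. With a timeout,
        # an address the tracker stops listing expires on its own after the last refresh.
        $out.Add(":if ($find != `"`") do={")
        $out.Add("set $find timeout=$Timeout")
        $out.Add('} else={')
        $out.Add("add list=$ListName address=$ip timeout=$Timeout}")
    }
    return ($out -join "`n")
}

$script = ConvertTo-RosAddressListScript -Lines $SampleIpBlocklist
$script
# Placeholder path; the router fetches and runs this file in the Mikrotik step above.
# Set-Content -Path '\\FILESERVER\share\blacklist.rsc' -Value $script -Encoding ASCII
```

For the live run, replace the constructed sample with the downloaded list (for example the lines of a file fetched with Invoke-WebRequest) and schedule the script on the Windows server.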