sasbibic
Topic Author
Joined: Mon Mar 17, 2014 11:12 am

How I fight ransomware (crypto viruses) with Mikrotik

Wed Mar 23, 2016 12:49 pm

Maybe someone gets an idea how to improve chances in the fight with these criminals. Enterprise solutions like RedEye and Co. are too expensive for my budget. This method proved itself quite useful and effective: there are thousands of mutations of viruses each day but only a few hundred (known) active C&C servers at any given time, so blocking them is quite effective.

/Sas

Configuration steps

Used Components
1. Mikrotik as default gateway & firewall
2. Windows server as DNS server, running scheduled powershell scripts
3. Linux ControlAndAlert server with nagios
4. Linux LogCollector server with logstash, elasticsearch, kibana

RansomWareTracker https://ransomwaretracker.abuse.ch/blocklist/

Prepare components:
Setup ControlAndAlert
1. add passive service for router to alert

Setup Mikrotik
1. firewall rules to block traffic towards blacklisted addresses including special address from DNS 10.254.254.254
2. add source address of client to infected-blocklist
3. block any communication to/from infected clients (IMPORTANT virus remains inactive until connecting to C&C)
4. add remote logging to linux LogCollector (forwarding firewall log)

Setup Linux LogCollector
1. logstash listens and parses log messages from Mikrotik
2. check log-prefix in log message (from FW rule adding client to infected-blocklist)
- forward passive check critical status to ControlAndAlert nagios with client address
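The LogCollector step above (match the log-prefix of the "add client to infected-blocklist" rule, then raise a passive CRITICAL in nagios for that client) written out as a small Python parser instead of a logstash pipeline. This is an added example, not the poster's logstash config: the log lines are constructed to look like Mikrotik firewall log output, and the log-prefix `infected-client`, the nagios host name `mikrotik-gw` and the service name `ransomware-c2` are assumptions. The output line uses the tab-separated format that `send_nsca` reads.

```python
import re

# Constructed sample of what the router's remote-logging would send to the
# collector (not captured from a real device). Only the first line carries
# the log-prefix of the rule that adds a client to infected-blocklist.
SAMPLE_LOGS = [
    "firewall,info infected-client: in:bridge out:ether1, src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 192.168.10.23:51234->104.238.173.18:443, len 52",
    "firewall,info blocked-out: in:bridge out:ether1, proto UDP, "
    "192.168.10.40:5353->10.254.254.254:53, len 60",
    "system,info,account user admin logged in from 192.168.10.5 via winbox",
]

# "<topics> <log-prefix>: ... <src>:<port>-><dst>:<port> ..."
LOG_RE = re.compile(
    r"^firewall,info (?P<prefix>[^:]+): .*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+->(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

INFECTED_PREFIX = "infected-client"  # assumed: log-prefix set on the ROS rule
NAGIOS_HOST = "mikrotik-gw"          # assumed: host the passive service belongs to
NAGIOS_SERVICE = "ransomware-c2"     # assumed: passive service name in nagios
CRITICAL = 2                         # nagios return code for CRITICAL


def detect_infected(line):
    """Return {'src': ..., 'dst': ...} for a line with the infected log-prefix, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("prefix") != INFECTED_PREFIX:
        return None
    return {"src": m.group("src"), "dst": m.group("dst")}


def nsca_passive_line(hit):
    """Build one send_nsca input record: host, service, return code, plugin output."""
    output = f"CRITICAL - client {hit['src']} tried to reach blacklisted {hit['dst']}"
    return "\t".join([NAGIOS_HOST, NAGIOS_SERVICE, str(CRITICAL), output]) + "\n"


def process(lines):
    """Turn a batch of router log lines into the passive check records to forward."""
    return [nsca_passive_line(hit) for hit in map(detect_infected, lines) if hit]


if __name__ == "__main__":
    for record in process(SAMPLE_LOGS):
        print(record, end="")
```

Feeding the output of `process()` to `send_nsca` on the collector is what gives the alert its client address; lines with any other log-prefix (the plain block rule, the DNS sinkhole hits) are ignored rather than raising a second alert per packet.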

Scheduled method:
On Windows
1. Download block lists from RansomWareTracker
2. insert blocked domains in local DNS, with address 10.254.254.254
3. convert IP address list to ROS script (example):
/ip firewall address-list
:if ([find list="blacklist" and address=104.238.173.18] != "") do={
set [find list="blacklist" and address=104.238.173.18] timeout=12:00
} else={
add list=blacklist address=104.238.173.18 timeout=12:00}
:if ([find list="blacklist" and address=109.162.46.179] != "") do={
set [find list="blacklist" and address=109.162.46.179] timeout=12:00
} else={
add list=blacklist address=109.162.46.179 timeout=12:00}
...
On Mikrotik
1. download & execute blocked IP address script
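The "convert IP address list to ROS script" step as an added example (Python rather than the poster's scheduled PowerShell, so this is not the poster's script). It parses a blocklist in the abuse.ch text layout (comment lines starting with `#`, one address per line; the sample here is constructed, not a real feed), drops malformed and private entries so the sinkhole address 10.254.254.254 can never end up in the blacklist, and emits the same `:if ... do={ set } else={ add }` idiom the post shows, so an address that is still listed only has its timeout refreshed.

```python
import ipaddress

# Constructed sample in the abuse.ch blocklist layout (not real feed data).
SAMPLE_BLOCKLIST = """\
########################################################
# RansomwareTracker IP blocklist (constructed sample)   #
########################################################
104.238.173.18
109.162.46.179
not-an-ip
10.254.254.254
104.238.173.18
"""

SINKHOLE = ipaddress.ip_address("10.254.254.254")  # DNS sinkhole address from the post


def parse_blocklist(text):
    """Return the valid public IPv4 addresses from blocklist text, in order, without duplicates."""
    addresses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # a malformed entry must not break the generated script
        if addr.version != 4 or addr.is_private or addr == SINKHOLE:
            continue  # never blacklist the sinkhole or internal ranges
        if addr not in addresses:
            addresses.append(addr)
    return addresses


def ros_address_list_script(addresses, list_name="blacklist", timeout="12:00"):
    """Emit a RouterOS script that adds or refreshes each address in the address-list."""
    lines = ["/ip firewall address-list"]
    for addr in addresses:
        selector = f'[find list="{list_name}" and address={addr}]'
        lines.append(f':if ({selector} != "") do={{')
        lines.append(f"set {selector} timeout={timeout}")
        lines.append("} else={")
        lines.append(f"add list={list_name} address={addr} timeout={timeout}}}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # In the scheduled job the text would come from the RansomWareTracker download
    # and the output would be saved to the file the router fetches and runs.
    print(ros_address_list_script(parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

The 12:00 timeout matters with this idiom: if the scheduled download fails for a few cycles, stale entries expire on their own instead of accumulating on the router.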
