View Categories

Ransomware protection on Windows with Argus

31 min read

Protecting endpoints against ransomware is crucial, as these attacks have become one of the most widespread and damaging cyber threats faced by organizations and individuals. The rise in ransomware incidents is driven by the profitability of ransom payments and the increasing accessibility of attack tools.

Modern ransomware employs sophisticated tactics, including advanced encryption algorithms and social engineering techniques, to evade detection and increase attack success. The emergence of Ransomware-as-a-Service (RaaS) has further lowered the entry barrier for cybercriminals, enabling even inexperienced attackers to launch ransomware campaigns.

To combat ransomware, we integrate VirusTotal with Argus to detect malware as soon as it is written to disk. Argus Active Response automatically removes detected malware before it can be executed. For ransomware that VirusTotal does not detect, we create custom rules to identify suspicious behaviors typically associated with ransomware during its execution.

REQUIREMENTS

  • Argus server or Argus manager
  • A windows victim endpoint with Argus agent installed

Windows endpoint

On the Windows endpoint, we configure the Argus FIM module and Argus Active Response script that removes malicious files.

File Integrity Monitoring Configuration

Steps to configure the Argus FIM module to monitor near real-time changes in the folders.

  1. Add the below commands within the <syscheck> block to monitor the Downloads, Documents, and Desktop folders of all users for changes:

<directories realtime=”yes”>C:\Users\*\Downloads</directories>

<directories realtime=”yes”>C:\Users\*\Documents</directories>

<directories realtime=”yes”>C:\Users\*\Desktop</directories>

Active Response Script

Steps to create a Argus Active Response script that removes files detected as malicious by VirusTotal.

  1. Download the Python installer from the official Python website.
  2. Run the Python installer once downloaded, and make sure to check the following boxes:
  3. Install launcher for all users
  4. Add python.exe to PATH. This places the Python interpreter in the execution path.
  5. Create a Argus Active Response script remove-threat.py in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory. This script removes any file detected as malicious by the VirusTotal integration:

#!/usr/bin/python3

# Copyright (C) 2015-2022, Wazuh Inc.

# All rights reserved.

import os

import sys

import json

import datetime

if os.name == ‘nt’:

    LOG_FILE = “C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log”

else:

    LOG_FILE = “/var/ossec/logs/active-responses.log”

ADD_COMMAND = 0

DELETE_COMMAND = 1

CONTINUE_COMMAND = 2

ABORT_COMMAND = 3

OS_SUCCESS = 0

OS_INVALID = -1

class message:

    def __init__(self):

        self.alert = “”

        self.command = 0

def write_debug_file(ar_name, msg):

    with open(LOG_FILE, mode=”a”) as log_file:

        log_file.write(str(datetime.datetime.now().strftime(‘%Y/%m/%d %H:%M:%S’)) + ” ” + ar_name + “: ” + msg +”\n”)

def setup_and_check_message(argv):

    # get alert from stdin

    input_str = “”

    for line in sys.stdin:

        input_str = line

        break

    try:

        data = json.loads(input_str)

    except ValueError:

        write_debug_file(argv[0], ‘Decoding JSON has failed, invalid input format’)

        message.command = OS_INVALID

        return message

    message.alert = data

    command = data.get(“command”)

    if command == “add”:

        message.command = ADD_COMMAND

    elif command == “delete”:

        message.command = DELETE_COMMAND

    else:

        message.command = OS_INVALID

        write_debug_file(argv[0], ‘Not valid command: ‘ + command)

    return message

def send_keys_and_check_message(argv, keys):

    # build and send message with keys

    keys_msg = json.dumps({“version”: 1,”origin”:{“name”: argv[0],”module”:”active-response”},”command”:”check_keys”,”parameters”:{“keys”:keys}})

    write_debug_file(argv[0], keys_msg)

    print(keys_msg)

    sys.stdout.flush()

    # read the response of previous message

    input_str = “”

    while True:

        line = sys.stdin.readline()

        if line:

            input_str = line

            break

    # write_debug_file(argv[0], input_str)

    try:

        data = json.loads(input_str)

    except ValueError:

        write_debug_file(argv[0], ‘Decoding JSON has failed, invalid input format’)

        return message

    action = data.get(“command”)

    if “continue” == action:

        ret = CONTINUE_COMMAND

    elif “abort” == action:

        ret = ABORT_COMMAND

    else:

        ret = OS_INVALID

        write_debug_file(argv[0], “Invalid value of ‘command'”)

    return ret

def main(argv):

    write_debug_file(argv[0], “Started”)

    # validate json and get command

    msg = setup_and_check_message(argv)

    if msg.command < 0:

        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:

        alert = msg.alert[“parameters”][“alert”]

        keys = [alert[“rule”][“id”]]

        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution

        if action != CONTINUE_COMMAND:

            if action == ABORT_COMMAND:

                write_debug_file(argv[0], “Aborted”)

                sys.exit(OS_SUCCESS)

            else:

                write_debug_file(argv[0], “Invalid command”)

                sys.exit(OS_INVALID)

        try:

            file_path = msg.alert[“parameters”][“alert”][“data”][“virustotal”][“source”][“file”]

            if os.path.exists(file_path):

                os.remove(file_path)

            write_debug_file(argv[0], json.dumps(msg.alert) + ” Successfully removed threat”)

        except OSError as error:

            write_debug_file(argv[0], json.dumps(msg.alert) + “Error removing threat”)

    else:

        write_debug_file(argv[0], “Invalid command”)

    write_debug_file(argv[0], “Ended”)

    sys.exit(OS_SUCCESS)

if __name__ == “__main__”:

    main(sys.argv)

  • Run the following commands to install pyinstaller and convert the remove-threat.py Argus Active Response script to a Windows executable:

pip install pyinstaller

pyinstaller -F “C:\Program Files (x86)\ossec-agent\active-response\bin\remove-threat.py”

The second command creates a remove-threat.exe executable in a folder called dist in your working directory.

  • Restart the Argus agent using PowerShell with administrative privilege to apply the configuration changes:

 Restart-Service -Name wazuh

Argus server

We configure the Argus VirusTotal integration to scan modified or added files. We also configure the Argus Active Response module to trigger the remove-threat.exe executable.

Argus VirusTotal integration

Perform the following step on the Argus server to configure the VirusTotal integration.

1. Add the following configuration within the <ossec> block of the /var/ossec/etc/ossec.conf file to enable the VirusTotal integration. Replace <YOUR_VIRUS_TOTAL_API_KEY> with your VirusTotal API key. This allows Argus to trigger a VirusTotal query on the file whenever a file addition or modification is detected:

  <integration>

    <name>virustotal</name>

    <api_key><YOUR_VIRUS_TOTAL_API_KEY></api_key>

    <rule_id>554,550</rule_id>

    <alert_format>json</alert_format>

  </integration>

Argus Active Response module configuration

Perform the following steps on the Argus server to configure the Argus Active Response module.

  1. Add the following configuration within the <ossec> block of the /var/ossec/etc/ossec.conf file to configure the Argus Active Response command:

  <command>

    <name>remove-threat</name>

    <executable>remove-threat.exe</executable>

    <timeout_allowed>no</timeout_allowed>

  </command>

  <active-response>

    <disabled>no</disabled>

    <command>remove-threat</command>

    <location>local</location>

    <rules_id>87105</rules_id>

  </active-response>

When VirusTotal detects malware written to disk, remove-threat.exe is triggered to remove the malware from the monitored endpoint.

Custom rules configuration

Perform the following steps to create custom rules that trigger alerts when the Argus Active Response script successfully or unsuccessfully removes a threat file. 

  1.  Add the following custom rules to the /var/ossec/etc/rules/virustotal_rules.xml rule file:

<group name=”virustotal,”>

  <rule id=”100092″ level=”12″>

      <if_sid>657</if_sid>

      <match>Successfully removed threat</match>

      <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>

  </rule>

  <rule id=”100093″ level=”12″>

    <if_sid>657</if_sid>

    <match>Error removing threat</match>

    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>

  </rule>

</group>

2 . Restart the Argus manager to apply the configuration changes:

        systemctl restart wazuh-manager

Monitoring the Alerts

Rule ID 554 is triggered when Argus FIM module detects a newly added file to the monitored directory.

Rule ID 87105 is triggered when VirusTotal detects a malicious file.

Ransomware execution detection

Windows endpoint

Sysmon configuration

  1.  Run the following commands on PowerShell with admin privileges to install and configure Sysmon

 # Set Variables

$url = “https://download.sysinternals.com/files/Sysmon.zip”

$outputPath = “C:\Temp\Sysmon.zip”

$extractPath = “C:\Temp”

$configUrl = “https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml”

$configPath = “$extractPath\sysmonconfig.xml”

# Install Sysmon

New-Item -ItemType Directory -Path C:\Temp

Invoke-WebRequest -Uri $url -OutFile $outputPath

Expand-Archive -Path $outputPath -DestinationPath $extractPath

wget -Uri $configUrl -OutFile $configPath

& “$extractPath\Sysmon64.exe” -accepteula -i $configPath

  • Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to collect Sysmon logs and forward them to the Argus server for analysis

 <localfile>

      <location>Microsoft-Windows-Sysmon/Operational</location>

      <log_format>eventchannel</log_format>

</localfile>

  • Restart the Argus agent

     Restart-Service -Name wazuh

Argus server

Custom rules configuration

1. Create a ransomware_rules.xml rule file in the /var/ossec/etc/rules/ directory:

2.  Add the following custom rules to the /var/ossec/etc/rules/ransomware_rules.xml rule file. These rules are made up of a group of likely ransomware actions observed on affected endpoints and are not specific to one type of malware. The rules may trigger or not trigger depending on the ransomware

<group name=”malware,ransomware,ransomware_pre_detection”>

   <!– Rules to detect Ransomware attack –>

 <!– Suspicious command execution –>

 <rule id=”100600″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.parentCommandLine” type=”pcre2″>(?i)[c-z]:\\\\Windows\\\\System32\\\\svchost\.exe\s-k\sWerSvcGroup</field>

    <field name=”win.eventdata.commandLine” type=”pcre2″>(?i)[c-z]:\\\\Windows\\\\system32\\\\WerFault\.exe\s-pss\s-s\s\d+\s-p\s\d+\s-ip\s\d+</field>

    <description>Possible WerFault DLL Sideloading $(win.eventdata.commandLine).</description>

    <mitre>

      <id>T1546.008</id>

    </mitre>

 </rule>

 <rule id=”100601″ level=”10″ >

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.parent.image.path” type=”pcre2″>(?i)regedit.exe</field>

    <field name=”win.eventdata.commandLine” type=”pcre2″>(?i)schtasks.exe \/create.*\\cmd.exe.*start wordpad.exe.*.dll</field>

    <description>Suspicious scheduled task created.</description>

    <mitre>

      <id>T1546.008</id>

    </mitre>

 </rule>

 <rule id=”100602″ level=”7″>

   <if_sid>92027</if_sid>

   <field name=”win.eventdata.CommandLine” type=”pcre2″>Install-WindowsFeature.*RSAT-ADPowerShell</field>

   <description>Remote Server Administration Tools installed.</description>

   <mitre>

     <id>T1562</id>

   </mitre>

  </rule>

<!– Impair defenses –>

  <rule id=”100603″ level=”10″>

    <if_sid>92042</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>netsh advfirewall set currentprofile state off</field>

    <description>Windows firewall disabled.</description>

    <mitre>

      <id>T1562</id>

    </mitre>

  </rule>

  <rule id=”100604″ level=”10″>

    <if_sid>61614</if_sid>

    <field name=”win.eventdata.targetObject” type=”pcre2″ >HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\WinDefend</field>

    <field name=”win.eventdata.eventType” type=”pcre2″>^DeleteKey$</field>

    <field name=”win.eventdata.user” type=”pcre2″ >NT AUTHORITY\\\\SYSTEM</field>

    <description>Windows defender service $(win.eventdata.user) has been deleted on $(win.system.computer). Possible malicious activity.</description>

    <mitre>

      <id>T1562.001</id>

    </mitre>

  </rule>

  <rule id=”100605″ level=”10″>

    <if_sid>92027,92021</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)powershell.*New-ItemProperty.*Windows Defender.*DisableAntiSpyware.*-Value 1.*</field>

    <description>Windows defender service has been deleted on $(win.system.computer). Possible malicious activity.</description>

    <mitre>

      <id>T1562.001</id>

    </mitre>

  </rule>

  <rule id=”100606″ level=”10″>

    <if_sid>92008,92027</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)powershell.*Set-MpPreference.*-DisableRealTimeMonitoring.*true</field>

    <description>Windows defender realtime protection has been disabled on $(win.system.computer). Possible malicious activity.</description>

    <mitre>

      <id>T1562.001</id>

    </mitre>

  </rule>

  <rule id=”100607″ level=”10″>

    <if_sid>92042</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>reg.exe .*Windows Defender\\Real-Time Protection.*Disable|\/d</field>

    <description>Windows defender realtime protection has been disabled on $(win.system.computer). Possible malicious activity.</description>

    <mitre>

      <id>T1562</id>

    </mitre>

  </rule>

  <rule id=”100608″ level=”10″>

    <if_sid>92042</if_sid>

    <field name=”win.eventdata.ruleName” type=”pcre2″>(?i)Disabling Security Tools</field>

    <field name=”win.eventdata.targetObject” type=”pcre2″>(?i)Windows Defender</field>

    <description>Windows Defender feature disabled on $(win.system.computer). Possible malicious activity</description>

    <mitre>

      <id>T1562</id>

    </mitre>

  </rule>

  <rule id=”100609″ level=”10″>

    <if_sid>92042</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>dism .* \/Disable-feature \/FeatureName:Windows-Defender</field>

    <description>Windows Defender disabled.</description>

    <mitre>

      <id>T1562</id>

    </mitre>

  </rule>

  <rule id=”100610″ level=”10″>

    <field name=”win.system.providerName” type=”pcre2″>(?i)SecurityCenter</field>   

    <field name=”win.eventdata.data” type=”pcre2″>(?i)Windows Defender, SECURITY_PRODUCT_STATE_SNOOZED</field>   

    <description>Windows Defender snoozed on $(win.system.computer). Possible malicious activity</description>

    <mitre>

      <id>T1562</id>

    </mitre>

  </rule>

<!– System recovery inhibition –> 

  <rule id=”100611″ level=”10″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)bcdedit\s\s\/set\s{default}\sbootstatuspolicy\signoreallfailures</field>

    <description>Boot configuration data edited.</description>

    <mitre>

      <id>T1059</id>

    </mitre>

  </rule>

<!– Persistence detection –>

  <rule id=”100612″ level=”10″>

    <if_sid>92300</if_sid>

    <field name=”win.eventdata.image” type=”pcre2″>(?i)\.exe</field>

    <field name=”win.eventdata.eventType” type=”pcre2″>(?i)SetValue</field>

    <field name=”win.eventdata.targetObject” type=”pcre2″>(?i)HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\[A-Za-z0-9]+</field>

    <description>New run key added to registry by $(win.eventdata.image).</description>

    <mitre>

      <id>T1547.001</id>

    </mitre>

  </rule>

 <rule id=”100613″ level=”10″>

    <if_sid>61613</if_sid>

    <field name=”win.eventdata.image” type=”pcre2″>\.exe</field>

    <field name=”win.eventdata.targetFilename” type=”pcre2″>(?i)ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\.+\.exe</field>

    <description>$(win.eventdata.targetFilename) added to Startup programs by $(win.eventdata.image).</description>

    <mitre>

      <id>T1547.001</id>

    </mitre>

  </rule>

  <rule id=”100614″ level=”10″>

    <field name=”win.eventdata.ruleName” type=”pcre2″>(?i)Credential Dumping</field>

    <field name=”win.eventdata.sourceImage” type=”pcre2″>WerFault.exe</field>

    <description>WerFault abused to dump credentials.</description>

    <mitre>

      <id>T1003</id>

    </mitre>

  </rule>

<!– System recovery inhibition –>

  <rule id=”100615″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)vssadmin\s\sdelete\sshadows\s\/all\s\/quiet</field>

    <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description>

    <mitre>

      <id>T1490</id>

      <id>T1059.003</id>

    </mitre>

  </rule>

  <rule id=”100616″ level=”12″>

    <if_sid>92032</if_sid>

    <field name=”win.eventdata.parentCommandLine” type=”pcre2″>(?i)vssadmin.*delete.*shadow</field>

    <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description>

    <mitre>

      <id>T1490</id>

      <id>T1059.003</id>

    </mitre>

  </rule>

  <rule id=”100617″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i).*Shadowcopy .*Delete</field>

    <description>Volume shadow copy deleted using $(win.eventdata.originalFileName). Potential ransomware activity detected.</description>

    <mitre>

      <id>T1490</id>

      <id>T1059.003</id>

    </mitre>

  </rule>

  <rule id=”100618″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>wmic shadowcopy delete</field>

    <description>$(win.eventdata.originalFileName) invoked to delete shadow copies. Potential ransomware activity detected.</description>

    <mitre>

      <id>T1490</id>

      <id>T1059.003</id>

    </mitre>

  </rule>

  <rule id=”100619″ level=”12″>

    <field name=”win.system.providerName” type=”pcre2″>(?i)Microsoft-Windows-Sysmon</field>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)delete shadows</field>

    <description>Volume Shadow copy deleted on $(win.system.computer). Potential ransomware activity detected.</description>

    <mitre>

      <id>T1490</id>

      <id>T1059.003</id>

    </mitre>

  </rule>

  <rule id=”100620″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)bcdedit\s\s\/set\s{default}\srecoveryenabled\sNo</field>

    <description>System recovery disabled. Possible ransomware activity detected.</description>

    <mitre>

      <id>T1059</id>

    </mitre>

  </rule>

  <rule id=”100621″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)wbadmin\s\sdelete\scatalog\s-quiet</field>

    <description>System catalog deleted. Possible ransomware activity detected.</description>

    <mitre>

      <id>T1059</id>

    </mitre>

  </rule>

  <rule id=”100622″ level=”12″>

    <if_sid>61603</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)bcdedit\s\s\/set\s{default}\srecoveryenabled\sNo</field>

    <description>System recovery disabled. Possible ransomware activity detected.</description>

    <mitre>

      <id>T1059</id>

    </mitre>

  </rule>

  <rule id=”100623″ level=”12″>

    <if_sid>92032</if_sid>

    <field name=”win.eventdata.CommandLine” type=”pcre2″>(?i)wevtutil.*cl</field>

    <description>Windows event logs deleted. Possible malicious activity detected.</description>

    <mitre>

      <id>T1070.001</id>

    </mitre>

  </rule>

<!– Ransom note file creation –>

  <rule id=”100626″ level=”10″ timeframe=”50″ frequency=”3″ ignore=”300″>

    <if_matched_sid>554</if_matched_sid>

    <same_field>md5</same_field>

    <different_field>file</different_field>

    <description>The file $(file) has been created in multiple directories in a short time. Possible ransomware activity.</description>

  </rule>

  <rule id=”100627″ level=”7″ timeframe=”30″ frequency=”10″ ignore=”300″>

    <if_matched_sid>550</if_matched_sid>

    <field name=”file” type=”pcre2″>(?i)C:\\Users</field>

    <description>Multiple Files modified in the User directory in a short time.</description>

  </rule>

  <rule id=”100629″ level=”7″ timeframe=”300″ frequency=”2″ ignore=”300″>

    <if_matched_sid>63104</if_matched_sid>

    <field name=”win.system.message” type=”pcre2″>(?i)log file was cleared</field>

    <description>Windows Log File Cleared.</description>

    <mitre>

      <id>T1070.001</id>

    </mitre>

  </rule>

</group>

<group name=”ransomware,ransomware_detection”>

  <rule id=”100628″ level=”12″ timeframe=”300″ frequency=”2″ ignore=”300″>

    <if_matched_group>ransomware_pre_detection</if_matched_group>

    <if_sid>100626,100627,100615,100616,100617,100618,100619</if_sid>

    <description>Ransomware activity detected.</description>

  </rule>

</group>

3.Restart the Argus manager 

    systemctl restart wazuh-manager

Monitoring the Alerts

rule IDs 100630, 100616, 100617, and 100623 are triggered when a ransomware execution is detected. Activities such as ransomware attempting to delete volume shadow copies or clearing Windows event logs are detected.

Ransomware protection with Argus Active Response

Windows endpoint

On the Windows endpoint, we configure a Argus Active Response script and Command module.

  1. Append the following configuration to the  C:\Program Files (x86)\ossec-agent\ossec.conf local configuration file:

<ossec_config>

  <wodle name=”command”>

    <disabled>no</disabled>

    <tag>vss</tag>

    <command>C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -c “net stop VSS ; sc.exe config VSS start=Demand ; net start VSS ; WMIC shadowcopy call create Volume=C:\ ; net stop VSS ; sc.exe config VSS start=disabled”</command>

    <interval>12h</interval>

    <run_on_start>yes</run_on_start>

    <timeout>300</timeout>

  </wodle>

</ossec_config>

Argus Active Response script configuration

To recover encrypted files, we use a custom Argus Active Response script rollback.ps1 that recovers our files into a backup folder.

  1. Create a rollback.ps1 script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory and add the below script to it. This script recovers files from the volume shadow copies

# Define the base paths

$EncryptedPath = “C:\users”

$RecoveryPath = “C:\Recovered_Files”  # Default recovery path, change as needed

# Paths to ignore during restoration and deletion

$IgnorePaths = @(

    “C:\Windows”,

    “C:\Program Files”,

    “C:\Program Files (x86)”,

    “C:\C:\Recovered_Files”  # Add more paths as needed

)

# Log file location

$LogFile = “$RecoveryPath\RecoveryLog.txt”

# Ensure the log file directory exists

$LogFileDirectory = [System.IO.Path]::GetDirectoryName($LogFile)

if (-not (Test-Path -Path $LogFileDirectory)) {

    New-Item -Path $LogFileDirectory -ItemType Directory -Force

}

# Clear or create the log file

if (Test-Path -Path $LogFile) {

    Clear-Content -Path $LogFile

} else {

    New-Item -Path $LogFile -ItemType File

}

# Function to log messages

function Log-Message {

    param (

        [string]$Message

    )

    $Timestamp = Get-Date -Format “yyyy-MM-dd HH:mm:ss”

    Add-Content -Path $LogFile -Value “$Timestamp – $Message”

    Write-Host “$Timestamp – $Message”

}

try {

    Log-Message “Starting recovery process…”

    # Run vssadmin list shadows and capture the output

    start-sleep 120

    cmd /c sc config VSS start=Demand

    cmd /c net start VSS

    start-sleep 5

    Log-Message “Listing shadow copies…”

    # Extract the shadow copy volume path using Select-String

    $ShadowCopyVolumes = C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -c “Get-WmiObject -Query ‘SELECT * FROM Win32_ShadowCopy’ | Select-Object -ExpandProperty DeviceObject”

    if ($ShadowCopyVolumes.Count -gt 0) {

        $ShadowCopyVolume = $ShadowCopyVolumes[-1]  # Select the last shadow copy volume

        Log-Message “Latest Shadow Copy Volume found: $ShadowCopyVolume”

    } else {

        throw “Unable to find Shadow Copy Volume path in vssadmin output.”

    }

    # Ensure ShadowCopyVolume ends with a backslash

    if (-not $ShadowCopyVolume.EndsWith(“\”)) {

        $ShadowCopyVolume += “\”

    }

    # Log the adjusted ShadowCopyVolume path

    Log-Message “Adjusted Shadow Copy Volume path: $ShadowCopyVolume”

    # Create symbolic link between shadow copy and backup folder

    $LinkPath = Join-Path -Path $RecoveryPath -ChildPath “backup”

    Log-Message “Creating symbolic link at $LinkPath…”

    # Remove any existing symbolic link or folder

    if (Test-Path -Path $LinkPath) {

        Remove-Item -Path $LinkPath -Recurse -Force

        Log-Message “Existing symbolic link or folder removed at $LinkPath”

    }

    # Create the symbolic link

    $linkCmdOutput = cmd /c mklink /d “$LinkPath” “$ShadowCopyVolume”

    Log-Message “Symbolic link command output: $linkCmdOutput”

    # Verify symbolic link creation

    if (-not (Test-Path -Path $LinkPath)) {

        throw “Failed to create symbolic link at $LinkPath”

    }

    Log-Message “Symbolic link created successfully: $LinkPath -> $ShadowCopyVolume”

    Write-Host “Files restore completed.”

    “Wazuh_Ransomware_Protection: File restore completed for $($env:computername) at $(Get-Date)” | Out-File -FilePath “C:\Program Files (x86)\ossec-agent\active-response\active-responses.log” -Append -Encoding UTF8

}

catch {

    $ErrorMsg = $Error[0].ToString()

    Log-Message “Error: $ErrorMsg”

    Write-Error “An error occurred: $ErrorMsg”

}

    # Stop VSS service

    cmd /c sc config VSS start=disabled

    cmd /c net stop VSS

    start-sleep 5

    Log-Message “Turned off VSS service…”

  • Create a rollback.bat script in the C:\Program Files (x86)\ossec-agent\active-response\bin\ directory and add the below script to it. This script executes the rollback.ps1 script via Windows Batch launcher as the Argus Active Response module cannot execute PowerShell scripts directly

@echo off

Powershell -ExecutionPolicy bypass -File “C:\Program Files (x86)\ossec-agent\active-response\bin\rollback.ps1”

  • Restart the Argus agent 

   Restart-Service -Name wazuh

Argus server

Custom decoders configuration

We add the following decoders to decode logs generated by the rollback.bat Argus Active Response script.

  1. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the rollback.ps1 Wazuh Active Response script

<decoder name=”Wazuh_Ransomware”>

  <prematch>Wazuh_Ransomware_Protection:</prematch>

</decoder>

<decoder name=”Wazuh_Ransomware_child”>

  <parent>Wazuh_Ransomware</parent>

  <regex type=”pcre2″>Wazuh_Ransomware_Protection: (.*)</regex>

  <order>rollback_status</order>

</decoder>

Custom rules configuration

  1. Add the following custom rule to the /var/ossec/etc/rules/ransomware_rules.xml rule file.

<group name=”ransomware,ransomware_rollback,”>

  <rule id=”100800″ level=”5″>

    <field name=”rollback_status”>completed</field>

    <description>Wazuh_Ransomware_Protection: Files restored successfully.</description>

  </rule>

</group>

Argus Active Response module configuration

  1. Add the following configuration within the <ossec> block of the /var/ossec/etc/ossec.conf file to configure the Argus Active Response command:

   <command>

    <name>rollback_windows</name>

    <executable>rollback.bat</executable>

    <timeout_allowed>no</timeout_allowed>

  </command>

  <active-response>

    <command>rollback_windows</command>

    <location>local</location>

    <rules_id>100628</rules_id>

  </active-response>

2.  The rollback_windows command is triggered when our custom rules detect a ransomware execution. This triggers the Argus Active Response script to recover our files from the last stored volume shadow copy. The recovered files are stored in a folder located at C:\Recovered_Files.

3. Restart the Argus manager 

            systemctl restart wazuh-manager

Monitoring the alerts

Running ransomware samples on the monitored Windows endpoint generates alerts on the Argus dashboard. Once the ransomware execution is detected, the Argus Active Response script triggers and recovers the encrypted files.

Rule ID 100628 is triggered when multiple ransomware execution activities are detected, denoting a ransomware activity.

Conclusion

In this use case we demonstrated how we use Argus to detect some strains of ransomware. We also show how you can protect your backups and recover files encrypted by ransomware on Windows endpoints.

Leave a Reply

Your email address will not be published. Required fields are marked *