
Be prepared against ransomware viruses..


mouser:
Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified? I.e., software that tries to catch these kinds of ransomware evils by catching and killing them as soon as they try to modify a document that the security software knows should never be changed/deleted.

x16wda:
Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified?
-mouser (June 27, 2015, 01:22 PM)
--- End quote ---

Our largest client got hit several times with Cryptowall, and another one got hit on a large file server -- that took over 24 hours to encrypt. After I thought about that, I sprinkled several test files (jpg, doc & xls) with known checksums in various places in the shares, and wrote a script to look for flag files (HOW_DECRYPT, etc.) and compare the checksums. If it finds any flag files or modified honeypot files, it looks at the owner of the flag files (since that's whose box is doing it) and spits out emails to get the box pulled and start remediation.

Mainstream stuff ought to be watching file creation, and as soon as it sees a flag file created it should shut down the remote client and start ringing alarm bells.
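A minimal version of the canary-file plus flag-file check x16wda describes, written here as an added example (it is not x16wda's script). The canary names, the flag-name pattern and the owner lookup (POSIX uid via stat) are assumptions; on an SMB share you would resolve the NTFS owner instead.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Ransom-note "flag file" names to look for; assumed list, extend it from your own incidents.
FLAG_PATTERN = re.compile(r"^(HOW_DECRYPT|HOW_TO_DECRYPT|DECRYPT_INSTRUCTION)", re.I)

def sha256_of(path):
    """Stream the file so large canary documents are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(canaries):
    """Record each canary's known-good checksum when it is planted."""
    return {str(p): sha256_of(p) for p in canaries}

def scan(share_root, known):
    """Compare canaries to the baseline and look for flag files anywhere in the share."""
    findings = {"modified": [], "missing": [], "flags": []}
    for path, digest in known.items():
        p = Path(path)
        if not p.exists():
            findings["missing"].append(path)
        elif sha256_of(p) != digest:
            findings["modified"].append(path)
    for dirpath, _, names in os.walk(share_root):
        for name in names:
            if FLAG_PATTERN.match(name):
                full = Path(dirpath) / name
                # The flag file's owner is the account whose box is doing the encrypting.
                # st_uid is the POSIX owner; on an SMB share resolve the NTFS owner instead.
                findings["flags"].append((str(full), full.stat().st_uid))
    return findings

def demo():
    """Constructed share: plant two canaries, then simulate an infection and rescan."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    canaries = [root / "finance" / "zz_budget.xls", root / "zz_photo.jpg"]
    for c in canaries:
        c.write_bytes(b"canary content, never legitimately edited")
    known = baseline(canaries)
    canaries[0].write_bytes(b"ciphertext")                        # canary overwritten
    (root / "finance" / "HOW_DECRYPT.txt").write_text("pay up")   # ransom note dropped
    return scan(root, known)
```

In a real deployment `findings` from each scheduled scan feed the alert (e-mail, ticket, NAC quarantine) rather than being returned to a caller.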

TaoPhoenix:

Are there any fast global checks? Like are the ransomed files renamed to some bizarre file extension, or just ".zip" (that happens not to be unzippable)? So then you could put a list of all sane file extensions somewhere, and then some kind of deep background process that says "hey, if you find yourself creating anything evil, stop all activity and holler"?

Giampy:
With regard to the last comments: what you ask is just what any antivirus should do...

TaoPhoenix:
With regard to the last comments: what you ask is just what any antivirus should do...
-Giampy (June 27, 2015, 02:12 PM)
--- End quote ---

So maybe I walked into that one! But in a bit of odd logic, since this thing happens and the AVs aren't working, I was wondering if a low-level script could help, unless the malware hijacks the file creation registry first or something?

In some ways I'm thinking of things like a Rootkit Revealer upside down, where that takes some kind of raw dump of whatever bypassing normal Windows thingies, (which is how rootkits get to hide), and hopefully it would notice a malware performing similar nasty tricks when the script checks in and goes "hey! user! you were fine an hour ago! What did you do?"
