How to detect ransomware-locked file systems

I regularly back up a lot of computers and what I'm looking for is a way to avoid running the backup (or more importantly, the synchronization program) on computers that have been hit with any of the ransomware variants.

Is there a way to detect that a large number of files on a given computer are encrypted?

Thanks
gateguardAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris HInfrastructure ManagerCommented:
There is no GOOD way of doing this.  Microsoft doesn't see Encryption taking place, it just sees an executable file changing another files contents.  

The easiest way to prevent any of this from ever happening is to have a firewall with an HTTPS and HTTP packet filter to block out any executable content from crossing over into your network and a good SMTP spam appliance which will filter out any executable attachments.  This is the only method I stand by and it has worked for over a decade.

You could, however, take incremental backups.  If your average incremental is 5% and one day you start backing up 95% of your files, it could indicate something has modified 95% of your files...  Other than hash/file contents comparison, there's no good way of doing what you want.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rindiCommented:
Most ransomware changes the extensions of the encrypted files to something unusual, like xabefsd. So you could make sure your backup tool is set to only backup known file types which you client saves their dos as.

Personally I don't recommend syncing files to your backup location, but rather do a real backup, where you rotate your backup destination so you have several versions of your files on different media, and then retain those backups for at least a certain time frame.
Chris HInfrastructure ManagerCommented:
http://security.stackexchange.com/questions/44387/scanning-for-files-than-have-been-encrypted-by-cryptolocker

We created a free scan tool that finds CryptoLocker encrypted files dumps the list into a CSV file. This is handy when trying to figure out what files need restored from backup.

http://omnispear.com/tools/cryptolocker-scan-tool
gateguardAuthor Commented:
Thanks, everyone!  Really appreciate the responses.
Preston CooperDatabase AdministratorCommented:
I wrote a program to detect missing and changed files caused by ransomware.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/

You can monitor any UNC path or local folder.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.