How to detect ransomware-locked file systems

gateguard used Ask the Experts™
I regularly back up a lot of computers and what I'm looking for is a way to avoid running the backup (or more importantly, the synchronization program) on computers that have been hit with any of the ransomware variants.

Is there a way to detect that a large number of files on a given computer are encrypted?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Infrastructure Manager
There is no GOOD way of doing this.  Microsoft doesn't see Encryption taking place, it just sees an executable file changing another files contents.  

The easiest way to prevent any of this from ever happening is to have a firewall with an HTTPS and HTTP packet filter to block out any executable content from crossing over into your network and a good SMTP spam appliance which will filter out any executable attachments.  This is the only method I stand by and it has worked for over a decade.

You could, however, take incremental backups.  If your average incremental is 5% and one day you start backing up 95% of your files, it could indicate something has modified 95% of your files...  Other than hash/file contents comparison, there's no good way of doing what you want.
Most Valuable Expert 2015
Most ransomware changes the extensions of the encrypted files to something unusual, like xabefsd. So you could make sure your backup tool is set to only backup known file types which you client saves their dos as.

Personally I don't recommend syncing files to your backup location, but rather do a real backup, where you rotate your backup destination so you have several versions of your files on different media, and then retain those backups for at least a certain time frame.
Chris HInfrastructure Manager

We created a free scan tool that finds CryptoLocker encrypted files dumps the list into a CSV file. This is handy when trying to figure out what files need restored from backup.


Thanks, everyone!  Really appreciate the responses.
Preston CooperDatabase Administrator

I wrote a program to detect missing and changed files caused by ransomware.

You can monitor any UNC path or local folder.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial