How to detect ransomware-locked file systems
I regularly back up a lot of computers and what I'm looking for is a way to avoid running the backup (or more importantly, the synchronization program) on computers that have been hit with any of the ransomware variants.
Is there a way to detect that a large number of files on a given computer are encrypted?
Thanks
Is there a way to detect that a large number of files on a given computer are encrypted?
Thanks
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
There is no GOOD way of doing this. Microsoft doesn't see Encryption taking place, it just sees an executable file changing another files contents.
The easiest way to prevent any of this from ever happening is to have a firewall with an HTTPS and HTTP packet filter to block out any executable content from crossing over into your network and a good SMTP spam appliance which will filter out any executable attachments. This is the only method I stand by and it has worked for over a decade.
You could, however, take incremental backups. If your average incremental is 5% and one day you start backing up 95% of your files, it could indicate something has modified 95% of your files... Other than hash/file contents comparison, there's no good way of doing what you want.
The easiest way to prevent any of this from ever happening is to have a firewall with an HTTPS and HTTP packet filter to block out any executable content from crossing over into your network and a good SMTP spam appliance which will filter out any executable attachments. This is the only method I stand by and it has worked for over a decade.
You could, however, take incremental backups. If your average incremental is 5% and one day you start backing up 95% of your files, it could indicate something has modified 95% of your files... Other than hash/file contents comparison, there's no good way of doing what you want.
Most ransomware changes the extensions of the encrypted files to something unusual, like xabefsd. So you could make sure your backup tool is set to only backup known file types which you client saves their dos as.
Personally I don't recommend syncing files to your backup location, but rather do a real backup, where you rotate your backup destination so you have several versions of your files on different media, and then retain those backups for at least a certain time frame.
Personally I don't recommend syncing files to your backup location, but rather do a real backup, where you rotate your backup destination so you have several versions of your files on different media, and then retain those backups for at least a certain time frame.
http://security.stackexchange.com/questions/44387/scanning-for-files-than-have-been-encrypted-by-cryptolocker
http://omnispear.com/tools/cryptolocker-scan-tool
We created a free scan tool that finds CryptoLocker encrypted files dumps the list into a CSV file. This is handy when trying to figure out what files need restored from backup.
http://omnispear.com/tools/cryptolocker-scan-tool
I wrote a program to detect missing and changed files caused by ransomware.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
You can monitor any UNC path or local folder.
http://www.questiondriven.com/2016/02/18/beta-testing-for-ransomware-detection-in-file-share/
You can monitor any UNC path or local folder.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial