I have a lot of VMs running on my network that I don't often look at: VMs that other people use, VMs that are web servers, VMs that are running automatic tasks. All these VMs are running Microsoft OSes, mostly Windows 8.1 and Server 2012 R2.
Right now I run a simple file-search utility that remotely looks for files with the words "instruct", "crypt", "restore" in the filename (txt and html files) because most ransomware in the past has left new files in every infected folder with names like Instructions_to_decrypt.txt, how_to_restore_your_files.html, and other similar names that are mostly covered in my file-search utility.
But things can change and I would like a better way of doing this. What I want to do is prevent my automatic, nightly VM-replication jobs from replicating an infected VM to its replica partner.
Anybody have any ideas on how to test for ransomware-infected machines remotely over the network other than searching for these instruction-type files?
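As an added illustration (not the poster's utility, and not code from any product mentioned above), here is a small Python pre-replication check that combines the filename search described in the question with two further indicators a defender can evaluate over a mounted share or UNC path before a replication job runs: the fraction of files carrying an extension commonly appended to encrypted files, and a set of canary files whose SHA-256 digests are expected to stay unchanged. The keywords "instruct", "crypt" and "restore" come from the post; "recover", the list of encrypted-file suffixes, the 20% ratio threshold and the sample directory it builds are assumptions for the demo.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Keywords from the post ("instruct", "crypt", "restore") plus "recover" (assumed),
# matched case-insensitively against the stem of .txt/.html files.
NOTE_KEYWORDS = ("instruct", "crypt", "restore", "recover")
NOTE_SUFFIXES = {".txt", ".html", ".htm"}
# Illustrative (assumed, not exhaustive) suffixes ransomware has appended to encrypted files.
ENCRYPTED_SUFFIXES = {".locked", ".encrypted", ".crypt", ".enc", ".crypted"}
NOTE_RE = re.compile("|".join(NOTE_KEYWORDS), re.IGNORECASE)


def sha256_of(path):
    """Stream a file through SHA-256 so large canaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, canaries=None):
    """Walk root (local path, mounted share or UNC path) and collect indicators.

    canaries maps a relative path to the SHA-256 hex digest recorded when the
    canary was planted; a missing or altered canary is reported as tampered.
    """
    root = Path(root)
    notes, suffix_counts, total = [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            p = Path(dirpath) / name
            suffix_counts[p.suffix.lower()] += 1
            if p.suffix.lower() in NOTE_SUFFIXES and NOTE_RE.search(p.stem):
                notes.append(p.relative_to(root).as_posix())
    encrypted = sum(suffix_counts[s] for s in ENCRYPTED_SUFFIXES)
    tampered = []
    for rel, expected in (canaries or {}).items():
        p = root / rel
        if not p.exists() or sha256_of(p) != expected:
            tampered.append(rel)
    return {
        "note_files": sorted(notes),
        "encrypted_ratio": encrypted / total if total else 0.0,
        "tampered_canaries": sorted(tampered),
        "total_files": total,
    }


def verdict(findings, ratio_threshold=0.2):
    """True when the share should be treated as infected and replication held."""
    return (bool(findings["note_files"])
            or bool(findings["tampered_canaries"])
            or findings["encrypted_ratio"] >= ratio_threshold)


def build_sample_tree():
    """Construct a throwaway directory that mimics an infected share (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    docs = root / "Documents"
    docs.mkdir()
    canary = docs / "zz_canary.docx"
    canary.write_bytes(b"canary content v1")
    expected = {"Documents/zz_canary.docx": sha256_of(canary)}  # digest at plant time
    # Files a healthy share would contain.
    (docs / "budget.xlsx").write_bytes(b"ok")
    (docs / "notes.txt").write_bytes(b"meeting notes")
    # Indicators: two ransom notes, one renamed file, and the canary overwritten.
    (docs / "Instructions_to_decrypt.txt").write_bytes(b"pay")
    (root / "how_to_restore_your_files.html").write_bytes(b"<p>pay</p>")
    (docs / "report.docx.locked").write_bytes(b"\x00\xff" * 8)
    canary.write_bytes(b"garbage")
    return root, expected


if __name__ == "__main__":
    sample_root, expected_digests = build_sample_tree()
    findings = scan_tree(sample_root, expected_digests)
    print(findings)
    print("HOLD REPLICATION" if verdict(findings) else "clean")
```

In practice you would run `scan_tree` against each VM's admin share from the replication host and gate the job on `verdict`; the canary check is the part that keeps working when a new family changes its note filenames, because it does not depend on what the malware calls anything.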