Ransomware Detection Service


  • Please log in to reply
1 reply to this topic

#1 peej228

Posted 15 March 2016 - 02:28 PM

Ransomware Detection Service is open source/free and in beta; use of the program is at the user's own risk. Please see the license at the bottom.

Main Description:

This program detects all present and future ransomware in Windows file shares.

When staff members get ransomware, you need to respond quickly to get their computer shut down as soon as possible. If you respond quickly enough, you can shut down the offending computer before other file shares become encrypted. Anti-virus programs currently do not detect encrypted files written by ransomware. Not knowing that a ransomware virus is on your network is a big problem. The sooner you get the offending computer shut down and restore your backups of file shares, the better.

File servers do not get the virus; the virus encrypts the files stored on the file server. This makes knowing the damage caused by ransomware difficult. If you do not notice an encrypted file share, you can lose your opportunity to restore from backup or cause your users to use a much older backup than necessary. Anti-virus programs are always a few days behind in detecting new viruses.

I added the ability to search (during off hours) for ransomware-specific files to help determine damage caused by a previous uncaught infection. I just added the ability to delete any ransomware-created files for cleanup purposes after an infection of a file share.


Caveat:

  • Train or notify users not to delete the files/folders that get copied from the SourcePath. Deleted files will cause a false-positive "missing files" error message or email.
  • If you are using the important files method, then you will receive error messages for all changed files (even when changed normally).
  • The Find Ransomware Files tab will be slow for large directories with many files and should be run during off hours. The Compare (Detect Ransomware) tab is fast and can be run during business hours.

System Requirements:

  • Windows Server 2008 or newer, or Windows 7 or newer; both 32-bit and 64-bit OSes are supported
  • At least .NET 4.0

Installation:

  1. Download both installer files (setup.exe and RansomwareDetectionServiceInstaller.msi) from http://ransomwaredetectionservice.codeplex.com into the same directory and run setup.exe as administrator.
  2. Run the installation setup.exe downloaded from step 1. (The username for the service will be requested before installing the Windows service; the username must be in “username@contoso.com” format. This username will need read/write permissions to the shares being monitored.)


Resources:

Transparency:

This software is open source and licensed under the BSD License.

License:

Copyright © 2016, Preston Cooper – HESD Ransomware Detection Service

http://www.questiondriven.com
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Edited by peej228, 15 March 2016 - 04:39 PM.
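The detection method the post describes (copy canary files from a SourcePath into each monitored share, then compare the copies back against the originals) as an added Python example; this is not code from Ransomware Detection Service, and the directory names, file names and the damage scenario are constructed here for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream-hash a file so large canaries never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def deploy_canaries(source: Path, shares: list[Path]) -> None:
    """Copy every file in SourcePath into each monitored share."""
    for share in shares:
        for src in (p for p in source.iterdir() if p.is_file()):
            (share / src.name).write_bytes(src.read_bytes())

def compare_canaries(source: Path, shares: list[Path]) -> dict[str, list[str]]:
    """Compare step: list share copies that are missing or no longer match SourcePath. A missing
    copy may be a user deletion (the post's false-positive caveat), so it is kept apart from modified."""
    baseline = {p.name: sha256_of(p) for p in source.iterdir() if p.is_file()}
    report: dict[str, list[str]] = {"missing": [], "modified": []}
    for share in shares:
        for name, digest in baseline.items():
            copy = share / name
            if not copy.is_file():
                report["missing"].append(str(copy))
            elif sha256_of(copy) != digest:
                report["modified"].append(str(copy))
    return report

def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: two canaries deployed to two shares, then ShareB is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, share_a, share_b = root / "SourcePath", root / "ShareA", root / "ShareB"
        for d in (source, share_a, share_b):
            d.mkdir()
        (source / "canary.docx").write_bytes(b"constructed canary document")
        (source / "canary.xlsx").write_bytes(b"constructed canary spreadsheet")
        deploy_canaries(source, [share_a, share_b])
        # Simulate the damage the post describes on ShareB only: one copy overwritten, one gone.
        (share_b / "canary.docx").write_bytes(b"\x8f\x12\x00unreadable")
        (share_b / "canary.xlsx").unlink()
        report = compare_canaries(source, [share_a, share_b])
        # Report paths relative to the temp root so the result is stable for the reader.
        return {k: [Path(v).relative_to(root).as_posix() for v in vals] for k, vals in report.items()}

print(run_demo())  # ShareA is clean; ShareB has one modified and one missing canary
```

In a real deployment the shares would be UNC paths and the compare would run on a schedule with an email on any non-empty report, which is what the Compare (Detect Ransomware) tab automates.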


#2 Grinler (Lawrence Abrams)

Posted 15 March 2016 - 03:32 PM

Preston, thanks for posting. This is definitely an interesting idea. Will test it out and get back to you.



