
Ransomware & FSRM



#1 paulc05


Posted 07 December 2016 - 09:22 AM

Hi,
 
I'm hoping someone can explain, at what point when a ransomware infection is encrypting a file does the original get destroyed?
 
I'm using Windows File Server Resource Manager (FSRM) as an early warning system to alert me (network admin) and the infected user that a machine on the network is infected. Currently I have FSRM running in passive mode so that an email is sent to me and the user saying that an attempt was made to create a file matching a known ransomware filename (e.g. filename.osiris) on the file server.
 
If I put FSRM into active mode and actually prevent the creation of the file in the first place will this not just prevent the encrypted file from being created but the original file is still deleted?
 
Any advice appreciated.
 
Paul
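
The setup described in the post above, as an added example that is not part of the original thread: a PowerShell function that creates the FSRM file group and file screen and switches the screen between passive and active mode. The share path D:\Shares\Staff, the group name and the function name are assumptions; the cmdlets come from the FileServerResourceManager module.

```powershell
# Added example. Hypothetical values: share path and file group name.
# Requires the File Server Resource Manager role and FSRM SMTP settings.
Import-Module FileServerResourceManager

function Set-RansomwareScreen {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string]   $GroupName = 'Ransomware filenames',   # hypothetical name
        [string[]] $Patterns  = @('*.osiris'),            # pattern from the post
        [switch]   $Active                                # omit for passive
    )

    # File group holding the filename patterns to screen for.
    if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
        Set-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns
    } else {
        New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns | Out-Null
    }

    # Email the FSRM administrator address and the user whose I/O matched.
    $mail = New-FsrmAction -Type Email `
        -MailTo '[Admin Email];[Source Io Owner Email]' `
        -Subject 'Possible ransomware activity on [Server]' `
        -Body ('[Source Io Owner] tried to save [Source File Path], ' +
               'which matches file group [Violated File Group].')

    # Passive: matching I/O succeeds and the notification fires.
    # Active:  matching I/O is failed and the notification fires.
    # Either way the screen matches on file name only; writes to files whose
    # names do not match the patterns are not screened.
    if (Get-FsrmFileScreen -Path $Path -ErrorAction SilentlyContinue) {
        Set-FsrmFileScreen -Path $Path -IncludeGroup $GroupName `
            -Notification $mail -Active:$Active
    } else {
        New-FsrmFileScreen -Path $Path -IncludeGroup $GroupName `
            -Notification $mail -Active:$Active | Out-Null
    }
    Get-FsrmFileScreen -Path $Path | Select-Object Path, Active, IncludeGroup
}

Set-RansomwareScreen -Path 'D:\Shares\Staff'              # passive (alerting only)
# Set-RansomwareScreen -Path 'D:\Shares\Staff' -Active    # active (blocking)
```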



#2 Demonslay335


Posted 07 December 2016 - 10:24 AM

I'm not very familiar with FSRM myself, but there is an active project for anti-ransomware purposes that is out there. You could reach out to them with any questions, they seem to reply quickly (I've reached out before to possibly allow them access to ID Ransomware's data).

 

https://fsrm.experiant.ca/


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.




