Posted 22 February 2017 - 03:20 AM
Posted 22 February 2017 - 09:58 AM
Some ransomware protection software deliberately creates hidden dummy folders containing randomly named .bmp, .png, .gif, .jpg, .pem, .xls, .mdb, .txt, .sql, .docx, .doc, .xlsx, .xls, .rtf, and .txt files in various locations (and partitions) on your computer as part of its functionality. These are actually trap (bait) folders and "canary" files...patterns of files and hidden virtual files that ransomware is attracted to. They are monitored for any changes and meant to be targeted for encryption by ransomware before actual data files. When the anti-ransomware program detects that any of these files has been modified, it will display an alert that an attack is occurring and ask if you wish to terminate the process that is trying to access them. This feature is sometimes referred to as "Honeypot Detection" or "Entrapment Protection" but is commonly misidentified by users or incorrectly reported as being related to malware.
Cybereason RansomFree, Cybersight RansomStopper, CryptoPrevent Premium (FolderWatch HoneyPot) and CryptoMonitor by Nathan (DecrypterFixer) (no longer supported) are security programs which include this feature.
This is Nathan Scott's explanation of Entrapment Protection from his now closed EasySync web site in this topic.
Entrapment Protection lays numerous different types of traps all around your system that a Ransomware Infection cannot resist to touch. These traps send encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a Ransomware Infection falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action. Once this happens, the machine is locked down and you are alerted about the infection and prompted for your decision on what actions to take. During this time, no file modifications are allowed, so your files are safe while you think about your course of action. With this protection enabled you may notice a few hidden files, registry keys, folders, and services running, but don't worry, they are there to protect you!
Common dummy folder locations with random names typically include My Documents, Desktop and common folder variables such as %User Profile%, %AppData%, %LocalAppData%, %ProgramData%, %Temp%.
RansomFree also deploys a “Disconnected Network Drive (A)” which is related to additional protection and detection of ransomware. The developers do not recommend you tamper with the drive.
If you attempt to remove these files and folders, RansomFree will re-create them. In fact, any attempt taken to delete (modify) the files or folders most likely will be interpreted as possible ransomware activity and trigger a warning alert or initiate some action by RansomFree.
The use of trap (bait, canary) files and folders is not a 100% solution...some data files probably will end up being encrypted by ransomware but whatever helps with prevention, I consider useful.
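The bait-file mechanism described in the post above, as an added example that is not part of the original thread and is not code from RansomFree, CryptoMonitor or any other product named here. It assumes a polling check against SHA-256 baselines rather than the real-time monitoring those products use; all function names are hypothetical.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Subset of the file types the post lists as typical bait.
BAIT_EXTENSIONS = (".docx", ".xlsx", ".jpg", ".sql", ".txt")

def digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def deploy_canaries(root: Path, count: int = 5) -> dict:
    """Create one randomly named bait folder under root and fill it with
    randomly named files. Returns the baseline {file path: sha256}."""
    # Assumption: a dot prefix stands in for the Windows "hidden" attribute.
    folder = root / ("." + secrets.token_hex(4))
    folder.mkdir(parents=True)
    baseline = {}
    for i in range(count):
        bait = folder / (secrets.token_hex(6) + BAIT_EXTENSIONS[i % len(BAIT_EXTENSIONS)])
        bait.write_bytes(secrets.token_bytes(2048))  # constructed filler content
        baseline[str(bait)] = digest(bait)
    return baseline

def check_canaries(baseline: dict) -> list:
    """Compare the bait folder with its baseline and return sorted
    (path, event) pairs; an empty list means nothing touched the bait."""
    alerts = []
    for name, expected in baseline.items():
        path = Path(name)
        if not path.exists():
            alerts.append((name, "missing"))       # deleted, or renamed with a new extension
        elif digest(path) != expected:
            alerts.append((name, "modified"))      # content rewritten in place
    folder = Path(next(iter(baseline))).parent
    for entry in folder.iterdir():
        if str(entry) not in baseline:
            alerts.append((str(entry), "unexpected"))  # renamed copy or dropped note
    return sorted(alerts)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        baseline = deploy_canaries(Path(tmp))
        victim = sorted(baseline)[0]
        Path(victim).write_bytes(b"constructed overwrite")  # simulated tampering
        for path, event in check_canaries(baseline):
            print(event, path)
```

A check like this only reports after the fact; the products discussed in the thread also block or terminate the offending process, which this example does not attempt.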
Posted 22 February 2017 - 08:50 PM
A few days ago I installed RansomFree. Thank you, quietman7.
Posted 22 February 2017 - 08:52 PM