Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jlchntoz/ransomhoneypot
Experimental program for detecting if any ransomware is attacking your files
- Host: GitHub
- URL: https://github.com/jlchntoz/ransomhoneypot
- Owner: JLChnToZ
- License: mit
- Created: 2017-05-13T09:35:40.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2017-05-13T09:47:43.000Z (over 7 years ago)
- Last Synced: 2024-10-10T21:16:54.515Z (2 months ago)
- Topics: c-sharp, ransomware, ransomware-detection, ransomware-prevention
- Language: C#
- Size: 7.81 KB
- Stars: 7
- Watchers: 4
- Forks: 4
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-honeypot - **2** stars
README
RansomHoneyPot
==============
This is an experimental and incomplete program for detecting whether ransomware is attacking your files. It is currently in alpha stage.

What is Ransomware?
-------------------
[Ransomware](https://en.wikipedia.org/wiki/Ransomware) is a malicious program that tries to encrypt all your files in the background and then asks you for money in order to decrypt them.

So, how does the honey pot work? Or how *should* it work?
------------------------------------------------------
1. This program starts tracking "honey pot" files, which are named with file extensions and placed at paths that ransomware is likely to encrypt.
2. Once such a file is opened by another program (i.e. a file lock is created), this program immediately kills that process, since it should be considered ransomware.

You may give it a try, but currently there is no guarantee that it can be 100% accurate.
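The program above only notices a process while it still holds the decoy open, so a file that is opened and closed between two detection cycles goes unseen. As an added example (not code from this repository, and in Python rather than the project's C#), the sketch below keeps a size and SHA-256 baseline of each decoy and compares it on every cycle, which catches a change after the handle is gone. It swaps in content comparison for the project's lock detection and does not identify or kill any process; the decoy file names are hypothetical.

```python
import hashlib
import os
import tempfile


def snapshot(path):
    """Return (size, sha256) of a decoy file, or None if it no longer exists."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return None
    return len(data), hashlib.sha256(data).hexdigest()


class DecoyWatcher:
    def __init__(self, paths):
        # Baseline taken once, while the decoys are known to be untouched.
        self.baseline = {p: snapshot(p) for p in paths}

    def check(self):
        """Run one detection cycle; return {file name: reason} for changed decoys."""
        alerts = {}
        for path, base in self.baseline.items():
            current = snapshot(path)
            if current is None:
                alerts[os.path.basename(path)] = "deleted or renamed"
            elif current != base:
                alerts[os.path.basename(path)] = "content modified"
        return alerts


def demo():
    """Constructed scenario: both decoys change and are closed between two cycles."""
    with tempfile.TemporaryDirectory() as d:
        doc = os.path.join(d, "invoice.docx")   # hypothetical decoy names
        pic = os.path.join(d, "photo.jpg")
        for p in (doc, pic):
            with open(p, "wb") as f:
                f.write(b"constructed decoy content\n" * 4)
        watcher = DecoyWatcher([doc, pic])
        first = watcher.check()                  # nothing touched yet
        with open(doc, "wb") as f:               # write finishes, handle closes
            f.write(b"\x00" * 64)
        os.rename(pic, pic + ".renamed")
        return first, watcher.check()


if __name__ == "__main__":
    print(demo())
```
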
Notes
-----
Currently, detection is not fast enough and may miss some fast file I/O events between detection cycles. Large files may have longer lock times, as they need more time to encrypt. Also, someone told me that ransomware is likely to choose large files to encrypt first, therefore large "honey pot" files may be more accurate :)

Reference
---------
- https://blogs.msdn.microsoft.com/oldnewthing/20120217-00/?p=8283
- https://stackoverflow.com/questions/317071/how-do-i-find-out-which-process-is-locking-a-file-using-net

Contributing
------------
Yes, go on, fork it and modify it!

License
-------
[MIT](LICENSE)