Detection of Ransomware?



  • So I was wondering, have you guys thought of any interesting ways to detect ransomware? I was thinking of looking for APIs such as CryptEncrypt and FindFirstFile as a possible way. What ideas have you guys come up with or have seen?



  • Yes, you can do this in a number of ways…

    You can try to hook calls like you said, but the problem is for legitimate programs which use those API calls…

    A better way may be to have a file monitoring service which checks for the encryption of multiple files in a directory coupled with a file backup service which immediately restores backups.

    This can be accomplished with a client program which is loaded in memory at system start and a driver which handles the kernel code to have some extra power.



  • @moveax41h @xor_dhillon Most EDR tools I use and write rules for have components that identify the DLLs used, cross-process execution and other identifying marks. Most, if not all, ransomware variants use different calls, so looking for API calls would most likely only work on that variant.



  • Hi,

    What kind of detection are you talking about? Static (file scan) or dynamic (like a behaviour blocker or in-memory scanning)? Hunting (which allows a high FP rate) or safe classification (no FPs)?
    Are you only interested in encrypting ransomware or also system lockers?

    Typical ransomware APIs are:
    FindFirstFile, FindNextFile, GetFiles, GetDirectories, GetDriveType, GetLogicalDrives, GetDrives, DriveInfo, SetErrorMode, WNetOpenEnum, WNetEnumResource, NetShareEnum

    Checking only APIs will always have a considerable FP rate though. There are lots of programs that need those and behave similarly, like backup software.
    Better signs are any calls that delete shadow volume copies or disable Windows error recovery.
    Examples:
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    bcdedit.exe /set {default} recoveryenabled No
    vssadmin.exe Delete Shadows /All /Quiet
    wmic.exe shadowcopy delete
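As an added example (not code from anyone in this thread), here is a small Python detector for the recovery-inhibition commands listed in the post above, run over a few constructed Sysmon-style process-creation records. The `Image=...|CommandLine=...` record format and the sample paths are assumptions; the matching is done on a lowercased, whitespace-collapsed command line so casing, full paths and extra spaces do not change the result.

```python
import re

# Regexes for the shadow-copy deletion and recovery-disabling commands from the thread.
# They are applied to a normalised (lowercased, single-spaced) command line.
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
}

# Constructed sample records (assumed format: pipe-separated key=value fields).
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic.exe   shadowcopy delete",
    "Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=BCDEDIT.EXE /set {default} recoveryenabled No",
    "Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe List Shadows",  # benign: listing only
    "Image=C:\\Program Files\\Backup\\backup.exe|CommandLine=backup.exe --snapshot D:\\data",  # benign backup job
]


def normalise(cmdline: str) -> str:
    """Lowercase and collapse whitespace so matching is robust to formatting differences."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def classify_command(cmdline: str) -> list:
    """Return the names of every recovery-inhibition pattern the command line matches."""
    norm = normalise(cmdline)
    return [name for name, rx in RECOVERY_INHIBIT_PATTERNS.items() if rx.search(norm)]


def scan_log(lines) -> list:
    """Parse each record and return (image, command_line, matched_patterns) for suspicious ones."""
    hits = []
    for line in lines:
        fields = dict(field.split("=", 1) for field in line.split("|") if "=" in field)
        cmd = fields.get("CommandLine", "")
        matched = classify_command(cmd)
        if matched:
            hits.append((fields.get("Image", ""), cmd, matched))
    return hits


if __name__ == "__main__":
    for image, cmd, matched in scan_log(SAMPLE_LOG):
        print(f"ALERT {matched}: {image} -> {cmd}")
```

Feeding real process-creation events into `scan_log` (one record per line, after mapping them to the assumed field format) gives a low-FP signal that complements the API-based heuristics discussed earlier in the thread.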

