How to Monitor File Access to Detect Any Ransomware – “Look Ma, No Signatures!”

Webinar Registration

Signature-based detection of malware is a reactive game of constant catch-up. And detecting malware in general via behavior is challenging, although I'm happy to say that such technology is available and advancing very quickly.

But it's a different story with ransomware. Ransomware has a clearly defined goal which creates a very coherent signal if you are looking for it. For the bad guy to gain leverage on you and make you pay, he must deny you access to your files by encrypting them. Encryption is I/O intensive and requires

  1. Reading the entire file
  2. Overwriting that entire file, or
  3. Writing out a new encrypted file and deleting the original file

Rinse and repeat. There are variations on the theme, but the point for now is that you can't hide this activity. You've got to perform that file access on enough files to gain the leverage.

I've been thinking about ways to detect this. Obviously the best way is with an anti-malware agent running on the endpoint watching file activity in real-time. Many of us are security log geeks though and we might be tempted to detect this with file auditing.

I'm going to show you both. I wrote a ransomware simulator in C# and had spectacular results. First I'll show you what kind of events you get with the Windows security log and file system auditing. That detection isn't foolproof and involves generating, forwarding and analyzing a massive number of events.
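To make the file-access pattern above concrete, here is an added Python example (mine, not the author's simulator or anything from the webinar) that applies the heuristic to a few constructed audit records shaped like the fields of Windows Security event 4663: a process that reads-and-overwrites, or deletes, several files within a short window is flagged, while a user saving one document or a backup job that only reads is not. The record layout, process names, file paths and threshold are all assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real log data). Fields are modelled on what
# Windows Security event 4663 reports per access: process name, object name,
# access type; "ts" is seconds, simplified from the event timestamp.
SAMPLE_EVENTS = [
    # locker.exe, variant 2 of the pattern: read each file, overwrite it in place
    {"ts": 100, "process": "locker.exe", "path": r"D:\docs\a.docx", "access": "ReadData"},
    {"ts": 100, "process": "locker.exe", "path": r"D:\docs\a.docx", "access": "WriteData"},
    {"ts": 101, "process": "locker.exe", "path": r"D:\docs\b.xlsx", "access": "ReadData"},
    {"ts": 101, "process": "locker.exe", "path": r"D:\docs\b.xlsx", "access": "WriteData"},
    # locker.exe, variant 3: read original, write new encrypted copy, delete original
    {"ts": 102, "process": "locker.exe", "path": r"D:\docs\c.pdf", "access": "ReadData"},
    {"ts": 102, "process": "locker.exe", "path": r"D:\docs\c.pdf.locked", "access": "WriteData"},
    {"ts": 102, "process": "locker.exe", "path": r"D:\docs\c.pdf", "access": "DELETE"},
    # winword.exe: a user saving one document produces the same read+write pair, once
    {"ts": 105, "process": "winword.exe", "path": r"D:\docs\d.docx", "access": "ReadData"},
    {"ts": 130, "process": "winword.exe", "path": r"D:\docs\d.docx", "access": "WriteData"},
    # backup.exe: reads many files but never overwrites or deletes them
    {"ts": 110, "process": "backup.exe", "path": r"D:\docs\a.docx", "access": "ReadData"},
    {"ts": 110, "process": "backup.exe", "path": r"D:\docs\b.xlsx", "access": "ReadData"},
    {"ts": 111, "process": "backup.exe", "path": r"D:\docs\e.txt", "access": "ReadData"},
]


def encrypted_like_files(events):
    """Map each process to the set of files it read-and-overwrote or deleted."""
    seen = defaultdict(lambda: defaultdict(set))  # process -> path -> access types
    for e in events:
        seen[e["process"]][e["path"]].add(e["access"])
    return {proc: {path for path, kinds in files.items()
                   if {"ReadData", "WriteData"} <= kinds or "DELETE" in kinds}
            for proc, files in seen.items()}


def flag_ransomware(events, threshold=3, window=60):
    """Processes whose encrypted-like file count reaches threshold within window seconds."""
    times = defaultdict(list)
    for e in events:
        times[e["process"]].append(e["ts"])
    return sorted(proc for proc, files in encrypted_like_files(events).items()
                  if len(files) >= threshold
                  and max(times[proc]) - min(times[proc]) <= window)


if __name__ == "__main__":
    print(flag_ransomware(SAMPLE_EVENTS))  # ['locker.exe']
```

On a real system the threshold and window need tuning against normal activity, and the volume of 4663 events this approach depends on is exactly the collection cost the paragraph above warns about.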

But I was also talking about this idea with Karl Ackerman at Sophos and he said, “Yeah we monitor for that, why don't you try your simulator against it, I'd love to know if we catch it.” So I did and the results were so cool. My pseudo-ransomware program processed 3 files and blew up on the 4th by throwing a weird exception. I'd actually just made a modification to the program and since I don't code that much anymore I was thinking, “Great, now I have to debug!”. But in the next second I got an email from Sophos saying ransomware had been detected on my system.

In this webinar I'm going to show all of this to you including:

  • My Ransomware simulator (maybe I'll post this on git)
  • How I configured file system auditing
  • The file access events you have to collect and how to analyze them
  • Demonstrating the Sophos protection agent catching and killing my simulator, preventing it from running again and even rolling back the affected files to their pre-encrypted state

We're bending the needle on the cool gauge with this real training for free ™ webinar. Please register now.
