Try as they might, ransomware crooks can't hide their tells when playing hands

Common behaviors shared across all families of ransomware are helping security vendors better spot and isolate attacks. This according to a report from British security shop Sophos, whose breakdown (PDF) of 11 different malware infections, including WannaCry, Ryuk, and GandCrab, found that because ransomware attacks all have …

  1. osakajin

    All your files are belong to us

  2. KittenHuffer Silver badge

    What I want is a file system that keeps incremental copies of files, and flashes up a warning when it suddenly goes from 0.01% of files updated per day to 10% of files updated. As long as I have enough spare storage to handle the encrypted versions of the files until the alarm gets raised I should be able to wind the clock back to before the encryption phase of the infection started. And since the cost of storage is dropping faster than the size of the files I really want to keep is increasing I reckon it should be possible.

    I'm sure this is where some other commentard is gonna tell me of just such a file system!
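As an added illustration of the alarm this comment describes (not code from the article or from any commenter): the share's write journal is simulated with constructed events, a baseline daily modification ratio is learned from the first few days, and the first day that jumps far above it is flagged along with the last quiet day to roll back to. The journal source, share size and thresholds are assumptions.

```python
"""Spike detector for 'fraction of files modified per day' (added example)."""
from collections import defaultdict

TOTAL_FILES = 10_000   # constructed size of a hypothetical file share
WARMUP_DAYS = 3        # days used to learn the "normal" daily ratio
ALERT_FACTOR = 50      # alarm when a day reaches 50x the learned ratio...
ALERT_FLOOR = 0.01     # ...but never for less than 1% of files in one day

# Constructed write journal: (day, path). Days 1-3 are quiet, day 4 is a burst
# of 1,000 rewrites, i.e. 10% of the share, the pattern the comment describes.
SAMPLE_EVENTS = (
    [(1, "finance/q1.xlsx"), (1, "finance/q1.xlsx")]   # same file twice
    + [(2, "hr/policy.docx")]
    + [(3, "eng/design.odt"), (3, "eng/notes.txt")]
    + [(4, f"shared/file{i}.docx") for i in range(1_000)]
)


def daily_ratio(events, total_files):
    """Fraction of distinct files touched per day (rewrites of one file count once)."""
    touched = defaultdict(set)
    for day, path in events:
        touched[day].add(path)
    return {day: len(paths) / total_files for day, paths in sorted(touched.items())}


def detect_burst(ratios, warmup_days=WARMUP_DAYS, factor=ALERT_FACTOR, floor=ALERT_FLOOR):
    """Learn a baseline from the first `warmup_days`, then flag the first day above it.

    Returns (baseline, alert_day, rollback_day); rollback_day is the last quiet day,
    i.e. the snapshot to restore from if the burst turns out to be encryption.
    """
    days = sorted(ratios)
    warm = days[:warmup_days]
    if not warm:
        raise ValueError("no data to learn a baseline from")
    baseline = sum(ratios[d] for d in warm) / len(warm)
    threshold = max(floor, baseline * factor)
    prev = warm[-1]
    for day in days[warmup_days:]:
        if ratios[day] >= threshold:
            return baseline, day, prev
        prev = day
    return baseline, None, None


if __name__ == "__main__":
    ratios = daily_ratio(SAMPLE_EVENTS, TOTAL_FILES)
    print(detect_burst(ratios))   # baseline ~0.00013, alert on day 4, roll back to day 3
```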

    1. rmason Silver badge


      Not a file system, but I can make suggestions.

      Most of the new AV offerings from various vendors do pretty much this.

      Things like sophos interceptX sit on your servers and learn what "normal" usage is. A baseline. Then once all trained and enabled it would do just as you describe. If a server is suddenly getting an unusual amount of file edits/writes then bam, it kills the services and stops the process. Loads of other vendors do it, but we have sophos so that's the one I have experience of.

      If your file shares are on Windows boxes, then look into FRSM: you can configure it to help with ransomware-type scenarios too.

      1. Kientha

        100% this. If you haven't looked at the changes to Endpoint Protection over the past couple years, it's something I'd seriously recommend. The market has shifted (and is still shifting) quite significantly with the big players changing around and Microsoft ATP really shaking things up. Then you have newer players like Elastic (Previously Endgame) offering very different solutions both in pricing and offering that didn't even exist a couple years ago but have a real chance of knocking the long time players off the top spots in the market!

    2. Doctor Syntax Silver badge

      "I'm sure this is where some other commentard is gonna tell me of just such a file system!"

      Not such a file system but certainly such a system. Open/NextCloud keeps versioned files (it's the V in WebDAV) and there are a couple of server side apps that claim to detect such behaviour.

      But that's a client-server system. Maybe what we need is a new architecture that fits that into one box. Your user-facing WP, spreadsheet or whatever doesn't directly read and write files but asks for such services from the server. Maybe two VMs would be enough to run client and server or, for the truly paranoid sensibly security minded, two separate processors. For added security the formats of the updated files could be checked before being saved.

    3. Robert Helpmann?? Silver badge

      "What I want is a file system that keeps incremental copies of files, and flashes up a warning when it suddenly goes from 0.01% of files updated per day to 10% of files updated."

      What you are looking for is a HIDS or HIPS application (or NIDS or NIPS if you are concerned with multiple systems). There are plenty of vendors that will be happy to take your money and even some free tools that will cover your stated goal.

    4. Paul Crawford Silver badge

      "commentard is gonna tell me of just such a file system!"

      Yes there is, any of the so-called "copy on write" file systems can do this - you can have snapshots at regular intervals with very little cost as the file system only fills up with changes and the cost of each snapshot is simply another FAT-equivalent block. So if someone tried to encrypt all your files you would see a massive decrease in the free space as the changed files have to be written to another location. Once you have stopped the crypto rampage you can go back in time to any of the snapshots and get the good files again.

      The big problem with this is if the malware has admin privileges and can disable/delete snapshots, but if your files are on a NAS that the victim computer can't get such rights then you are OK. Take a look at FreeNAS which uses ZFS as the file system - it can have periodic snapshots enabled for just this sort of thing. And for any other fat-fingered mistake.

      Other file systems I know of are not as readily available, such as IBM's GPFS or the NetApp system, and Linux's Btrfs is still a bit too new for my liking. I'm sure there are others as well...

      1. J. Cook Silver badge

        Yep. One of NetApp's redeeming features is that the snapshot system built into the WAFL filesystem* is read only by default and design: you have to tell the filer to clone the snapshot (aka snapclone) in order to generate a writable copy.

        That saved our bacon at least once. Microsoft's shadow copy (vss) is good, but the problem is that it's a windows box- if it's compromised, it's game over.

        * explains why Netapp's documentation used to refer to the filer as 'toaster'. And now I have a hankering for waffles....

      2. Anonymous Coward

        LVM backing any FS if ZFS is too heavy is another option.

  3. EnviableOne Silver badge

    Intercept X FTW!

    still not been beaten ...

    1. Anonymous Coward

      Re: Intercept X FTW!

      except for its name, which I think is silly.
