Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Identifying and Disrupting Crypto-Ransomware (and Destructive Malware) using handle heurustics
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
handle_monitor Detects abnormal number of handle creations in an attempt to identify crypto ransomware encryption, or destructive malware in action Usage: handle_monitor.exe <optional arguments> Optional parameters: /cycles=X - Set number of cycles before a review [Default: 10] /threshold=X - Set suspicion threshold for number of new handles [Default: 10] /pause=X - Set pause in milliseconds between cycles [Default: 1000] /signed - Include signed executables in review process /suspend - Suspend processes identified as suspicious /verbose - Display verbose progress messages How it works: 1. Index all file handles from all running processes 2. Pauses for /pause=X amount of time 3. Checks again, adding new handles to the index, and keeping a tally 4. After /cycles=X iterations, perform an analysis 5. Analysis checks whether any processes have created /threshold=X or more new handles 6. If so, will either raise an alert, or /suspend the process (if required) By default, it only looks for unsigned executables (to reduce noise), but signed can be included with /signed SANS blog on subject: http://digital-forensics.sans.org/blog/2015/04/03/identifying-and-disrupting-crypto-ransomware-and-destructive-malware YouTube demo: https://www.youtube.com/watch?v=evYscmVq9P8 If you get an error about msvcr120.dll being missing, install the microsoft runtime libraries: http://www.microsoft.com/en-gb/download/details.aspx?id=40784 Follow me on Twitter: @CyberKramer