Decryptonite

Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.

Features

• Monitors entire hard disk for suspicious IO behaviour
• Whitelists known-good and system processes
• Calculates a process' complete threat level by combining child suspicion with parent
• Watches process' file system writes per second
• Kills suspicious processes immediately if it passes the threshold
• Low memory and CPU footprint

Installation

• Install requirements
  • Microsoft Visual Studio 2015
  • Windows Driver Kit 8.1
  • Windows Driver Kit 10
  • Windows SDK 10
  • Windows 7 x64 (The project has been fully tested on Win7. You're welcome to install it on other 64 bit Windows operating systems after Vista. It should work.)
  • To run the executable without Visual Studios install: Visual C++ Redistributable for Visual Studio 2015
• Clone the respository: git clone https://github.com/DecryptoniteTeam/Decryptonite
• Open the project (decryptonite.sln) in Visual Studios
• In Visual Studios its time to build the executable and driver:
  • Navigate to Build -> Configuration Manager
  • Change the platform from "Win32" to "x64" for both projects
  • Browse to Build -> Build Solution
  • When you get errors please open a ticket ... Compiling and building drivers is definitely not a straightforward process.
• Disable Windows Signed Driver Enforcement:
  • Windows 7/8/Vista
  • Windows 10
• Setting up Decryptonite:
  • Install the driver:
    • Browse to containing folder
    • Right-click "decryptonite.inf" and click "Install"
  • Load the driver:
    • Open PowerShell.exe with Administrative Privileges
    • Execute fltMc.exe load decryptonite
  • Finally... We can run the executable!

Usage

The first step is to open up an Administrative PowerShell and run Decryptonite. - .\decryptonite.exe

That's all the setup required! Decryptonite will automatically detect and attach to the "C:\" drive. If you decide to run either ransomware or executables with valid digital signatures, the output will resemble the following:

To configure the application's behaviour: hit enter to bring up the prompt > and type help

Commands

• /a [drive] attach Decryptonite to another drive e.g. "D:"
• /d [drive] stop Decryptonite from monitoring on a given drive
• /l - lists all drives that Decryptonite is attached to
• /f [file name] redirect all output to a given file
• /p Decryptonite will run, it will monitor, but it won't kill any processes
• /v makes Decryptonite more verbose
• /x makes Decryptonite much more verbose
• exit exits the application

Contribute

Spotted a bug? Want to add features? Increase the performance?

Open an issue or submit a pull request!

Authors

The Decryptonite team includes:

• Adam Greenhill
• Peter Chmura
• Christina Kang
• Desiree McCarthy

Credits

A big thanks to Troy D. Hanson for his development of the open source libraries UTHash and UTArray.

Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.

License

This project is released under The Microsoft Public License.