brad-sp / community-modified

Modified edition of cuckoo community modules

Create signature ransomware_fileextensions.py #101

Closed kevross33 closed 9 years ago

kevross33 commented 9 years ago

Create a signature to detect multiple files being appended with file extensions connected to known ransomware. This is mostly just Tesla/AlphaCrypt for now.

There may be a better signature than this, though I am not sure how to go about creating it. Basically, if you look over the API calls of ransomware like TeslaCrypt encrypting files, it will generally query (i.e. NtQueryInformationFile), read (i.e. NtReadFile), set the file information (NtSetInformationFile), modify/encrypt the file (NtWriteFile) and then move the original file into the new file with an appended extension (i.e. abc, ezz, exx, ecc) with MoveFileWithProgressW. It will repeat this kind of cycle over multiple files as it encrypts them.

So, as I said, while I am not sure how to go about creating an accurate sig based on this observation, it would be better because the general process can be seen across multiple ransomware families (that actually encrypt/modify files) and it would be more resistant to evasion (i.e. just creating a sample with extensions not in the list, although they will be easy to add for now).

brad-sp commented 9 years ago

Should probably use check_write_file()
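The two detection ideas raised in this thread, the extension-list check proposed in the issue and the behavioural write-then-rename cycle kevross33 describes, worked through as an added stand-alone example. This is not code from the PR or from the Cuckoo project: a real signature would subclass Cuckoo's `Signature` and use helpers such as the `check_write_file()` brad-sp mentions, whereas this script runs the same logic over a constructed list of Cuckoo-style API call records. The argument names `ExistingFileName`, `NewFileName` and `FileName`, the extension list and the `MIN_FILES` threshold are all assumptions for illustration.

```python
import ntpath

# Extensions named in the issue (TeslaCrypt/AlphaCrypt). Assumption: illustrative
# list only; extend it as new families turn up.
RANSOM_EXTENSIONS = {"abc", "ezz", "exx", "ecc"}

# One renamed file is normal; a run of them across several paths is the pattern.
# Assumption: threshold chosen for the example.
MIN_FILES = 3

# Assumed argument names for the MoveFileWithProgressW and NtWriteFile hooks;
# match these to what your monitor actually logs.
ARG_OLD, ARG_NEW, ARG_FILE = "ExistingFileName", "NewFileName", "FileName"


def _cycle(path, new_path):
    """Constructed call records for one file, in the order described in the issue:
    query, read, set info, write (encrypt), then rename with an appended extension."""
    name = lambda p: [{"name": ARG_FILE, "value": p}]
    return [
        {"api": "NtQueryInformationFile", "arguments": name(path)},
        {"api": "NtReadFile", "arguments": name(path)},
        {"api": "NtSetInformationFile", "arguments": name(path)},
        {"api": "NtWriteFile", "arguments": name(path)},
        {"api": "MoveFileWithProgressW", "arguments": [
            {"name": ARG_OLD, "value": path}, {"name": ARG_NEW, "value": new_path}]},
    ]


DOCS = r"C:\Users\victim\Documents"
# Constructed sample: three TeslaCrypt-style cycles, one evasion attempt using an
# extension that is not on the list, and one benign rename of a download.
SAMPLE_CALLS = (
    _cycle(DOCS + r"\report.docx", DOCS + r"\report.docx.ecc")
    + _cycle(DOCS + r"\photo.jpg", DOCS + r"\photo.jpg.ecc")
    + _cycle(DOCS + r"\budget.xlsx", DOCS + r"\budget.xlsx.ecc")
    + _cycle(DOCS + r"\notes.txt", DOCS + r"\notes.txt.zzz")
    + [{"api": "MoveFileWithProgressW", "arguments": [
        {"name": ARG_OLD, "value": r"C:\Users\victim\Downloads\setup.part"},
        {"name": ARG_NEW, "value": r"C:\Users\victim\Downloads\setup.exe"}]}]
)


def _args(call):
    """Flatten Cuckoo's list of {"name": ..., "value": ...} arguments into a dict."""
    return {a["name"]: a["value"] for a in call.get("arguments", [])}


def renames(calls):
    """Yield (old, new) path pairs for every MoveFileWithProgressW call."""
    for call in calls:
        if call.get("api") == "MoveFileWithProgressW":
            args = _args(call)
            if ARG_OLD in args and ARG_NEW in args:
                yield args[ARG_OLD], args[ARG_NEW]


def written_files(calls):
    """Set of paths that received an NtWriteFile before any rename is considered."""
    return {_args(c).get(ARG_FILE) for c in calls if c.get("api") == "NtWriteFile"}


def by_known_extension(calls):
    """Issue's proposal: destination of a rename ends in a known ransomware extension."""
    hits = set()
    for _old, new in renames(calls):
        ext = ntpath.splitext(new)[1].lstrip(".").lower()
        if ext in RANSOM_EXTENSIONS:
            hits.add(new)
    return sorted(hits)


def by_appended_extension(calls):
    """Behavioural variant: a file that was written is then renamed to
    <original full name>.<anything>. Catches extensions not yet on the list."""
    written = written_files(calls)
    hits = set()
    for old, new in renames(calls):
        if old in written and new.lower().startswith(old.lower() + "."):
            hits.add(new)
    return sorted(hits)


def run_signature(calls, min_files=MIN_FILES):
    """Combine both checks; fire once either sees min_files distinct targets."""
    known = by_known_extension(calls)
    appended = by_appended_extension(calls)
    return {
        "known_extension": known,
        "appended_extension": appended,
        "fires": len(known) >= min_files or len(appended) >= min_files,
    }


if __name__ == "__main__":
    for key, value in run_signature(SAMPLE_CALLS).items():
        print(key, value)
```

Note that the `.zzz` file is missed by the extension list but caught by the appended-extension check, which is the evasion case the issue worries about; the benign `setup.part` to `setup.exe` rename is ignored by both, since the new name is not the old name plus a suffix and the file was never written by the monitored process.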