Open unixist opened 8 years ago
Another potential search criterion is entropy. Look for randomness within the memory regions and open files, then save off interesting memory pages for later analysis.
While it may be a better option, it may be processor intensive; however, we would only do this after we detect and disrupt the ransomware.
After stopping the process (or on Windows, before killing it), iterate over the process' memory maps and open files to detect known signatures of key material, e.g. "-----BEGIN RSA PRIVATE KEY-----".
Agreed. Will need a few samples of various types to test, as some may behave differently... I'll start with Jigsaw to be consistent with the test cases.
Good idea. And some malware will use symmetric keys, which will be much harder to detect, being smaller and non-ASCII.
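The two detection ideas in this thread (known PEM signatures such as `-----BEGIN RSA PRIVATE KEY-----`, and per-page Shannon entropy to catch non-ASCII symmetric key material or ciphertext buffers) can be combined into one post-stop memory sweep. The following is an added example written for this discussion, not code from the project or from any of the commenters. Function names (`scan_region`, `find_pem_markers`, `high_entropy_pages`, `scan_linux_process`), the 4 KiB page granularity and the 7.5 bits/byte threshold are my assumptions; the sample memory region is constructed inline so the scanner runs offline. The `/proc/<pid>/maps` + `/proc/<pid>/mem` reader covers the Linux case only and needs ptrace-level privilege on a process that has already been stopped; a Windows port would read the suspended process with `ReadProcessMemory` instead.

```python
import math
import random
from typing import Dict, List, Tuple

PAGE_SIZE = 4096          # assumed scan granularity; one page saved per hit
ENTROPY_THRESHOLD = 7.5   # assumed; random keys/ciphertext approach 8.0, text sits near 4-5

# Known PEM signatures of private key material (the marker quoted in the thread plus common siblings).
PEM_MARKERS = [
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a zeroed page, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_pem_markers(buf: bytes, base: int = 0) -> List[Tuple[int, bytes]]:
    """Return (absolute_address, marker) for every PEM signature found in the buffer."""
    hits = []
    for marker in PEM_MARKERS:
        start = 0
        while (i := buf.find(marker, start)) >= 0:
            hits.append((base + i, marker))
            start = i + 1
    return sorted(hits)


def high_entropy_pages(buf: bytes, base: int = 0,
                       threshold: float = ENTROPY_THRESHOLD,
                       page_size: int = PAGE_SIZE) -> List[Tuple[int, float]]:
    """Return (absolute_address, entropy) for each page whose entropy meets the threshold.

    This is the expensive pass the thread talks about, so it is meant to run only after the
    process has been stopped; the flagged pages are what you would dump for later analysis.
    """
    flagged = []
    for off in range(0, len(buf), page_size):
        page = buf[off:off + page_size]
        if len(page) < 64:          # ignore tiny tail fragments
            continue
        h = shannon_entropy(page)
        if h >= threshold:
            flagged.append((base + off, round(h, 3)))
    return flagged


def scan_region(buf: bytes, base: int = 0) -> Dict[str, list]:
    """Run both detectors over one readable mapping."""
    return {"pem": find_pem_markers(buf, base), "high_entropy": high_entropy_pages(buf, base)}


def scan_linux_process(pid: int) -> Dict[str, list]:
    """Iterate the stopped process's readable mappings via /proc and scan each one (Linux only)."""
    results: Dict[str, list] = {"pem": [], "high_entropy": []}
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            addr, perms, *_ = line.split()
            if "r" not in perms:
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            try:
                mem.seek(start)
                buf = mem.read(end - start)
            except (OSError, ValueError, OverflowError):
                continue            # e.g. [vsyscall] or other unreadable ranges
            part = scan_region(buf, start)
            results["pem"] += part["pem"]
            results["high_entropy"] += part["high_entropy"]
    return results


def build_sample_region() -> bytes:
    """Constructed three-page region: config text + a PEM blob, a zeroed page, a pseudo-random page."""
    text = b"config=1\nfile list follows\n" * 20                         # 540 bytes of low-entropy text
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n"
           b"-----END RSA PRIVATE KEY-----\n")
    page0 = (text + pem).ljust(PAGE_SIZE, b"\x00")
    page1 = b"\x00" * PAGE_SIZE
    page2 = random.Random(42).randbytes(PAGE_SIZE)                        # stands in for a symmetric key/ciphertext buffer
    return page0 + page1 + page2


if __name__ == "__main__":
    report = scan_region(build_sample_region(), base=0x7F0000000000)
    for addr, marker in report["pem"]:
        print(f"PEM signature {marker!r} at {addr:#x}")
    for addr, h in report["high_entropy"]:
        print(f"high-entropy page at {addr:#x} ({h} bits/byte)")
```

Running the module on the constructed region reports the RSA marker at offset 540 of the first page and flags only the third page as high entropy; the zeroed page and the text page stay below the threshold, which is the behaviour you want before dumping pages to disk.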