Press "Enter" to skip to content

Automatically detecting Ransomware infections for free

Joshua Stenhouse 2

What if I told you there is a completely free way to automatically detect any ransomware infection in your environment, for free, and it takes 5 minutes to configure?

BS? Trying to sell me something? Neither! It’s true, using a simple word document and PowerShell I’ll give you a free script that cannot miss a ransomware infection.

If you’d like to hit the ground running, then start by downloading it from here:

Instructions:

  1. Unzip the file, edit the .ps1 script
  2. Complete steps 1-6 in the section “# Configure the variables below”
  3. Copy the supplied word doc (the honeypot) into the $HoneypotDir and $HoneypotWitnessDir, feel free to use your own just ensure to use the same file in both locations for comparison
  4. Map the share specified for $HoneypotDir to every client/server in your environment
  5. Train your users to not edit the word document in the share
  6.  You now have near instant ransomware detection!

So how does it work? Simple! All ransomware shares 1 commonality and that is that it must alter your files, typically common file formats, to then demand a ransom.

To detect the infection we create a honeypot file, a perfectly vulnerable word document that anyone can edit on a share/map network drive, then use a PowerShell script on a schedule to verify it hasn’t been changed and send an email alert when it has.

Ransomware detection used to be quite simple in that you could easily see an infection as it changed the file extension and attributes. But newer in-memory variants like Thanos can now encrypt the data without changing either! Tricky for some paid products, but not for this script because it performs 2 different tests to detect the infection.

The first test is a Test-Path to verify the file exists in the honeypot directory. File renamed, file extension changed? This immediately detects the malicious activity and sends you an email alert.

If the filename/extension hasn’t been changed then the second test runs. This uses a combination of Get-Content and Compare-Object to do a byte for byte comparison of a gold image of the word doc and your honeypot. If your word doc has been infected it now cannot miss, because you have to change the data within the word doc to encrypt it! Upon detecting any change it will also send an email alert.

If you’ve come this far then scroll back up, get downloading and implement it in your environment today. If you found this useful all I ask in return is a follow on twitter using the signature below! Happy scripting,

  1. Interesting idea. One suggestion would be to avoid having to store a witness file and instead calculate a file hash instead (e.g. Get-FileHash) and then check the hash value is unchanged instead of having to compare two files. This would also be robust against the case of both files being encrypted in-place with the same key and still matching content wise even if encrypted.

    • Joshua Stenhouse Joshua Stenhouse

      I haven’t played around with the cmdlet, but I’ll take a look, thanks for the suggestion. Get-content on a word file is pretty much a hash of the file anyway, but even then I’d be surprised if both files came out identically from a ransomware encryption event. To be double sure I’d recommend locking down the witness file so that no user has write/edit access, so it itself cannot be encrypted.

Leave a Reply to Joshua Stenhouse Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: