Virtually Sober

If there is free booze and Virtualization; I'm there!

Category Archives: Ransomware

Automatically detecting Ransomware infections with PowerShell

Back in July 2016, I posted a script which used PowerShell to send an email alert upon detecting a ransomware infection by continuously comparing a purposefully exposed Word doc against a known-good copy to catch changes, deletion, etc. The script also integrated into Zerto to insert a checkpoint, but what if you don’t have Zerto and you just want the email alerts? I’m presenting at Foxwoods Casino with a Rubrik partner this afternoon on ransomware (the irony of the venue and subject is not lost on me), so I wanted to post a non-vendor-integrated example as a free giveaway for everyone attending the presentation and reading the blog. This post gives you just that.


Catching Ransomware infections with a Honeypot script & integration into Zerto Virtual Replication

Through my work at Zerto I’ve delivered multiple presentations and webinars on ransomware and how Zerto enables you to recover VMs, files and folders from seconds before the data was encrypted, minimizing data loss and avoiding having to pay a ransom. One question I’ve often been asked is: how do I know at what point in time my files were encrypted? In one recent presentation a customer told me that their user didn’t tell IT until 3 days after the infection had occurred!

This got me thinking about how we could alert on this, which led me to evaluate the different ransomware honeypot example scripts available online. These scripts place a file on a user-mapped share where everyone has write permissions and validate it against a gold, or witness, copy; when the file no longer matches, the infection is caught and a set of actions is performed. In testing the multiple examples I struggled to find one that coped with the file itself being changed (i.e. the extension changing) and that ran consistently, and none of them recorded the alert in the Zerto journal, so I decided to write an example that did all of this and more.
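To make the honeypot logic described above concrete, here is an added PowerShell example of the witness-copy check and the email alert it triggers. It is not the author's script from either post and has no Zerto integration; the share path, witness path, SMTP settings and log path are hypothetical placeholders. It treats three outcomes as an infection indicator: the canary's SHA256 hash no longer matches the witness copy (contents encrypted in place), the canary is missing but a file with the same base name and a different extension exists (renamed or extension appended by the encryptor), or the canary is gone entirely (deleted). It also records the detection timestamp, which is the point in time you need when choosing a recovery checkpoint.

```powershell
# Added example, not the blog author's script. All paths and SMTP settings are hypothetical.
# Canary ("honeypot") file check: a document on a user-writable share is compared against a
# read-only witness copy kept where users cannot reach it. Deletion, content change, rename
# (extension change) or an unreadable/locked file are all reported as ransomware indicators.

$CanaryPath  = '\\fileserver\Shared\Accounts\Budget_Template.docx'   # hypothetical user-writable share
$WitnessPath = 'C:\RansomwareCanary\Budget_Template.docx'            # hypothetical admin-only gold copy
$LogPath     = 'C:\RansomwareCanary\alerts.log'                       # hypothetical local alert log
$Smtp        = @{ SmtpServer = 'smtp.example.com'; From = 'canary@example.com'; To = 'soc@example.com' }  # hypothetical

function Test-Canary {
    param([string]$Path, [string]$Witness)

    $result = [ordered]@{ Time = Get-Date; Status = 'OK'; Detail = '' }

    if (-not (Test-Path -LiteralPath $Witness)) {
        $result.Status = 'ERROR'; $result.Detail = "Witness copy missing: $Witness"
        return [pscustomobject]$result
    }

    if (-not (Test-Path -LiteralPath $Path)) {
        # Canary gone from its original name: either deleted, or renamed by the encryptor.
        # "$base.*" matches both a replaced extension (Budget_Template.locked) and an
        # appended one (Budget_Template.docx.locked).
        $dir  = Split-Path -Parent $Path
        $base = [IO.Path]::GetFileNameWithoutExtension($Path)
        $renamed = Get-ChildItem -LiteralPath $dir -File -Filter "$base.*" -ErrorAction SilentlyContinue
        if ($renamed) {
            $result.Status = 'RENAMED'; $result.Detail = ($renamed.Name -join ', ')
        } else {
            $result.Status = 'DELETED'; $result.Detail = $Path
        }
        return [pscustomobject]$result
    }

    try {
        # Hash comparison rather than timestamp comparison: encryptors may preserve mtime,
        # and a user merely opening the doc must not trigger an alert.
        $live = (Get-FileHash -LiteralPath $Path    -Algorithm SHA256).Hash
        $gold = (Get-FileHash -LiteralPath $Witness -Algorithm SHA256).Hash
        if ($live -ne $gold) {
            $result.Status = 'MODIFIED'
            $result.Detail = "SHA256 $live (expected $gold)"
        }
    } catch {
        # Encryptor holding an exclusive lock, or share unreachable: still worth a look.
        $result.Status = 'UNREADABLE'; $result.Detail = $_.Exception.Message
    }
    return [pscustomobject]$result
}

function Send-CanaryAlert {
    param($Result)
    $body = @"
Ransomware canary status: $($Result.Status)
Detected at: $($Result.Time.ToString('o'))
Detail: $($Result.Detail)
Recover from a point in time before this timestamp.
"@
    Send-MailMessage @Smtp -Subject "RANSOMWARE CANARY: $($Result.Status) on $env:COMPUTERNAME" -Body $body
}

# Poll loop. Stops after the first alert so the mailbox is not flooded while the share is
# still being encrypted; restart the script once the canary and witness are restored.
while ($true) {
    $r = Test-Canary -Path $CanaryPath -Witness $WitnessPath
    if ($r.Status -ne 'OK') {
        Send-CanaryAlert -Result $r
        $r | Out-File -Append -LiteralPath $LogPath
        break
    }
    Start-Sleep -Seconds 30
}
```

Run it as a scheduled task or service account that has read access to the share and to the witness directory but that ordinary users cannot impersonate; if the witness copy lives on the same user-writable share, an encryptor will alter both files and the hashes will still match. A 30-second poll interval is a trade-off between load on the share and how many files are lost before the alert fires.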