Scanning for Ransomware

Comments

6 comments

  • Dan Sadler

    I have a similar thing running. I also scan for .locky and help_decrypt.txt

    1
  • Edward Gray

    So, if I am reading this right it's just simply if File > Name > Contains > .locky (or whatever) it adds to the collection? 

    0
  • Michael Muni

    Yes that is correct.

    0
  • Mike Tupker

    To expand on this, there is a maintained spreadsheet that gets referenced on reddit a lot with almost every known type of ransomware. One of the columns in the spreadsheet is a list of the various ransom note filenames that are left behind. You could build something pretty comprehensive with that info.

    https://docs.google.com/spreadsheets/u/2/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#

    0
  • Edward Gray

    I can't seem to get this working, am I missing something?


     

    I am simply trying to find a sample text file on my machine, but no results are coming up. I would love to see this working. Thank you for the assistance.

    0
  • Michael Muni

    First you must create a scan profile in preferences that scans computers for the specific file. Then you can configure the dynamic collection for the file like you have pictured.

    0
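The two-step flow described in this thread (a file scan first, then a "File > Name > Contains" collection filter over the scan results), sketched as an added example that is not part of any comment above and not the inventory product's own code. The function names, host names and sample files are constructed for illustration; the only indicators used are the two named in the thread.

```python
import os
import tempfile

# Indicators named in this thread; extend from a maintained list as needed.
INDICATORS = (".locky", "help_decrypt.txt")

def scan_files(root):
    """Step 1 (the scan profile): inventory every file path under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            found.append(os.path.join(dirpath, name))
    return sorted(found)

def name_contains(path, indicators=INDICATORS):
    """Step 2 filter: File > Name > Contains, as a case-insensitive substring match."""
    name = os.path.basename(path).lower()
    return [i for i in indicators if i.lower() in name]

def build_collection(inventory):
    """Group hosts whose scanned inventory holds at least one matching file name.
    A host with an empty inventory (no scan has run) can never match."""
    collection = {}
    for host, paths in inventory.items():
        hits = {p: m for p in paths if (m := name_contains(p))}
        if hits:
            collection[host] = hits
    return collection

def demo():
    """Constructed sample: two hypothetical hosts modelled as temp directories."""
    layout = {
        "HOST-A": ["report.docx", "budget.xlsx.locky", "HELP_DECRYPT.TXT"],
        "HOST-B": ["notes.txt", "locksmith.pdf"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        inventory = {}
        for host, names in layout.items():
            host_root = os.path.join(tmp, host, "docs")
            os.makedirs(host_root)
            for name in names:
                open(os.path.join(host_root, name), "w").close()
            inventory[host] = [os.path.basename(p) for p in scan_files(host_root)]
        return build_collection(inventory)

if __name__ == "__main__":
    for host, hits in demo().items():
        print(host, hits)
```

Substring matching on names is cheap but only catches known extensions and note names, so the indicator list needs to be kept current.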
