Scanning for Ransomware

Just a tip: I have a file scan setup to scan user profile directories for .crypt files. I then have a dynamic collection that will populate with any computer that has these files. Then I have a daily auto report that alerts me of any computers show up in this this collection.

Today, PDQ just discovered one laptop with ransomware that Forefront didn't detect.



Date Votes
  • I have a similar thing running.  I also scan for .locky  and help_decrypt.txt   

  • So, if I am reading this right it's just simply if File > Name > Contains > .locky (or whatever) it adds to the collection? 

  • Yes that is correct.

  • To expand on this there is a maintained spreadsheet that gets referenced on reddit a lot with almost every know type of ransomware. one of the columns in the spreadsheet is a list of the various ransom note filenames that are left behind. You could build something pretty comprehensive with that info.

  • I can't seem to get this working, am I missing something?


    I am simply trying to find a sample text file on my machine, but no results are coming up. I would love to see this working. Thank You for the assistance.

  • First you must create a scan profile in preferences that scans computers for the specific file . Then you can configure the dynamic collection for the file like you have pictured.


Please sign in to leave a comment.

Didn't find what you were looking for?

New post