
Scanning for Ransomware

Just a tip: I have a file scan set up to scan user profile directories for .crypt files. I then have a dynamic collection that will populate with any computer that has these files. Then I have a daily auto report that alerts me when any computers show up in this collection.

Today, PDQ just discovered one laptop with ransomware that Forefront didn't detect.

0

Comments

6 comments
  • I have a similar thing running. I also scan for .locky and help_decrypt.txt

    1
  • So, if I am reading this right it's just simply if File > Name > Contains > .locky (or whatever) it adds to the collection? 

    0
  • Yes that is correct.

    0
  • To expand on this, there is a maintained spreadsheet that gets referenced on reddit a lot with almost every known type of ransomware. One of the columns in the spreadsheet is a list of the various ransom note filenames that are left behind. You could build something pretty comprehensive with that info.

    https://docs.google.com/spreadsheets/u/2/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#

    0
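The file scan from the original post, extended with the ransom-note filenames the spreadsheet comment mentions, as a stand-alone Python script (an added example, not PDQ's scan engine and not code from anyone in this thread). It walks a profiles directory, compares the extension and the note filename whole rather than as a "Name contains" substring (so a file such as keys.crypto.bak is not flagged by a ".crypt" rule), and runs against a constructed sample tree; the indicator lists and directory layout are assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed indicator lists taken from the thread: encrypted-file
# extensions and ransom-note filenames. Extend from a maintained list.
INDICATOR_EXTENSIONS = {".crypt", ".locky"}
RANSOM_NOTE_NAMES = {"help_decrypt.txt"}


def is_indicator(name: str) -> bool:
    """Exact, case-insensitive match on the extension or the note filename.

    A substring rule like 'Name contains .crypt' would also flag
    'keys.crypto.bak', so the final suffix is compared as a whole.
    """
    lower = name.lower()
    return lower in RANSOM_NOTE_NAMES or Path(lower).suffix in INDICATOR_EXTENSIONS


def scan_profiles(profiles_root: str) -> dict:
    """Walk each profile under profiles_root; return {profile: [hit paths]}."""
    root = Path(profiles_root)
    hits = {}
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        found = []
        for dirpath, _dirs, files in os.walk(profile):
            for f in files:
                if is_indicator(f):
                    found.append(str(Path(dirpath, f).relative_to(root)))
        if found:  # only profiles with hits would join the collection
            hits[profile.name] = sorted(found)
    return hits


def build_sample_tree() -> str:
    """Constructed test data: one infected-looking profile and one clean one."""
    base = tempfile.mkdtemp(prefix="profiles_")
    layout = {
        "alice/Documents/budget.xlsx.locky": "",
        "alice/Documents/HELP_DECRYPT.TXT": "constructed ransom note text",
        "bob/Documents/report.docx": "",
        "bob/Downloads/keys.crypto.bak": "",  # substring trap; must not match
    }
    for rel, content in layout.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


if __name__ == "__main__":
    for profile, files in scan_profiles(build_sample_tree()).items():
        print(f"{profile}: {', '.join(files)}")
```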
  • I can't seem to get this working, am I missing something?


    I am simply trying to find a sample text file on my machine, but no results are coming up. I would love to see this working. Thank You for the assistance.

    0
  • First you must create a scan profile in preferences that scans computers for the specific file. Then you can configure the dynamic collection for the file like you have pictured.

    0