Scanning for Ransomware
Just a tip: I have a file scan set up to scan user profile directories for .crypt files. I then have a dynamic collection that will populate with any computer that has these files. Then I have a daily auto report that alerts me of any computers that show up in this collection.
Today, PDQ just discovered one laptop with ransomware that Forefront didn't detect.
Comments
I have a similar thing running. I also scan for .locky and help_decrypt.txt.
So, if I am reading this right, it's just simply if File > Name > Contains > .locky (or whatever) it adds to the collection?
Yes that is correct.
To expand on this, there is a maintained spreadsheet that gets referenced on Reddit a lot with almost every known type of ransomware. One of the columns in the spreadsheet is a list of the various ransom note filenames that are left behind. You could build something pretty comprehensive with that info.
https://docs.google.com/spreadsheets/u/2/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml#
I can't seem to get this working, am I missing something?
I am simply trying to find a sample text file on my machine, but no results are coming up. I would love to see this working. Thank you for the assistance.
First you must create a scan profile in preferences that scans computers for the specific file. Then you can configure the dynamic collection for the file like you have pictured.
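A stand-alone version of the scan-then-collect logic the thread describes (scan profile directories for the indicators mentioned, populate a collection with any host that has a hit, produce the daily report), as an added Python example that is not PDQ's scan profile or anything from the posts above. The host names, profile paths and files are constructed sample data built in a temp directory.

```python
import os
import tempfile
from pathlib import Path

# Indicators named in the thread: encrypted-file extensions and ransom-note filenames.
RANSOM_EXTENSIONS = {".crypt", ".locky"}
RANSOM_NOTE_NAMES = {"help_decrypt.txt"}


def scan_profile_dir(root):
    """Walk a profile directory and return sorted paths whose name matches an indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()  # case-insensitive, as NTFS filenames are
            if lower in RANSOM_NOTE_NAMES or Path(lower).suffix in RANSOM_EXTENSIONS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_collection(scan_results):
    """scan_results maps hostname -> list of hit paths; return hosts with at least one hit."""
    return sorted(host for host, hits in scan_results.items() if hits)


def build_profile_fixture():
    """Constructed sample data: two fake hosts' profile trees, one clean and one with hits."""
    base = Path(tempfile.mkdtemp())
    clean = base / "WS-CLEAN" / "Users" / "alice" / "Documents"
    infected = base / "WS-INFECTED" / "Users" / "bob" / "Documents"
    clean.mkdir(parents=True)
    infected.mkdir(parents=True)
    (clean / "budget.xlsx").write_text("")            # ordinary file, must not match
    (infected / "budget.xlsx.crypt").write_text("")   # encrypted-file extension
    (infected / "HELP_DECRYPT.TXT").write_text("")    # ransom note, upper-case on disk
    return base


def daily_report():
    """Scan every host's profile tree and return (collection members, per-host hits)."""
    base = build_profile_fixture()
    results = {host.name: scan_profile_dir(host) for host in base.iterdir()}
    return build_collection(results), results


if __name__ == "__main__":
    members, per_host = daily_report()
    for host in members:
        print(host, "->", per_host[host])
```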