Giters

leeqwind / detect-ransomware-filenames

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Detect Ransomware Filenames

This package/script watches SMB transactions to look for known bad filenames that ransomware is known to use. It rides on top of the Anti-Ransomware File System Resource Manager Lists maintained here.

How to use

A Python script (download-list.py) is included to be able to refresh the list periodically. By default, it will download the new file to the inputs/ folder.

Use zkg to install this, the way you would any Zeek package.

The script generates notices like the following:

{
  "_path": "notice",
  "_system_name": "bas-cl-swsensor-01",
  "_write_ts": "2020-04-27T21:40:10.494579Z",
  "_node": "worker-02",
  "ts": "2020-04-27T21:40:10.494579Z",
  "uid": "CNhUff2G2TzzRoQi45",
  "note": "Ransomware::KnownBadFilename",
  "msg": "Detected potential ransomware! Known bad file name: test3.hj36MM in use by client 10.0.2.51 on file server 172.16.4.66",
  "src": "10.0.2.51",
  "dst": "172.16.4.66",
  "peer_descr": "worker-02",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

If/when you get a notice, investigate, ideally as quickly as possible!

License

Please read the license file here for information about the license for this software.

About

License:BSD 3-Clause "New" or "Revised" License

Languages

Language:Zeek 61.8%Language:Python 38.2%