Detect crypto ransomware in realtime with Cryptostalker

Interesting project found on GitHub
Cryptostalker and the original project randumb are the work of Sean Williams, who wanted a tool that monitors the filesystem for newly written files and alerts the system's owner when those files contain random data (a sign of encrypted content) and are written at high speed.

How it works

When cryptostalker runs, it places a recursive file system watch on the path specified with the --path command line flag.

Whenever a new file is created, it is inspected for randomness via the randumb library. If it is deemed random, and the number of such files falls within the --window and --count thresholds (at least --count random files inside a --window time span), a message is output saying that a suspicious file was found. This possibly indicates a newly placed encrypted file somewhere on the filesystem under the --path directory.
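The two checks described above, random content plus a rate threshold, as an added Go example that is not cryptostalker's or randumb's own code. It assumes a Shannon-entropy cutoff of 7.5 bits/byte as a stand-in for randumb's test, which the page does not detail, and the file samples are constructed.

```go
package main

import (
	"math"
	"math/rand"
	"strings"
	"time"
)

// Entropy returns the Shannon entropy of b in bits per byte (0 to 8).
func Entropy(b []byte) float64 {
	var counts [256]float64
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			h -= c / n * math.Log2(c/n)
		}
	}
	return h
}

// LooksRandom is an assumed stand-in for randumb's test: ciphertext sits near 8 bits/byte.
func LooksRandom(b []byte) bool { return Entropy(b) > 7.5 }

// Detector mirrors --window/--count: it fires once Count random files were created inside Window.
type Detector struct {
	Window time.Duration
	Count  int
	seen   []time.Time // creation times of random files still inside Window
}

// Observe takes each new file's content and creation time (delivered in order) and reports a hit.
func (d *Detector) Observe(content []byte, at time.Time) bool {
	if !LooksRandom(content) {
		return false
	}
	for len(d.seen) > 0 && !d.seen[0].After(at.Add(-d.Window)) {
		d.seen = d.seen[1:] // expire entries that fell out of the window
	}
	d.seen = append(d.seen, at)
	return len(d.seen) >= d.Count
}

// samples returns constructed inputs: seeded pseudo-random bytes as an "encrypted" file, text as a plain one.
func samples() (encrypted, plain []byte) {
	encrypted = make([]byte, 8192)
	rand.New(rand.NewSource(1)).Read(encrypted)
	plain = []byte(strings.Repeat("Quarterly report: revenue up, costs flat. ", 100))
	return
}
```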

Installation

Copy and paste these commands:

path="$HOME/workspace.$RANDOM"   # throwaway Go workspace for the build
export GOPATH=$path
export GOBIN=$path/bin
mkdir -p $path/src
cd $path/src
go get github.com/unixist/cryptostalker
go install github.com/unixist/cryptostalker
echo -e 'Now you can run:\n $GOBIN/cryptostalker --path=/tmp'

More info and use examples on GitHub:

https://github.com/unixist/cryptostalker
