Ransomware Remediation Tools

Top 5 free tools to help defend Ransomware attack

In this blog, I have collected 5 best free tools to mitigate the risk of Ransomware attack. The list of tools covers different stages of defending ransomware attack ranging form detect to decrypt.

Detect a Ransomware attack

Anti-Ransomware File System Resource Manager (FSRM)

FSRM is a role that can be added to any Windows Server 2008 or later. By setting this File System Policy Group, analysts can monitor for certain extensions overwriting system files. In case of such events the admin is alerted via an email, so they can quickly stop the malicious activity begin clean-up before much harm is done.

This method is known as introducing a “Crypto Canary”. This process can be automated by using “CryptoBlocker”.

Decrypt Ransomware

The NoMoreRansom Project

National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee have “joined forces” in an attempt to fight against the Ransomware business run by cybercriminals.

The aim of this project is to create a go-to repository of Decryption Tools for as many Ransomwares as possible. So far NoMoreRansom has decrypted around 150 malwares.

Classify Ransomware

ID Ransomware

ID Ransomware is the tool to help identify what kind of ransomware it is. It is a simple tool where users upload the ransom note or a sample of encrypted file. The tool then detects the type of ransomware and sends the results to the user via an email. Currently it can identify 1000+ different ransomwares.

Clean up encrypted files and ransom notes

CryptoSearch

CryptoSearch goes hand-in-hand with ID Ransomware. It is used to securely identify all the infected files and move them to a new location for better analysis and making it easier to decrypt.

Monitor Ransomware activity post-compromise

CHIRP by CISA

CHIRP is a windows forensics tool that helps analysts find any post-Compromise activity as Indicators of Compromise (IOCs). CHIRP was released as a dynamic plugin to search for presence of advanced persistent threat (APT) by looking for presence of teardrop and raindrop malwares, but it can be configured to,

• Examine Windows event logs for artifacts associated with this activity.
• Examine Windows Registry for evidence of intrusion.
• Query Windows network artifacts
• Apply YARA rules to detect malware, backdoors, or implants.

Here are a few more resources about Ransomware we think are very handy to have,

1. How to Recover Data Deleted or Encrypted by Ransomware [Comprehensive Guide]
2. Ransom Note Cleaner
3. Kaspersky Malware Recovery Tools
4. Ransomware explained: How it works and how to remove it