Ransomware Remediation Tools
Top 5 free tools to help defend against ransomware attacks
In this blog, I have collected the 5 best free tools to mitigate the risk of a ransomware attack. The list covers different stages of defending against ransomware, ranging from detection to decryption.
Detect a ransomware attack
Anti-Ransomware File System Resource Manager (FSRM)
FSRM is a role service that can be added to any Windows Server 2008 or later. By configuring a file screen policy, analysts can monitor for files with known ransomware extensions being written over existing files on a share. When such an event occurs the admin is alerted via email, so they can quickly stop the malicious activity and begin clean-up before much harm is done.
This method is known as introducing a “crypto canary”. Setting it up can be automated with “CryptoBlocker”.
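The following PowerShell script is an added example (not code from the post or from CryptoBlocker) showing how the crypto canary described above is built with the File Server Resource Manager cmdlets: a file group of ransomware-style names, an email and event-log notification, an active file screen template, and the screen applied to a share. The share path, SMTP server, mail addresses and the handful of file patterns are constructed placeholders; a real deployment would load the pattern list from a maintained source.

```powershell
# Added example: build an FSRM "crypto canary" file screen.
# Assumptions: run elevated on a Windows Server with the FSRM role service installed.
# All paths, addresses and patterns below are placeholders, not values from the post.
Import-Module FileServerResourceManager

$ProtectedShare = 'D:\Shares'                  # placeholder share root
$SmtpServer     = 'smtp.example.invalid'       # placeholder mail relay
$AdminMail      = 'secops@example.invalid'     # placeholder recipient

# Constructed sample of names ransomware families have used for encrypted output
# and ransom notes. Legitimate users never create these, so any hit is a canary trip.
$RansomPatterns = @('*.locky', '*.zepto', '*.wncry', '*.crypt', '*.encrypted',
                    '*decrypt_instructions*', '*_HELP_instructions*', '*README_FOR_DECRYPT*')

# Mail settings FSRM uses to deliver notifications.
Set-FsrmSetting -SmtpServer $SmtpServer -AdminEmailAddress $AdminMail `
    -FromEmailAddress 'fsrm@example.invalid'

# 1. File group holding the canary patterns (created once, extend later with Set-FsrmFileGroup).
$group = New-FsrmFileGroup -Name 'Ransomware Canary' -IncludePattern $RansomPatterns

# 2. Notifications. [Admin Email], [Source Io Owner], [Source File Path] and [Server]
#    are FSRM substitution variables filled in when the screen fires.
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Ransomware canary tripped on [Server]' `
    -Body 'User [Source Io Owner] tried to write [Source File Path] on [Server]. Isolate that account and workstation, then start clean-up.'

$eventLog = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransomware canary: [Source Io Owner] wrote [Source File Path] on [Server]'

# 3. Active template: "Active" means the write is blocked, not just logged.
$template = New-FsrmFileScreenTemplate -Name 'Ransomware Canary' `
    -IncludeGroup $group.Name -Notification @($mail, $eventLog) -Active

# 4. Apply the screen to the share root; it is inherited by every subfolder.
New-FsrmFileScreen -Path $ProtectedShare -Template $template.Name

# Confirm the screen is in place.
Get-FsrmFileScreen -Path $ProtectedShare | Select-Object Path, Active, IncludeGroup
```

To verify the canary end to end, create a file such as `canary.locky` on the share from a client: the active screen rejects the write and the email and event-log entries should appear. Note that the screen matches on file names only, so a family that keeps the original extension will not trip it; treat it as an early-warning layer, not the sole control.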
NoMoreRansom
The National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee have “joined forces” to fight the ransomware business run by cybercriminals.
The aim of the project is to build a go-to repository of decryption tools for as many ransomware families as possible. So far NoMoreRansom has provided decryptors for around 150 ransomware strains.
ID Ransomware
ID Ransomware is a tool that helps identify which kind of ransomware you are dealing with. It is simple to use: the user uploads the ransom note or a sample encrypted file, the tool identifies the ransomware type and emails the results back. It currently recognises 1000+ different ransomware variants.
Clean up encrypted files and ransom notes
CryptoSearch goes hand in hand with ID Ransomware. It is used to securely identify all the encrypted files and ransom notes and move them to a new location, which makes analysis easier and simplifies decryption once a decryptor is available.
Monitor Ransomware activity post-compromise
CHIRP is a Windows forensics tool that helps analysts find post-compromise activity in the form of indicators of compromise (IOCs). CHIRP was released as a dynamic plugin to search for the presence of advanced persistent threat (APT) activity, specifically the TEARDROP and RAINDROP malware, but it can be configured to:
- Examine Windows event logs for artifacts associated with this activity.
- Examine the Windows Registry for evidence of intrusion.
- Query Windows network artifacts.
- Apply YARA rules to detect malware, backdoors, or implants.
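As an added example (not CHIRP's own code), the PowerShell sweep below covers the first three artifact classes in that list on a single host: process-creation events in the Security log, autostart Registry keys, and live TCP connections plus the DNS client cache, each checked against an IOC set. Every indicator value here is a constructed placeholder (the IP is from the RFC 5737 documentation range); during an incident these come from the ransom note analysis, threat-intel feed or CHIRP's own indicator files.

```powershell
# Added example: host triage against a constructed IOC set. Not CHIRP's code.
# Run elevated; reading the Security log and HKLM keys requires it.
$Iocs = @{
    Hostnames = @('c2.example.invalid', 'update-cdn.example.invalid')   # placeholders
    Ips       = @('203.0.113.10')                                        # RFC 5737 range
    Processes = @('svchosts.exe', 'update_helper.exe')                   # constructed names
    RunValues = @('UpdateHelper')                                        # constructed value name
}

function Find-SuspiciousProcessCreation {
    param([string[]]$Names, [int]$Days = 7)
    # Event ID 4688 (process creation) only exists if process-tracking auditing is enabled.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $msg = $_.Message
            ($Names | Where-Object { $msg -match [regex]::Escape($_) }).Count -gt 0
        } |
        Select-Object TimeCreated, Id,
            @{ n = 'Source';  e = { 'EventLog' } },
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Find-SuspiciousRunKeys {
    param([string[]]$Values)
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        foreach ($v in $Values) {
            if ($props.PSObject.Properties.Name -contains $v) {
                [pscustomobject]@{ Source = 'Registry'; Key = $p; Value = $v; Data = $props.$v }
            }
        }
    }
}

function Find-SuspiciousNetwork {
    param([string[]]$Ips, [string[]]$Hostnames)
    # Established or pending connections to known-bad addresses.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $Ips -contains $_.RemoteAddress } |
        Select-Object @{ n = 'Source'; e = { 'TCP' } }, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
    # Cached DNS answers show lookups even after the connection closed.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object {
            $entry = $_.Entry
            ($Hostnames | Where-Object { $entry -like "*$_*" }).Count -gt 0
        } |
        Select-Object @{ n = 'Source'; e = { 'DNS' } }, Entry, Data
}

$findings = @()
$findings += Find-SuspiciousProcessCreation -Names $Iocs.Processes
$findings += Find-SuspiciousRunKeys -Values $Iocs.RunValues
$findings += Find-SuspiciousNetwork -Ips $Iocs.Ips -Hostnames $Iocs.Hostnames

if ($findings.Count -eq 0) { 'No IOC matches on this host.' } else { $findings | Format-List }
```

The fourth item, YARA scanning, is deliberately left to CHIRP or a YARA binary rather than reimplemented here. An empty result only means none of these specific indicators were seen; it says nothing about indicators you did not load, so widen the set as the investigation produces new ones.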
Here are a few more resources about ransomware we think are very handy to have: