Raccine VS Ransomware-Tarpit

Shout out to Raccine https://github.com/Neo23x0/Raccine

There's a clever little utility for that called Raccine: https://github.com/Neo23x0/Raccine.

However, a more useful control would be to detect the process responsible for deleting shadow copies and to kill it. There's a clever little utility for that called Raccine: https://github.com/Neo23x0/Raccine Just note that if you have some sort of legitimate process that deletes shadow copies, Raccine will not discriminate in killing it. However, if you don't have anything preventing you from doing something like this, you can potentially kill a ransomware infection right at the start with a simple free utility. Neato.

If you're looking at a ransomware-specific endpoint protection tool, consider Raccine. https://github.com/Neo23x0/Raccine

Back to your original question, assuming a conventional AD-centric Windows environment, I would recommend starting with AppLocker to whitelist approved apps and host-based firewall to whitelist approved connections, enable detailed powershell logging, monitor for east-west wmic/SMB/RDP connections (monitor at host level and at network level), and use a tool like RITA to detect beaconing activity. Also consider blocking DOH, retaining DNS logs, and if you don't have a well-tuned EDR/XDR and SIEM, deploy sysmon and use WEF/WEC to centralize logs (SwiftOnSecurity and Olaf Hartong on github have very good starting points for sysmon configs and Microsoft's MSLab github repo has a good scenario for testing sysmon/WEF/WEC with alert recommendations from NSA and Palantir). If you have no centralized logging/analysis/alerting in place AND a managed solution like SecureWorks or a guided deployment of Defender are not realistic, consider starting with Security Onion. If your organization is in a critical infrastructure sector, you should definitely look into the risk and vulnerability assessment and no-cost cyber hygiene services offered by CISA (see https://www.cisa.gov/cyber-resource-hub). Also, have you considered testing/deploying Raccine? https://github.com/Neo23x0/Raccine

checking for shadow volume copy deletion and certain other ransomware-specific commands (see, e.g., Raccine but beware that it is NOT a vaccine but a generic detection method, the name is really just wrong)

Additionally, I threw together a quick Powershell script where you can enter in a source path of your legit file server and a destination path of your honeypot file server and it will automatically clone the directory structure and filenames of your legit file server to the honeypot one, but the files will just contain random bytes. You can find this here: https://github.com/IndustryBestPractice/Ransomware-Tarpit/blob/main/clone-honeyfiles.ps1

As for the Ransomware tarpit side of this, I actually use a commercial tool for this which has a ton of other features, but this can easily be done for free. To help with that, I put together a simple Powershell script to perform the monitoring of your honeypot file servers and to randomly generate new files when modifications are detected. It will also email you on modifications. You can find it here: https://github.com/IndustryBestPractice/Ransomware-Tarpit/blob/main/ransomware-tarpit.ps1