Raccine
A Simple Ransomware Vaccine (by Neo23x0)
Ransomware-Tarpit
Quick and dirty powershell script to generate random files when files within a monitored path are modified. (by IndustryBestPractice)
| | Raccine | Ransomware-Tarpit |
|---|---|---|
| Mentions | 6 | 3 |
| Stars | 941 | 1 |
| Growth | - | - |
| Activity | 3.5 | 0.0 |
| Last commit | 7 months ago | over 2 years ago |
| Language | C++ | PowerShell |
| License | The Unlicense | - |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Raccine
Posts with mentions or reviews of Raccine.
We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-08-09.
- Did anyone ever consider monitoring Windows server vss snapshot quotas for ransomware purposes?
  Shout out to Raccine https://github.com/Neo23x0/Raccine
- Security Cadence: Ransomware Part 2 - Actions on Objectives
  However, a more useful control would be to detect the process responsible for deleting shadow copies and to kill it. There's a clever little utility for that called Raccine: https://github.com/Neo23x0/Raccine. Just note that if you have some sort of legitimate process that deletes shadow copies, Raccine will not discriminate in killing it. However, if you don't have anything preventing you from doing something like this, you can potentially kill a ransomware infection right at the start with a simple free utility. Neato.
- BullWall Ransomcare
  If you're looking at a ransomware-specific endpoint protection tool, consider Raccine. https://github.com/Neo23x0/Raccine
- Alert for ransomware that bypassed endpoint protection
Back to your original question, assuming a conventional AD-centric Windows environment, I would recommend starting with AppLocker to whitelist approved apps and host-based firewall to whitelist approved connections, enable detailed powershell logging, monitor for east-west wmic/SMB/RDP connections (monitor at host level and at network level), and use a tool like RITA to detect beaconing activity. Also consider blocking DOH, retaining DNS logs, and if you don't have a well-tuned EDR/XDR and SIEM, deploy sysmon and use WEF/WEC to centralize logs (SwiftOnSecurity and Olaf Hartong on github have very good starting points for sysmon configs and Microsoft's MSLab github repo has a good scenario for testing sysmon/WEF/WEC with alert recommendations from NSA and Palantir). If you have no centralized logging/analysis/alerting in place AND a managed solution like SecureWorks or a guided deployment of Defender are not realistic, consider starting with Security Onion. If your organization is in a critical infrastructure sector, you should definitely look into the risk and vulnerability assessment and no-cost cyber hygiene services offered by CISA (see https://www.cisa.gov/cyber-resource-hub). Also, have you considered testing/deploying Raccine? https://github.com/Neo23x0/Raccine
- methodologies for detecting ransomware
  checking for shadow volume copy deletion and certain other ransomware-specific commands (see, e.g., Raccine but beware that it is NOT a vaccine but a generic detection method, the name is really just wrong)
Ransomware-Tarpit
Posts with mentions or reviews of Ransomware-Tarpit.
We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-03-21.
- We got confirmation that this was legitimately implemented by our client's IT department...
- Security Cadence: Ransomware Part 2 - Actions on Objectives
Additionally, I threw together a quick Powershell script where you can enter in a source path of your legit file server and a destination path of your honeypot file server and it will automatically clone the directory structure and filenames of your legit file server to the honeypot one, but the files will just contain random bytes. You can find this here: https://github.com/IndustryBestPractice/Ransomware-Tarpit/blob/main/clone-honeyfiles.ps1
As for the Ransomware tarpit side of this, I actually use a commercial tool for this which has a ton of other features, but this can easily be done for free. To help with that, I put together a simple Powershell script to perform the monitoring of your honeypot file servers and to randomly generate new files when modifications are detected. It will also email you on modifications. You can find it here: https://github.com/IndustryBestPractice/Ransomware-Tarpit/blob/main/ransomware-tarpit.ps1
What are some alternatives?
When comparing Raccine and Ransomware-Tarpit you can also consider the following projects:
awesome-threat-detection - ✨ A curated list of awesome threat detection and hunting resources 🕵️♂️
fibratus - A modern tool for Windows kernel exploration and tracing with a focus on security