Ransomware attacks are becoming more frequent, more damaging and more sophisticated. Besides other tips mentioned here, it is very important to detect ransomware quickly and remediate immediately. In this blog, we have collected 5 free tools to assist mitigating the risk of Ransomware Attacks faster. The list of tools cover different stages of defending against ransomware attacks ranging from detection to decryption.
1. Detect Ransomware Attack
Anti-Ransomware File System Resource Manager (FSRM)
Link: https://fsrm.experiant.ca/
FSRM is a role that can be added to any Windows Server 2008 or later. By setting this File System Policy Group, analysts can monitor for certain extensions overwriting system files. In case of such events the admin is alerted via an email, so they can quickly stop the malicious activity begin clean-up before much harm is done.
2. Decrypt Ransomware
The NoMoreRansom Project
Link: https://www.nomoreransom.org/
National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee have “joined forces” in an attempt to fight against the Ransomware business run by cybercriminals.
The aim of this project is to create a go-to repository of Decryption Tools for as many Ransomwares as possible. So far NoMoreRansom has decrypted around 150 malwares.
3. Classify Ransomware
ID Ransomware
Link: https://id-ransomware.malwarehunterteam.com/
ID Ransomware is the tool to help identify what kind of ransomware it is. It is a simple tool where users upload the ransom note or a sample of encrypted file. The tool then detects the type of ransomware and sends the results to the user via an email. Currently it can identify 1000+ different ransomwares.
4. Clean up Encrypted files and Ransom notes
CryptoSearch
Link: https://www.bleepingcomputer.com/download/cryptosearch/
CryptoSearch goes hand-in-hand with ID Ransomware. It is used to securely identify all the infected files and move them to a new location for better analysis and making it easier to decrypt.
5. Monitor Post-Compromise Ransomware Activity
CHIRP by CISA
Link: https://us-cert.cisa.gov/ncas/alerts/aa21-077a
CHIRP is a windows forensics tool that helps analysts find any post-Compromise activity as Indicators of Compromise (IOCs). CHIRP was released as a dynamic plugin to search for presence in advanced persistent threat (APT) by looking for presence of teardrop and raindrop malwares, but it can be configured to 1. Examine Windows event logs for artifacts associated with this activity. 2. Examine Windows Registry for evidence of intrusion 3. Query Windows network artifacts 4. Apply YARA rules to detect malware, backdoors, or implants.
In addition to the tools above, DTonomy’s AI has helped our clients improve their security investigation and response efficiency 10X.
Can AI help reduce your risk of ransomware? Try it out for free or get in touch with us to learn more.
Additional Resources:
DTonomy’s collected free resources on defending Ransomware attack: Github link
