Ransomware detection application for Windows using Windows Minifilter driver
RansomWatch monitors and analyses data collected from the file system in real time to identify suspicious ransomware behavior. It autonomously stops ransomware applications and backs up data to prevent data loss.
The user-mode GUI application is responsible for handling all data of running applications, keyed by the GID the driver assigns (explained below): reporting to the user, backing up, sending kill requests to the driver for GIDs detected as malicious, and restoring changed files.
The driver collects file system usage, calculates entropy for read/write operations and gives multi-process applications a unique GID for tracking. It is also responsible for killing malicious applications based on their GID (system processes do not have a GID and thus will not be killed).
File system operations of applications are passed to the RansomWatch user-mode application, which requests the recorded IRPs (I/O Request Packets) from the driver with FilterSendMessage. System applications are not recorded, which avoids significant overhead. The application records IRP operation usage; after each recorded IRP operation for an application, RansomWatch checks whether the state of any application has changed to malicious.
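The entropy check on write operations and the per-GID "has this application turned malicious?" check described above, as an added illustration (this is not RansomWatch driver or application code): Shannon entropy per write buffer, plus a monitor that flags a GID after repeated high-entropy writes. The 7.0 bits/byte threshold, the three-write limit, the GID values and the sample buffers are constructed assumptions.

```cpp
// Added example (not RansomWatch project code): Shannon entropy of write
// buffers and a per-GID detector that flags an application group after
// repeated high-entropy writes. Thresholds and sample data are assumptions.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Shannon entropy in bits per byte: 0 for a constant buffer, 8 for a
// uniformly distributed one. Encrypted output sits close to 8.
double shannonEntropy(const std::vector<uint8_t>& buf) {
    if (buf.empty()) return 0.0;
    size_t counts[256] = {0};
    for (uint8_t b : buf) counts[b]++;
    double h = 0.0;
    const double n = static_cast<double>(buf.size());
    for (size_t c : counts) {
        if (c == 0) continue;
        const double p = c / n;
        h -= p * std::log2(p);
    }
    return h;
}

// Per-GID state kept by the user-mode checker: one record per IRP write.
struct GidStats {
    size_t writes = 0;
    size_t highEntropyWrites = 0;
};

class WriteMonitor {
public:
    // Assumed thresholds: entropy above 7.0 bits/byte counts as
    // "looks encrypted"; 3 such writes flag the group as malicious.
    explicit WriteMonitor(double entropyThreshold = 7.0, size_t maxHigh = 3)
        : threshold_(entropyThreshold), maxHigh_(maxHigh) {}

    // Called once per recorded write IRP; returns true once the GID has
    // crossed the limit (the point where a kill request would be sent).
    bool recordWrite(uint64_t gid, const std::vector<uint8_t>& data) {
        GidStats& s = stats_[gid];
        s.writes++;
        if (shannonEntropy(data) > threshold_) s.highEntropyWrites++;
        return s.highEntropyWrites >= maxHigh_;
    }

    bool isMalicious(uint64_t gid) const {
        auto it = stats_.find(gid);
        return it != stats_.end() && it->second.highEntropyWrites >= maxHigh_;
    }

private:
    double threshold_;
    size_t maxHigh_;
    std::map<uint64_t, GidStats> stats_;
};

// Constructed sample data: repeated English text (low entropy) and a
// xorshift32 byte stream standing in for ciphertext (near-uniform bytes).
std::vector<uint8_t> makeTextBuffer(size_t len) {
    const std::string phrase = "Quarterly report: revenue grew 4% year over year. ";
    std::vector<uint8_t> out;
    while (out.size() < len)
        out.push_back(static_cast<uint8_t>(phrase[out.size() % phrase.size()]));
    return out;
}

std::vector<uint8_t> makeRandomBuffer(size_t len, uint32_t seed = 0x9E3779B9u) {
    std::vector<uint8_t> out;
    uint32_t x = seed;
    while (out.size() < len) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out.push_back(static_cast<uint8_t>(x));
    }
    return out;
}

// Scenario: GID 1001 keeps writing documents while GID 2002 overwrites
// files with encrypted-looking data. Returns the first GID flagged, or 0.
uint64_t runScenario() {
    WriteMonitor mon;
    uint64_t flagged = 0;
    for (int i = 0; i < 5; ++i) {
        if (mon.recordWrite(1001, makeTextBuffer(4096)) && !flagged) flagged = 1001;
        if (mon.recordWrite(2002, makeRandomBuffer(4096, 1u + i)) && !flagged) flagged = 2002;
    }
    return flagged;
}

int main() {
    std::printf("text entropy   = %.3f bits/byte\n", shannonEntropy(makeTextBuffer(4096)));
    std::printf("random entropy = %.3f bits/byte\n", shannonEntropy(makeRandomBuffer(4096)));
    std::printf("flagged GID    = %llu\n", static_cast<unsigned long long>(runScenario()));
    return 0;
}
```

Entropy alone is a weak signal (compressed archives and media files are also high-entropy), which is why the monitor counts repeated high-entropy writes per GID rather than reacting to a single buffer; a real deployment would combine it with the other IRP usage statistics the driver collects.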
A GID is given by the driver each time a new application is introduced to the system; the driver registers for process creation and exit notifications (PsSetCreateProcessNotifyRoutine). The driver evaluates the loaded image file and decides whether it is a system process. If not, a new GID is assigned, and every process generated from this process is given the same GID.
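A user-mode model of the GID assignment just described, added here as an example (it is not the RansomWatch driver's code): process create/exit events stand in for the PsSetCreateProcessNotifyRoutine callbacks, a child inherits its parent's GID, and system processes get no GID. The "system process" test is an assumed image-path heuristic, and the PIDs and image paths are constructed.

```cpp
// Added example (not RansomWatch driver code): GID assignment from process
// notifications. The system-image check is an assumed heuristic.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

constexpr uint64_t NO_GID = 0;  // system processes carry no GID

class GidTracker {
public:
    // Called on process creation. Returns the GID assigned (NO_GID for
    // system processes). A child of a tracked process inherits its GID,
    // whatever image it runs, so a spawned cmd.exe stays in the group.
    uint64_t onProcessCreate(uint32_t pid, uint32_t parentPid, const std::string& imagePath) {
        uint64_t gid = NO_GID;
        auto parent = gidOf_.find(parentPid);
        if (parent != gidOf_.end() && parent->second != NO_GID) {
            gid = parent->second;                 // same application group
        } else if (!isSystemImage(imagePath)) {
            gid = nextGid_++;                     // new application
        }
        gidOf_[pid] = gid;
        return gid;
    }

    // Called on process exit; drop the mapping so a reused PID is not
    // mistaken for a member of the old group.
    void onProcessExit(uint32_t pid) { gidOf_.erase(pid); }

    uint64_t gidOf(uint32_t pid) const {
        auto it = gidOf_.find(pid);
        return it == gidOf_.end() ? NO_GID : it->second;
    }

    // Every live PID in a group: the set a kill request for that GID covers.
    std::vector<uint32_t> pidsOf(uint64_t gid) const {
        std::vector<uint32_t> pids;
        if (gid == NO_GID) return pids;           // never target system processes
        for (const auto& kv : gidOf_)
            if (kv.second == gid) pids.push_back(kv.first);
        std::sort(pids.begin(), pids.end());
        return pids;
    }

private:
    // Assumed heuristic: an image loaded from the Windows directory is system.
    static bool isSystemImage(const std::string& path) {
        std::string lower = path;
        std::transform(lower.begin(), lower.end(), lower.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        return lower.rfind("c:\\windows\\", 0) == 0;
    }

    uint64_t nextGid_ = 1;
    std::map<uint32_t, uint64_t> gidOf_;
};

// Constructed event sequence (hypothetical PIDs and paths): a system process
// starts explorer, explorer starts a downloaded tool, the tool spawns a
// worker and a cmd.exe; a service host is started independently.
GidTracker buildSampleTree() {
    GidTracker t;
    t.onProcessCreate(4, 0, "C:\\Windows\\System32\\smss.exe");
    t.onProcessCreate(100, 4, "C:\\Windows\\explorer.exe");
    t.onProcessCreate(200, 100, "C:\\Users\\alice\\Downloads\\tool.exe");
    t.onProcessCreate(201, 200, "C:\\Users\\alice\\Downloads\\worker.exe");
    t.onProcessCreate(300, 4, "C:\\Windows\\System32\\svchost.exe");
    t.onProcessCreate(202, 200, "C:\\Windows\\System32\\cmd.exe");
    return t;
}

int main() {
    GidTracker t = buildSampleTree();
    for (uint32_t pid : {4u, 100u, 200u, 201u, 202u, 300u})
        std::printf("pid %u -> GID %llu\n", pid, static_cast<unsigned long long>(t.gidOf(pid)));
    return 0;
}
```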
After a malicious application is detected and stopped by our driver, the RansomWatch application tries to recover the files it changed from Azure storage. Only areas that were selected for protection in the application can be recovered. Restoration uses the last known valid snapshot, chosen by comparing the date of the first ransomware detection on the system with the snapshot times.
The user-mode application is written in C++/CLI.
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
Our driver is test-signed, so before using it Windows must be configured to install and run test-signed drivers.
Test-signed drivers can be enabled from an elevated command prompt with the following command:
bcdedit /set testsigning on
Restart Windows for changes to take effect.
Copy the solution application (application.exe) and the DLL next to it (Microsoft.WindowsAzure.Storage.dll) to the target machine. Those files are generated under: <project location>/x64/Release
Copy the driver files FsFilter.inf, FsFilter.sys and FsFilter.cer to the target machine and place them in the same directory. Those files are generated under: <project location>/x64/Debug
Install the driver using the .inf file (requires an elevated command prompt):
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 <Driver files location>\FsFilter.inf
Start the driver using the fltmc command or the sc command.
We tested our solution with the service control manager (sc):
sc start FsFilter
Stop the driver with:
sc stop FsFilter
Remove the driver with:
sc delete FsFilter
Run the application; we recommend running it as Administrator.
To run the application, the Visual Runtime for Windows is required. The application needs the driver to be running to work properly.
Testing ransomware requires a VM (well, unless you do not mind testing it on your own machine) and ransomware samples.
This project is licensed under the MIT License; see MIT for details.