Question
After reading about how basic ransomware targets and encrypts your files, I was wondering whether it would be plausible to write your own script to try to detect such activities?
Initial Research Effort
I have looked at different ideas people had previously on this site:
Denying Write Access: Is denying write access an effective way to stop ransomware?
Suggestions how to avoid effectiveness of ransomware: How to avoid ransomware
I know of one tool that already advertises to do something like this, but I would assume the attackers have already taken note of that tool and will try to circumvent it. Maybe they would also just assume that the average user won't actually install this sort of thing and the < 10% that did are irrelevant to the attackers.
Assumptions
In either case, from my understanding (and please correct me where I am wrong), the most widely spread crypto-ransomware actually:
- runs with user privileges
- accesses a limited set of the user's files (defined by file extension)
- creates many new files under a new name (either new extension or completely encrypted)
- deletes the original files properly (I assume they would overwrite the original memory to avoid people just using a simple file restore tool?)
Back to a more specific Question
Under these considerations, it appears entirely plausible to me to write a script that can monitor my most important files and locations. And to make my question more specific:
Is it true that many widespread crypto-ransomware families (e.g. TeslaCrypt) work under the assumptions given above? And if there are actually more elusive tactics employed, would they easily avoid detection if my own monitoring script relies on standard file-access monitoring?
Side notes in regard to what I would assume the anti-crypto tool would be doing:
The tool could even be combined with a honeypot approach to get immediate alerts and kill processes that try to change anything in a specific set of files that look like normal personal documents.
I am aware that the recommendation is not to write your own crypto software, but I am looking for advice on whether you would encourage people to write anti-ransomware software to at least try to create another layer of security.
I am also aware that backups are more important in this case. I am not thinking of replacing backups with my own homegrown script and I am also aware that testing will be difficult.
The question is more directed at why there are not already more anti-crypto-ransomware tools, given that their approach could actually be detected with some basic file monitoring. Maybe my assumption about this is wrong, and I would love to hear from you why that is.
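As an added illustration of the honeypot-plus-file-monitoring idea sketched in the question (example code, not from the original post or any real tool): a polling detector that snapshots a directory, then flags an interval in which canary files were touched, a large share of tracked files changed or vanished, or originals disappeared while new files appeared (the rename-to-new-extension pattern). The file names, the 50% threshold and the simulated encrypt-rename-delete pass in `demo()` are constructed for the example.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (p.stat().st_size, digest)
    return snap

def diff_snapshots(before, after):
    """Split the change between two snapshots into modified / deleted / created paths."""
    modified = [f for f in before if f in after and before[f] != after[f]]
    deleted = [f for f in before if f not in after]
    created = [f for f in after if f not in before]
    return modified, deleted, created

def ransomware_like(before, after, canaries=(), threshold=0.5):
    """Return (alert, reasons) for one polling interval. Heuristics only: tune the
    threshold per environment, since a large legitimate save-as or cleanup can also trip it."""
    modified, deleted, created = diff_snapshots(before, after)
    touched = set(modified) | set(deleted)
    reasons = []
    canary_hits = sorted(touched & set(canaries))
    if canary_hits:  # honeypot files should never change under normal use
        reasons.append(f"canary files changed: {canary_hits}")
    if before and len(touched) / len(before) >= threshold:
        reasons.append(f"mass change: {len(touched)}/{len(before)} tracked files modified or deleted")
    if deleted and len(created) >= len(deleted):  # originals gone, encrypted copies appeared
        reasons.append(f"{len(deleted)} originals removed, {len(created)} new files created")
    return bool(reasons), reasons

def demo():
    """Constructed scenario: a folder of documents plus one honeypot file, then a
    simulated encrypt-rename-delete pass over all of them. Returns the detector's verdict."""
    root = tempfile.mkdtemp()
    try:
        for name in ("report.docx", "budget.xlsx", "photo.jpg", "_canary_passwords.txt"):
            Path(root, name).write_text(f"contents of {name}")
        before = snapshot(root)
        for p in list(Path(root).iterdir()):           # simulated malicious pass
            Path(root, p.name + ".locked").write_bytes(os.urandom(64))
            p.unlink()
        after = snapshot(root)
        return ransomware_like(before, after, canaries=("_canary_passwords.txt",))
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

In real use `snapshot()` would run on a timer (or be replaced by an OS change-notification API) and an alert would be tied to the process that holds the files open, which polling alone cannot tell you.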