RansomwareLocker is a honeyfile-based ransomware detection tool for Linux environments. It uses inotify-tools and auditd utilities to monitor a honeyfile.
The program requires administrative (root) privileges to run and can run indefinitely in the background. The trap file is created in a location that a user would not normally access. The file is additionally saved with a .pdf extension so that the ransomware is sure to target it.
- A trap file is created; its size is arbitrary (~4KB).
- Symbolic links to it are set up across the file system to ensure that the ransomware encounters it eventually.
- The trap file is placed under audit using the auditctl facility.
- inotifywait is used to constantly watch for any of the following events on the trap file:
  - access --> file or directory contents were read
  - attrib --> file or directory attributes changed
  - close --> file or directory closed, regardless of read/write mode
  - open --> file or directory opened
  - modify --> file or directory contents were written
- If any of these events fires, the PID of the accessing process is extracted from the audit.log file using auditd's ausearch utility and passed as an argument to kill.
- Once the process is killed, a notification is sent to the user saying 'A potentially malicious process was killed'.
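The procedure above, as an added example that is not RansomwareLocker's own code: a POSIX shell sketch of trap creation, symlink planting, the auditctl/inotifywait loop and PID extraction from ausearch output. The hidden directory, file and link names and the audit key are assumptions, and the ausearch sample is constructed.

```shell
#!/usr/bin/env sh
# Added example, not RansomwareLocker's own code: a minimal honeyfile monitor in
# the shape the README describes. Paths, file names and the audit key are assumed.
TRAP_DIR="${TRAP_DIR:-/var/lib/.honey}"       # assumed out-of-the-way location
TRAP_FILE="$TRAP_DIR/quarterly_report.pdf"    # .pdf so an encryptor picks it up
AUDIT_KEY="honeyfile"
# Constructed ausearch output (not real audit data) used to exercise extract_pid.
SAMPLE_AUDIT='type=PATH msg=audit(1587300000.123:456): item=0 name="quarterly_report.pdf"
type=SYSCALL msg=audit(1587300000.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=1234 pid=5678 auid=1000 uid=1000 comm="openssl" key="honeyfile"'

# Create a ~4KB trap file (the size is arbitrary) and print its byte count.
create_trap() {
    mkdir -p "$TRAP_DIR"
    head -c 4096 /dev/urandom > "$TRAP_FILE"
    chmod 644 "$TRAP_FILE"
    wc -c < "$TRAP_FILE" | tr -d ' '
}

# Plant symlinks to the trap in the given directories so a file walker reaches
# it early; the leading zeros sort the link first in most listings.
plant_links() {
    for d in "$@"; do ln -sf "$TRAP_FILE" "$d/000_report.pdf"; done
}

# Read ausearch output on stdin and print the PID from the most recent SYSCALL
# record. The leading space in the pattern keeps "ppid=" from matching.
extract_pid() {
    sed -n 's/.* pid=\([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Never signal init or the monitor itself.
safe_to_kill() {
    [ "$1" -gt 1 ] && [ "$1" -ne "$$" ]
}

# Audit the trap for attribution, use inotifywait as the trigger, and on any of
# the listed events look up the accessor's PID, kill it and notify the user.
monitor() {
    auditctl -w "$TRAP_FILE" -p rwa -k "$AUDIT_KEY"
    inotifywait -m -q -e access,attrib,close,open,modify "$TRAP_FILE" |
    while read -r _path event; do
        pid=$(ausearch -k "$AUDIT_KEY" -ts recent 2>/dev/null | extract_pid)
        if [ -n "$pid" ] && safe_to_kill "$pid"; then
            kill -9 "$pid" && notify-send "A potentially malicious process was killed (pid $pid, $event)"
        fi
    done
}

# The live monitor needs root, inotify-tools and auditd, so it starts only on request.
if [ "${RUN_MONITOR:-0}" = 1 ]; then create_trap; plant_links /home/*; monitor; fi
```

Start the live monitor with RUN_MONITOR=1 as root; without that variable the script only defines the functions, so its pieces can be exercised without auditd or inotify-tools installed.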
To install the additional utilities, refer to the following:
- inotify-tools
- auditd: apt install auditd on Debian/Ubuntu; yum install auditd on RedHat
This tool was used against bash-ransomware, an open-source Linux ransomware (on a system running Ubuntu 16.04.6 64-bit), which gave promising results.
The technique was inspired by this paper.