A new concept our team gave birth to: Ransomware (RW) Check (RanCheck) Before Backup (BK), in short RBB. Due to the rising threat of RW we drive a two-part approach: Human and Machine, but both equally privileged. So if Human has the 'feeling' that data is infected, it 'tells' Machine to run FullCheck. If Human has no Indicator Of RW (IOR) - the most important term in the game - Machine runs LightCheck. Only if both agree on no IOR does the backup start.
You all will tell me that Machine beats Human related to IOR. True, but users sometimes make mistakes and don't tell the admin because of shame. So Human has a limited capability of guessing IOR. The question is: in which areas will Humans EVER beat Machines? From these areas and the respective capabilities we want to teach Human. Train the Human to better indicate out of soft factors.
Today is DayOne. But what are your ideas? Like to learn from you guys.
What is IOR? (Indicator Of RansomWare should be IORW, according to your own invented acronyms)
What is the need to invent four new acronyms in a single post?
(of which RW will be understood by everyone as Read/Write)
But I really don't get it 😯 basically you are saying that
1) if Human suspects nothing, don't trust him/her and run anyway the "light" check
2) if Human suspects anything then he/she will "vote" for it
3) if Machine (after having run the "light" check) suspects that there is Ransomware running OR if the Human's cast vote is "yes" then run the "deep" check.
You should apply for a patent for the new idea, which is dramatically different from
1) always run a "light" check before backup
2) if the light check is positive then run the "deep" check
3) if the light check is negative then if Human (which has a higher privilege) suspects anything, he can override and perform a "deep" check nonetheless
Besides the apparent similarities between the "new concept" and the old one, in the specific case of Ransomware, there is with BOTH the not-so-little issue that IF the system is infected, the more time it runs the more files it will encrypt, so maybe a better idea would be
1) switch the system off
2) back it up "as is"
3) analyze the offline system
4) if no trace of Ransomware is found, "validate" the backup as "clean"
jaclaz
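The gating logic described in the opening post and restated in the reply above (light check unless the human flags suspicion, full check otherwise, backup only when no IOR is found), as an added example that is not code from any poster. The indicator lists, the entropy threshold and the sample "file systems" are constructed for illustration; the light check reads only file names, the full check also reads contents, which is what makes it catch in-place encryption that the light check misses.

```python
import math
from collections import Counter

# Constructed indicator lists (illustrative, not from any vendor feed).
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_decrypt.txt"}
SUSPICIOUS_EXTS = (".locked", ".encrypted", ".crypt")
ENTROPY_THRESHOLD = 7.5   # bits/byte; plain text sits around 4-5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (8.0 is indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def light_check(fs: dict) -> list:
    """Metadata-only IOR scan: cheap, no file contents are read."""
    found = []
    for name in fs:
        lower = name.lower()
        if lower in RANSOM_NOTE_NAMES:
            found.append(f"ransom note present: {name}")
        elif lower.endswith(SUSPICIOUS_EXTS):
            found.append(f"renamed extension: {name}")
    return found

def full_check(fs: dict) -> list:
    """Light check plus content entropy; catches in-place encryption that
    kept the file names, at the cost of reading every file."""
    found = light_check(fs)
    for name, data in fs.items():
        # Caveat: legitimately compressed or encrypted files also trip this.
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            found.append(f"high entropy content: {name}")
    return found

def rbb_gate(fs: dict, human_suspects: bool):
    """Human flag selects the depth; backup is allowed only with zero IOR."""
    findings = full_check(fs) if human_suspects else light_check(fs)
    return (len(findings) == 0, findings)

# Constructed sample "file systems": name -> bytes (stand-ins, not real data).
CLEAN_FS = {
    "report.txt": b"quarterly numbers look fine " * 40,
    "notes.md": b"meeting notes: follow up with vendor\n" * 30,
    "logo.bmp": b"\x00\x01" * 500,
}
NOISY_FS = {**CLEAN_FS, "README_DECRYPT.txt": b"your files are encrypted",
            "report.txt.locked": bytes(range(256)) * 8}   # max-entropy stand-in
STEALTHY_FS = {**CLEAN_FS, "report.txt": bytes(range(256)) * 8}  # names untouched
```

STEALTHY_FS passes the light check and is only caught by the full check, which is the false-negative case the reply above warns about: an active infection that has not yet dropped a note or renamed anything.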
#jaclaz good job! - you get it. Agree on all points you made. It's just, we insert RBB into the normal replication process (syncing). So a time budget of zero is the target. All aspects of checking and validating take too long and therefore Human loses against Machine.
Not new (just a new project in our team, see the new name RBB); we prove not to set up a constantly and all-the-time running RBB because of performance, bandwidth and cost; we try to level 90% of RW cleanness with just 70% of resources (algo optimized).
The RanCheck takes time, so the IOR is the point to think of most. Inside we further split the IOR into pre-, is- and post-attributes.
All I want to say is: think you are ransomwared (assumably), have to check and decide to stop if you are. This is the last resort before the Valley of Death.
Any COTS software doing the RBB properly, my ears are open.
#jaclaz good job! - you get it.
Actually the point is that I DO NOT get it (at all).
I have NO idea about WHAT is actually "new" in your approach, WHERE are you going to implement it, WHY do you believe it to be "good" (or "better" than any comparable approach).
As said before AFAIK a RansomWare more or less resolves as a background process, that runs silently and stealthily encrypts a number of documents.
At the time of the backup (and its eventual pre, during or post analysis), see also
http://www.forensicfocus.com/Forums/viewtopic/p=6571336/#6571336
it is either "active" (i.e. it has ALREADY started encrypting accessible documents) or "dormant" (but I have never seen any report about a "dormant" RansomWare).
The approach you described may be of use in the latter case of a "dormant" RansomWare (as said never heard of) whilst in the case of an "active" one, the best policy (to hopefully limit damages) is to pull the plug of the system off as soon as it is detected (or even suspected only).
jaclaz
We here love to improve and dual-automate processes, Human and Machine in collab. Positive and new thinking is required.
Will not and cannot disclose the concept, and I am aware that describing its features does not cover it all. Have to say we have discussed this issue since Sept '13 and have since constructed many parts to fit together. Today we started the project to build.
But my post is just the flag up to ask: Do others run similar systems(!) in place of RBB?
But my post is just the flag up to ask: Do others run similar systems(!) in place of RBB?
And this is exactly the reason why there is the "make a poll" option.
The answer to your question is of course YES
http//
or maybe NO.
But unless others are put in a condition where they can understand what you are running, it is unlikely that their answers will be accurate, as they are unlikely to be able to determine if the whatever they are running (or not running) is in any way "similar" to what you are running or going to run, maybe.
jaclaz
It's not about a poll. The potential is about collab devops. There is a difference in reality, you are right (running systems). And there is always a way to improve as RW also gets more sophisticated (e.g. dormant, or better time-optimized: e-banking account higher, the keylogger tells RW cash is ready).
The potential is about collab devops.
Sure the potential is there.
But the minimum pre-requisite of "collab" is that other people are capable to understand what (the heck) you are talking about.
Till now (and I tried my best to let you know this, clearly failing at it) you completely failed to produce anything but a bunch of mostly senseless acronyms, i.e. you were not IMNSHO (it doesn't really matter if this happens because of security restrictions or *whatever* other reasons) capable of communicating.
This is a forum, people are supposed to come here to propose, discuss and comment ideas, it is not some sort of guessing game, AFAIK.
Mind you, if you think it is a guessing game, it's good as well; some of the other kids might be happy to play it with you.
Personally, I now declare the whole stuff a SEP
https://
Have fun with it.
jaclaz