
What to WHILE ransomware is encrypting?

njmyers3

I'm writing a program in Python that detects when ransomware is encrypting files. So far, it does detect when ransomware is modifying files such as changing their contents, renaming, or deleting them, but it doesn't do anything useful. All it can tell me is the fact that ransomware is detected, but not prevent it. So I was wondering what it should do to prevent the ransomware. Here are some ideas I had:

  • Shutdown the system immediately, may not work depending on privileges of software or current open applications
  • Log out, may not actually stop the ransomware if it's running as a system process
  • I thought about stopping network access but that wouldn't really stop the encryption, just delay the key being sent

As you can see, there's a potential flaw with all of these. What would you recommend I do?

My main computer:

i7 6700k || GTX 1070 || Asus Z170 RGB || C.M. Hyper 212 EVO || 16GB RAM || 256GB NVMe SSD || 500GB SATA SSD || 12TB total HDD || Define R5 Blackout || 850W PSU

More Details Below :) 

Spoiler

 

CPU: Intel Core i7 6700k                             GPU:  EVGA GTX 1070 FTW                                  |  Motherboard: Asus Z170 Pro Gaming Aura
CPU Cooler: C.M. Hyper 212 EVO             RAM: 16GB Kingston Fury 4x4 DDR4 2400MHz         SSD:  Intel 256GB NVMe SSD & Plextor 500GB SATA SSD

Hard Drive:  WD 2TB Black, 2TB WD Blue, 8TB WD Red     Case:  Fractal Design Define R5 Blackout Edition   PSU:  Be Quiet! Dark Power Pro 11 850W

 

Additional Computer Parts: NZXT Hue for LEDs

Peripherals: Dell U2414H (x2) || Corsair Sabre RGB || Corsair K95 Platinum || Sennheiser 558's || Modmic

 

Pictures of setup:

 

 

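As an added example (not code from njmyers3's program or from anyone in the thread), here is the kind of detection logic the post describes, run over a constructed stream of file-system events: a per-process sliding window that scores high-entropy rewrites, extension-changing renames and deletes, and names the offending PID once the score crosses a threshold. It assumes the file watcher can attribute each event to a PID, which any response step needs anyway; the paths, PIDs and content samples are made up.

```python
"""Added example (not from the original post): a burst detector for
ransomware-style file activity.

Replays a constructed event stream, as a watcher such as watchdog or
ReadDirectoryChangesW would emit it, and flags a PID when, inside a short
window, it rewrites many files with high-entropy content or renames them
to a new extension. Assumes the watcher supplies the responsible PID.
"""
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    t: float             # seconds since monitor start
    pid: int             # responsible process (assumption: the watcher supplies it)
    kind: str            # "modify" | "rename" | "delete"
    path: str
    new_path: str = ""   # for "rename"
    sample: bytes = b""  # first bytes of the new content, for "modify"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class BurstDetector:
    """Per-PID sliding window; each suspicious event scores 1, alert at threshold."""

    def __init__(self, window_s=5.0, threshold=8, entropy_cutoff=7.0):
        self.window_s = window_s
        self.threshold = threshold
        self.entropy_cutoff = entropy_cutoff
        self._events = defaultdict(deque)  # pid -> deque of (t, score)

    def _score(self, ev: FileEvent) -> int:
        if ev.kind == "modify":
            # Plain text saved into a document is fine; ciphertext is not.
            return int(shannon_entropy(ev.sample) >= self.entropy_cutoff)
        if ev.kind == "rename":
            # Extension change (report.docx -> report.docx.locked) is the classic tell.
            return int(ev.path.rsplit(".", 1)[-1] != ev.new_path.rsplit(".", 1)[-1])
        if ev.kind == "delete":
            return 1  # heuristic: deletes only matter in volume, inside the window
        return 0

    def feed(self, ev: FileEvent):
        """Return the offending PID when this event crosses the threshold, else None."""
        q = self._events[ev.pid]
        q.append((ev.t, self._score(ev)))
        while q and ev.t - q[0][0] > self.window_s:
            q.popleft()
        return ev.pid if sum(s for _, s in q) >= self.threshold else None


# Constructed samples: a flat byte histogram stands in for an encrypted file body.
CIPHERTEXT_SAMPLE = bytes(range(256)) * 4
PLAINTEXT_SAMPLE = b"Quarterly report: revenue up 4%, costs flat. " * 6


def ransomware_stream(pid=4242, start=100.0):
    """Six documents rewritten and renamed to .locked in 1.5 seconds (constructed)."""
    events, t = [], start
    for i in range(6):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        events.append(FileEvent(t, pid, "modify", doc, sample=CIPHERTEXT_SAMPLE))
        events.append(FileEvent(t + 0.125, pid, "rename", doc, new_path=doc + ".locked"))
        t += 0.25
    return events


def editor_stream(pid=1001, start=200.0):
    """A user saving five text notes two seconds apart (constructed): no alert."""
    return [FileEvent(start + 2.0 * i, pid, "modify",
                      f"C:/Users/alice/notes{i}.txt", sample=PLAINTEXT_SAMPLE)
            for i in range(5)]


def first_alert(events, detector=None):
    """Replay events; return (pid, t) of the first alert, or (None, None)."""
    detector = detector or BurstDetector()
    for ev in events:
        pid = detector.feed(ev)
        if pid is not None:
            return pid, ev.t
    return None, None


if __name__ == "__main__":
    print("ransomware:", first_alert(ransomware_stream()))  # (4242, 100.875)
    print("editor:    ", first_alert(editor_stream()))      # (None, None)
```

The threshold and window are the knobs to tune against real activity: a backup job or a compiler also touches many files quickly, but it does not write ciphertext over existing documents and rename them, so the entropy and extension checks carry most of the signal.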

Either identify the process to have it stop.

Or you can cause the computer to blue screen. Which I would prefer.

The geek himself.


Just now, Theguywhobea said:

Identify the process and stop the process.

It's a good idea but I feel that modern ransomware is designed to combat a regular user just stopping it with task manager. I'd also like to have something that works with all variants of ransomware rather than having a chance of not identifying the process. But thanks for your input :) 


1 minute ago, Being Delirious said:

Either identify the process to have it stop.

Or you can cause the computer to blue screen. Which I would prefer.

Honestly crashing it isn't a bad idea, not the best, but I'll consider it. Thanks :P 


1 minute ago, CamTechCorner said:

turn off write privileges to the disk, then no changes can occur.

Good idea, but I'm pretty sure you need administrator privileges to do that, which may not be possible in all scenarios.


13 minutes ago, njmyers3 said:

It's a good idea but I feel that modern ransomware is designed to combat a regular user just stopping it with task manager. I'd also like to have something that works with all variants of ransomware rather than having a chance of not identifying the process. But thanks for your input :) 

Would suspending the process be a good stop gap?

Rod 

----------

BSMods.com

Facebook

Youtube


5 minutes ago, njmyers3 said:

Good idea, but I'm pretty sure you need administrator privileges to do that, which may not be possible in all scenarios.

Can you not then start Python in admin mode? Then the ability to turn off the function should be there.


Just now, CamTechCorner said:

Can you not then start Python in admin mode? Then the ability to turn off the function should be there.

I can while testing this, but if people with a standard user account use this program it won't work. I want something that will work no matter what.


2 minutes ago, rodrosenberg said:

Would suspending the process be a good stop gap?

Yes, but I don't believe that the program could identify every variant of ransomware, so I would rather do something that is guaranteed to work.


3 minutes ago, njmyers3 said:

I can while testing this, but if people with a standard user account use this program it won't work. I want something that will work no matter what.

then, inputting this admin line at the top would do the same thing as starting the program in admin state. https://stackoverflow.com/questions/130763/request-uac-elevation-from-within-a-python-script

or this 

runas /user:mydomain\admin "mmc.exe %windir%\system32\dsa.msc"

8 minutes ago, CamTechCorner said:

then, inputting this admin line at the top would do the same thing as starting the program in admin state. https://stackoverflow.com/questions/130763/request-uac-elevation-from-within-a-python-script

or this 


runas /user:mydomain\admin "mmc.exe %windir%\system32\dsa.msc"

I'll look into that. I'm not sure that it'll work for a standard user but I'll check it out.

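As an added example that is not code from anyone in the thread, the following combines rodrosenberg's suggestion of suspending the process as a stop-gap with the elevation question above: it suspends the flagged PID instead of killing it, and reports when the open fails because the target runs with higher rights than the monitor. The Windows branch calls ntdll's NtSuspendProcess/NtResumeProcess through ctypes (undocumented, but what Process Explorer's "Suspend" uses); POSIX uses SIGSTOP/SIGCONT. The writer child, the temp file and the PID handling are constructed stand-ins for an encryptor, not part of the original program.

```python
"""Added example (not from the thread): suspend-first containment for a PID
the monitor has flagged, with the privilege check the thread turns on.

Suspending, rather than killing, freezes the encryption loop at once, keeps
the process in memory for inspection, and is reversible on a false positive.
Either way the caller must be able to open the target: a standard user cannot
touch a process that runs elevated or as SYSTEM, so the monitor has to report
that and be relaunched elevated itself.
"""
import ctypes
import os
import signal
import subprocess
import sys
import tempfile
import time

IS_WINDOWS = os.name == "nt"
PROCESS_SUSPEND_RESUME = 0x0800  # the only access right the Nt* calls need


def is_elevated() -> bool:
    """Administrator (Windows) or root (POSIX)."""
    if IS_WINDOWS:
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def _nt_process_call(func_name: str, pid: int) -> bool:
    """Windows only: open PID with minimal rights and call NtSuspend/ResumeProcess."""
    kernel32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    kernel32.OpenProcess.restype = ctypes.c_void_p
    kernel32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
    fn = getattr(ntdll, func_name)
    fn.argtypes, fn.restype = [ctypes.c_void_p], ctypes.c_int32  # NTSTATUS
    handle = kernel32.OpenProcess(PROCESS_SUSPEND_RESUME, False, pid)
    if not handle:
        return False  # ERROR_ACCESS_DENIED: target is elevated or another user
    try:
        return fn(handle) == 0  # STATUS_SUCCESS
    finally:
        kernel32.CloseHandle(handle)


def _posix_signal(sig, pid: int) -> bool:
    try:
        os.kill(pid, sig)
        return True
    except (PermissionError, ProcessLookupError):
        return False


def suspend_process(pid: int) -> bool:
    return (_nt_process_call("NtSuspendProcess", pid) if IS_WINDOWS
            else _posix_signal(signal.SIGSTOP, pid))


def resume_process(pid: int) -> bool:
    return (_nt_process_call("NtResumeProcess", pid) if IS_WINDOWS
            else _posix_signal(signal.SIGCONT, pid))


def contain(pid: int) -> str:
    """What the monitor does on an alert; the string goes to its log or UI."""
    if suspend_process(pid):
        return "suspended"
    if not is_elevated():
        return "denied: cannot open target; monitor needs to run elevated"
    return "denied: target gone or protected"


def demo_freeze(settle: float = 0.5) -> dict:
    """Spawn a writer child (stand-in for an encryptor), freeze it, prove the
    victim file stops growing, then thaw it."""
    victim = os.path.join(tempfile.mkdtemp(), "victim.bin")
    child_src = ("import sys, time\n"
                 "f = open(sys.argv[1], 'ab')\n"
                 "while True:\n"
                 "    f.write(b'x'); f.flush(); time.sleep(0.005)\n")
    child = subprocess.Popen([sys.executable, "-c", child_src, victim])
    try:
        deadline = time.time() + 10
        while not os.path.exists(victim) and time.time() < deadline:
            time.sleep(0.01)
        time.sleep(settle)
        outcome = contain(child.pid)
        time.sleep(0.05)  # let any in-flight write land
        frozen_size = os.path.getsize(victim)
        time.sleep(settle)
        still_frozen = os.path.getsize(victim) == frozen_size
        resumed = resume_process(child.pid)
        time.sleep(settle)
        grew_again = os.path.getsize(victim) > frozen_size
    finally:
        child.kill()
        child.wait()
    return {"outcome": outcome, "frozen": still_frozen,
            "resumed": resumed, "grew_again": grew_again}


if __name__ == "__main__":
    print("elevated:", is_elevated())
    print(demo_freeze())
```

Run as a standard user against a process that runs as SYSTEM or elevated, OpenProcess fails with access denied and contain() reports it, which is exactly the scenario the thread keeps returning to; the UAC relaunch from the linked Stack Overflow answer only helps when the user can actually approve the prompt.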

It's likely that any ransomware on the system that's active is running in elevated privileges. And if it's competent, it also probably changed the file permissions on top of it. So if you want to have even a shot at stopping it, anything you run must have elevated privileges or higher.

 

And even then, I'm not hopeful anything short of killing the process or dismounting volumes can stop it. If it's running elevated, the game is over.


You need to stop it before it executes. Stopping it while it is already in full swing is hopeless.

Sudo make me a sandwich 


9 hours ago, CamTechCorner said:

turn off write privileges to the disk, then no changes can occur.

Windows Defender also has the ability to lock write access to your files.

 

You can't block a root app from writing with permissions alone, and you certainly can't block write access to a system drive.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


18 hours ago, njmyers3 said:

I'm writing a program in Python that detects when ransomware is encrypting files. So far, it does detect when ransomware is modifying files such as changing their contents, renaming, or deleting them, but it doesn't do anything useful. All it can tell me is the fact that ransomware is detected, but not prevent it. So I was wondering what it should do to prevent the ransomware. Here are some ideas I had:

  • Shutdown the system immediately, may not work depending on privileges of software or current open applications
  • Log out, may not actually stop the ransomware if it's running as a system process
  • I thought about stopping network access but that wouldn't really stop the encryption, just delay the key being sent

As you can see, there's a potential flaw with all of these. What would you recommend I do?

As far as I know, there is no real-time removal of problems. What nearly all of them do is try to prevent a virus from getting into the system in the first place. If a virus does slip past, it is caught in scans: if a definite virus is found, it is marked as needing to be removed, then the computer is rebooted and some tricks are used to make sure the antivirus loads before anything else. If an indefinite virus is found, it either asks the human or does other tests, such as running the program in a virtual machine to determine whether it is malicious or not; once marked as malicious, it does the same thing as a normal scan. If it can't decide, it notifies the administrator to make a decision about it.

The biggest key to modern antimalware is that it is pretty good at preventing viruses from ever being installed in the first place.

 

ENCRYPTION IS NOT A CRIME
