Cross-Platform Hash Comparison to Detect Ransomware - Backup Software Hole?
raywood wrote (post 978063):

I have developed a scheme (https://raywoodcockslatest.wordpress.com/2021/12/08/ransomware-hash/) to detect a type of ransomware. It seems that my scheme may have a hole.

The general idea is that I calculate SHA-512 values for each file on a source data drive; I compare those values against SHA-512 values for each file on a backup drive; and I review discrepancies to see whether they are highlighting ransomware activity. In theory, this should detect the type of ransomware that silently encrypts data files, decrypting them on the fly, on demand, so that the user will have no notice that files on the source drive are gradually being encrypted.

I am told (https://crypto.stackexchange.com/questions/98731/hash-comparison-to-detect-ransomware-file-encryption/98735?noredirect=1) that such ransomware may prevent the operating system from recognizing that encrypted files have changed. But if I calculate the source drive hashes on a Windows system, and calculate the backup drive hashes on a Linux system, then (assuming the malware is not cross-platform) I should see discrepancies in hash values. The ransomware may fool the Windows OS, but the Linux hashing tool will hash the file as altered by ransomware, not merely its decrypted contents.

The problem is that, to update the backup drive, I am using software that detects file changes as indicated by timestamps and file sizes. I assume that (perhaps with the aid of compression) ransomware could manipulate both of those indicators, so that my backup software would see no change, and therefore would not reflect the actual condition of ransomware-encrypted files on the source (Windows) drive. I assume that a byte-for-byte comparison would detect the fact of change, but such comparisons are very slow, discouraging frequent use.

Am I wrong about any of this? I like the idea of being able to compare hash values to detect ransomware, but I'm afraid I may be going to a lot of trouble to achieve nothing.
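As an added illustration of the comparison the post describes (example code written for this page, not the poster's tool or the scheme in the linked write-up): the script below inventories a source tree and a backup tree, records size, mtime and SHA-512 for every file, and classifies the discrepancies. The class it singles out, "hidden", is a file whose size and mtime agree on both sides while its hash does not, which is exactly the case a backup tool driven by timestamps and sizes would skip. The "ransomware" in the demo is a constructed stand-in: it XORs the bytes in place (a length-preserving transformation, so the size never changes) and then puts the original mtime back with os.utime, which any process with write access to the file can do. Directory names, file contents and the XOR key are all invented for the demo.

```python
"""
Added example (not the original poster's code).

inventory()  - walk a tree, record (size, mtime_ns, sha512) per relative path
compare()    - classify source-vs-backup differences; "hidden" means the
               metadata a timestamp/size-based backup relies on is unchanged
               while the content hash is not
demo()       - constructed scenario: copy a tree, tamper with one file in the
               source while preserving size and mtime, then compare
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha512_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so large files are not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(root: Path) -> dict:
    """Map each relative POSIX-style path under root to (size, mtime_ns, sha512).

    Run this separately on each side (e.g. the source on Windows, the backup on
    Linux) and carry the resulting dict across as JSON; compare() only needs the dicts.
    """
    inv = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            inv[p.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns, sha512_file(p))
    return inv


def compare(src: dict, bak: dict) -> dict:
    """Classify discrepancies between a source inventory and a backup inventory."""
    report = {"missing_in_backup": [], "extra_in_backup": [], "metadata_changed": [], "hidden": []}
    for rel, (size, mtime, digest) in src.items():
        if rel not in bak:
            report["missing_in_backup"].append(rel)
            continue
        bsize, bmtime, bdigest = bak[rel]
        if digest == bdigest:
            continue  # content identical; nothing to report
        if size == bsize and mtime == bmtime:
            report["hidden"].append(rel)  # a size/mtime-driven backup would never copy this
        else:
            report["metadata_changed"].append(rel)
    report["extra_in_backup"] = sorted(set(bak) - set(src))
    return report


def fake_encrypt_in_place(path: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for in-place encryption: same length, original mtime restored."""
    st = path.stat()
    data = path.read_bytes()
    path.write_bytes(bytes(b ^ key for b in data))  # XOR keeps the byte count identical
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))  # put the timestamps back


def demo() -> dict:
    """Build a source and a backup, tamper with the source, and return the comparison report."""
    work = Path(tempfile.mkdtemp(prefix="hashcmp-"))
    try:
        src, bak = work / "source", work / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_bytes(b"quarterly figures\n" * 50)      # constructed
        (src / "docs" / "untouched.txt").write_bytes(b"nothing to see here\n")    # constructed
        shutil.copytree(src, bak)  # copy2 semantics: sizes and mtimes are preserved in the backup
        fake_encrypt_in_place(src / "docs" / "notes.txt")
        return compare(inventory(src), inventory(bak))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the demo reports docs/notes.txt under "hidden" and nothing under the other headings: a byte-for-byte or hash comparison sees the change, while a check on size and mtime alone does not. The inventory step is the slow part (every file is hashed once per run); the comparison itself is a dictionary walk and is cheap, so the inventories can be produced on each OS on its own schedule and compared whenever both are available.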