Here is the first beta version of DataDefender. DD is a standard backup app with a focus on ransomware protection, data loss prevention and data control.
I believe the main anti-ransomware mechanism is quite unique, but if there is anything similar please let me know. This is how it works…
The concept of DataDefender is simple. Have you ever been using your computer and noticed that at times the hard drive seems to be reading or writing endlessly for no apparent reason, so you wonder “is something reading, deleting or encrypting my data without my permission?” This happens to me all of the time, and one day I realized that as long as no unknown processes are executing, then I have nothing to worry about. Basically, whenever the hard drive is grinding away, I want to be assured that only known benign processes are currently executing and accessing the data files.
DataDefender’s main focus is to closely monitor all user space file modification events (changed, created, deleted, renamed, etc.) to protect data against ransomware and other forms of malware. The file modification events can also include file size, file attributes, file security attributes, last access time, last write time, and creation time.
The anti-ransomware mechanisms that I have tested typically monitor processes and grant or deny access to user data folders for each process. DD, by contrast, primarily monitors the user data folders for any and all modifications (especially increased drive activity), and secondarily monitors suspicious processes. DD considers a process to be suspicious if it is a non-native, vulnerable or unknown process, typically in user space.
While monitoring the user data files for increased read or write disk activity or file access / modification events, if no suspicious processes are executing, the drive activity is allowed and not restricted in any way.
However, if there is increased drive activity in the user data folders AND a suspicious process is executing, DD briefly suspends each suspicious process in turn to see whether drive activity decreases. As each process is resumed consecutively, if drive activity remains constant throughout, then we know that particular suspended suspicious process is not responsible for the increased drive activity. Over time, suspicious processes that never cause a change in drive activity are automatically whitelisted by a feature known as dwell time, which we might make user configurable at some point.
However, if the increased drive activity within the user data files stops while a process is suspended and restarts when it is resumed, then that process has been identified as the one responsible. Once identified, the suspicious application is terminated and potentially quarantined, and the compromised user data files are manually or automatically restored.
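To make the suspend / resume attribution loop concrete, here is an added simulation of it (my own illustration, not DD's code). The `SimProcess` rates, `ActivityMonitor` and the thresholds are constructed stand-ins for the real file-event watcher and process suspension; the logic also handles more than one offending process, since each is judged by the drop its own suspension produces rather than by whether all activity stops.

```python
"""Simulated DataDefender-style attribution: suspend each suspicious process
in turn and see whether user-data write activity drops and then rebounds."""
from dataclasses import dataclass


@dataclass
class SimProcess:
    pid: int
    events_per_sec: float        # file-modification events it generates while running
    suspended: bool = False
    clean_checks: int = 0        # consecutive rounds it was cleared (dwell time)
    whitelisted: bool = False


class ActivityMonitor:
    """Constructed stand-in for the user-data folder watcher: it reports the
    combined event rate of all processes that are not currently suspended."""
    def __init__(self, procs):
        self.procs = procs

    def rate(self):
        return sum(p.events_per_sec for p in self.procs if not p.suspended)


def attribute_activity(procs, monitor, threshold, dwell_checks=3):
    """Return (culprit_pids, newly_whitelisted_pids) for one detection round.

    threshold: event rate regarded as 'increased drive activity'.
    A process is blamed when suspending it removes at least `threshold`
    events/sec AND resuming it brings at least that much back."""
    culprits, whitelisted = [], []
    if monitor.rate() < threshold:
        return culprits, whitelisted          # quiet: no action, nothing suspended
    for p in procs:
        if p.whitelisted:
            continue                          # dwell time already cleared it
        before = monitor.rate()
        p.suspended = True                    # brief suspension
        during = monitor.rate()
        p.suspended = False                   # always resume, even if blamed
        after = monitor.rate()
        drop, rebound = before - during, after - during
        if drop >= threshold and rebound >= threshold:
            culprits.append(p.pid)            # caller terminates / quarantines
            p.clean_checks = 0
        else:
            p.clean_checks += 1
            if p.clean_checks >= dwell_checks:
                p.whitelisted = True
                whitelisted.append(p.pid)
    return culprits, whitelisted
```

Remember that the real detector must measure rates over a window long enough to smooth out ordinary bursts, otherwise a benign process doing a large save can be blamed; this simulation uses exact rates only to keep the logic visible.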
So that is how DD works in a nutshell. For now DD does not utilize a kernel mode driver, but we can implement one if necessary. I have only tested it against synthetic ransomware and will certainly need to make changes once we start testing with real ransomware, simply because I am not familiar with all of the sneaky tricks ransomware utilizes while encrypting files. I just figured it was time to release a beta in case anyone was interested in helping me find ransomware that encrypts the files without DD noticing, especially since for now DD is configured to only detect file name changes. Once we start testing, we will figure out what other file modification events we need to add, and they are very simple to add. BTW, if you do test DD, please make sure you have at least 20 or so sample files to be encrypted. In my tests, DD typically takes action after around 5-15 files have been encrypted. We can also change several different parameters within DD’s detection code to tighten things up a bit if necessary.
DD 0.90 beta
SHA-256: e0507f631d698ae4a83e9a401649f27c4cc22c2091c7b61e00f7eed9d8505429
Thank you guys!