Does anyone know if any tools exist on Linux which can be used for early detection of ransomware?
Something that monitors file access, disk activity, etc. for suspicious behavior and can trigger some action or alert?
I think I remember some discussion about using a 'canary file' - some innocent looking file with known contents which should never be modified. If a modification is detected, you know something fishy is going on.
I'd like to emphasize the canary file. This is a file that you should never access in normal operations. Thus, if the file was in fact accessed, that is a sign that something is scanning your file system.
Depending on the threat, such a scan might be a good reason to pull the cord from the mains socket. You don't want to let a normal shutdown occur, rather pull the cord and mount the disk on another system to recover / analyze.
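A minimal canary-file checker for the approach described in the replies above, as an added example that is not part of the thread: it plants a file with known contents, records a baseline (SHA-256, size, mtime, inode), and reports any deviation. Function names, the canary path and the canary contents are assumptions made for illustration; it only uses the Python standard library, so it runs unchanged on any Linux box.

```python
"""Canary-file integrity checker (added example, not from the thread).

A canary file is never touched in normal operation, so any change to its
contents or metadata is a high-confidence signal that something is sweeping
the filesystem. This checker detects modification, replacement and deletion
by polling; it does not detect reads (see the note after the code).
All names and the canary contents below are illustrative assumptions.
"""
import hashlib
import os
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed, innocent-looking contents; a real deployment would pick
# something that blends in with the surrounding files.
CANARY_CONTENT = b"Quarterly invoice archive 2019 - do not edit.\n"


@dataclass(frozen=True)
class Baseline:
    """What the canary looked like when it was planted."""
    sha256: str
    size: int
    mtime_ns: int
    inode: int


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large canaries are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path: Path) -> Baseline:
    """Capture the current content hash and metadata of the canary."""
    st = os.stat(path)
    return Baseline(_sha256(path), st.st_size, st.st_mtime_ns, st.st_ino)


def plant_canary(path: Path) -> Baseline:
    """Write the canary with known contents and return its baseline."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(CANARY_CONTENT)
    return snapshot(path)


def check_canary(path: Path, baseline: Baseline) -> List[str]:
    """Compare the canary against its baseline.

    Returns a list of findings; an empty list means the canary is untouched.
    A rename (e.g. an encryptor appending its own extension) shows up as
    'missing', an in-place overwrite as a content/size change, and a
    write-to-temp-then-rename as an inode change.
    """
    findings: List[str] = []
    if not path.exists():
        return ["missing: canary file deleted or renamed"]
    current = snapshot(path)
    if current.sha256 != baseline.sha256:
        findings.append("content changed: possible encryption or overwrite")
    if current.size != baseline.size:
        findings.append(f"size changed: {baseline.size} -> {current.size}")
    if current.inode != baseline.inode:
        findings.append("inode changed: file was replaced rather than edited in place")
    if current.mtime_ns != baseline.mtime_ns:
        findings.append("mtime changed")
    return findings


if __name__ == "__main__":
    # Stand-alone demo in a scratch directory; the path is an assumption.
    import tempfile
    scratch = Path(tempfile.mkdtemp())
    canary = scratch / "Documents" / ".invoices-2019.txt"
    base = plant_canary(canary)
    print("after planting:", check_canary(canary, base) or "clean")
    canary.write_bytes(b"\x00" * 64)  # simulate an in-place overwrite
    print("after overwrite:", check_canary(canary, base))
    canary.unlink()
    print("after deletion:", check_canary(canary, base))
```

Run it from cron or a systemd timer and wire a non-empty result into whatever alert or action you want; the reply above suggests a hard power-off, which is a policy decision this code deliberately leaves to the caller. Two caveats worth knowing: this polling checker notices writes, replacements and deletions but not reads, so for the "file was accessed" signal the reply emphasises you need inotify/fanotify or auditd on the path, and relying on atime alone is unreliable on filesystems mounted with noatime or relatime.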
aide
Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading
aide -i
Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing
To do it properly you would likely be looking at mandatory access control, such as SELinux, so that the ransomware wouldn't be authorized to modify the files and further would make itself obvious in the logs.
Not very easy to use (in a way that still provides meaningful security) outside of the server space, though it can be done.
RHEL products, including Fedora, come with a fairly usable SELinux out of the box. By extension, so does Qubes OS.
I currently run a QEMU setup at home with different VMs, all Fedora, for different domains of use (internet, work, development/art, untrusted, a clean environment for installing OSes, etc.) in the spirit of Qubes. Regular backups of everything are made frequently.
In the highly unlikely event of a ransomware infection, it would be limited to a single domain.
I believe this is the way forward for personal computing.