
Does anyone know if any tools exist on Linux which can be used for early detection of ransomware?

Something that monitors file access, disk activity, etc. for suspicious behavior and can trigger some action or alert?

I think I remember some discussion about using a 'canary file' - some innocent looking file with known contents which should never be modified. If a modification is detected, you know something fishy is going on.




Aide is a popular utility to monitor for changes to files on Linux systems.

http://aide.sourceforge.net

You could also use the built in audit subsystem if you wanted to watch a specific canary file, directory, filesystem, etc. https://www.linux.com/learn/customized-file-monitoring-audit...


I'd like to emphasize the canary file. This is a file that you should never access in normal operations. Thus, if the file was in fact accessed, that is a sign that something is scanning your file system.

Depending on the threat, such a scan might be a good reason to pull the cord from the mains socket. You don't want to let a normal shutdown occur, rather pull the cord and mount the disk on another system to recover / analyze.
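A minimal canary-file checker in the spirit of the two comments above, added here as an example and not code from any commenter or from aide: it plants files that nothing should ever touch, records a baseline hash for each, and reports any that are later overwritten, renamed or deleted. The canary file names, contents and the `on_alert` hook are constructed assumptions for this example.

```python
"""Canary-file checker: plant files nothing should ever touch, baseline their
hashes, report changes. Polls with sha256 (no inotify) so it runs anywhere."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

CANARY_NAMES = ["_aaa_canary_do_not_open.docx", "~budget-backup.xlsx"]  # constructed

def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_canaries(directory: Path, names=tuple(CANARY_NAMES)) -> dict:
    """Create canary files with known content; return baseline {path: sha256}."""
    baseline = {}
    for name in names:
        path = directory / name
        path.write_bytes(b"CANARY " + name.encode() + b"\n" * 64)  # constructed content
        baseline[str(path)] = _sha256(path)
    return baseline

def check_canaries(baseline: dict) -> list:
    """Compare current state to the baseline; return a list of (path, reason)."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            # deleted, or renamed (ransomware commonly appends its own extension)
            alerts.append((path, "missing"))
        elif _sha256(Path(path)) != expected:
            alerts.append((path, "modified"))
    return alerts

def watch(baseline: dict, interval: float, on_alert) -> None:
    """Poll until the first alert, then hand the alert list to on_alert()."""
    while True:
        alerts = check_canaries(baseline)
        if alerts:
            on_alert(alerts)  # e.g. log, page someone, or cut power as suggested above
            return
        time.sleep(interval)

def demo() -> dict:
    """Plant canaries in a temp dir, simulate one overwrite and one rename."""
    d = Path(tempfile.mkdtemp())
    baseline = plant_canaries(d)
    before = check_canaries(baseline)
    (d / CANARY_NAMES[0]).write_bytes(os.urandom(256))          # overwritten in place
    (d / CANARY_NAMES[1]).rename(d / (CANARY_NAMES[1] + ".locked"))  # renamed away
    return {"before": before, "after": check_canaries(baseline)}
```

Scatter the canaries across the directories a scanner would walk first (home, shares, mounted backups) so they are hit before real data is; the hash comparison is the same now-versus-then idea aide applies to the whole tree.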


what a horrible interface

  aide 
  Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db for reading

  aide -i
  Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing


I suppose, but it's not really made as a one off run-a-command type tool. It needs set up so that you can compare now to then.

Having no parameters specified doing something real is probably not desired, as it would overwrite the DB that your aide Cron job is running.

That's why your Linux distro (not aide) picked those funny defaults.


I thought tripwire was the standard.. happy to know another name.


Tripwire got very stale after they split off a non open source commercial version.

Aide filled that gap. I believe most people prefer it to the open source tripwire.


I like running ossec on my linux boxes:

* ossec - https://ossec.github.io/

Also worth looking at:

* chkrootkit - http://www.chkrootkit.org/

* rkhunter - http://rkhunter.sourceforge.net/


To do it properly you would likely be looking at mandatory access control, such as SELinux, so that the ransomware wouldn't be authorized to modify the files and further would make itself obvious in the logs. Not very easy to use (in a way that still provides meaningful security) outside of the server space, though it can be done.


RHEL products, including Fedora, come with a fairly usable SELinux out of the box. By extension, so does Qubes OS.

I currently run a QEMU setup at home with different VMs, all Fedora, for different domains of use (internet, work, development/art, untrusted, a clean environment for installing OS's, etc) in the spirit of Qubes. Regular backups of everything are made frequently.

In the highly unlikely event of a ransomware infection, it would be limited to a single domain.

I believe this is the way forward for personal computing.


Tripwire is the archetype, it's been around for over 15 years.

https://en.wikipedia.org/wiki/Open_Source_Tripwire



