Lightning:Capricorn: Staying ahead of ransomware

From 34C3_Wiki
Revision as of 10:54, 31 December 2017 by CodeFreezr (talk | contribs) (Video starts at)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Description Using honeypots on the local machine of the user, Capricorn prevents ransomware from encrypting files that are important to the user. This open-source and cross-platform application is always being developed further, hence the reason for this talk. To improve the program, everybody is invited to share his/her thoughts and/or give feedback and suggestions.
Slides https://maxkersten.nl/capricorn.pdf
Website(s) https://maxkersten.nl/capricorn/
Tags ransomware, capricorn, anti-ransomware, prevention, open-source, tool, call for participation
Person organizing User:libra
Contact: info@maxkersten.nl
Language en - English
en - English
Duration 5
Desired session Day 3
Desired timeframe middle

refresh

Earlier this year, I wrote a cross platform open-source (Windows and Linux distributions) Java CLI application which uses honeypots to quickly reacts when the encryption process of the ransomware starts. Capricorn does not require root or administrative privileges. Tests in a VM showed that WannaCry, together with multiple other variants of ransomware, would've failed to encrypt a single file that was outside the honeypot folders. With this talk, I'd like to start a discussion to improve the program by joining collaboration with others or by simply using the suggestions that hopefully come out of this talk during a hallway discussion or are sent in via e-mail.

Additional measures to evade the detection of the honeypot folders by ransomware are taken, but wont suffice as long as ransomware is also being actively changed. Using the most used extensions of my own computer, I created a list of nearly 600 extensions which are in each of the honeypot folders. The content of these files are random words taken from the the top 500 most used words in the English language. Additionally, the headers of the files correspondent with the extension they've got. This last function is not yet fully implemented yet, but will be finished in the week after this year's congress.

Video starts at https://www.youtube.com/watch?v=TLcByvUGMvk#t=48m17s