Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
- Monitors entire hard disk for suspicious IO behaviour
- Whitelists known-good and system processes
- Calculates a process' complete threat level by combining child suspicion with parent
- Watches process' file system writes per second
- Kills suspicious processes immediately if it passes the threshold
- Low memory and CPU footprint
- Install requirements
- Microsoft Visual Studio 2015
- Windows Driver Kit 8.1
- Windows Driver Kit 10
- Windows SDK 10
- Windows 7 x64 (The project has been fully tested on Win7. You're welcome to install it on other 64 bit Windows operating systems after Vista. It should work.)
- To run the executable without Visual Studios install: Visual C++ Redistributable for Visual Studio 2015
- Clone the respository:
git clone https://github.com/DecryptoniteTeam/Decryptonite
- Open the project (decryptonite.sln) in Visual Studios
- In Visual Studios its time to build the executable and driver:
- Navigate to Build -> Configuration Manager
- Change the platform from "Win32" to "x64" for both projects
- Browse to Build -> Build Solution
- When you get errors please open a ticket ... Compiling and building drivers is definitely not a straightforward process.
- Disable Windows Signed Driver Enforcement:
- Setting up Decryptonite:
- Install the driver:
- Browse to containing folder
- Right-click "decryptonite.inf" and click "Install"
- Load the driver:
- Open PowerShell.exe with Administrative Privileges
- Execute
fltMc.exe load decryptonite
- Finally... We can run the executable!
- Install the driver:
The first step is to open up an Administrative PowerShell and run Decryptonite. - .\decryptonite.exe
That's all the setup required! Decryptonite will automatically detect and attach to the "C:\" drive. If you decide to run either ransomware or executables with valid digital signatures, the output will resemble the following:
To configure the application's behaviour: hit enter
to bring up the prompt >
and type help
/a [drive]
attach Decryptonite to another drive e.g. "D:"/d [drive]
stop Decryptonite from monitoring on a given drive/l
- lists all drives that Decryptonite is attached to/f [file name]
redirect all output to a given file/p
Decryptonite will run, it will monitor, but it won't kill any processes/v
makes Decryptonite more verbose/x
makes Decryptonite much more verboseexit
exits the application
Spotted a bug? Want to add features? Increase the performance?
Open an issue or submit a pull request!
The Decryptonite team includes:
A big thanks to Troy D. Hanson for his development of the open source libraries UTHash and UTArray.
Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.
This project is released under The Microsoft Public License.