Skip to content

DecryptoniteTeam/Decryptonite

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Decryptonite

Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.

Features

  • Monitors entire hard disk for suspicious IO behaviour
  • Whitelists known-good and system processes
  • Calculates a process' complete threat level by combining child suspicion with parent
  • Watches process' file system writes per second
  • Kills suspicious processes immediately if it passes the threshold
  • Low memory and CPU footprint

Installation

  • Install requirements
  • Clone the respository: git clone https://github.com/DecryptoniteTeam/Decryptonite
  • Open the project (decryptonite.sln) in Visual Studios
  • In Visual Studios its time to build the executable and driver:
    • Navigate to Build -> Configuration Manager
    • Change the platform from "Win32" to "x64" for both projects
    • Browse to Build -> Build Solution
    • When you get errors please open a ticket ... Compiling and building drivers is definitely not a straightforward process.
  • Disable Windows Signed Driver Enforcement:
  • Setting up Decryptonite:
    • Install the driver:
      • Browse to containing folder
      • Right-click "decryptonite.inf" and click "Install"
    • Load the driver:
      • Open PowerShell.exe with Administrative Privileges
      • Execute fltMc.exe load decryptonite
    • Finally... We can run the executable!

Usage

The first step is to open up an Administrative PowerShell and run Decryptonite. - .\decryptonite.exe

That's all the setup required! Decryptonite will automatically detect and attach to the "C:\" drive. If you decide to run either ransomware or executables with valid digital signatures, the output will resemble the following: Easter egg

To configure the application's behaviour: hit enter to bring up the prompt > and type help

Commands

  • /a [drive] attach Decryptonite to another drive e.g. "D:"
  • /d [drive] stop Decryptonite from monitoring on a given drive
  • /l - lists all drives that Decryptonite is attached to
  • /f [file name] redirect all output to a given file
  • /p Decryptonite will run, it will monitor, but it won't kill any processes
  • /v makes Decryptonite more verbose
  • /x makes Decryptonite much more verbose
  • exit exits the application

Contribute

Spotted a bug? Want to add features? Increase the performance?

Open an issue or submit a pull request!

Authors

The Decryptonite team includes:

Credits

A big thanks to Troy D. Hanson for his development of the open source libraries UTHash and UTArray.

Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.

License

This project is released under The Microsoft Public License.

About

Ransomware Detection and Mitigation Software

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages