Would it be plausible to write your own anti-crypto-ransomware tool?

Why are there not already more anti-crypto-ransomware tools?

Because there are. They are called virus scanners and they should have heuristic algorithms to detect this behavior. Unfortunately the ransomware developers are smart enough to test their creations against all commonly used virus scanners and make sure they circumvent their heuristics somehow.

And before you start writing your own solution hoping it is somehow not covered by all the evasion tactics used by this kind of malware, setting up a backup solution is usually far easier and protects you from far more problems than just ransomware.


Your question becomes broader as it goes on, so I'll aim to simply answer the question in the title. Also note I'm answering from a perspective of making a solution on Windows. The same concept could be taken over to *nix though.

Would it be plausible to write your own anti-crypto-ransomware tool?


Sure, there are things like the .NET TraceEvent library that are very easy to use where one can monitor absolutely everything happening on your computer in real time. Ever since Vista, the Windows Kernel generates boatloads of information about absolutely everything that takes place on your computer.

This includes when a program loads a DLL, calls a system function, allocates memory, begins to access a file, completes a modification to a file, attempts to do anything related to networking, so on and so forth. There's so much data being generated by the Kernel, you'd probably kill the computer if you tried to read it all into user space in real time.

Just from this information alone, regardless of how crafty these dopes writing this software are, you could keep your stuff safe via a whitelist of processes that can make modifications to your files. For example, the moment the Kernel raises an event about a process that is not found in the whitelist accessing a file in a certain path, you murder the process in cold blood. Simple in concept and could be implemented in < 500 LOC (I know from experience with TraceEvent).

Obviously there are a bunch of unforeseen things that need to be addressed once you actually try this, but in theory it's simple. This wouldn't be perfect; maybe it would get away with ruining one or two of your files before you kill it because of the variable delay between the actual time something happened and the time the Kernel alerted you, but this would be a solid start if your sole concern is preventing the full effects of ransomware that encrypts data you can't lose.

From the comments:

Why aren't there more open-source home-made solutions?


As someone who publishes things open source - this stuff takes time. Good development is hard, time is limited, and there is no cookie to be had or even a dollar to motivate you to take interest in something like this. Whenever people do work on something they plan on publishing open source, it's going to be something that interests them.

How many programmers are such masochists that they think "I want to spend my free time working on software that will invoke a never ending onslaught from shady people who will work tirelessly to circumvent it? Oh, and for free." Not many.

Regarding

"Anyway, I am aware that the recommendation is not to write your own crypto software"

As snowman points out in the comments, it's not writing your own software which uses existing crypto that people warn you against, it's trying to roll your own cryptography software/methods that people warn against. All that said, this doesn't require crypto at all; it's simply a file and process monitor that would only be effective because it's like a bouncer that just shoots anybody who comes near the club and is not on the VIP list. The downside is that maybe someone he shoots is someone you really care about and you simply forgot to add them to the list. :)

Edit


Just for fun, I tried this. Relevant code is here on Github. When I simply browsed to the protected directory, so many Windows processes associated with explorer.exe got instantly murdered that I had to log out because things like my start menu stopped working. But hey, if you throw in some hashes of the files and build a whitelist of Windows processes, then you're all set. :)

I wanted to add a second program and call it Kingpin and have it deliberately try to encrypt all the files in the protected directory, but I've been staring at my screen for two days and I'll have to come back to it after I rest. As you probably imagine from the names, I've been binge watching Daredevil.

Edit, Again

I've done some research into this on Windows. Turns out that from Windows 8 onward, Windows keeps a directory of all binaries and such necessary to completely rebuild your OS. This is the WinSxS folder. Why this is relevant is because of the concept of whitelisting here and the problem of not killing the OS when a user tries to browse to folders. You could use SFC and DISM to verify the integrity of this cache, then scan this folder and generate hashes for every single binary you discover. Voilà, the OS is whitelisted.
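The decision logic the answer above describes (a whitelist keyed on hashes of the process image, a protected path, and an immediate kill for anything else that touches it, including the explorer.exe false positive and the "hash the OS binaries" fix), as an added example that is not the answerer's GitHub code and does not use .NET TraceEvent. It is plain Python: the event records are constructed stand-ins for the fields a kernel file-I/O trace would deliver, the protected path and the fake image store are assumed, and the kill action is injected so the decision can be exercised without a live system.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directory the "bouncer" guards (assumed example path, not from the original post).
PROTECTED = PureWindowsPath(r"C:\Users\me\Documents\Protected")


@dataclass(frozen=True)
class FileEvent:
    """Constructed stand-in for the fields a kernel file-I/O event carries."""
    pid: int
    image_path: str     # on-disk image of the process that opened the file
    image_sha256: str   # hash of that image, recorded when the process started
    file_name: str      # file being opened for write


def sha256_of(path):
    """Stream-hash one file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(roots):
    """Hash every file under the given directories. On a real box the roots
    would be the integrity-checked OS component store plus your own tools."""
    allow = set()
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                allow.add(sha256_of(os.path.join(dirpath, name)))
    return allow


def is_protected(file_name):
    """True if file_name sits inside PROTECTED. PureWindowsPath compares
    case-insensitively and accepts either slash, so 'c:/users/ME/...' still
    matches. An 8.3 short name or a \\\\?\\ prefixed path would not, and a real
    monitor has to normalise those first or the ransomware walks past the check."""
    return PROTECTED in PureWindowsPath(file_name).parents


def decide(event, allowlist, kill):
    """Return 'ignored', 'allowed' or 'killed' for one event, calling kill(pid)
    in the last case. Identity is the image hash, not the process name, so a
    dropper renamed to explorer.exe gains nothing from the name."""
    if not is_protected(event.file_name):
        return "ignored"
    if event.image_sha256 in allowlist:
        return "allowed"
    kill(event.pid)
    return "killed"


def run_demo():
    """Build a fake OS image store, feed constructed events through decide()
    and return (outcomes, killed_pids). Every path and hash here is made up."""
    killed = []
    with tempfile.TemporaryDirectory() as os_store:
        good_explorer = os.path.join(os_store, "explorer.exe")
        with open(good_explorer, "wb") as f:
            f.write(b"MZ fake explorer image")
        good_hash = sha256_of(good_explorer)
        bad_hash = hashlib.sha256(b"MZ fake ransomware image").hexdigest()

        events = [
            # Explorer browsing the protected folder: genuine image, allowed.
            FileEvent(1200, r"C:\Windows\explorer.exe", good_hash,
                      r"C:\Users\me\Documents\Protected\desktop.ini"),
            # Unknown binary writing outside the tree: not the bouncer's business.
            FileEvent(4100, r"C:\Users\me\Downloads\invoice.exe", bad_hash,
                      r"C:\Users\me\Downloads\out.tmp"),
            # Same binary renamed to explorer.exe, touching protected data: killed.
            FileEvent(4100, r"C:\Users\me\AppData\Local\Temp\explorer.exe", bad_hash,
                      r"c:/users/ME/Documents/Protected/taxes.docx"),
        ]
        allow = build_allowlist([os_store])
        outcomes = [decide(ev, allow, killed.append) for ev in events]
    return outcomes, killed


if __name__ == "__main__":
    print(run_demo())
```

Keying the allowlist on the image hash rather than the name is what makes the whitelist worth anything; hashing the OS store is how you stop the first run from killing explorer.exe and its helpers, which is exactly the failure the "Edit" above reports. The delay caveat from the answer still applies: the kill lands after the event was raised, so the last write that triggered it may already have happened.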