RMW Compression Heuristic for In-Progress Ransomware Attack? #12558
sempervictus
started this conversation in
Ideas
Replies: 1 comment
If daily snapshots are used, there is no immediate threat of losing long-term
data. More likely you will notice a sudden increase in storage used and the
compression ratio of recent snapshots dropping to 1, which is actually normal
for media files.
I also read an article about an SSD-level heuristic to detect this kind of
activity. Hopefully it will not detect normal ZFS operations as suspicious.
On Sun, Sep 12, 2021 at 1:47 AM RageLtMan ***@***.***> wrote:
When "ransomware" encrypts file data in-place, blocks which used to
contain compressible data suddenly contain rather uncompressible data.
Since their intent is to encrypt as much data as possible, the compression
ratio should drop like a brick as the process goes on. How difficult would
it be to teach ZED or the like to generate an event when this is observed
such that HIDS or other response mechanisms could evaluate what's going on
and try to respond accordingly?
When "ransomware" encrypts file data in-place, blocks which used to contain compressible data suddenly contain rather uncompressible data. Since their intent is to encrypt as much data as possible, the compression ratio should drop like a brick as the process goes on. How difficult would it be to teach ZED or the like to generate an event when this is observed such that HIDS or other response mechanisms could evaluate what's going on and try to respond accordingly?
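As an added example (not code from this discussion or from OpenZFS), a defender-side check for the signal described above: it reads constructed `zfs list -Hp -t snapshot -o name,written,compressratio` output and flags snapshots whose compression ratio collapses against the dataset's recent baseline while a large amount of data was written. The `tank/home` and `tank/media` names and numbers are made up; the media dataset illustrates the reply's caveat that a ratio near 1 is normal there and must not raise an alert.

```python
"""Flag snapshots whose compression ratio collapses relative to the dataset's
recent baseline while a lot of new data was written: the pattern expected when
compressible file data is encrypted in place."""
from collections import defaultdict
from statistics import median

# Constructed sample in the shape of:
#   zfs list -Hp -t snapshot -o name,written,compressratio
# Tab separated; -p prints bytes and a bare ratio, a trailing "x" is tolerated.
SAMPLE = """\
tank/home@2021-09-08\t734003200\t2.11
tank/home@2021-09-09\t801112064\t2.08
tank/home@2021-09-10\t690000000\t2.15
tank/home@2021-09-11\t12884901888\t1.01
tank/media@2021-09-08\t4294967296\t1.00
tank/media@2021-09-09\t5368709120\t1.00
tank/media@2021-09-10\t6442450944\t1.00
tank/media@2021-09-11\t7516192768\t1.00
"""


def parse(listing: str):
    """Group (snapshot, written_bytes, ratio) records per dataset, in listing order."""
    per_ds = defaultdict(list)
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, written, ratio = line.split("\t")
        dataset = name.split("@", 1)[0]
        per_ds[dataset].append((name, int(written), float(ratio.rstrip("x"))))
    return per_ds


def find_suspicious(listing: str, window: int = 3, drop: float = 0.6,
                    min_written: int = 1 << 30):
    """Return (snapshot, baseline, ratio, written) for snapshots whose ratio fell
    below drop * baseline while at least min_written bytes were written.
    Baseline = median ratio of the previous `window` snapshots. A dataset that
    already sits at 1.00 (media) never triggers: compressratio never goes
    below 1.00, so it cannot fall 40% under its own baseline."""
    hits = []
    for recs in parse(listing).values():
        for i in range(window, len(recs)):
            name, written, ratio = recs[i]
            baseline = median([r for _, _, r in recs[i - window:i]])
            if ratio < drop * baseline and written >= min_written:
                hits.append((name, baseline, ratio, written))
    return hits


if __name__ == "__main__":
    for name, base, ratio, written in find_suspicious(SAMPLE):
        print(f"{name}: ratio {base:.2f} -> {ratio:.2f}, {written >> 20} MiB written")
```

Thresholds are assumptions to tune per dataset; the check is a trigger for further inspection, not proof of encryption, since a large bulk copy of already-compressed data produces the same shape.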