Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
- Monitors the entire hard disk for suspicious I/O behaviour
- Whitelists known-good and system processes
- Calculates a process's overall threat level by combining the suspicion of its child processes with that of the parent
- Watches each process's file-system writes per second
- Kills a suspicious process immediately once its threat level passes the threshold
- Low memory and CPU footprint
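As an added illustration (not code from the Decryptonite project), the PowerShell below models the heuristic in the list above over a constructed stream of file-write events. The scoring rule (peak writes per second, summed up the process tree), the threshold of 60 writes/sec and the whitelist are assumptions made here; the real tool observes writes through its minifilter driver, and its exact formula is not described on this page.

```powershell
# Added example, not Decryptonite's own code: a user-mode model of the
# heuristic described above, run over a constructed stream of file-write
# events. Scoring rule, threshold and whitelist are assumptions made here;
# the real tool gets its events from a kernel minifilter, not from a list.
$Whitelist     = @('System', 'svchost.exe', 'explorer.exe')  # assumed known-good images
$KillThreshold = 60                                           # assumed writes/sec limit

function New-WriteEvent($Time, $ProcId, $ParentId, $Image) {
    [pscustomobject]@{ Time = $Time; ProcId = $ProcId; ParentId = $ParentId; Image = $Image }
}

# Constructed events (seconds since start, pid, parent pid, image name).
$events = New-Object 'System.Collections.Generic.List[object]'
# explorer.exe copies 100 photos in one second: a high write rate, but whitelisted.
1..100 | ForEach-Object { $events.Add((New-WriteEvent 0 1000 4 'explorer.exe')) }
# notepad.exe saves a single file.
$events.Add((New-WriteEvent 1 1500 1000 'notepad.exe'))
# cryptor.exe (pid 2000, launched from explorer) touches a few files itself and
# fans the encryption out to two workers that each stay under the threshold.
1..5  | ForEach-Object { $events.Add((New-WriteEvent 2 2000 1000 'cryptor.exe')) }
1..40 | ForEach-Object { $events.Add((New-WriteEvent 2 2001 2000 'cryptor.exe')) }
1..40 | ForEach-Object { $events.Add((New-WriteEvent 2 2002 2000 'cryptor.exe')) }

function Get-ThreatLevels($Events, $Whitelist) {
    $buckets = @{}   # pid -> @{ second -> write count }
    $procs   = @{}   # pid -> first event seen (gives parent pid and image)
    foreach ($e in $Events) {
        if (-not $buckets.ContainsKey($e.ProcId)) { $buckets[$e.ProcId] = @{}; $procs[$e.ProcId] = $e }
        $sec = [int][math]::Floor($e.Time)
        if ($buckets[$e.ProcId].ContainsKey($sec)) { $buckets[$e.ProcId][$sec]++ } else { $buckets[$e.ProcId][$sec] = 1 }
    }
    # Own suspicion: the process's peak writes in any one-second window.
    # Whitelisted images get no entry at all, so nothing is ever charged to them.
    $own = @{}
    foreach ($p in $buckets.Keys) {
        if ($Whitelist -contains $procs[$p].Image) { continue }
        $own[$p] = [int]($buckets[$p].Values | Measure-Object -Maximum).Maximum
    }
    # Total suspicion: own suspicion plus that of every descendant. Walking each
    # process's ancestor chain credits its score to every non-whitelisted
    # ancestor, so a parent that splits the work across children is still blamed.
    $total = @{}
    foreach ($p in $own.Keys) { $total[$p] = 0 }
    foreach ($p in $own.Keys) {
        $cur = $p
        while ($total.ContainsKey($cur)) {
            $total[$cur] += $own[$p]
            $cur = $procs[$cur].ParentId
        }
    }
    return $total
}

function Get-KillList($Total, $Threshold) {
    # Processes whose combined threat level passes the threshold; a real
    # enforcer would terminate these together with their child processes.
    @($Total.Keys | Where-Object { $Total[$_] -ge $Threshold } | Sort-Object)
}

$levels = Get-ThreatLevels $events $Whitelist
$levels.GetEnumerator() | Sort-Object Value -Descending |
    ForEach-Object { '{0,6}  threat level {1,3}' -f $_.Key, $_.Value }
$kill = Get-KillList $levels $KillThreshold
"Would kill: $($kill -join ', ')"
```

In the constructed stream each encryption worker stays under the threshold on its own, but the parent's combined level does not, so only the parent is listed; the whitelisted explorer.exe is never scored even though its raw write rate is the highest, which is exactly the false positive a whitelist exists to avoid.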
- Install requirements
- Microsoft Visual Studio 2015
- Windows Driver Kit 8.1
- Windows Driver Kit 10
- Windows SDK 10
- Windows 7 x64 (The project has been fully tested on Windows 7. You are welcome to install it on other 64-bit Windows versions from Vista onwards; it should work.)
- To run the executable without Visual Studio installed: Visual C++ Redistributable for Visual Studio 2015
- Clone the repository:
git clone https://github.com/DecryptoniteTeam/Decryptonite
- Open the project (decryptonite.sln) in Visual Studio
- In Visual Studio, build the executable and the driver:
- Navigate to Build -> Configuration Manager
- Change the platform from "Win32" to "x64" for both projects
- Browse to Build -> Build Solution
- If you get errors, please open a ticket ... Compiling and building drivers is definitely not a straightforward process.
- Disable Windows driver signature enforcement (the driver you just built is unsigned, so Windows will otherwise refuse to load it):
- Setting up Decryptonite:
- Install the driver:
- Browse to containing folder
- Right-click "decryptonite.inf" and click "Install"
- Load the driver:
- Open PowerShell.exe with Administrative Privileges
fltMc.exe load decryptonite
- Finally... We can run the executable!
That's all the setup required! Decryptonite automatically detects and attaches to the "C:\" drive. If you then run either ransomware or executables with valid digital signatures, the output will resemble the following:
| Command | Description |
|---|---|
| `/a [drive]` | attach Decryptonite to another drive, e.g. "D:" |
| `/d [drive]` | stop Decryptonite from monitoring the given drive |
| `/l` | list all drives that Decryptonite is attached to |
| `/f [file name]` | redirect all output to the given file |
| `/p` | passive mode: Decryptonite runs and monitors, but does not kill any processes |
| `/v` | make Decryptonite more verbose |
| `/x` | make Decryptonite much more verbose |
| `exit` | exit the application |
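The script below is an added example, not part of the Decryptonite project: it automates the setup steps above (signature-enforcement check, INF install, filter load, verification) and then starts a first run in passive mode. It assumes, which the page does not state, that the x64 build output sits in `x64\Debug` under the solution folder and that `decryptonite.exe` accepts the commands in the table as command-line arguments; `InfDefaultInstall.exe` is the program Explorer's right-click -> Install verb on an .inf file runs, and `bcdedit /set testsigning on` is one standard way to relax driver signature enforcement on a test machine.

```powershell
# Added example, not Decryptonite's own code: run from an elevated PowerShell
# prompt in the solution folder on the 64-bit build machine.
# Assumptions not stated on the page: the x64 build output is in .\x64\Debug,
# and decryptonite.exe accepts /p, /f, /a ... as command-line arguments.
param(
    [string]$BuildDir = '.\x64\Debug',       # assumed x64 build output folder
    [string]$LogFile  = '.\decryptonite.log',
    [switch]$Teardown                        # unload the filter instead of setting up
)
$ErrorActionPreference = 'Stop'
$FilterName = 'decryptonite'   # the name given to "fltMc.exe load" above

# INF install and fltMc both need an elevated token; fail early otherwise.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell.'
}

function Test-FilterLoaded {
    # "fltMc.exe filters" lists every loaded minifilter, one name per line.
    $listing = fltMc.exe filters | Out-String
    return ($listing -match "(?im)^\s*$FilterName\b")
}

if ($Teardown) {
    if (Test-FilterLoaded) {
        fltMc.exe unload $FilterName
        if ($LASTEXITCODE -ne 0) { throw "fltMc unload failed with exit code $LASTEXITCODE" }
    }
    Write-Host "$FilterName is not loaded."
    return
}

# The freshly built driver is unsigned, so Windows refuses to load it while
# driver signature enforcement is on. Test-signing mode is one way to relax
# that; it only takes effect after a reboot, so just report the state here.
$bcd = bcdedit.exe /enum '{current}' | Out-String
if ($bcd -notmatch '(?im)^testsigning\s+Yes') {
    Write-Warning ('Test-signing mode is off. Either run "bcdedit /set testsigning on" and reboot, ' +
                   'or pick "Disable Driver Signature Enforcement" from the F8 boot menu ' +
                   'before loading the driver.')
}

# Install the driver from its INF. InfDefaultInstall.exe is what Explorer's
# right-click -> Install verb on an .inf file invokes.
$inf = Join-Path $BuildDir 'decryptonite.inf'
$exe = Join-Path $BuildDir 'decryptonite.exe'
foreach ($f in @($inf, $exe)) {
    if (-not (Test-Path $f)) { throw "Build output missing: $f (build the x64 solution first)" }
}
$inf = (Resolve-Path $inf).Path
$exe = (Resolve-Path $exe).Path
Start-Process -FilePath "$env:SystemRoot\System32\InfDefaultInstall.exe" `
              -ArgumentList "`"$inf`"" -Wait -NoNewWindow

# Load the minifilter and confirm it really shows up in the filter list;
# a zero exit code alone is not proof that the filter is attached.
if (-not (Test-FilterLoaded)) {
    fltMc.exe load $FilterName
    if ($LASTEXITCODE -ne 0) {
        throw "fltMc load failed with exit code $LASTEXITCODE (is signature enforcement still on?)"
    }
}
if (-not (Test-FilterLoaded)) { throw "$FilterName did not appear in 'fltMc filters'" }
Write-Host "$FilterName is loaded; attached instances:"
fltMc.exe instances -f $FilterName

# First run in passive mode (/p): monitor and log but kill nothing, so the
# whitelist and thresholds can be checked against a normal workload before
# the kill switch is trusted. All output goes to $LogFile via /f.
Write-Host "Starting decryptonite.exe in passive mode, logging to $LogFile"
& $exe /p /f $LogFile
```

Run it as `.\setup-decryptonite.ps1` for the setup and first run, and `.\setup-decryptonite.ps1 -Teardown` to unload the filter again when you are done testing; drop `/p` from the last line only once the passive-mode log shows no false positives on your own workload.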
Spotted a bug? Want to add features? Increase the performance?
The Decryptonite team includes:
Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.
This project is released under The Microsoft Public License.