Ransomware Detection and Mitigation Software

License: MS-PL

Language: C


Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.


  • Monitors the entire hard disk for suspicious I/O behaviour
  • Whitelists known-good and system processes
  • Calculates a process's overall threat level by combining its own suspicion score with its parent's
  • Watches each process's file-system writes per second
  • Kills a suspicious process immediately once it passes the threshold
  • Low memory and CPU footprint
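The scoring the list above describes (writes per second, a whitelist, a child's suspicion combined with its parent's, a kill threshold), modelled as an added PowerShell example. This is not Decryptonite's code: the event fields, the rate scale (10 writes/s per point), the 0.5 parent weight, the 2.0 threshold and the sample processes are all constructed assumptions for the demonstration.

```powershell
# Added illustrative model of the heuristic, not Decryptonite's implementation.
# All weights, the threshold and the sample events below are assumptions.

# Expands "N writes per second for S seconds" into individual write events
# (constructed sample data; a real monitor gets these from the minifilter).
function New-Writes($ProcId, $Parent, $Image, $PerSec, $Seconds = 2) {
    foreach ($s in 0..($Seconds - 1)) {
        foreach ($i in 1..$PerSec) {
            [pscustomobject]@{ Sec = $s; Pid = $ProcId; Parent = $Parent; Image = $Image }
        }
    }
}

# Peak writes per second observed for each PID.
function Get-PeakWritesPerSecond($Events) {
    $peak = @{}
    foreach ($g in ($Events | Group-Object Pid, Sec)) {
        $p = $g.Group[0].Pid
        if (-not $peak.ContainsKey($p) -or $g.Count -gt $peak[$p]) { $peak[$p] = $g.Count }
    }
    $peak
}

# Threat level = own score (peak writes/s divided by the rate scale)
#              + ParentWeight * parent's threat level (recursively).
# Whitelisted images score 0 and contribute nothing to their children;
# a parent with no recorded writes (e.g. PID 4) contributes 0.
function Get-ThreatLevel($ProcId, $Procs, $Peak, $Whitelist, $RateScale = 10.0, $ParentWeight = 0.5) {
    if (-not $Procs.ContainsKey($ProcId)) { return 0.0 }
    $p = $Procs[$ProcId]
    if ($Whitelist -contains $p.Image) { return 0.0 }
    $own    = [double]$Peak[$ProcId] / $RateScale
    $parent = Get-ThreatLevel $p.Parent $Procs $Peak $Whitelist $RateScale $ParentWeight
    return $own + $ParentWeight * $parent
}

# Constructed sample: two seconds of write activity from four processes.
$whitelist = @('System', 'svchost.exe', 'explorer.exe')
$events = @(
    New-Writes 100 4    'svchost.exe' 40   # busy but whitelisted
    New-Writes 200 2000 'invoice.exe' 30   # launched from explorer.exe (PID 2000, no writes)
    New-Writes 300 200  'cmd.exe'     15   # spawned by invoice.exe
    New-Writes 400 2000 'notepad.exe' 1
)

$procs = @{}
foreach ($e in $events) { if (-not $procs.ContainsKey($e.Pid)) { $procs[$e.Pid] = $e } }
$peak = Get-PeakWritesPerSecond $events
$threshold = 2.0

foreach ($id in ($procs.Keys | Sort-Object)) {
    $level   = Get-ThreatLevel $id $procs $peak $whitelist
    $verdict = if ($level -ge $threshold) { 'KILL' } else { 'ok' }
    '{0,5} {1,-12} {2,3} w/s  threat={3,4:N1}  {4}' -f $id, $procs[$id].Image, $peak[$id], $level, $verdict
}
```

With these numbers invoice.exe scores 3.0 on its own. cmd.exe alone would score 1.5 and survive, but inheriting half of its parent's 3.0 pushes it to 3.0, which is what combining child suspicion with the parent buys you: the child a dropper spawns to do the encrypting is caught with it. The same arithmetic also flags legitimate write-heavy processes (backup agents, compilers, a large git checkout), which is why the whitelist exists and why the monitor-only /p mode is worth running first on a machine's normal workload.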


  • Install requirements
  • Clone the repository: git clone
  • Open the project (decryptonite.sln) in Visual Studio
  • In Visual Studio, build the executable and the driver:
    • Navigate to Build -> Configuration Manager
    • Change the platform from "Win32" to "x64" for both projects
    • Browse to Build -> Build Solution
    • If you get errors, please open a ticket; compiling and building drivers is definitely not a straightforward process.
  • Disable Windows driver signature enforcement. Windows will otherwise refuse to load the freshly built, unsigned driver. Because this weakens the kernel's code-integrity protection, do it only on a disposable test machine or VM.
  • Setting up Decryptonite:
    • Install the driver:
      • Browse to the folder containing the build output
      • Right-click "decryptonite.inf" and click "Install"
    • Load the driver:
      • Open PowerShell.exe with administrative privileges
      • Execute fltMc.exe load decryptonite
    • Finally... we can run the executable!


The first step is to open an administrative PowerShell and run Decryptonite: .\decryptonite.exe

That's all the setup required! Decryptonite will automatically detect and attach to the "C:\" drive. If you then run either ransomware or executables with valid digital signatures, the console output will show how each process is scored (the original README illustrates this with a screenshot, not reproduced here).

To configure the application's behaviour while it is running, press Enter to bring up the > prompt and type help. The available commands are:


  • /a [drive] attaches Decryptonite to another drive, e.g. "D:"
  • /d [drive] detaches Decryptonite from the given drive
  • /l lists all drives that Decryptonite is attached to
  • /f [file name] redirects all output to the given file
  • /p passive mode: Decryptonite runs and monitors but does not kill any processes
  • /v makes Decryptonite more verbose
  • /x makes Decryptonite much more verbose
  • exit exits the application
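The build, install, load and run steps above, scripted as an added PowerShell example with a check after each step. This is not part of the Decryptonite project. Assumptions not stated on the page: the clone lives at $Repo, the x64 Release build drops decryptonite.sys, decryptonite.inf and decryptonite.exe under $Out, msbuild is on PATH (a Developer PowerShell with the WDK installed), and driver signature enforcement has already been disabled as described above.

```powershell
# Added example, not Decryptonite's own code. $Repo and $Out are assumptions.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Repo = 'C:\src\decryptonite'            # assumed clone location
$Out  = Join-Path $Repo 'x64\Release'     # assumed build output folder
$Inf  = Join-Path $Out 'decryptonite.inf'
$Exe  = Join-Path $Out 'decryptonite.exe'

# 1. Build both projects for x64 (the command-line form of
#    Configuration Manager -> x64, Build -> Build Solution).
msbuild (Join-Path $Repo 'decryptonite.sln') /p:Configuration=Release /p:Platform=x64
if ($LASTEXITCODE -ne 0) { throw 'Build failed; open a ticket with the error output.' }
foreach ($f in $Inf, $Exe, (Join-Path $Out 'decryptonite.sys')) {
    if (-not (Test-Path $f)) { throw "Expected build output missing: $f" }
}

# 2. Install the INF. InfDefaultInstall.exe is what Explorer runs for the
#    right-click "Install" verb on an .inf file; a failure shows a dialog.
& "$env:SystemRoot\System32\InfDefaultInstall.exe" $Inf

# 3. Load the minifilter, then confirm the filter manager actually lists it.
#    A load error here usually means signature enforcement is still on.
fltmc.exe load decryptonite
if ($LASTEXITCODE -ne 0) { throw 'fltmc load failed; check driver signature enforcement.' }
if (-not (fltmc.exe filters | Select-String -Quiet '^decryptonite')) {
    throw "'fltmc filters' does not list decryptonite."
}
# Volumes the filter is attached to (C: appears once decryptonite.exe is running).
fltmc.exe instances -f decryptonite

# 4. Start the user-mode monitor. At its > prompt, type /p first to see what
#    it would kill on this machine's normal workload before letting it kill.
& $Exe

# Cleanup once finished:
#   fltmc.exe unload decryptonite
```

Run it from an elevated Developer PowerShell. The two fltmc checks are the ones worth keeping even if you install by hand: `fltmc filters` proves the driver is loaded, and `fltmc instances -f decryptonite` proves the /a and /d commands are doing what they report.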


Spotted a bug? Want to add features? Increase the performance?

Open an issue or submit a pull request!


The Decryptonite team includes:


A big thanks to Troy D. Hanson for his development of the open source libraries UTHash and UTArray.

Additionally, a big thanks goes to Microsoft for their development of the open source file system minifilter driver project MiniSpy.


This project is released under The Microsoft Public License.

Project Statistics

Sourcerank 5
Repository Size 135 KB
Stars 53
Forks 30
Watchers 9
Open issues 0
Dependencies 0
Contributors 1
Tags 0

Last synced: 2016-10-16 12:17:34 UTC
