CryptoBuster User Guide

File Extensions

[Screenshot: CryptoBuster File Extensions Monitor alert]
Honeypots stop ransomware once it has already started to encrypt the user's files. The File Extensions Monitor complements them by watching the file system for the creation of specific types of files that indicate an ongoing ransomware attack or, in some cases, the preparation for one.
 
You can configure the File Extensions Monitor settings using the options under the File Extensions tab in the CryptoBuster settings.
 
File Extensions Monitor has four sub-components; each one is responsible for the detection of specific types of files:
 

 
Malicious Extensions Monitor
 
CryptoBuster has a built-in database of file extensions that known ransomware families append to the files they encrypt. CryptoBuster raises a security alert when a file with one of these extensions is created. For example, creating the file Test.lockbit triggers a security alert because the .lockbit extension is used by the LockBit ransomware.
 
Pros:
Few false-positive alerts, because legitimate programs rarely create files with these extensions.
 
Cons:
Ineffective against new ransomware strains whose extensions are not yet in the database.
Ineffective against ransomware that does not change file extensions.
Ineffective against ransomware that appends random file extensions.
 
Info
Use the configurations editor to add or remove file extensions from the malicious file extensions database.
 

 
Potentially Dangerous Extensions Monitor
 
CryptoBuster raises a security alert when a file of a potentially dangerous type is created (e.g., batch files and scripts); these file types are commonly dropped during ransomware attacks, for example to disable backups or to launch the encryptor. For example, creating the file Test.bat triggers a security alert because the file is a Windows batch file.
 
Pros:
Detects the script and batch files used in ransomware attacks regardless of the strain, including new strains.
 
Cons:
High chance of false-positive alerts, because many legitimate programs (installers, build tools, IT management scripts) create batch files and scripts. You can, however, exclude those programs, or whole directories, from the Potentially Dangerous Extensions Monitor.
 
Info
Use the options in the security alert window to exclude programs, file extensions, and directories from the File Extensions Monitor.
 

 
Unknown Extensions Monitor
 
CryptoBuster has a built-in database of trusted file extensions. Any file whose extension is neither on this list nor registered as a file type in the Windows Registry (the default option) is considered a file of unknown type, and CryptoBuster raises a security alert. Detecting files of unknown types is an aggressive technique aimed at ransomware that changes file extensions, including strains that append random extensions.
 
Many legitimate programs create files with unknown extensions, which causes many false-positive alerts. For that reason, the following three options are enabled by default to reduce false-positive alerts; each of them, however, also gives ransomware a way to evade the monitor. You can change these options in the CryptoBuster settings.
 
Trust extensions of registered file types
CryptoBuster automatically trusts files whose extensions are registered as file types in the Windows Registry, even if they are not on the trusted file extensions list. Bypass: ransomware may register its own extension as a file type before encrypting, so that the Unknown Extensions Monitor trusts it.
 
Trust files created by foreground application processes
CryptoBuster automatically trusts files with unknown extensions that are created by processes that have a user interface. Bypass: a ransomware process can create a window (even an invisible or off-screen one) so that the Unknown Extensions Monitor treats it as a foreground application.
 
Trust files created by processes signed with a valid digital signature
CryptoBuster automatically trusts files with unknown extensions that are created by processes whose image files carry a valid digital signature. Bypass: threat actors can sign the ransomware executable with a stolen code-signing certificate, and a valid signature proves only who signed the file, not that the file is benign.
 
Warning
To increase security, disable the three settings above. This increases false-positive alerts; however, you can train CryptoBuster to automatically trust legitimate programs and file extensions as the alerts appear.
 
Pros:
Effectively detects ransomware that uses random file extensions to encrypt user files.
 
Cons:
Ineffective against ransomware that does not change file extensions.
High chance of false-positive alerts as many legitimate programs may create files with unknown extensions; however, you can easily exclude legitimate programs and file extensions.
 

 
Double (Fake) Extensions Monitor
 
CryptoBuster detects the creation of a file with a double (fake) extension; for example, the file Payment.docx.exe triggers a security alert. Threat actors abuse the Windows Explorer option "Hide extensions for known file types", which makes Payment.docx.exe appear as Payment.docx, to disguise malware executables as ordinary documents; files of this kind are typically delivered as email attachments.
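The following toy classifier models how the four sub-components described above (Malicious, Potentially Dangerous, Unknown and Double Extensions Monitors) could decide whether a file-creation event deserves an alert, including the effect of the three trust options of the Unknown Extensions Monitor. It is an added example and not CryptoBuster's code: the extension lists, the Windows Registry stand-in, the process metadata fields, the option names and the sample events are all assumptions constructed for illustration.

```python
"""Toy model of the File Extensions Monitor checks (added example, not
CryptoBuster's code). Extension databases, registry contents, process
fields and events below are constructed assumptions."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Stand-ins for CryptoBuster's built-in databases (assumed contents).
MALICIOUS_EXTS = {".lockbit", ".locky", ".wncry"}
DANGEROUS_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"} | DANGEROUS_EXTS
DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".png", ".txt"}
TRUSTED_EXTS = DOCUMENT_EXTS | {".log", ".tmp", ".dll", ".exe"}
# Stand-in for the file types registered under HKEY_CLASSES_ROOT.
REGISTERED_EXTS = TRUSTED_EXTS | {".zip", ".mp4", ".gz"}


@dataclass
class Options:
    """The three Unknown Extensions Monitor options; all on by default."""
    trust_registered: bool = True
    trust_foreground: bool = True
    trust_signed: bool = True


STRICT = Options(False, False, False)  # the hardened configuration


@dataclass
class Process:
    """Metadata about the process that created the file (assumed fields)."""
    image: str
    has_window: bool = False   # "foreground application"
    signed: bool = False       # image file has a valid digital signature


def classify(path, proc, opts=None, registered=REGISTERED_EXTS):
    """Return the alert category for a file-creation event, or None."""
    if opts is None:
        opts = Options()
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if not suffixes:
        return None  # files without an extension are not monitored
    ext = suffixes[-1]

    # 1. Malicious Extensions Monitor: exact match against known strains.
    if ext in MALICIOUS_EXTS:
        return "malicious-extension"

    # 2. Double (Fake) Extensions Monitor: an executable extension hiding
    #    behind a document extension (Payment.docx.exe). Names such as
    #    setup.v2.exe are left alone because ".v2" is not a document type.
    if len(suffixes) >= 2 and ext in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS:
        return "double-extension"

    # 3. Potentially Dangerous Extensions Monitor: scripts and batch files.
    if ext in DANGEROUS_EXTS:
        return "dangerous-extension"

    # 4. Unknown Extensions Monitor, subject to the three trust options.
    if ext in TRUSTED_EXTS:
        return None
    if opts.trust_registered and ext in registered:
        return None  # bypass: ransomware may register its extension
    if opts.trust_foreground and proc.has_window:
        return None  # bypass: ransomware may create a window
    if opts.trust_signed and proc.signed:
        return None  # bypass: stolen code-signing certificate
    return "unknown-extension"


# Constructed sample events: (created path, creating process).
SAMPLE_EVENTS = [
    (r"C:\Users\alice\Documents\Report.docx.lockbit", Process("ransom.exe")),
    (r"C:\Users\alice\Downloads\Payment.docx.exe", Process("outlook.exe", has_window=True, signed=True)),
    (r"C:\Temp\install.bat", Process("setup.exe", signed=True)),
    (r"C:\Users\alice\Pictures\holiday.jpg.k7x2q", Process("svchost2.exe")),
    (r"C:\Users\alice\Pictures\holiday.jpg.k7x2q", Process("svchost2.exe", signed=True)),
    (r"C:\Users\alice\Videos\clip.mp4", Process("player.exe")),
    (r"C:\backup\archive.tar.gz", Process("7z.exe")),
]


def run(events, opts=None):
    """Classify every event; returns (file name, alert or None) pairs."""
    return [(PureWindowsPath(p).name, classify(p, proc, opts)) for p, proc in events]


if __name__ == "__main__":
    for label, opts in (("default options", None), ("strict options", STRICT)):
        print(f"--- {label} ---")
        for name, verdict in run(SAMPLE_EVENTS, opts):
            print(f"{name:28} {verdict or 'trusted'}")
```

Running the same events twice shows the trade-off the Warning above describes: with the default options the signed process that writes holiday.jpg.k7x2q and the registered .mp4 and .gz files are silently trusted, whereas with all three options disabled each of them produces an unknown-extension alert that you would then resolve by excluding the legitimate program or extension.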
 
Info
Use the options in the CryptoBuster settings to enable or disable sub-components of the File Extensions Monitor and customize their settings and automatic actions.
 

 