Ransomware canary

Originally published at: https://blog.urbackup.org/371/ransomware-canary

One upcoming feature is the ransomware canary file. The idea is that UrBackup generates a random file that looks like a file that potential ransomware should definitely encrypt. The backup server then checks if this file was changed or deleted during every backup. If ransomware encrypts the file the backup server will notice, fail backups…


Presumably leaving the path empty permanently would disable the feature?

How does it behave if a client removes or deletes an entire user account? (Transient & short term users).

Yes, it wouldn’t delete the files though. It would just stop checking them.

It would error… idk how it would differentiate between a removal on purpose vs. malicious removal.

I would recommend to inlude a client specific part in the filename. This would make it harder for an attacker to identify patterns in the filesystem when he has compromised multiple machines in the network. It can become pretty obvious that identical files in the same folder on every single client are in fact the canary.

1 Like

I think it is a great idea.
Thanks Martin,

works on LockFile Ransomware ?