I can’t seem to find a lot of specific information about how admins detect ransomware, other than their users calling up IT asking for the company credit card so they can open their files after they’ve been hit. I believe that detection is an important role in understanding the weak point in the environment, because typically worst-case scenarios in practice are usually the ones that happen IRL.
I know that products like AlienVault and Sophos have built-in detection modules that depend on past user history and complex algorithms. But I’m sure there must be a simple method of detecting a hit, even if there are chances of false positives.
I have a Change Management System that detects changes through several core systems, including file systems. I have set up a rule that will detect if a user or system renames more than 50 files within a span of 1 minute. That should be pretty hard for a user to accomplish and would only happen if something is systematically changing files, like ransomware would. Another detection I have is if a file becomes “encrypted” via the Windows check mark under a file’s properties. I have not seen a sample ransomware file up close yet, but I would imagine there would be other characteristics that would be a dead giveaway.
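The two rules described in the post, run over a constructed change log, as an added example in Python (not the poster's rule engine and not code from any product mentioned). It assumes a pipe-delimited event line of the form `timestamp|account|action|path|attrs_hex`, where the last field is the NTFS attribute mask; the account names, paths and timestamps are made up. `FILE_ATTRIBUTE_ENCRYPTED` (0x4000) is the real attribute bit that the "Encrypt contents" check box in a file's properties sets. The rename rule counts distinct source paths per account inside a sliding 60-second window and fires once per burst, the moment the count crosses 50.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real NTFS attribute bits (winnt.h). The "Encrypt contents" check box sets 0x4000.
FILE_ATTRIBUTE_ARCHIVE = 0x20
FILE_ATTRIBUTE_ENCRYPTED = 0x4000

RENAME_THRESHOLD = 50          # "more than 50 files ..."
WINDOW = timedelta(minutes=1)  # "... within a span of 1 minute"


def parse_event(line):
    """Parse one constructed event line: ts|account|action|path|attrs_hex (assumed format)."""
    ts, account, action, path, attrs = line.rstrip("\n").split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "account": account,
        "action": action,
        "path": path,
        "attrs": int(attrs, 16),
    }


def detect(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return alerts as tuples.

    mass_rename:    one account renames more than `threshold` distinct files inside
                    any sliding `window`; fires once, when the count first exceeds it.
    encrypted_attr: an event shows a file carrying the EFS attribute bit.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # account -> deque of (ts, path) renames still in window
    alerts = []
    for ev in events:
        if ev["attrs"] & FILE_ATTRIBUTE_ENCRYPTED:
            alerts.append(("encrypted_attr", ev["account"], ev["path"]))
        if ev["action"] != "RENAME":
            continue
        q = recent[ev["account"]]
        q.append((ev["ts"], ev["path"]))
        # Drop renames older than the window; the entry just appended keeps q non-empty.
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct == threshold + 1:
            alerts.append(("mass_rename", ev["account"], distinct))
    return alerts


def _line(ts, account, action, path, attrs):
    return "|".join([ts.isoformat(), account, action, path, format(attrs, "x")])


def build_sample():
    """Constructed change log: a normal user, a ransomware-like burst, one EFS file."""
    base = datetime(2017, 3, 1, 9, 0, 0)
    lines = []
    # alice renames five files over ten minutes: ordinary editing, must not fire.
    for i in range(5):
        lines.append(_line(base + timedelta(minutes=2 * i), "alice", "RENAME",
                           rf"\\fs01\share\alice\report{i}.docx", FILE_ATTRIBUTE_ARCHIVE))
    # bob's session renames 60 distinct files in 30 seconds: what ransomware looks like here.
    for i in range(60):
        lines.append(_line(base + timedelta(seconds=0.5 * i), "bob", "RENAME",
                           rf"\\fs01\share\bob\doc{i}.docx", FILE_ATTRIBUTE_ARCHIVE))
    # carol writes a file that now carries the EFS attribute (the properties check box).
    lines.append(_line(base + timedelta(minutes=3), "carol", "WRITE",
                       r"\\fs01\share\carol\secret.xlsx",
                       FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_ENCRYPTED))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The rule is deliberately account-agnostic, so a legitimate batch job or backup agent running under a service account that renames files in bulk fires it just like a compromised user session would; that is the false-positive trade-off the post accepts, and whitelisting known accounts or paths is the usual tuning step.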