Project Description
This program detects all present and future ransomware in Windows file shares or local drives.

For early detection, you place sample files in the share and expect ransomware to encrypt them, so that you catch it in the act. This entraps ransomware because the sample files, which would ordinarily be left alone, become encrypted by it. I made this program to aid system administrators, not average users.

The username and password requested during install are for a domain account or local computer account that the Windows service installs and runs under. The account specified needs read/write access to the file shares you want to monitor. The user account can be changed later using the services.msc console. Find the service called "RansomwareDetectionService".

This program solves the following issues:
  • How do I monitor my Windows file shares for ransomware with minimal performance impact? (Compare tab and a few example files in the SourcePath)
  • How do I detect ransomware that does not create a ransom note in the file share or modify the file names in the share? (Compare tab)
  • How do I automatically stop an infection from encrypting more files and only stop the user that was infected? (Compare tab - CommandProgram and the StopRansomwareInfectedUserPublic.ps1 script)
  • What files and how many files are corrupted in my Windows file shares? (Audit Files tab)
  • How do I check the integrity of the files in file shares? (Audit Files tab)
  • What files have been recently changed or created since the last good backup? (Audit Files tab, or Compare tab for full binary comparison)
  • How do I detect encrypted or corrupted zip files, Word documents, Excel files, or PowerPoint files? (Audit Files tab - ValidateZipFiles option)
  • What files and how many were repeatedly created by the virus? (Find Ransom Files tab)
  • How do I delete the ransom note files created by the virus? (Find Ransom Files tab)
  • How do I replace the corrupted files and keep the newest good files? (Audit Files tab)
  • How do I quickly stop the Windows file server from sharing files during a virus outbreak? ("Stop File Sharing" button and sample script StopAllWindowsFileServersAfterRansomwareActivityDetected.cmd)
  • How do I restore files when long file paths are involved? (Audit Files tab for corrupted files, or FastCopy for full restore of all files)
  • How do I find out what files have file permissions corrupted or files that are inaccessible? (Audit Files tab - ExportUnknownToCSV)
  • What files were created or modified when compared to a previous backup? (Audit Files tab or Compare tab for full comparison)


This program detects when/where ransomware has hit Windows file shares or local drives. This program doesn't prevent ransomware infection see for prevention recommendations.

When staff members get ransomware, you need to respond quickly to get their computer shut down as soon as possible. If you respond quickly enough, you can shut down the offending computer before other file shares become encrypted. Anti-virus programs currently do not detect encrypted files written by ransomware. Not knowing that a ransomware virus is on your network is a big problem. The sooner you get the offending computer shut down and restore your backups of file shares, the better.

File servers do not get the virus; the virus encrypts the files stored on the file server. This makes it difficult to know the damage caused by ransomware. If you do not notice an encrypted file share, you can lose your opportunity to restore from backup or cause your users to use a much older backup than necessary. Anti-virus programs are always a few days behind in detecting new viruses.

Full Documentation

There are additional uses for this software that are not related to ransomware:
  • Search for corrupted or encrypted office documents in file shares. (Audit Files tab)
  • File change email notification (Compare tab)
  • File change can execute a script (Compare tab)
  • Get a list of changed files when compared with last backup (Audit Files tab)
  • Get a list of all unknown file extensions in file shares (Audit Files tab)
  • Get a list of all files in the file share (Audit Files tab)
  • Verify the binary/content of files when compared with a backup of the same files (Compare tab)

These tasks can help with damage control after an infection, or help keep your file shares maintained.

Beta Testing Instructions:

Compare Beta Test:

  • Create some sample files in a folder in the SourcePath (pdf, xls, xlsx, doc, docx, txt, etc.)
  • Specify the email settings
  • Test send an email (File -> Test Send Email)
  • Specify the copy options or copy the SourcePath files manually if desired.
  • Monitor some file shares
  • Schedule the compare to run on a schedule (have it run once with copy options or manually copy files before testing)
  • Delete a few of the sample files in the file share after it ran once (verify email was sent if option was checked and error logged)
  • Modify a few of the sample files in the file share after it ran once. (verify email was sent if option was checked and error logged)
  • Test some local paths and UNC paths
  • Test some long paths (longer than 1000 characters deep)
  • The service must be restarted for settings to apply.
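
The compare check this test exercises (known-good sample files versus their copies in the monitored share), as an added Python example that is not the project's own code. `baseline_dir` stands in for SourcePath, SHA-256 hashing stands in for the tool's binary comparison, and the file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large sample files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_canaries(baseline_dir: Path, share_dir: Path) -> dict:
    """Compare each baseline sample file with its copy in the monitored share."""
    findings = {"modified": [], "missing": []}
    for good in sorted(p for p in baseline_dir.rglob("*") if p.is_file()):
        rel = good.relative_to(baseline_dir)
        live = share_dir / rel
        if not live.is_file():
            # Deleted, or renamed away under a new extension.
            findings["missing"].append(rel.as_posix())
        elif sha256_of(live) != sha256_of(good):
            # Same name, different bytes: caught even without a ransom note.
            findings["modified"].append(rel.as_posix())
    return findings


def demo() -> dict:
    """Constructed sample data: three sample files, one overwritten, one renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, share = Path(tmp, "baseline"), Path(tmp, "share")
        for root in (baseline, share):
            (root / "canary").mkdir(parents=True)
            (root / "canary" / "budget.txt").write_bytes(b"Q1 totals\n")
            (root / "canary" / "notes.txt").write_bytes(b"meeting notes\n")
            (root / "canary" / "plan.txt").write_bytes(b"project plan\n")
        # Constructed damage: content replaced in place, and one file renamed.
        (share / "canary" / "budget.txt").write_bytes(bytes(range(256)))
        (share / "canary" / "plan.txt").rename(share / "canary" / "plan.txt.locked")
        return compare_canaries(baseline, share)


if __name__ == "__main__":
    print(demo())
```

Any non-empty `modified` or `missing` list is the trigger point for the email alert or CommandProgram action described for the Compare tab.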

Ransomware Find Files Beta Test:

  • Specify the email settings
  • Test send an email (File -> Test Send Email)
  • Specify any additional file filters
  • Create a text file with a file filter that was specified in the file share you are monitoring.
  • Monitor some file shares and schedule it to run
  • Verify that the email was sent (if the option was checked) and that the error was logged.
  • The service must be restarted for settings to apply.

Audit Files Beta Test:

  • Check mark all of the CSV-related options.
  • Specify the FilePathToCheck folder.
  • Add a good readable zip file and an encrypted zip file into the FilePathToCheck folder.
  • Specify the email settings and test send an email.
  • Set a schedule for file auditing during non work hours.
  • Run the audit once with custom signatures and once without any custom signatures in the table to verify custom and stock signatures.
  • Check mark the ValidateZipFiles option. (Test to see if zip files become locked after verification. Try to delete one of the zip files after verification.)
  • Add more files into the FilePathToCheck
  • Add a custom signature to my template full list of signatures and verify that it verifies the new extension. (File stops listing in the unknown csv file.)
  • Test FixUnverifiedFilesFromBackup option
  • The service must be restarted for settings to apply.
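
The signature and zip validation steps above, as an added Python example rather than the project's code. The signature table, verdict names and sample files are constructed, and the CRC test in Python's `zipfile` module stands in for the ValidateZipFiles option.

```python
import io
import zipfile
from pathlib import PurePath

# Constructed signature table (extension -> leading magic bytes). It stands in
# for the tool's stock and custom signature lists, which are not shown here.
SIGNATURES = {".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
              ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".pdf": b"%PDF-"}
ZIP_BASED = {".zip", ".docx", ".xlsx", ".pptx"}


def audit_file(name: str, data: bytes) -> str:
    """Classify one file as 'ok', 'unknown', 'bad-signature' or 'corrupt'."""
    ext = PurePath(name).suffix.lower()
    magic = SIGNATURES.get(ext)
    if magic is None:
        return "unknown"          # no signature on record for this extension
    if not data.startswith(magic):
        return "bad-signature"    # header no longer matches the extension
    if ext in ZIP_BASED:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                if archive.testzip() is not None:   # CRC-checks every member
                    return "corrupt"
        except (zipfile.BadZipFile, RuntimeError):
            # BadZipFile: structure damaged. RuntimeError: password-protected member.
            return "corrupt"
    return "ok"


def make_zip(members: dict) -> bytes:
    """Build an uncompressed zip in memory (fixture for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for member, content in members.items():
            archive.writestr(member, content)
    return buf.getvalue()


def demo() -> dict:
    """Run the audit over constructed samples and return name -> verdict."""
    good = make_zip({"word/document.xml": b"<w:document/>" * 20})
    damaged = bytearray(good)
    damaged[100] ^= 0xFF          # flip one stored byte; header and directory intact
    samples = {"report.docx": good, "damaged.zip": bytes(damaged),
               "cut.xlsx": good[:80], "scrambled.pdf": bytes(range(256)),
               "data.xyz": b"anything"}
    return {name: audit_file(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    print(demo())
```

The `damaged.zip` case shows why the header check alone is not enough: the leading bytes still match, and only the per-member CRC test reveals the damage.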


If you have any strange errors, please create an issue. If your tests succeed, let me know by posting a comment to the beta testing thread on the discussion tab on this CodePlex site.
Author's article regarding this project
Author's Information Technology blog:


Last edited Fri at 6:06 PM by pcooper, version 83