Ransomcare
Crypto ransomware detection & prevention
RansomCare
RansomCare is a crypto ransomware detection & prevention software.
Currently it supports only MacOS, but its design aims to provide cross-platform support.
RansomCare is in its early stage, and everyone is welcome to extend it and port it to other platforms.
Running
To run ransomcare:
git clone https://github.com/Happyholic1203/ransomcare
cd ransomcare
pip install -r requirements # (mkvirtualenv if you want)
sudo python run.py # run with `--debug` to see more information
# in another shell
open localhost:8888
With http://localhost:8888 open in your browser,
you'll be notified when crypto ransom events occur,
and you will be prompted to choose whether to kill the suspicious process (the suspected ransomware) or not.
Please leave http://localhost:8888 open,
otherwise your suspended process(es) won't have a chance to resume or get killed.
RansomCare doesn't have a UI yet, but you can inspect its status by:
curl http://localhost:8888/api/processes # suspicious processes
curl http://localhost:8888/api/events # detected crypto ransom events
Please note that ransomcare is in its early stage: it may sometimes raise false alarms and suspend your normal apps.
Please use with care.
How it Works
RansomCare sniffs critical syscalls using DTrace and judges from each process's behavior whether it is a crypto ransomware.
Critical syscalls include: open, getdirentries, read, write, close, unlink.
Crypto ransomware must perform the following syscalls, in this order, to encrypt your files:
- getdirentries: so it knows where the files are and what they are
- open
- read
- write
- close or unlink: close when it overwrites the original file in place, unlink when it writes the encrypted content to a new file and removes the original
We monitor those syscalls to see if any process performs them in the above order.
For more information, please refer to my slides from HITCON Community 2016.
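The ordering check described above, as an added example that is not code from the RansomCare project: a small per-process state machine that walks each pid through getdirentries, open, read, write and then close or unlink, counting completed file cycles and alerting once a process finishes a configurable number of them. The "pid comm syscall path" line format, the sample trace, the process names and the threshold are all assumptions constructed for this example; the real tool consumes DTrace output whose exact format the README does not show.

```python
"""Per-process syscall-sequence tracker (added example, not RansomCare's own code).

Assumed trace format (constructed for this example): "pid comm syscall path".
"""
from collections import defaultdict

# Steps a process must complete, in order, for one file to count as a
# "crypto ransom" cycle. The last step is satisfied by close OR unlink.
STEPS = ("getdirentries", "open", "read", "write", "close")
FINAL = {"close", "unlink"}


def parse_line(line):
    """Parse 'pid comm syscall [path]'; return None for lines that do not fit."""
    parts = line.split(None, 3)
    if len(parts) < 3 or not parts[0].isdigit():
        return None
    pid, comm, syscall = int(parts[0]), parts[1], parts[2]
    path = parts[3].strip() if len(parts) == 4 else ""
    return pid, comm, syscall, path


class SequenceTracker:
    """Track each pid's progress through STEPS and its completed cycles;
    alert once when a pid reaches the threshold."""

    def __init__(self, threshold=3):
        self.threshold = threshold       # completed file cycles before alerting
        self.expect = defaultdict(int)   # pid -> index into STEPS of next step
        self.cycles = defaultdict(int)   # pid -> completed file cycles
        self.comm = {}                   # pid -> last seen process name
        self.alerted = set()

    def feed(self, line):
        """Consume one trace line; return an alert dict or None."""
        rec = parse_line(line)
        if rec is None:
            return None
        pid, comm, syscall, _path = rec
        self.comm[pid] = comm
        idx = self.expect[pid]

        if syscall == "getdirentries":
            # Listing a directory (re)starts the sequence: the process now
            # knows which files exist, so the next expected step is open.
            self.expect[pid] = 1
            return None
        if idx == 0:
            # No directory listing seen yet: an app editing a single file it
            # was handed never enters the sequence.
            return None
        if syscall == STEPS[idx] or (idx == len(STEPS) - 1 and syscall in FINAL):
            idx += 1
            if idx == len(STEPS):
                # One file fully processed; stay armed for the next file.
                self.cycles[pid] += 1
                idx = 1
            self.expect[pid] = idx
        # Any other syscall is ignored: real programs interleave many
        # unrelated calls, so only the relative order of STEPS matters.

        if self.cycles[pid] >= self.threshold and pid not in self.alerted:
            self.alerted.add(pid)
            return {"pid": pid, "comm": comm, "cycles": self.cycles[pid]}
        return None


def scan(trace, threshold=3):
    """Run the tracker over a whole trace string; return the list of alerts."""
    tracker = SequenceTracker(threshold)
    alerts = []
    for line in trace.splitlines():
        alert = tracker.feed(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample trace: pid 4242 lists a directory and then rewrites
# three files (two overwritten in place, one replaced via unlink); pid 1337
# edits one file it was given directly and never lists a directory.
SAMPLE_TRACE = """\
# constructed trace; format: pid comm syscall path
4242 suspect getdirentries /Users/alice/Documents
4242 suspect open /Users/alice/Documents/a.txt
4242 suspect read /Users/alice/Documents/a.txt
4242 suspect write /Users/alice/Documents/a.txt
4242 suspect close /Users/alice/Documents/a.txt
4242 suspect open /Users/alice/Documents/b.txt
4242 suspect read /Users/alice/Documents/b.txt
4242 suspect write /Users/alice/Documents/b.txt.locked
4242 suspect unlink /Users/alice/Documents/b.txt
1337 editor open /Users/alice/notes.txt
1337 editor read /Users/alice/notes.txt
1337 editor write /Users/alice/notes.txt
1337 editor close /Users/alice/notes.txt
4242 suspect open /Users/alice/Documents/c.txt
4242 suspect read /Users/alice/Documents/c.txt
4242 suspect write /Users/alice/Documents/c.txt
4242 suspect close /Users/alice/Documents/c.txt
"""

if __name__ == "__main__":
    print(scan(SAMPLE_TRACE))  # [{'pid': 4242, 'comm': 'suspect', 'cycles': 3}]
```

The threshold is what keeps a single directory listing followed by one file edit from firing; raising it trades detection delay (more files touched before the alert) for fewer of the false alarms the README warns about, and a per-process whitelist would sit naturally in front of `feed`.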
Sniffing Tools that RansomCare Uses
DTrace on MacOS
RansomCare sniffs syscalls using DTrace, a tool that is included by default in various operating systems, including Solaris, FreeBSD, and MacOS.
DTrace provides a variety of probes, each of which can be used to trace different system events, such as syscalls, I/O events, etc.
Road Map
- Implement UI
- Support for Windows
- Implement whitelist
Contribution
Please open issues if you encounter anything unpleasant.
Please send pull requests if you have improved it.