Ransomware is a type of malware that is installed covertly on a computer, without the user's knowledge, and then restricts access to the infected system, demanding that the user pay a ransom to the malware operators to lift the restriction.
 
The ransomware attack consists of systematically encrypting the files on the system's hard drive, which remain inaccessible unless the ransom is paid.
 
Other attacks simply block the system and display a message intended to convince the user to pay.
 
Ransomware usually spreads like a trojan: its payload is disguised as an apparently legitimate file, for example a downloaded file, or it arrives by exploiting a software vulnerability.
The ransomware tries to read and then encrypt files, creating a handle (an identifier) for each file it interacts with. Regardless of the encryption algorithm used, this is a lower-level concept that depends on how the Windows kernel mediates access to the system hardware. If we can monitor the rate at which new handles are created by each process, it is possible to detect the abnormal activity produced by ransomware. The same applies to destructive malware designed to overwrite a large number of files to prevent their recovery.
 
Bear in mind that an object is a data structure that represents a system resource, such as a file. An application cannot directly access the data of an object or the system resource that the object represents. Instead, an application must obtain an object handle, which it can use to examine or modify the system resource. Each handle has an entry in an internally maintained table. These entries contain the addresses of the resources and the means to identify the type of resource. This is one of several layers of abstraction that separate the user (and all running processes) from physical assets such as the hard drive. Any request to access a file on the disk,
 
Based on this pattern, the Windows tool handle_monitor was designed: it takes an inventory of every file handle, per process, across the whole system. It then pauses for a short interval (configurable by the user), checks again for new handles that have not been seen before, and counts how many new handles each process created. If the threshold is exceeded over a defined number of cycles, an alert is generated and an action is taken (such as suspending the suspicious process).
 
Sequence of operation:
  1. Builds an index of all file handles held by all running processes.
  2. Pauses (/pause=X) for the configured amount of time.
  3. Re-indexes the handles and keeps a count of the new ones.
  4. After the defined number of cycles (/cycles=X), it performs the analysis.
  5. In the analysis, it checks, for each process, whether the threshold (/threshold=X) of new handles has been exceeded.
  6. If so, it generates an alert for the process and can optionally suspend it (/suspend).

By default, it only examines unsigned executables (to reduce noise), but signed ones can be included with "/signed".
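The snapshot, pause, diff and threshold loop described above, as an added example that is not part of handle_monitor or of this post: a Python simulation of the detection logic run over constructed handle snapshots. The process table, handle values and object addresses are all made up here (a real monitor would read them from the Windows handle table), and the cumulative count over cycles and the unsigned-only filter reflect a reading of the description rather than the tool's source.

```python
# Simulation of the handle_monitor detection loop over constructed snapshots.
# Added example, not the tool's own code: a real implementation would fill the
# snapshots from the Windows handle table; here simulate_snapshots() builds them.
DEFAULT_THRESHOLD = 10  # /threshold=X: new handles per process before alerting
DEFAULT_CYCLES = 3      # /cycles=X: snapshot diffs taken before the analysis

def new_handles(previous, current):
    """Per PID, count handles present in `current` but not in `previous`.
    A handle is keyed by (handle value, object address): handle values are
    reused after a close, so the address distinguishes a new object from a reuse.
    A PID missing from `previous` (new process) counts all its handles as new."""
    return {pid: len(handles - previous.get(pid, set()))
            for pid, handles in current.items()}

def analyse(snapshots, processes, threshold=DEFAULT_THRESHOLD, include_signed=False):
    """Sum new-handle counts per process over consecutive snapshots and return
    (pid, image, total) for each process whose total exceeds `threshold`.
    Signed images are skipped unless include_signed (the /signed switch)."""
    totals = {}
    for previous, current in zip(snapshots, snapshots[1:]):
        for pid, count in new_handles(previous, current).items():
            totals[pid] = totals.get(pid, 0) + count
    suspicious = []
    for pid, total in totals.items():
        info = processes.get(pid, {"image": "<unknown>", "signed": False})
        if total > threshold and (include_signed or not info["signed"]):
            suspicious.append((pid, info["image"], total))
    return sorted(suspicious)

def simulate_snapshots(rates, cycles=DEFAULT_CYCLES, base=40):
    """Constructed input: cycles+1 snapshots where each PID starts with `base`
    handles and opens rates[pid] more per cycle. Handle values wrap at 256 to
    mimic reuse; object addresses stay unique per object."""
    snapshots, opened = [], dict.fromkeys(rates, 0)
    for cycle in range(cycles + 1):
        snapshot = {}
        for pid, rate in rates.items():
            opened[pid] += rate if cycle else 0
            snapshot[pid] = {(i % 256, 0x10000 * pid + 0x10 * i)
                             for i in range(base + opened[pid])}
        snapshots.append(snapshot)
    return snapshots

PROCESSES = {  # constructed process table (image name, signature status)
    1234: {"image": "explorer.exe", "signed": True},
    4321: {"image": "unknown.exe", "signed": False},
    777: {"image": "backup.exe", "signed": True},
}
SNAPSHOTS = simulate_snapshots({1234: 2, 4321: 15, 777: 20})  # new files per cycle
```

With the defaults only the unsigned process (45 new handles over three cycles) is flagged; passing include_signed=True also flags the signed backup tool, which shows why the /signed switch adds noise from legitimate bulk file activity.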
 
How to use handle_monitor:
 
handle_monitor.exe
 
Optional parameters:
 
/cycles=X: number of monitoring cycles (default: 10).
/threshold=X: suspicion threshold for the number of new handles (default: 10).
/pause=X: pause in milliseconds between cycles (default: 1000).
/signed: include signed executables in the review.
/suspend: suspend processes that are considered suspicious.
/verbose: display detailed messages.
 
More information and downloads for handle_monitor:
https://github.com/adamkramer/handle_monitor