Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
JamesBayley
Full Name: James Bayley

Feature Request: Cryptolocker tell-tale

Post by JamesBayley »

My goal is to protect my Veeam Backup repository on my Linux NAS from Cryptolocker.

My concern (addressed in another thread) is that opening a backup connection might allow the virus access to the repository.

This feature request is to not open a connection to the backup repository if an infection is suspected.

Suitable tell-tales include:

* Incremental backup changes by >50%
* 10 or more Microsoft Office documents reduce in size (assuming encryption reduces file size)

PTide
Product Manager

Re: Feature Request: Cryptolocker tell-tale

Post by PTide »

Hi,

> This feature request is to not open a connection to the backup repository if an infection is suspected.

Sounds like a good idea, indeed. However, the infection indicators that you've mentioned do not seem reliable yet:

> * Incremental backup changes by >50%

A large Windows Update, or deduplication, or defragmentation would make you manually approve each backup session even if there was no infection.

> * 10 or more Microsoft Office documents reduce in size (assuming encryption reduces file size)

AFAIK the encrypted text will be larger than the original one in 99.9% of cases (assuming that the malware is really intended to get some ransom). We need to do some research to develop a reliable list of indicators in order to avoid false positives.

Anyway, thanks for the heads up!
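
Added example (not part of either post and not Veeam code): the two tell-tales proposed in this thread written as a pre-backup check and run over constructed data. It assumes "changes by >50%" means the new increment's size deviates by more than 50% from the mean of recent increments; all function names, paths and sizes are hypothetical.

```python
from statistics import mean

OFFICE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

def increment_deviation(history, new_size):
    """Relative change of the new increment against the mean of recent ones."""
    baseline = mean(history)
    if baseline == 0:
        return 0.0 if new_size == 0 else float("inf")
    return abs(new_size - baseline) / baseline

def shrunken_office_docs(prev, curr):
    """Office documents present in both inventories whose size went down."""
    return sorted(path for path, size in curr.items()
                  if path.lower().endswith(OFFICE_EXT)
                  and path in prev and size < prev[path])

def tell_tales(history, new_size, prev, curr, max_dev=0.5, min_shrunk=10):
    """Return the tell-tales that fired; an empty list means 'open the connection'."""
    fired = []
    if history and increment_deviation(history, new_size) > max_dev:
        fired.append("increment-change")
    if len(shrunken_office_docs(prev, curr)) >= min_shrunk:
        fired.append("office-docs-shrunk")
    return fired

# Constructed sample data (sizes in bytes), not taken from any real backup job.
HISTORY = [900_000_000, 1_100_000_000, 1_000_000_000]
DOCS = {f"C:/Users/demo/Documents/report{i}.docx": 40_000 + i for i in range(12)}

def scenarios():
    grown = {p: s + 4_096 for p, s in DOCS.items()}    # every document got larger
    shrunk = {p: s - 1_024 for p, s in DOCS.items()}   # every document got smaller
    return {
        "ordinary day": tell_tales(HISTORY, 1_050_000_000, DOCS, DOCS),
        "patch day, no infection": tell_tales(HISTORY, 6_000_000_000, DOCS, DOCS),
        "12 documents grew": tell_tales(HISTORY, 1_300_000_000, DOCS, grown),
        "12 documents shrank": tell_tales(HISTORY, 1_300_000_000, DOCS, shrunk),
    }

if __name__ == "__main__":
    for name, fired in scenarios().items():
        print(f"{name}: {'HOLD ' + ', '.join(fired) if fired else 'proceed'}")
```

The patch-day session is held although nothing is infected, and the session where all twelve documents grew passes both checks; these are the two objections raised in the reply above.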