A comprehensive Proof of Concept (PoC) for Linux ransomware recovery using Go, featuring real-time file monitoring, automatic backup, suspicious pattern detection, and automated rollback capabilities.
- Agent (
agent.go): Real-time file system monitoring usingfsnotify - Detector (
detector.go): Suspicious pattern detection with customizable triggers - Rollback (
rollback.go): Automated file restoration from backups - Backup System: Automatic file backup with checksums and integrity verification
- Logging: Structured JSON logging with multiple severity levels
- Configuration: Flexible JSON-based configuration system
※ Real-time Monitoring: Watches ./demo-folder/ for all file system events
※ Hash-based Backup: Creates backups only when files actually change using SHA256 hashes
※ Immediate Backup: Files are backed up instantly when created or modified
※ Remote Backup: Secure off-site backup using Rsync over SSH to Ubuntu servers
※ Periodic Scanning: Random interval file scanning (60s, 5min, 10min)
※ Pattern Detection: Detects suspicious extensions (.locked, .encrypted, etc.)
※ Content Analysis: Scans file content for ransomware-related keywords
※ Deletion Alerts: High-priority alerts for file deletions and mass deletions
※ Threshold-based Triggers: Configurable detection thresholds and time windows
※ Automatic Rollback: Restores files when suspicious activity is detected
※ Manual Rollback: Command-line triggered complete system restoration
※ Remote Rollback: Restore files from backup server using Rsync over SSH
※ Hybrid Rollback: Intelligent source selection with local/remote redundancy
※ File Structure Restoration: Recreates complete directory structure from backups
※ Malicious File Cleanup: Removes suspicious files before restoration
※ Parallel Processing: Multi-threaded operations for performance
※ Optimized Logging: Configurable logging modes for 24/7 operation
※ Graceful Shutdown: Proper cleanup on SIGINT/SIGTERM
※ Security: Path traversal protection and input validation
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Agent │───▶│ Detector │───▶│ Rollback │
│ (fsnotify) │ │ (patterns) │ │ (restore) │
└─────────────┘ └──────────────┘ └─────────────┘
│ │ │
▼ ▼ ▼
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Backup │ │ Logger │ │ Config │
│ (checksums) │ │ (journal) │ │ (settings) │
└─────────────┘ └──────────────┘ └─────────────┘
- Go 1.21 or later
- Linux environment (tested on Ubuntu 22.04)
- Write permissions for backup and log directories
- Clone the repository:
git clone https://github.com/vaishnavucv/Project-Linux-Ransomware-Recovery
cd Project-Linux-Ransomware-Recovery- Install dependencies:
go mod tidy- Build the project:
go build -o ransomware-recovery .Note: The ransomware-recovery executable is excluded from git tracking via .gitignore. Users need to build it locally after cloning.
- Basic Usage (Start Monitoring):
./ransomware-recovery- Manual Rollback (Restore All Files):
./ransomware-recovery --rollback- Help and Version:
./ransomware-recovery --help
./ransomware-recovery --version- With Demo Script:
./demo.shThe system will:
- Monitor
./demo-folder/for file changes - Create backups in
./.backup/with hash-based change detection - Log activities to
./logs/journal.log - Automatically trigger rollback when suspicious activity is detected
- Allow manual rollback with complete file structure restoration
The system uses a JSON configuration file (config.json) with the following structure:
{
"monitor_path": "./demo-folder",
"backup_path": "./.backup",
"log_path": "./logs",
"detection": {
"suspicious_extensions": [".locked", ".encrypted", ".crypto", ".crypt", ".enc"],
"threshold": 3,
"time_window": 60,
"real_time_detection": true,
"content_patterns": ["RANSOMWARE", "DECRYPT", "BITCOIN", "PAYMENT"]
},
"backup": {
"auto_backup": true,
"retention_days": 30,
"enable_checksums": true,
"compression": false
},
"system": {
"worker_count": 4,
"buffer_size": 100,
"operation_timeout": 30
}
}suspicious_extensions: File extensions that trigger alertsthreshold: Number of suspicious events to trigger rollbacktime_window: Time window (seconds) for counting eventsreal_time_detection: Enable real-time pattern detectioncontent_patterns: Keywords to detect in file content
auto_backup: Enable automatic backup on file changesretention_days: How long to keep backup filesenable_checksums: Enable SHA-256 checksums for integritycompression: Enable backup compression (future feature)remote_backup: Remote backup settings for Rsync over SSH
worker_count: Number of parallel processing workersbuffer_size: Event channel buffer sizeoperation_timeout: Timeout for individual operations
The system provides a comprehensive manual rollback system via command-line:
# Perform complete manual rollback
./ransomware-recovery --rollback
# Show help information
./ransomware-recovery --help
# Show version information
./ransomware-recovery --version
# Use custom configuration
./ransomware-recovery --rollback --config /path/to/config.jsonThe system also provides APIs for manual operations:
// Manual rollback
result, err := system.ManualRollback()
// Force detection analysis
detection := system.ForceDetection()
// Get system statistics
stats := system.GetSystemStats()- Create test files in
demo-folder/ - Run the system:
./ransomware-recovery - Simulate ransomware by creating
.lockedfiles:
echo "RANSOMWARE" > demo-folder/test.txt.locked
echo "DECRYPT" > demo-folder/document.pdf.locked
echo "BITCOIN" > demo-folder/image.jpg.locked- Watch the system automatically detect and rollback
The system uses structured JSON logging with the following levels:
- INFO: Normal operations and status updates
- WARN: Suspicious activity and rollback triggers
- ERROR: System errors and failures
- DEBUG: Detailed debugging information
Log entries include:
- Timestamp
- Component (agent, detector, rollback, backup)
- Event details
- File paths
- Operation results
Example log entry:
{
"component": "detector",
"event_type": "CREATE",
"file_path": "./demo-folder/test.txt.locked",
"level": "warning",
"msg": "Suspicious pattern detected",
"pattern": "suspicious_extension:.locked",
"severity": "high",
"time": "2024-01-15 10:30:45"
}- Validates all file paths to prevent directory traversal attacks
- Ensures operations stay within designated directories
- Sanitizes file paths and content
- Validates configuration parameters
- Prevents injection attacks
- Restricts operations to monitored directories
- Validates file permissions before operations
- Secure backup and quarantine handling
- Multi-threaded file operations
- Parallel backup and restore operations
- Non-blocking event processing
- Configurable worker pools
- Memory-efficient file streaming
- Automatic cleanup of old events and backups
- Handles large directory structures
- Efficient file system monitoring
- Configurable buffer sizes and timeouts
- File Size: Large files may impact performance
- Network Drives: Not tested with network-mounted filesystems
- Encryption: Cannot decrypt already encrypted files
- Real-time: Small delay between detection and rollback
- Storage: Requires adequate disk space for backups
├── main.go # Main application entry point
├── agent.go # File system monitoring
├── detector.go # Pattern detection
├── rollback.go # File restoration
├── pkg/
│ ├── backup/ # Backup management
│ ├── config/ # Configuration handling
│ └── logger/ # Logging system
├── demo.sh # Demonstration script
├── go.mod # Go module definition
├── .gitignore # Git ignore rules
└── README.md # This file
The .gitignore file excludes the following from version control:
- Built executable:
ransomware-recovery(users build this locally) - Runtime directories:
logs/,.backup/,demo-folder/ - Configuration files:
config.json(generated at runtime) - Temporary files:
*.log,*.tmp,*.pid - IDE files:
.vscode/,.idea/,*.swp - OS files:
.DS_Store,Thumbs.db - Build artifacts:
*.test,*.out,*.prof
- Update
config.jsonwith new patterns:
{
"detection": {
"suspicious_extensions": [".locked", ".encrypted", ".your_extension"],
"content_patterns": ["RANSOMWARE", "YOUR_PATTERN"]
}
}- Implement custom detection logic in
detector.go:
func (d *Detector) customDetection(event FileEvent) []SuspiciousEvent {
// Your custom detection logic here
}Run the demo script to test all functionality:
./demo.shThe script will:
- Build the project
- Create test files
- Start the system
- Simulate ransomware activity
- Verify automatic detection and rollback
- Clean up resources
- Fork the repository
- Create a feature branch
- Implement your changes
- Add tests for new functionality
- Update documentation
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
This is a Proof of Concept for educational and research purposes. It should not be used in production environments without thorough security review and testing. The system provides basic ransomware detection and recovery capabilities but may not protect against all types of ransomware attacks.
For issues, questions, or contributions, please:
- Check the existing issues
- Create a new issue with detailed description
- Provide system information and logs
- Follow the contribution guidelines
Note: This PoC demonstrates core concepts of ransomware detection and recovery. In a production environment, additional security measures, comprehensive testing, and integration with enterprise security systems would be required.