What are these files?

You might notice some strangely named files and folders in certain places on your drive after installing Ransomware Rewind. These items are hidden from most users, but file dialogs or tools that do not honour the standard hidden-file settings may display them.

These files are referred to as ‘canary’ files, from the ‘canary in the coal mine’ idiom. Nothing legitimate should ever write to them, so if something overwrites the data in a canary file, that is a good early indicator that the system is being compromised.

Canary files can also carry embedded data that, if a file is encrypted or leaked, helps identify where it came from. Access to them while an attacker is enumerating files can also be detected.

Why are they named this way?

Canary files have pseudo-random names and file contents, so they cannot be added to a database of files for ransomware to skip by hash or by name. This ensures that ransomware modifies them along with everything else, and that they can do their job as one of the first indicators of compromise.

The way their names are generated is known internally, so Cyber Crucible can determine whether a file is a canary or not, but outsiders cannot distinguish them from any other data that might be on the system.

Our Data Extortion Prevention software receives behavioral indicators from several engines before making a split-second decision on whether an attack is under way. One of those engines, the file monitoring engine, uses special files in several locations.
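The properties described above (names and contents that look random to an outsider, are recognisable to whoever holds a secret, and identify the machine they came from) follow naturally from deriving each canary with a keyed pseudo-random function. The following is an added illustration of that design, not Cyber Crucible's implementation; the secret key, the host_id, the per-file index, the 4096-byte size and the .docx extension are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical design, not Cyber Crucible's code. Assumptions: the protection agent
# holds a secret key that the attacker does not have, every machine has a host_id,
# and each canary on a machine is numbered by a small index.

CANARY_SIZE = 4096  # assumed fixed size, so truncation is detected as tampering


def _prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function: HMAC-SHA256 over length-prefixed parts."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def canary_name(key: bytes, host_id: str, index: int) -> str:
    """Name looks random to an outsider but is reproducible by anyone holding the key."""
    tag = _prf(key, b"name", host_id.encode(), index.to_bytes(4, "big"))
    # Document-like extension so file-hunting ransomware targets it (assumption).
    return tag[:6].hex() + ".docx"


def canary_content(key: bytes, host_id: str, index: int, size: int = CANARY_SIZE) -> bytes:
    """Deterministic pseudo-random body; encodes host/index for whoever holds the key."""
    out = bytearray()
    block = 0
    while len(out) < size:
        out += _prf(key, b"body", host_id.encode(), index.to_bytes(4, "big"),
                    block.to_bytes(4, "big"))
        block += 1
    return bytes(out[:size])


def canary_index(key: bytes, host_id: str, filename: str, max_index: int):
    """Return the index if filename is one of this host's canaries, else None."""
    for i in range(max_index):
        if canary_name(key, host_id, i) == filename:
            return i
    return None


def check_canary(key: bytes, host_id: str, filename: str, data: bytes, max_index: int) -> str:
    """Classify an observed file: not a canary, an intact canary, or a tampered one."""
    idx = canary_index(key, host_id, filename, max_index)
    if idx is None:
        return "not a canary"
    expected = canary_content(key, host_id, idx)
    # compare_digest returns False (without raising) when lengths differ.
    if hmac.compare_digest(expected, data):
        return "intact"
    return "tampered"  # overwritten, encrypted or truncated: early indicator of compromise


def identify_leaked(key: bytes, candidate_hosts, data: bytes, max_index: int):
    """Attribute a leaked canary to (host_id, index) by recomputation; needs the key."""
    for host in candidate_hosts:
        for i in range(max_index):
            if hmac.compare_digest(canary_content(key, host, i), data):
                return (host, i)
    return None


def main():
    key = secrets.token_bytes(32)  # constructed here; in practice provisioned to the agent
    host = "WKSTN-0042"            # constructed host identifier
    name = canary_name(key, host, 0)
    body = canary_content(key, host, 0)
    print("canary:", name, "->", check_canary(key, host, name, body, 8))
    # Simulate ransomware overwriting the file in place with ciphertext-looking bytes.
    encrypted = bytes(b ^ k for b, k in zip(body, os.urandom(len(body))))
    print("after overwrite ->", check_canary(key, host, name, encrypted, 8))
    # Attribute a leaked intact copy to the machine it was taken from.
    print("leak source ->", identify_leaked(key, ["WKSTN-0041", host, "SRV-01"], body, 8))


if __name__ == "__main__":
    main()
```

Without the key there is no fixed name or hash to blacklist, since every machine gets different values; with the key the agent can both recognise its own canaries and tell an intact one from an overwritten one.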

Those files you sometimes see, and sometimes do not, are placed there by Cyber Crucible. Depending on how an application lists files, you may or may not see them. For example, a program that uses a File Explorer dialog to open or save files will show them to you.

We call those files canaries, as in “canary in the coal mine” (wiki).