Version 3.4.1 (current) of StealthINTERCEPT ships with a template right out of the box (called Ransomware Detection), whereas older versions require a new File System Policy to be created. Once you have created the policy or copied it from the template, set the hosts and the path you wish to monitor.
Configure as follows:
Set Access Operations to include Create, Write, and Rename (in most attacks there is a Create operation from generating the encrypted copy, followed by destruction of the original). Then enter the desired Wildcards (* and ? can both be used) as follows:
Many more can be included, and the patterns are as flexible as you need. The naming conventions can be difficult to capture with a Wildcard at times. Fortunately, these criminals have one common factor and that’s MONEY. There will always be an instruction set on how to pay them, so any file being generated as Decrypt.me, Decrypt.Instructions, etc. can be another indicator of an attack.
As new attacks emerge, knowing the encryption naming convention makes it easy to update and add Wildcards. Having separate Policies is a great way to delineate between definite attacks and activity to review. With a properly scoped Policy, this is one of the few quick wins a security professional can have with immediately actionable information. Incorporating scripts and integrating with an existing SIEM can further automate your protection and visibility against these perpetrators.
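To make the policy logic above concrete, here is an added example (not StealthINTERCEPT's own code, and not from the author) that evaluates a stream of file-system events against two wildcard policies, one for definite attacks and one for activity to review, and also looks for the Create-then-Delete pattern the post describes. The event record layout (`user`, `op`, `path`, optional `new_name`), the policy names, and every pattern other than the ransom-note names `Decrypt.me` and `Decrypt.Instructions` are constructed assumptions for illustration; the sample events are likewise constructed.

```python
"""Added example: wildcard-based ransomware detection over file-system events.
Not StealthINTERCEPT's code; event schema and patterns are constructed."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Access Operations the post recommends monitoring.
MONITORED_OPS = {"Create", "Write", "Rename"}

# Two separate policies, as the post suggests, so definite hits are not mixed
# with items that merely deserve review. Only the Decrypt.* names come from
# the post; the other patterns are constructed samples.
POLICIES = {
    "Ransomware Detection - definite": [
        "Decrypt.me",              # ransom-note name from the post
        "Decrypt.Instructions*",   # ransom-note name from the post
        "*.encrypted",             # constructed sample extension
    ],
    "Ransomware Detection - review": [
        "*.???_locked",            # constructed sample using ? wildcards
        "HOW_TO_*.txt",            # constructed sample
    ],
}


def matches_policy(filename, patterns):
    """Case-insensitive match supporting * and ? like the policy UI."""
    name = filename.lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def evaluate_events(events):
    """Return (policy name, event) for each monitored event that matches a pattern."""
    hits = []
    for ev in events:
        if ev["op"] not in MONITORED_OPS:
            continue
        # For a Rename the name to inspect is the new one.
        fname = ev.get("new_name") or ev["path"].rpartition("\\")[2]
        for policy, patterns in POLICIES.items():
            if matches_policy(fname, patterns):
                hits.append((policy, ev))
    return hits


def create_then_delete_pairs(events):
    """Flag a Delete of a file whose directory already saw a Create of a longer
    name sharing that file's full name as prefix (e.g. report.docx ->
    report.docx.encrypted), the encrypt-copy-then-destroy pattern."""
    created = defaultdict(list)   # directory -> filenames created so far
    pairs = []
    for ev in events:
        directory, _, fname = ev["path"].rpartition("\\")
        if ev["op"] == "Create":
            created[directory].append(fname)
        elif ev["op"] == "Delete":
            for new in created[directory]:
                if len(new) > len(fname) and new.lower().startswith(fname.lower()):
                    pairs.append((ev["path"], directory + "\\" + new))
    return pairs


# Constructed sample events in chronological order.
SAMPLE_EVENTS = [
    {"user": "jdoe", "op": "Create", "path": r"\\fs01\share\finance\report.docx.encrypted"},
    {"user": "jdoe", "op": "Delete", "path": r"\\fs01\share\finance\report.docx"},
    {"user": "jdoe", "op": "Create", "path": r"\\fs01\share\finance\Decrypt.Instructions.txt"},
    {"user": "asmith", "op": "Rename", "path": r"\\fs01\share\hr\policy.pdf",
     "new_name": "policy.pdf.xyz_locked"},
    {"user": "asmith", "op": "Read", "path": r"\\fs01\share\hr\handbook.pdf"},
    {"user": "bwong", "op": "Write", "path": r"\\fs01\share\it\notes.txt"},
]


if __name__ == "__main__":
    for policy, ev in evaluate_events(SAMPLE_EVENTS):
        print(f"[{policy}] {ev['user']} {ev['op']} {ev['path']}")
    for deleted, created_copy in create_then_delete_pairs(SAMPLE_EVENTS):
        print(f"[encrypt-then-destroy] {deleted} -> {created_copy}")
```

The two functions are intentionally separate: the wildcard policies give the "definite" and "review" buckets the post recommends, while the Create-then-Delete check catches a family whose extension you have not yet added a wildcard for, which is the kind of script or SIEM rule the post suggests layering on top.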
Jeff is a Senior Engineer at STEALTHbits.