STEALTHbits ProTip: Ransomware Detection with StealthINTERCEPT

Ransomware has been top of mind lately thanks to its much-deserved media attention. With StealthINTERCEPT for File Systems it is easy to keep up with current and emerging variants of this evolving scourge.

Ransomware Detection

Version 3.4.1 (current) of StealthINTERCEPT ships with a template named Ransomware Detection; older versions require a new File System Policy to be created by hand. Once the policy exists (created from scratch or copied from the template), set the hosts and paths you wish to monitor.

Configure as follows:

File System Policy

Set Access Operations to include Create, Write, and Rename. In most attacks the malware generates an encrypted copy of each file and then destroys the original, so the encrypted file name first appears as a Create, a Write, or a Rename. Then enter the desired wildcards (* and ? are both supported), for example:

  • *.locky
  • *.cryptolocker
  • *.*.aaa
  • Decrypt.me

Many more can be added, and the patterns are as flexible as you need. Naming conventions can be hard to express as a wildcard at times. Fortunately, these criminals share one common factor: money. There will always be an instruction file explaining how to pay them, so any file created as Decrypt.me, Decrypt.Instructions, and so on is another indicator of an attack.

As new attacks emerge, knowing the new encryption naming convention makes it easy to add further wildcards. Keeping separate policies is a good way to delineate definite attacks from activity that merely needs review. With a properly scoped policy this is one of the few quick wins a security professional can get with immediately actionable information. Incorporating scripts and integrating with an existing SIEM can further automate your protection from, and visibility into, these perpetrators.
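As an added illustration (written for this edit; it is not StealthINTERCEPT code and was not part of the original post), here is a small Python model of the policy described above: it scopes file events by host and path, filters on the Create, Write and Rename access operations, matches file names against * and ? wildcards, and reports one hit per policy so a "definite attack" policy and a separate "review" policy can coexist. The host names, share paths, the second review policy, and the sample events are all constructed for the example; the wildcard translation is this example's own and is only meant to mirror the * and ? semantics the post mentions.

```python
"""Toy File System Policy evaluator in the spirit of the StealthINTERCEPT
Ransomware Detection template. Constructed example, not vendor code."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Set


@dataclass(frozen=True)
class FileEvent:
    host: str
    operation: str   # Create, Write, Rename, Delete, Read, ...
    path: str        # UNC path; for a Rename this is the *new* name


class Hit(NamedTuple):
    policy: str
    host: str
    operation: str
    path: str
    wildcard: str    # the pattern that fired


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a policy wildcard into an anchored, case-insensitive regex.
    Only * and ? are special; everything else is escaped, so the dots in
    '*.*.aaa' are literal and that pattern needs two of them to match."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


@dataclass
class FileSystemPolicy:
    name: str
    hosts: Set[str]          # empty set means every host
    path_prefix: str         # monitored share or folder
    operations: Set[str]     # access operations to alert on
    wildcards: List[str]
    _compiled: list = field(default_factory=list, init=False, repr=False)

    def __post_init__(self) -> None:
        self._compiled = [(w, wildcard_to_regex(w)) for w in self.wildcards]

    def match(self, ev: FileEvent) -> Optional[str]:
        """Return the first wildcard that fires for this event, else None."""
        if self.hosts and ev.host not in self.hosts:
            return None
        if ev.operation not in self.operations:
            return None
        if not ev.path.lower().startswith(self.path_prefix.lower()):
            return None
        name = ntpath.basename(ev.path)   # match the file name, not the folder
        for wildcard, rx in self._compiled:
            if rx.match(name):
                return wildcard
        return None


def evaluate(policies: List[FileSystemPolicy], events: List[FileEvent]) -> List[Hit]:
    """Run every event through every policy. A file that trips two policies
    yields two hits, which is what keeps 'definite' and 'review' separable."""
    hits: List[Hit] = []
    for ev in events:
        for pol in policies:
            fired = pol.match(ev)
            if fired is not None:
                hits.append(Hit(pol.name, ev.host, ev.operation, ev.path, fired))
    return hits


def count_by_policy(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.policy] = counts.get(h.policy, 0) + 1
    return counts


# Constructed policies: the post's four wildcards, plus an assumed second
# policy for ransom-note names that only warrants review.
POLICIES = [
    FileSystemPolicy("Ransomware Detection", {"FS01"}, r"\\FS01\Finance",
                     {"Create", "Write", "Rename"},
                     ["*.locky", "*.cryptolocker", "*.*.aaa", "Decrypt.me"]),
    FileSystemPolicy("Ransom Note Review", {"FS01"}, r"\\FS01\Finance",
                     {"Create", "Write", "Rename"}, ["Decrypt.*"]),
]

# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    FileEvent("FS01", "Create", r"\\FS01\Finance\Q3\budget.xlsx.locky"),      # *.locky
    FileEvent("FS01", "Rename", r"\\FS01\Finance\Q3\forecast.docx.aaa"),      # *.*.aaa
    FileEvent("FS01", "Create", r"\\FS01\Finance\Q3\Decrypt.me"),             # both policies
    FileEvent("FS01", "Create", r"\\FS01\Finance\Q3\DECRYPT.INSTRUCTIONS.txt"),  # review only
    FileEvent("FS01", "Read",   r"\\FS01\Finance\Q3\old.locky"),              # wrong operation
    FileEvent("FS01", "Write",  r"\\FS01\Finance\Q3\report.aaa"),             # only one dot
    FileEvent("FS02", "Create", r"\\FS02\Public\note.locky"),                 # host out of scope
    FileEvent("FS01", "Create", r"\\FS01\HR\payroll.locky"),                  # path out of scope
]

if __name__ == "__main__":
    for hit in evaluate(POLICIES, SAMPLE_EVENTS):
        print(f"[{hit.policy}] {hit.host} {hit.operation} {hit.path} <- {hit.wildcard}")
```

Running it flags four of the eight events (Decrypt.me twice, once per policy) and stays silent on the Read of an old .locky file, the single-dot report.aaa, and the two events outside the configured host and path scope. The case-insensitive match is deliberate: NTFS is case-preserving but case-insensitive, so DECRYPT.INSTRUCTIONS.txt should trip Decrypt.* just as decrypt.instructions.txt would.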
