Ransomware Detection

Accelerate and simplify ransomware detection with a unified security management platform, allowing you to spot attacks in real-time and minimize the impact to your assets.

One of the more crippling threats facing security professionals and the environments they protect today is the ransomware attack. Malware like cryptolocker and the hundreds of similarly debilitating variants (cryptowall, Reveton, torrentlocker, etc.) present a unique challenge in their ability to evade detection and execute their attack. The ransomware could be present in an infected system for hours or even days before it rears its ugly head.

Ransomware gets its name from its main intent: encrypting your sensitive files so that you do not have access to them and then demanding a ransom (usually in the form of cryptocurrency like bitcoin or prepaid cash cards) in exchange for the decryption key. The encryption used is quite robust and is not easily cracked; doing so would require a lot of time and computing resources not available to those outside of various 3-letter government security agencies.

AlienVault Unified Security Management™ (USM™) delivers essential ransomware detection capabilities:

Enhance Network Visibility

  • Spot malicious payload deployment
  • Identify traffic patterns related to known ransomware
  • Prevent interference with monitoring due to the robust architecture of the detection controls

Monitor Critical Files and Registry Entries for Any Charge

  • Alert when configurations of Windows machines are modified
  • Detect encryption of sensitive and/or personal files in real-time
  • Deploy easily to your critical assets

Get Alerted to Status Changes of Critical Services

  • Observe status changes of services that could be indicative of the presence of malware
  • Detect when attacks try to mask behavior by interfering or stopping monitoring applications
  • Easily configure availability monitoring for all critical assets

Enhance Network Visibility

One of the best first steps in securing your environment is to deploy intrusion detection (IDS) at the network layer as well as host-based IDS on your critical assets. This gives you detailed insight into what exactly is coming across the wire, instead of educated guesses based on alerts from anti virus and anti malware scans. And when the data you gain from those scans uncovers the presence of ransomware or other malware, your sensitive data could already be encrypted and irrecoverable.

Identifying the presence of these files in real-time gives you a fighting chance, allowing you to quarantine infected systems before they spread. USM’s integrated Intrusion Detection monitors the network and will flag any known malicious files.

Monitor Critical Files & Registry Entries for Any Changes

While some of the early ransom software (namely Reveton and Citadel) would simply lock you out of a machine and display some page demanding payment, today’s ransomware encrypts the bulk of your sensitive and/or personal files but allows you to use your computer otherwise. This process can take some time (entirely depending on the size of your file system) so catching the malware in the act could allow you to remediate the infection and prevent any spread.

Modifying a detection tool’s configuration is a common technique attackers use to mask their ransomware’s activity. On Windows machines, this results in a change to the registry, which, proactive monitoring of these entries (much like file systems) can give you precious time to stop these threats before they wreak total havoc.

With File Integrity Monitoring (FIM) built into the Host-based IDS, USM is able to keep a close watch on the files and registries of your sensitive assets and critical systems to detect when ransomware initially takes hold. Easily deploy these HIDS agents to multiple assets at once, accelerating deployment and simplifying threat detection.

Get Alerted to Status Changes of Critical Services

Some of the more evolved ransomware variants increase their chances of success by masking their activity when establishing an initial foothold on the target system. This ability to maneuver stealthily is often a result of compromising a system’s own endpoint protection controls. In addition to altering the configuration files of these tools, some attacks involve the termination or freezing of services and processes of the monitoring tools themselves.

Service availability monitoring is a central part of USM’s Behavioral Monitoring functionality and is easily configurable. This affords you at-a-glance visibility into the status of your most valuable assets and can act as an early warning of a potential attack.