The best defense against ransomware has been comprehensive backup, but ExtraHop is introducing a way to capture files just before ransomware encrypts them, making it possible to restore them without relying on backups.
A software upgrade to ExtraHop’s Ransomware Detection bundle picks up on precursors to ransomware encrypting files and captures them before the malware has the chance to encrypt.
The software includes triggers that detect ransomware indicators of compromise, kicking in packet capture (PCAP) to record the content of files being encrypted. The PCAP files are opened with Wireshark to recreate the original files that were encrypted.
So the bundle doesn’t stop ransomware from doing its mischief, but it can help businesses get their encrypted files back without paying ransom.
If ExtraHop doesn’t pick up on ransomware at work before it encrypts a file, customers would have to rely on backups, hope for a decryption key or pay ransom to recover files.
The ExtraHop package has a view of network traffic between user endpoints and file servers to see who is using what files and how they are using them – writing, modifying, deleting, etc. It does this by analyzing SMB/CIFS-protocol traffic. When it identifies enough suspicious activity it triggers alerts.
What’s new is that the suspicious activity also triggers packet capture to buffer file content as the ransomware reads files from the file server. So the content captured is the latest version of the file.
Opening the PCAP files in Wireshark is still a manual process, but it does enable restoring the affected files.
The ransomware detection bundle has APIs so alerts could be sent to other platforms such as SIEMs and could potentially trigger enforcement actions by next-generation firewalls, ExtraHop says.
Among the indicators the bundle looks for are more than 200 known bad file types associated with ransomware, spikes in read/write activity, and patterns of behavior not typical of human users, such as opening scores of files in rapid succession.
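To make the detection heuristics described above concrete, here is an added example (not ExtraHop's code, and not a description of its bundle's internals) that applies the same three ideas to a stream of SMB file-access events: writes of files with extensions associated with ransomware, a spike in read/write operations from one client, and a burst of file opens faster than a person would plausibly perform. The event format, the extension list, the client addresses and the thresholds are all constructed for the example and would need tuning in a real environment.

```python
"""Toy ransomware-precursor detector over SMB file-access events (added example).

Models the indicators named in the article:
  - writes of files whose extension is on a constructed known-bad list,
  - spikes of READ/WRITE operations from a single client inside a short window,
  - bursts of file OPENs from a single client faster than a human would produce.
"""
import ntpath
from collections import defaultdict, deque

# Constructed sample of extensions; a real list would be curated and far larger.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted", ".enc"}

# Assumed thresholds: count of events inside a sliding window before a rule fires.
WINDOW_SECONDS = 2.0
OPEN_BURST_THRESHOLD = 10   # OPENs per client per window
RW_SPIKE_THRESHOLD = 15     # READ+WRITE per client per window


class SmbActivityDetector:
    """Stateful per-client detector fed one event at a time."""

    def __init__(self, window_s=WINDOW_SECONDS):
        self.window_s = window_s
        self.opens = defaultdict(deque)   # client -> timestamps of OPEN events
        self.rw = defaultdict(deque)      # client -> timestamps of READ/WRITE events

    def _burst(self, window, ts, threshold):
        """Sliding-window counter; fires once when the threshold is reached, then re-arms."""
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= threshold:
            window.clear()  # re-arm so a later burst is reported separately
            return True
        return False

    def process(self, ts, client, op, path):
        """Return a list of alert dicts raised by this single event (usually empty)."""
        alerts = []
        ext = ntpath.splitext(path)[1].lower()  # ntpath handles UNC-style SMB paths
        if op in ("WRITE", "CREATE", "RENAME") and ext in SUSPICIOUS_EXTENSIONS:
            alerts.append({"rule": "suspicious_extension", "client": client, "path": path, "ts": ts})
        if op == "OPEN" and self._burst(self.opens[client], ts, OPEN_BURST_THRESHOLD):
            alerts.append({"rule": "open_burst", "client": client, "path": path, "ts": ts})
        if op in ("READ", "WRITE") and self._burst(self.rw[client], ts, RW_SPIKE_THRESHOLD):
            alerts.append({"rule": "rw_spike", "client": client, "path": path, "ts": ts})
        return alerts


def analyze(lines):
    """Parse constructed 'timestamp,client,op,path' lines and run them through the detector."""
    det = SmbActivityDetector()
    alerts = []
    for line in lines:
        ts_s, client, op, path = line.strip().split(",", 3)
        alerts.extend(det.process(float(ts_s), client, op.upper(), path))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. for a SIEM-style dashboard."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


def build_sample_events():
    """Constructed event stream: one benign user, then one host behaving like ransomware."""
    share = r"\\fs01\share\docs"
    events = []
    # Benign: three files opened and read over about a minute (no rule should fire).
    for i, offset in enumerate((0.0, 20.0, 45.0)):
        path = share + f"\\memo{i}.docx"
        events.append(f"{1000.0 + offset:.3f},10.0.1.20,OPEN,{path}")
        events.append(f"{1000.0 + offset + 0.5:.3f},10.0.1.20,READ,{path}")
    # Suspicious: twelve files opened, read and rewritten with a .locked suffix in ~1.2 s.
    t = 2000.0
    for i in range(12):
        path = share + f"\\q3_{i}.xlsx"
        events.append(f"{t:.3f},10.0.1.77,OPEN,{path}")
        events.append(f"{t + 0.02:.3f},10.0.1.77,READ,{path}")
        events.append(f"{t + 0.05:.3f},10.0.1.77,WRITE,{path}.locked")
        t += 0.1
    return events


if __name__ == "__main__":
    found = analyze(build_sample_events())
    print(summarize(found))
    for a in found[:3]:
        print(a)
```

The sliding-window counter re-arms after each firing so a sustained encryption run produces a stream of discrete alerts rather than one per packet; in a real pipeline the alert dicts would be the payload handed to a SIEM or a firewall integration, which is the point where the article says the bundle's APIs come in.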
The new packet-capture software upgrade is available now. It requires customers to have either an ExtraHop Trace or Discover appliance on which to run the software and to monitor network traffic.