How to Automatically Detect and Block Ransomware

Integrating ExtraHop with Network Access Control (NAC) to win the fight against ransomware.

So I've been somewhat off the grid with my family over the past couple of weeks (note to self: relocating to a new home…in July…in Texas…is a very bad idea). As I trudge my way through a seemingly unending pile of emails and news articles, all I have to say is WOW! There's been TONS of new ransomware variants/activity over the past month alone; probably more than we saw in the previous 3 months combined!

The sophistication of the latest ransomware variants, such as CrySiS, Zepto, and Jigsaw, is jaw dropping! Ransomware is no longer only a Windows problem; we're seeing more and more threats aimed at macOS and mobile platforms. And some of the newer variants go beyond just encrypting your files: we are now seeing data exfiltration (i.e. breach) behavior as well, which turns an outage into a disclosure.

Enough is enough, I say it's time to take the gloves off!

How We Detect and Stop Ransomware Automatically

Our award-winning techniques continue to be just as effective in detecting the latest batch of crypto-ransomware variants. If you're new to the ExtraHop Ransomware Bundle, I'd recommend you read my earlier blog post for an understanding of how it works. Fundamentally, the ExtraHop Ransomware Bundle provides early warning in the event of a ransomware infection, but it does not natively stop an outbreak: the appliance watches traffic passively, so it sees the encryption activity but cannot block it on its own. Given the flexible foundation of the ExtraHop platform, though, we can easily integrate ExtraHop with third-party solutions (via our Open Data Stream capability) in order to automate ACTIVE remediation. In other words, you can combine ExtraHop with third-party NAC (Network Access Control) solutions, firewalls, etc. to block an infected host while the attack is still in flight.

Tom Roeh, Systems Engineering Manager, ExtraHop Networks

This is best described through example. One of our existing clients has the ExtraHop Ransomware Bundle deployed in conjunction with an industry leading NAC solution. This product pairing offers an EXCELLENT means for controlling malware once it's entered your enterprise. Adding this functionality to the Ransomware Bundle takes just a couple of lines of JavaScript in the bundle's trigger.

// Build the NAC quarantine path for the client device of the current flow.
// The original snippet had unbalanced quotes around "ExtraHop" and "RANSOMWARE"; fixed here.
var my_path = "/utilities/?quarantine"
    + "&clientmacaddress=" + Flow.client.device.hwaddr
    + "&source=ExtraHop"
    + "&reason=RANSOMWARE";

// Send the REST call through the Open Data Stream HTTP target named "my_NAC".
Remote.HTTP("my_NAC").get({ path: my_path });

In the code snippet above, we simply build the URL path for an outbound REST call. The string "my_NAC" names a predefined Open Data Stream (ODS) HTTP target, which you configure via our Admin UI, so the trigger itself never carries the NAC's hostname or credentials. Once the NAC platform receives the REST call, it moves the infected workstation into a quarantined state, where it can no longer reach the file shares it was encrypting, and we claim VICTORY.
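As an added example (this is not code from the Ransomware Bundle or from ExtraHop), here is the decision logic I would wrap around that one-line call before letting it quarantine hosts unattended. It is written as plain functions that run under Node, with the outbound call injected as a send callback standing in for Remote.HTTP("my_NAC").get(); the NAC path format is taken from the snippet above, and the MAC addresses, IPs and five-minute cooldown are constructed for the demonstration. It adds the checks a practitioner wants before automating isolation: every query value is URL-encoded, the MAC is validated as unicast, hosts on an exclusion list (your file servers and domain controllers) are never isolated, a MAC seen fronting more than one client IP is treated as a gateway and skipped, and repeated detections for the same device are rate-limited so the NAC is not flooded.

```javascript
"use strict";

// Added example, not the ExtraHop Ransomware Bundle's code. Decision logic to
// wrap around the quarantine call in the post, written as plain functions so it
// runs under Node. `send(path)` stands in for Remote.HTTP("my_NAC").get({path}).

const MAC_RE = /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/i;

// Well-formed unicast MAC: six hex octets, bit 0 of the first octet clear.
function isUnicastMac(hwaddr) {
  return typeof hwaddr === "string" && MAC_RE.test(hwaddr) &&
    (parseInt(hwaddr.slice(0, 2), 16) & 1) === 0;
}

// Path format from the post (assumed NAC API). Each value is URL-encoded so a
// source or reason string containing '&' or '=' cannot add parameters.
function buildQuarantinePath(hwaddr, source, reason) {
  if (!isUnicastMac(hwaddr)) {
    throw new Error("refusing to quarantine non-unicast MAC: " + String(hwaddr));
  }
  const q = new URLSearchParams({
    clientmacaddress: hwaddr.toLowerCase(),
    source: source,
    reason: reason,
  });
  return "/utilities/?quarantine&" + q.toString();
}

// Per-device gate. excludeMacs: hosts that must never be isolated (file
// servers, domain controllers). cooldownMs: minimum gap between requests for
// the same MAC, so a noisy infection does not flood the NAC.
class QuarantineGate {
  constructor(excludeMacs, cooldownMs) {
    this.exclude = new Set(excludeMacs.map((m) => m.toLowerCase()));
    this.cooldownMs = cooldownMs;
    this.lastSent = new Map(); // mac -> time of last request
    this.ipsByMac = new Map(); // mac -> Set of client IPs seen behind it
  }

  // Call on every flow, not only detections, so the MAC->IP map is learned
  // from normal traffic. A MAC fronting several IPs is a router or gateway;
  // quarantining it would cut off every host behind it.
  observe(hwaddr, clientIp) {
    const mac = hwaddr.toLowerCase();
    if (!this.ipsByMac.has(mac)) this.ipsByMac.set(mac, new Set());
    this.ipsByMac.get(mac).add(clientIp);
  }

  // null when the request may go out, otherwise why it is being held.
  holdReason(hwaddr, now) {
    const mac = hwaddr.toLowerCase();
    if (this.exclude.has(mac)) return "excluded";
    const ips = this.ipsByMac.get(mac);
    if (ips && ips.size > 1) return "shared-mac";
    const last = this.lastSent.get(mac);
    if (last !== undefined && now - last < this.cooldownMs) return "cooldown";
    return null;
  }

  markSent(hwaddr, now) {
    this.lastSent.set(hwaddr.toLowerCase(), now);
  }
}

// Trigger body on a ransomware detection for the flow's client device.
function handleDetection(gate, hwaddr, now, send) {
  if (!isUnicastMac(hwaddr)) return { sent: false, reason: "bad-mac" };
  const hold = gate.holdReason(hwaddr, now);
  if (hold !== null) return { sent: false, reason: hold };
  const path = buildQuarantinePath(hwaddr, "ExtraHop", "RANSOMWARE");
  send(path);
  gate.markSent(hwaddr, now);
  return { sent: true, path: path };
}

// Constructed walk-through: a workstation, a file server on the exclusion
// list, and a gateway MAC seen in front of two client IPs.
function runScenario() {
  const sentPaths = [];
  const send = (p) => sentPaths.push(p);
  const FILESERVER = "00:50:56:aa:bb:cc";
  const GATEWAY = "00:1c:73:00:00:01";
  const WORKSTATION = "3c:97:0e:12:34:56";
  const gate = new QuarantineGate([FILESERVER], 5 * 60 * 1000);
  gate.observe(WORKSTATION, "10.1.1.25");
  gate.observe(GATEWAY, "10.2.0.7");
  gate.observe(GATEWAY, "10.2.0.9");
  const t0 = 1000000;
  return {
    first: handleDetection(gate, WORKSTATION, t0, send),
    repeat: handleDetection(gate, WORKSTATION, t0 + 30 * 1000, send),
    later: handleDetection(gate, WORKSTATION, t0 + 6 * 60 * 1000, send),
    server: handleDetection(gate, FILESERVER, t0, send),
    gateway: handleDetection(gate, GATEWAY, t0, send),
    garbage: handleDetection(gate, "ff:ff:ff:ff:ff:ff", t0, send),
    sentPaths: sentPaths,
  };
}
```

The hold reasons are returned rather than only logged so the trigger can still raise an alert for a detection it chose not to act on; a quarantine that is skipped because the MAC fronts a whole subnet is exactly the case where a human needs to look.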

Simple huh? It's the power of the platform!

As we continue development of the Ransomware Bundle, we're looking to include out-of-the-box support for common NAC/firewall solutions, so stay tuned on this front. But, as you can see, modifying the bundle code is a simple exercise. The example above describes the usage of outbound RESTful API calls, but we can also use mechanisms like Syslog, Email, SNMP, etc.

If you have a particular platform you'd like to see integrated with the Ransomware Bundle, drop us a line and provide details! Also check out John Smith's integration of ExtraHop and Octoblu to automatically check for malicious Flash content.

Next up, get our Ransomware Mitigation Guide for a deeper dive into how you can protect your data against this growing threat.
