Automating Ransomware Prevention with ExtraHop and Citrix Octoblu

As long as it still works, ransomware isn't going anywhere. Ransomware netted cybercriminals hundreds of millions of dollars in Q1 of 2016 alone, which provides a clear incentive for them to keep using it.

Fortunately, we're smarter than them and we're continually developing new ways to detect and prevent ransomware attacks. In fact, ExtraHop Solutions Architect John Smith just added a slick new capability to our anti-ransomware utility belt.

ExtraHop and Octoblu ransomware prevention flow
The basic workflow for automatically checking for malicious SWF files that may infect your client with ransomware.

On his Wire Data blog, John outlines a method for automatically checking Flash content (a notorious vector for ransomware transmission) to see if it comes from a malicious source that may be trying to install malware on your system. John's method uses an integration of ExtraHop and the Octoblu automation platform that was recently acquired by Citrix. Octoblu provides an open-source platform to allow connected devices to seamlessly communicate with each other, with connected systems, and with people. This is great for automating workflows that rely on real-time data ingestion and analysis, which makes it a perfect complement to ExtraHop's wire data analytics.

Dramatically oversimplified, the process goes like this:

  1. ExtraHop watches your network and analyzes wire data in real time, looking for files with the extension ".swf" (Flash) being fetched from outside sources, i.e. servers whose addresses fall outside the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16). Note that matching only on a leading "10", "172", or "192" is not enough: most of 172.0.0.0/8 and 192.0.0.0/8 is public address space.
  2. When ExtraHop sees a .swf file from an outside source being accessed, it does two things:
     - Kicks off a Precision Packet Capture, so we're immediately gathering evidence if this turns out to be a malicious file, and...
     - Tells Octoblu to execute a special process to check whether this .swf file is coming from a malicious URI. This process uses VirusTotal.com's service to check if the source is malicious, and also sends an email to the ExtraHop administrator (or whoever you choose), indicating that someone in your network has accessed a .swf file from a potentially malicious source.
  3. Based on this early warning, your IT admins can take action to remove the malicious file, block the source, and quarantine any potentially infected systems.
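To make the three steps concrete, here is an added worked example (not John Smith's trigger code, not an Octoblu flow, and not part of the original post) that replays the detect-capture-check-notify loop over a handful of constructed HTTP transaction records. The record layout, the `flow_id` field, the capture naming, and the two example hostnames are assumptions; the internal/external test uses the real RFC 1918 prefixes rather than a "starts with 10, 172, or 192" shortcut, and the VirusTotal lookup is built as a v3 API URL (whose URL identifier is the unpadded URL-safe base64 of the URL) but is not sent.

```python
"""Added example: detect external .swf fetches and emit the follow-up actions.
Not ExtraHop or Octoblu code. All records below are constructed, not captured."""

import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# RFC 1918 address space. A naive "starts with 10/172/192" check would wrongly
# treat public addresses such as 192.0.2.44 or 172.0.0.1 as internal.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class HttpTxn:
    client_ip: str
    server_ip: str
    host: str
    uri: str      # path plus query string as seen on the wire
    flow_id: str  # assumed: whatever identifier the sensor uses to name a flow


def is_external_swf(txn: HttpTxn) -> bool:
    """Step 1: a .swf path served from outside RFC 1918 space.
    The query string is stripped so '/x.swf?v=1' still matches and
    '/x.swf.txt' does not."""
    path = urlsplit(txn.uri).path.lower()
    return path.endswith(".swf") and not is_internal(txn.server_ip)


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


@dataclass
class Alert:
    url: str
    client_ip: str
    capture_name: str   # step 2a: evidence capture to start
    vt_lookup: str      # step 2b: reputation lookup to issue
    email_subject: str  # step 2b: notification to send


def handle(txn: HttpTxn) -> Optional[Alert]:
    if not is_external_swf(txn):
        return None
    url = f"http://{txn.host}{txn.uri}"
    return Alert(
        url=url,
        client_ip=txn.client_ip,
        capture_name=f"swf-{txn.flow_id}",
        vt_lookup=f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}",
        email_subject=f"[ExtraHop] {txn.client_ip} fetched external SWF from {txn.host}",
    )


def triage(txns: List[HttpTxn]) -> List[Alert]:
    return [a for a in (handle(t) for t in txns) if a is not None]


# Constructed sample transactions (documentation-range addresses, not real traffic).
SAMPLE = [
    HttpTxn("10.1.2.3", "203.0.113.10", "ads.example.net", "/player/loader.swf?v=7", "f1"),
    HttpTxn("10.1.2.3", "192.168.50.5", "intranet.corp", "/training/intro.swf", "f2"),
    HttpTxn("10.1.2.4", "192.0.2.44", "cdn.example.org", "/banner.swf", "f3"),
    HttpTxn("10.1.2.5", "203.0.113.10", "ads.example.net", "/player/loader.swf.txt", "f4"),
    HttpTxn("10.1.2.6", "198.51.100.7", "news.example.com", "/index.html", "f5"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert.email_subject, "->", alert.capture_name, alert.vt_lookup)
```

Running it flags f1 and f3 only: f2 is served from 192.168.0.0/16, f4 is not a .swf path, and f5 is not Flash at all. f3 is the instructive case, since 192.0.2.44 begins with "192" but is public, and a prefix-string check would have silently dropped it.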

This workflow is pretty easy to set up, and once you've got it going, it is an incredibly powerful way to get visibility into one of the biggest ransomware transmission vectors, Flash content fetched from external URIs, so you can catch and contain an infection attempt early, rather than paying a ransom or fumbling to assess and mitigate damage after the fact.

Since you can also integrate ExtraHop with third-party Network Access Control (NAC) platforms to automatically quarantine infected workstations, we're starting to have a pretty solid line of defense against the ransomware threat.

Below is a video of John Smith walking through the ExtraHop and Octoblu integration. You can also get a much more detailed explanation (with code samples) of how to implement it from his full blog post.

Get our Guide to Ransomware Prevention and Mitigation to learn more techniques for keeping your network safe from this growing threat.
