This is the ExtraHop-supported Ransomware Bundle, built to detect ransomware (file-encrypting) attacks in real time using an ExtraHop trigger. For information on how ExtraHop Reveal(x), the enterprise security product, detects ransomware through network traffic analysis, see the Reveal(x) documentation.
The bundle offers several detection techniques, but every one of them works by analyzing SMB/CIFS traffic (the file-sharing protocol used primarily by Microsoft Windows systems) as it crosses the monitored network. Because the detection is purely network-based, the sensor can only judge file operations it actually sees on the wire; encryption of local disks, or of shares whose traffic is not mirrored to the sensor, is not visible to it. The trigger is designed to be highly configurable and is annotated with comments explaining the settings you can modify.
For more detailed information about installing, configuring, and identifying potential ransomware attacks with the Ransomware Bundle, see the Ransomware Bundle Walkthrough.
Note: The v1.2.6 update to the bundle includes the following changes:
Updated list of file extensions and file patterns to include the Wanna Decryptor (WannaCry) ransomware variant:
- Added a single file extension (*.wncry) to the Type ONE Alert Dictionary
- Added a single file pattern (please_read_me@) to the Type FOUR Alert Dictionary (for the ransom note)
Note: The v1.2.5 update to the bundle includes the following changes:
- Updated list of file extensions for new Ransomware variants, including ZCrypt, new Jigsaw variant, and several others
- Alerts are now disabled by default, except for the Type One detection alert, and the sample email address has been removed from their notification lists. Configure email notifications for this alert, and for any others you choose to enable, or the detections will fire without anyone being told.
- Default threshold values defined in the trigger have been adjusted to reduce false-positive reporting.
- (4) Alerts
  - Ransomware Type One Detection Event
  - Ransomware Type Two Detection Event
  - Ransomware Type Three Detection Event
  - Ransomware Type Four Detection Event
- (1) Trigger
  - Ransomware CIFS Detection v1.2.5
- (2) Pages
  - Ransomware Details
  - Ransomware Trending
- (1) Dynamic Group
  - CIFS Servers
- (1) Application
- (2) Dashboards
  - Ransomware Detection
  - Ransomware Supplemental
Requires ExtraHop version 6.0 or later.
Note: Your data feed (such as ERSPAN, RSPAN, RPCAP, or a port mirror) must be configured correctly and must carry the SMB/CIFS traffic between your clients and your file servers or network-attached storage. If the sensor does not see the file operations, none of the four detection types can fire.
If you have a previous version of this bundle installed, disable the existing trigger; do not uninstall it yet.
If you have custom file extensions or regular expressions defined in the existing trigger, copy and store them so you can re-enter them in the new trigger.
- Download the bundle on this page.
- Log into the ExtraHop Web UI and complete the following procedures, which are described in the ExtraHop Web UI Guide.
- Review the Ransomware Supplemental dashboard and identify any file extensions that are legitimate in your environment but not yet recognized by the trigger.
- Add those file extensions to the trigger code (look for the type_two_file_extension_whitelist variable); extensions on this list no longer count toward Type Two detection, so keep it to extensions you have confirmed are in normal use.
- Variables within the trigger let you individually enable or disable the four detection types:
  - var type_one_detection_enable
  - var type_two_detection_enable
  - var type_three_detection_enable
  - var type_four_detection_enable
If you had a previous version of this bundle installed:
- Re-enter the custom file extensions and regular expressions you stored from the existing trigger into the new trigger.
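The following is an added illustration, not the bundle's own trigger code and not the ExtraHop trigger API: a stand-alone JavaScript model of the SMB/CIFS detection logic described above (known-bad extensions for Type One, a non-whitelisted-extension count for Type Two, ransom-note file-name patterns for Type Four) together with the whitelist-tuning step from the installation procedure. It runs over constructed file-operation records rather than live CIFS events. Only the `.wncry` extension and the `please_read_me@` pattern come from the page; the record shape, the per-type enable flags, the threshold, the whitelist contents, the other extensions and patterns, and the sample data are all assumptions. Type Three is not characterized on the page and is deliberately left out.

```javascript
// Added example, not the ExtraHop bundle's trigger code. Models Type One, Type
// Two and Type Four ransomware detection over constructed SMB/CIFS file
// operation records of the form {client, method, resource}. Everything except
// ".wncry" and "please_read_me@" is an assumption made for the illustration.

// Type One: file extensions attributed to known ransomware variants.
// ".wncry" is the WannaCry extension; the others are illustrative entries.
const TYPE_ONE_EXTENSIONS = new Set([".wncry", ".locked", ".crypt"]);

// Type Four: substrings of ransom-note file names, matched in lower case.
// "please_read_me@" is the WannaCry note pattern; the others are illustrative.
const TYPE_FOUR_FILE_PATTERNS = ["please_read_me@", "how_to_decrypt", "decrypt_instructions"];

// Mirrors the enable flags and the whitelist variable the installation steps
// tell you to edit in the trigger (names reused for readability; assumed values).
const DEFAULT_CONFIG = {
  type_one_detection_enable: true,
  type_two_detection_enable: true,
  type_four_detection_enable: true,
  // Type Two: extensions that are legitimate on this share. A write with any
  // other extension counts toward the per-client threshold below.
  type_two_file_extension_whitelist: new Set([".docx", ".xlsx", ".pptx", ".pdf", ".txt"]),
  // Non-whitelisted writes from one client that raise a Type Two alert (assumed value).
  type_two_threshold: 3,
};

// SMB operations that put a file name on the share; reads are ignored.
const WRITE_METHODS = new Set(["CREATE", "WRITE", "RENAME"]);

function baseName(resource) {
  // Accept both Windows (\\server\share\file) and POSIX-style paths.
  return resource.split(/[\\/]/).pop().toLowerCase();
}

function extensionOf(resource) {
  const name = baseName(resource);
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot) : "";
}

// Runs the enabled detections over the records and returns the alerts raised, in order.
function analyze(events, cfg = DEFAULT_CONFIG) {
  const alerts = [];
  const typeTwoCounts = new Map(); // client IP -> non-whitelisted writes seen so far
  for (const ev of events) {
    if (!WRITE_METHODS.has(ev.method)) continue;
    const name = baseName(ev.resource);
    const ext = extensionOf(ev.resource);

    if (cfg.type_one_detection_enable && TYPE_ONE_EXTENSIONS.has(ext)) {
      alerts.push({ type: 1, client: ev.client, resource: ev.resource, extension: ext });
    }
    if (cfg.type_four_detection_enable && TYPE_FOUR_FILE_PATTERNS.some((p) => name.includes(p))) {
      alerts.push({ type: 4, client: ev.client, resource: ev.resource });
    }
    if (cfg.type_two_detection_enable && ext !== "" && !cfg.type_two_file_extension_whitelist.has(ext)) {
      const n = (typeTwoCounts.get(ev.client) || 0) + 1;
      typeTwoCounts.set(ev.client, n);
      // Alert exactly once per client, when the threshold is first reached.
      if (n === cfg.type_two_threshold) {
        alerts.push({ type: 2, client: ev.client, count: n, extension: ext });
      }
    }
  }
  return alerts;
}

// The "review the Supplemental dashboard" step: tally every non-whitelisted
// extension written to the share so that legitimate ones can be whitelisted.
function unlistedExtensions(events, cfg = DEFAULT_CONFIG) {
  const counts = new Map();
  for (const ev of events) {
    if (!WRITE_METHODS.has(ev.method)) continue;
    const ext = extensionOf(ev.resource);
    if (ext !== "" && !cfg.type_two_file_extension_whitelist.has(ext)) {
      counts.set(ext, (counts.get(ext) || 0) + 1);
    }
  }
  return counts;
}

// Constructed sample records: an infected client (10.0.0.5) encrypting a share
// and dropping a ransom note, plus an administrator (10.0.0.9) writing a backup.
const SAMPLE_EVENTS = [
  { client: "10.0.0.5", method: "WRITE",  resource: "\\\\fs01\\finance\\q1.xlsx" },
  { client: "10.0.0.5", method: "WRITE",  resource: "\\\\fs01\\finance\\q1.xlsx.WNCRY" },
  { client: "10.0.0.5", method: "CREATE", resource: "\\\\fs01\\finance\\@Please_Read_Me@.txt" },
  { client: "10.0.0.5", method: "RENAME", resource: "\\\\fs01\\hr\\report.docx.zzzz" },
  { client: "10.0.0.5", method: "RENAME", resource: "\\\\fs01\\hr\\budget.pdf.zzzz" },
  { client: "10.0.0.9", method: "WRITE",  resource: "\\\\fs01\\it\\db-backup.bak" },
  { client: "10.0.0.9", method: "READ",   resource: "\\\\fs01\\it\\runbook.docx" },
];

console.log(JSON.stringify(analyze(SAMPLE_EVENTS), null, 2));
console.log([...unlistedExtensions(SAMPLE_EVENTS)]);
```

Running it raises a Type One alert for the `.wncry` write, a Type Four alert for the ransom note, and a Type Two alert once the infected client has written three non-whitelisted extensions; the administrator's single `.bak` write stays below the threshold. Lowering `type_two_threshold` to 1 turns that `.bak` write into a false positive, and adding `.bak` to `type_two_file_extension_whitelist` is exactly the tuning the installation steps describe.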