Ransomware Detection and Prevention

Ransomware is on the rise, but real-time IT analytics will keep your network safe.

There are now multiple ransomware attacks every minute—and those are just the ones reported. It's no longer 'if,' but 'when.'
Are you ready?

Did You Know?

  • Ransomware brought in over $1 billion for criminals in 2016, according to the FBI, with an average ransom demand more than double that of 2015.
  • An IBM survey found that 70 percent of businesses infected with ransomware paid up.
  • Ransomware makes up 60 percent of malware infections encountered by Malwarebytes anti-virus software.

Intrusion Prevention Won't Cut It

Global ransomware attacks like WannaCry and Petya succeed not only because of outdated systems, but also because so many organizations rely on security tools using known signatures.

New ransomware strains evolve every day, each more sophisticated than the last, each better adapted to circumvent your defenses. You can't afford to leave your network vulnerable once malware makes it inside. You need another layer of defense that looks at actual behavior in real time.

What's the Alternative?

Full Network Visibility

In order to spot potential ransomware in time to quarantine infected systems, you must be able to monitor every transaction that passes across the network, including the "east-west" traffic between hosts and tiers within your network.

Real-Time Insight

Looking at the details of individual transactions is useful in after-the-fact forensics, but it won't help you detect suspicious behavior in the first place. Machine learning-driven analysis of structured L2-L7 wire data, provided in real time, is a key requirement for spotting malicious patterns before you lose sensitive data.

Deep Analytics with Long Lookback

The average ransomware strain waits inside a compromised system for 200 days before attacking. You need deep analytics going back months to understand the source of the infection, the scope of an incident, and how to root attackers out for good.

ExtraHop vs. Ransomware


The ExtraHop platform detects anomalies on the network, including the unique storage WRITE operations and file changes that are associated with ransomware. Incident response teams can set up an alert and be notified within minutes of a ransomware infection.


Ransomware takes some time to overwrite files, making it crucial that incident response teams can pinpoint attacks within minutes. The ExtraHop platform enables teams to rapidly identify attacks in progress on NAS systems and shared file infrastructure. ExtraHop also enables response teams to rapidly identify users who received malicious files and which IP addresses are hosting the malware.


With the specific data provided by ExtraHop, incident response teams can disconnect infected computers, block malicious IP addresses, and begin restoring files from backup.


Customer Success

Health Services Provider

With the ExtraHop platform, this health services provider was able to quickly pin down how ransomware had infiltrated the client machine and track its movements in real time in order to quarantine the malicious file before it could do significant harm.

See ExtraHop in Action

Explore the interactive demo to see how quickly you can find insights that move your IT environment—and your business—forward.
