Endpoint Standard: How To Enable Enhanced Ransomware Protection

Environment

  • Endpoint Standard (was CB Defense): All Versions
  • Carbon Black Cloud Sensor: 3.0 and above
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Objective

How to create Ransomware Prevention policy rules for sensor versions 3.0.x and above.

Resolution

To enable ransomware prevention, Standard or Aggressive ransomware policy rules must be defined. Enhanced ransomware prevention rules can be keyed on reputation or on application path; in either case the operation attempt "Performs ransomware-like behavior" must be selected.

Standard Ransomware Policies

To reduce the risk of ransomware with minimal false positive risk, add the following Blocking and Isolation policy rules.

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Scroll down to the Blocking and Isolation section
  4. Select Edit (pencil icon) for PROCESS "Not listed application"
  5. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  6. Select ACTION "Terminate process"
  7. Select the Confirm button
  8. Select Save (top or bottom of the page)
  9. Select Edit (pencil icon) for PROCESS "Unknown application or process"
  10. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  11. Select ACTION "Terminate process"
  12. Select the Confirm button
  13. Select Save (top or bottom of the page)

Also consider blocking suspected malware, adware, or PUPs by adding the following rules to limit those applications’ ability to ransom files.

  1. Select Edit (pencil icon) for PROCESS "Suspected malware"
  2. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  3. Select ACTION "Terminate process"
  4. Select the Confirm button
  5. Select Save (top or bottom of the page)
  6. Select Edit (pencil icon) for PROCESS "Adware or PUP"
  7. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  8. Select ACTION "Terminate process"
  9. Select the Confirm button
  10. Select Save (top or bottom of the page)

For stronger protection, consider including known file extensions leveraged in ransomware attacks.

  1. Select Add application path
  2. Enter Application(s) at path
    **\*.a3x
    **\*.bat
    **\*.bin
    **\*.btm
    **\*.cmd
    **\*.com
    **\*.dll
    **\*.doc
    **\*.docb
    **\*.docm
    **\*.docx
    **\*.dotm
    **\*.exe
    **\*.js
    **\*.jse
    **\*.jsx
    **\*.pot
    **\*.potm
    **\*.potx
    **\*.ppam
    **\*.pps
    **\*.ppsm
    **\*.ppsx
    **\*.ppt
    **\*.pptm
    **\*.pptx
    **\*.ps1
    **\*.ps1xml
    **\*.psc1
    **\*.psd1
    **\*.py
    **\*.pyc
    **\*.pyo
    **\*.scr
    **\*.sys
    **\*.tmp
    **\*.vb
    **\*.vbe
    **\*.vbs
    **\*.vbscript
    **\*.wcm
    **\*.wpm
    **\*.ws
    **\*.wsf
    **\*.wsh
    **\*.xlam
    **\*.xlm
    **\*.xls
    **\*.xlsb
    **\*.xlsm
    **\*.xlsx
    **\*.xlt
    **\*.xltm
    **\*.xltx
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
NOTE: PowerShell and Python are popular targets on Windows and macOS systems, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity.

Aggressive Ransomware Policy

The most secure ransomware policy is a default deny posture that prevents all applications, except those specifically approved, from performing ransomware-like behavior. See the steps below.

  1. Select Add application path
  2. Enter Application(s) at path
    **
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
NOTE: The advantage of the default deny policy is protection from ransomware behaviors that originate from compromised applications with a higher reputation (such as TRUSTED_WHITE_LIST) without enumerating all possible applications.

Additional Notes

  • Enhanced Ransomware Detection: In the absence of any ransomware rules, Carbon Black Cloud (CBC) defaults to ransomware detection mode.
  • In ransomware detection mode, CBC will only Allow and Log ransomware behavior. This means that CBC will flag potential ransomware as a high-level Threat on the "Potentially Suspicious Activity" widget of the CBC Dashboard, and there will be no policy enforcement on the endpoint.
  • When "Performs ransomware-like behavior" is selected, the Deny action is disabled. Simply denying ransomware access to the first file an application tries to encrypt would not prevent it from attempting future encryption operations. For performance and security, the only supported action is Terminate process.
  • The aggressive ransomware policy will require tuning to handle false positives generated by applications whose legitimate activity mimics ransomware operations.
  • VMware Carbon Black recommends extensively testing default deny policies on a single representative host before the policies are applied to production systems. After false positives have been appropriately addressed, perform a gradual rollout by moving small groups of endpoints into the policy. To allow any new false positives to surface, leave a few days between each group of endpoints.
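To see how the rule sets above differ in coverage, here is an added illustration (not part of this article and not Carbon Black code) that models the Standard, extension-based and Aggressive rule sets together with the detection-mode fallback from the Additional Notes. The glob semantics ("**" spans path separators, "*" does not), the reputation label strings and the sample event paths are assumptions; the extension list is a representative subset of the article's.

```python
import re
from dataclasses import dataclass

# Console labels the article uses for reputation-based PROCESS rules (assumed as strings).
NOT_LISTED, UNKNOWN = "Not listed application", "Unknown application or process"
SUSPECT, ADWARE_PUP = "Suspected malware", "Adware or PUP"

@dataclass(frozen=True)
class Rule:                      # one "Performs ransomware-like behavior" rule
    process: str                 # reputation label, or an application-path glob
    path_rule: bool = False      # True when `process` is a path glob
    action: str = "Terminate process"

def glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed glob semantics: '**' matches anything including separators,
    '*' anything except a separator; '\\' and '/' are interchangeable."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*"); i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\/]*"); i += 1
        elif pattern[i] in "\\/":
            parts.append(r"[\\/]"); i += 1
        else:
            parts.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def evaluate(rules, reputation: str, app_path: str) -> str:
    """Outcome for one ransomware-like event under a rule set. No ransomware
    rules at all means detection mode ("Allow and Log"); otherwise the first
    matching rule's action applies (all article rules terminate, so order is moot)."""
    if not rules:
        return "Allow and Log"
    for r in rules:
        if r.path_rule and glob_to_regex(r.process).match(app_path):
            return r.action
        if not r.path_rule and r.process == reputation:
            return r.action
    return "No matching rule"    # the gap the default-deny "**" rule closes

# The article's three rule sets; the extension list is a representative subset.
STANDARD = [Rule(NOT_LISTED), Rule(UNKNOWN), Rule(SUSPECT), Rule(ADWARE_PUP)]
EXTENSIONS = ".bat .cmd .exe .js .ps1 .py .vbs .docm .xlsm".split()
STRONGER = STANDARD + [Rule("**\\*" + ext, path_rule=True) for ext in EXTENSIONS]
AGGRESSIVE = STRONGER + [Rule("**", path_rule=True)]

# Constructed sample: a high-reputation macOS binary (no extension) is only caught by "**".
TRUSTED_MAC = ("TRUSTED_WHITE_LIST", "/Applications/Editor.app/Contents/MacOS/Editor")
```

Running `evaluate(AGGRESSIVE, *TRUSTED_MAC)` versus `evaluate(STRONGER, *TRUSTED_MAC)` shows the coverage difference the default deny note describes.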

Article Information
Creation Date: 04-23-2021