Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Endpoint Standard: How To Enable Enhanced Ransomware Protection

Endpoint Standard: How To Enable Enhanced Ransomware Protection

Environment

Endpoint Standard (was CB Defense): All Versions
  • Carbon Black Cloud Sensor: 3.0 and above
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Objective

How to enable create Ransomware Prevention Policy Rules for sensors versions 3.0.x and above.

Resolution

In order to enable ransomware prevention, Standard or Aggressive ransomware policies must be defined. Enhanced ransomware prevention rules can be enabled based on reputation or application path. The operation, Performs ransomware-like behavior must be selected.

Standard Ransomware Policies

To reduce the risk of ransomware with minimal false positive risk, add the following Blocking and Isolation policy rules

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Scroll down to the Blocking and Isolation section
  4. Select Edit (pencil icon) for PROCESS "Not listed application"
  5. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  6. Select ACTION "Terminate process"
  7. Select the Confirm button
  8. Select Save (top or bottom of the page)
  9. Select Edit (pencil icon) for PROCESS "Unknown application or process"
  10. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  11. Select ACTION "Terminate process"
  12. Select the Confirm button
  13. Select Save (top or bottom of the page)

Also consider blocking suspected malware, adware, or PUPs by adding the following rules to limit those applications’ ability to ransom files

  1. Select Edit (pencil icon) for PROCESS "Suspected malware"
  2. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  3. Select ACTION "Terminate process"
  4. Select the Confirm button
  5. Select Save (top or bottom of the page)
  6. Select Edit (pencil icon) for PROCESS "Adware or PUP"
  7. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  8. Select ACTION "Terminate process"
  9. Select the Confirm button
  10. Select Save (top or bottom of the page)

For stronger protection, consider including known extensions leveraged in ransomware attacks 

  1. Select Add application path
  2. Enter Application(s) at path
    **\*.a3x 
    **\*.bat
    **\*.bin
    **\*.btm
    **\*.cmd
    **\*.com
    **\*.dll → Please test prior to implementing, particularly when using full drive encryption
    **\*.doc
    **\*.docb
    **\*.docm
    **\*.docx
    **\*.dotm
    **\*.exe
    **\*.js
    **\*.jse
    **\*.jsx
    **\*.pot
    **\*.potm
    **\*.potx
    **\*.ppam
    **\*.pps
    **\*.ppsm
    **\*.ppsx
    **\*.ppt
    **\*.pptm
    **\*.pptx
    **\*.ps1
    **\*.ps1xml
    **\*.psc1
    **\*.psd1
    **\*.psm1
    **\*.py
    **\*.pyc
    **\*.pyo
    **\*.scr
    **\*.sys
    **\*.tmp
    **\*.vb
    **\*.vbe
    **\*.vbs
    **\*.vbscript
    **\*.wcm
    **\*.wpm
    **\*.ws
    **\*.wsf
    **\*.wsh
    **\*.xlam
    **\*.xlm
    **\*.xls
    **\*.xlsb
    **\*.xlsb
    **\*.xlsm
    **\*.xlsx
    **\*.xlt
    **\*.xltm
    **\*.xltx
    
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
  7. Consider restricting Living off the Land Binaries as well, for a detailed list see: Endpoint Standard: Which Binaries Should Be Restricted to Help Mitigate LotL Attacks? 

Aggressive Ransomware Policy

Recommended for high-value targets or when experiencing an active ransomware attack as due to its restrictive nature the rule may generate a high number of blocks and/or alerts.

It is also recommended to leverage the “test rule” functionality prior to rolling this rule out into production, observing the number of hits, and carefully considering the impact on daily operations.

During the testing stage, prior to rollout, administrators may dismiss alerts with prevalence, after investigating the events and only when they’ve been deemed safe to dismiss.

This rule will add a default “deny-all” posture that prevents applications except for those that are specifically approved from performing ransomware-like behavior. 

This aggressive ransomware policy will require tuning to handle false positives generated by applications whose legitimate activity mimics ransomware operations, see steps below.
 

  1. Select Add application path
  2. Enter Application(s) at path
    **
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
NOTE: The advantage of the default deny policy is protection from ransomware behaviors that originate from compromised applications with a higher reputation (such as TRUSTED_WHITE_LIST) without enumerating all possible applications.

Additional Notes

Additional mitigation and prevention recommendations
Please perform extensive testing prior to implementing any changes in your environment

  • Consider VMWare Carbon Black's Managed Detection and Response offering as MDR provides 24/7/365 alert triage and threat containment by a team of highly experienced security experts, augmenting customer’s security teams and programs of all sizes and level of maturity
  • Do not expose services, such as RDP to the open internet
  • Patch and update operating systems to the latest versions
  • If a legacy/end-of-life operating system is required by the business to remain online, isolate those machines so they have no access to production endpoints and servers
  • Restrict access to USB unknown devices, by leveraging Carbon Black Cloud's blocking policies
  • Disable Microsoft's legacy Autorun functionality 
  • Implement Multi-Factor Authentication (MFA) on all VPN connections and email. 
  • Disable Server Message Block (SMB) protocol version 1, if absolutely needed, opt for SMBv 3.1.1
  • Block public-facing access to SMB by enforcing blocking rules at the peripheral firewall, ports 445, 137, 138, and 139 should not be exposed for access from the internet
  • Require Kerberos-based IPSec for lateral SMB communications
  • Implement robust password policies
  • Enforce lockout policies after a number of login attempts
  • Separate administrator accounts from user accounts
  • Disable macro scripts when MS Office files are transmitted via email
  • Disable Windows Script Host (WSH)
  • Implement Protective DNS (PDNS)
  • Restrict the use of PowerShell to only those users that require it via GPO
  • Disable execution of Powershell prior to version 5 as older versions do not offer improved logging such as Deep Script Block Logging or Over-the-Shoulder Transcription

For more information on best security practices for preventing ransomware, consider reviewing CISA's complete set of recommendations:

#StopRansomware Guide | CISA

Additional notes

  • VMWare Carbon Black recommends extensive testing prior to implementing policy changes into production. We suggest rolling out changes onto a small group of endpoints, leaving a few days between each group. Once false positives have been addressed, continue a gradual rollout by moving small groups of endpoints into the newly created policy. This method will facilitate addressing any new false positives as they are discovered.

Related Content


Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Author:
Creation Date:
‎04-23-2021
Views:
9831
Contributors