
Endpoint Standard: How To Enable Enhanced Ransomware Protection


Environment

Endpoint Standard (was CB Defense): All Versions
  • Carbon Black Cloud Sensor: 3.0 and above
  • Microsoft Windows: All Supported Versions
  • Apple MacOS: All Supported Versions

Objective

How to create Ransomware Prevention policy rules for sensor versions 3.0.x and above.

Resolution

In order to enable ransomware prevention, Standard or Aggressive ransomware policies must be defined. Enhanced ransomware prevention rules can be enabled based on reputation or application path. In every case, the operation "Performs ransomware-like behavior" must be selected.

Standard Ransomware Policies

To reduce the risk of ransomware with minimal false positive risk, add the following Blocking and Isolation policy rules.

  1. Log into the Carbon Black Cloud Console
  2. Go to Enforce > Policies
  3. Scroll down to the Blocking and Isolation section
  4. Select Edit (pencil icon) for PROCESS "Not listed application"
  5. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  6. Select ACTION "Terminate process"
  7. Select the Confirm button
  8. Select Save (top or bottom of the page)
  9. Select Edit (pencil icon) for PROCESS "Unknown application or process"
  10. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  11. Select ACTION "Terminate process"
  12. Select the Confirm button
  13. Select Save (top or bottom of the page)

Also consider blocking suspected malware, adware, or PUPs by adding the following rules to limit those applications' ability to ransom files.

  1. Select Edit (pencil icon) for PROCESS "Suspected malware"
  2. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  3. Select ACTION "Terminate process"
  4. Select the Confirm button
  5. Select Save (top or bottom of the page)
  6. Select Edit (pencil icon) for PROCESS "Adware or PUP"
  7. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  8. Select ACTION "Terminate process"
  9. Select the Confirm button
  10. Select Save (top or bottom of the page)

For stronger protection, consider adding application path rules for file extensions known to be leveraged in ransomware attacks.

  1. Select Add application path
  2. Enter Application(s) at path
    **\*.a3x 
    **\*.bat
    **\*.bin
    **\*.btm
    **\*.cmd
    **\*.com
    **\*.dll
    **\*.doc
    **\*.docb
    **\*.docm
    **\*.docx
    **\*.dotm
    **\*.exe
    **\*.js
    **\*.jse
    **\*.jsx
    **\*.pot
    **\*.potm
    **\*.potx
    **\*.ppam
    **\*.pps
    **\*.ppsm
    **\*.ppsx
    **\*.ppt
    **\*.pptm
    **\*.pptx
    **\*.ps1
    **\*.ps1xml
    **\*.psc1
    **\*.psd1
    **\*.psm1
    **\*.py
    **\*.pyc
    **\*.pyo
    **\*.scr
    **\*.sys
    **\*.tmp
    **\*.vb
    **\*.vbe
    **\*.vbs
    **\*.vbscript
    **\*.wcm
    **\*.wpm
    **\*.ws
    **\*.wsf
    **\*.wsh
    **\*.xlam
    **\*.xlm
    **\*.xls
    **\*.xlsb
    **\*.xlsm
    **\*.xlsx
    **\*.xlt
    **\*.xltm
    **\*.xltx
    
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
NOTE: PowerShell and Python are popular targets on Windows and Mac systems, but any command interpreter that can receive code as part of its command line is a potential source of malicious activity.
 

Aggressive Ransomware Policy

Recommended for high-value targets or when experiencing an active ransomware attack. Due to its restrictive nature, the rule may generate a high number of blocks and/or alerts.

It is also recommended to leverage the “test rule” functionality prior to rolling this rule out into production, observing the number of hits, and carefully considering the impact on daily operations.

During the testing stage, prior to rollout, administrators may dismiss alerts with prevalence, after investigating the events and only when they’ve been deemed safe to dismiss.

This rule will add a default "deny-all" posture that prevents applications, except for those that are specifically approved, from performing ransomware-like behavior.

This aggressive ransomware policy will require tuning to handle false positives generated by applications whose legitimate activity mimics ransomware operations; see the steps below.
 

  1. Select Add application path
  2. Enter Application(s) at path
    **
  3. Select OPERATION ATTEMPT "Performs ransomware-like behavior"
  4. Select ACTION "Terminate process"
  5. Select the Confirm button
  6. Select Save (top or bottom of the page)
NOTE: The advantage of the default deny policy is protection from ransomware behaviors that originate from compromised applications with a higher reputation (such as TRUSTED_WHITE_LIST) without enumerating all possible applications.
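The Standard and Aggressive rule sets above can be expressed as data and sanity-checked before they are entered in the console. The following is an added example, not code from the article or from VMware Carbon Black: it assumes the rule shape of the Carbon Black Cloud Policy Service API (application type/value, operation, action, required) and assumes the reputation enum names NOT_LISTED, RESOLVING, SUSPECT_MALWARE and PUP correspond to the four PROCESS choices in the steps above. It also deduplicates the extension list (the article lists .xlsb twice) and flags any ransomware rule whose action is not "Terminate process".

```python
"""Build and validate enhanced ransomware rules for a CBC policy (added example).

Rule dictionaries follow the assumed shape of the Carbon Black Cloud Policy
Service API: {"application": {"type", "value"}, "operation", "action", "required"}.
"""

RANSOM_OP = "RANSOM"      # OPERATION ATTEMPT "Performs ransomware-like behavior"
TERMINATE = "TERMINATE"   # the only action the sensor supports for RANSOM (no DENY)

# Assumed API names for the four reputation-based PROCESS choices in the article
STANDARD_REPUTATIONS = ["NOT_LISTED", "RESOLVING", "SUSPECT_MALWARE", "PUP"]

# Extension list copied from the article (note that xlsb appears twice there)
EXTENSIONS = """a3x bat bin btm cmd com dll doc docb docm docx dotm exe js jse
jsx pot potm potx ppam pps ppsm ppsx ppt pptm pptx ps1 ps1xml psc1 psd1 psm1
py pyc pyo scr sys tmp vb vbe vbs vbscript wcm wpm ws wsf wsh xlam xlm xls
xlsb xlsb xlsm xlsx xlt xltm xltx""".split()


def reputation_rule(reputation):
    return {"application": {"type": "REPUTATION", "value": reputation},
            "operation": RANSOM_OP, "action": TERMINATE, "required": True}


def path_rule(pattern):
    return {"application": {"type": "NAME_PATH", "value": pattern},
            "operation": RANSOM_OP, "action": TERMINATE, "required": True}


def standard_policy_rules(extensions=EXTENSIONS):
    """Reputation rules plus one '**\\*.<ext>' path rule per unique extension."""
    rules = [reputation_rule(r) for r in STANDARD_REPUTATIONS]
    seen = set()
    for ext in extensions:
        pattern = "**\\*." + ext.lower()
        if pattern not in seen:
            seen.add(pattern)
            rules.append(path_rule(pattern))
    return rules


def aggressive_policy_rules():
    """Default deny-all: a single '**' path rule terminating ransomware-like behavior."""
    return [path_rule("**")]


def validate(rules):
    """Return a list of problems: duplicate rules, or RANSOM rules not using TERMINATE."""
    problems, seen = [], set()
    for r in rules:
        key = (r["application"]["type"], r["application"]["value"], r["operation"])
        if key in seen:
            problems.append("duplicate rule: %r" % (key,))
        seen.add(key)
        if r["operation"] == RANSOM_OP and r["action"] != TERMINATE:
            problems.append("%r: RANSOM only supports TERMINATE, got %s" % (key, r["action"]))
    return problems
```

Running validate() on a rule set exported from a policy is a quick way to confirm that no ransomware rule was accidentally saved with a weaker action.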

Additional Notes

  • Enhanced Ransomware Detection: In the absence of any ransomware rules, Carbon Black Cloud (CBC) will default to ransomware detection mode.
  • In ransomware detection mode, CBC will only Allow and Log ransomware behavior. This means that CBC will flag potential ransomware as a high-level Threat on the "Potentially Suspicious Activity" widget of the CBC Dashboard, and there will be no policy enforcement on the endpoint.
  • When selecting "Performs ransomware-like behavior", the Deny action will be disabled. Simply denying ransomware access to the first file an application tries to encrypt would not prevent it from attempting future encryption operations. For performance and security, the only action supported is Terminate process.
  • VMware Carbon Black recommends extensively testing default deny policies on a single representative host before the policies are applied to production systems. After false positives have been appropriately addressed, perform a gradual rollout by moving small groups of endpoints into the policy. To address any new false positives that are discovered, leave a few days between each group of endpoints.
  • VMware Carbon Black recommends upgrading to 3.8.0.398 or higher, as it includes security efficacy enhancements that improve the prevention of ransomware attacks (DSEN-15830).

Article Information

Creation Date: 04-23-2021