Setup Guide for Ransomware Protection

This document will give examples of how to setup monitors to protect servers with PA File Sight against ransomware using a variety of techniques.

In the examples below, we'll assume we're protecting the D:\ drive.

There are two parts to the document: Detection Methods, and Protection Responses.

Detection Methods

There are three methods for detecting active ransomware activity:

1. Heuristics - detect the pattern that ransomware has to use (read the file, write it back in an encrypted format, and then delete the original file). This is the most reliable option.

2. Honeypots - create a folder that users should never access, and if it is accessed, assume it is software misbehaving (ransomware)

3. Well known file extensions and filenames - people on the Internet have been keeping lists of how filenames are changed when files are encrypted, and PA File Sight can watch for those specific lists.

Protection Responses

Once a ransomware attack has been detected using the monitors above, it needs to be stopped as soon as possible. This is done by adding one or more action to the monitors.

All of the monitors above should have an Email action attached which alerts IT staff to the problem so they can investigate.

In addition, one or more of the following actions could be used to automatically respond which will be faster than waiting for IT staff to see an email. Some suggested responses are:

1. Add User to Blocked User List - automatically block the user from all access to all protected servers

2. Shutdown the Server - shutdown the file server to prevent any further harm

3. Stop a Service - stop a critical service, such as the Lanman Server service

4. Run External Program - you might have another process that you want to run that will perform protective actions