
Encryption


Ransomware will attempt to encrypt critical files, databases and other valuable data while at the same time attempting to delete all available backups, so that it is difficult or impossible for the victim to restore the data.

Ransomware will attempt to avoid detection until the encryption process is complete and the victim is presented with the dreaded message explaining that only paying the ransom will restore access to the data. Fast detection of a Ransomware infection is therefore of utmost importance.

While detecting the actual encryption process in a timely fashion is difficult, extensive monitoring of the infrastructure can reveal that suspicious activity is underway and should be investigated as soon as possible. Detecting and responding early may help mitigate the damage.

Always make sure that backups of all critical data exist and cannot easily be tampered with; restore operations should be tested on a regular basis

Auditing access to important files and directories can reveal unusual patterns, such as a high rate of file read/write access

Unusual patterns in CPU usage may indicate that encryption is underway

EventSentry Benefits

File Auditing

Setting up NTFS Auditing for write access on critical files and monitoring for excessive activity can help detect Ransomware.
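As an added example (not EventSentry code), the following Python script implements the "excessive write activity" heuristic described above and in the auditing recommendation earlier on this page. It runs over a constructed sample of Windows Security event 4663 (object access) records rendered in a simplified one-line-per-event layout, counts WriteData accesses per process inside a sliding 60-second window, and flags any process whose peak count reaches a threshold. The line layout, process names, paths, window and threshold are assumptions made for the demonstration.

```python
"""Flag processes that write to many audited files within a short window.

Added example, not EventSentry code. Input is a constructed, simplified
one-line rendering of Windows Security event 4663 (object access) records:
<ISO timestamp> <event id> <process path> <access> <object path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (made-up paths and names): a user editing documents at a
# normal pace, and an unknown executable in a temp directory rewriting eight
# files within 14 seconds. One ReadData event shows that reads are ignored.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 4663 C:\\Windows\\explorer.exe WriteData C:\\Share\\report.docx
2024-05-01T10:00:05 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe ReadData C:\\Share\\report.docx
2024-05-01T10:00:07 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\report.docx
2024-05-01T10:00:09 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\budget.xlsx
2024-05-01T10:00:11 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\contract.pdf
2024-05-01T10:00:13 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\photo.jpg
2024-05-01T10:00:15 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\minutes.docx
2024-05-01T10:00:17 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\plan.pptx
2024-05-01T10:00:19 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\ledger.csv
2024-05-01T10:00:21 4663 C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe WriteData C:\\Share\\archive.bak
2024-05-01T10:03:00 4663 C:\\Windows\\explorer.exe WriteData C:\\Share\\notes.txt
2024-05-01T10:07:00 4663 C:\\Windows\\explorer.exe WriteData C:\\Share\\todo.txt
"""


def parse_event(line):
    """Split one constructed record into its fields; return None on malformed input."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, event_id, process, access, obj = parts
    try:
        return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
                "process": process, "access": access, "object": obj}
    except ValueError:
        return None


def find_write_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Return one alert per process whose peak number of WriteData events
    inside any `window`-long interval reaches `threshold`."""
    by_process = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["id"] == 4663 and ev["access"] == "WriteData":
            by_process[ev["process"]].append(ev)

    alerts = []
    for process, events in by_process.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end, ev in enumerate(events):
            # Slide the window start forward until events[start..end] fit in `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"process": process, "peak_writes": peak,
                           "files": sorted({e["object"] for e in events})})
    return alerts


if __name__ == "__main__":
    for alert in find_write_bursts(SAMPLE_EVENTS.splitlines()):
        print(f"{alert['process']}: {alert['peak_writes']} writes in one window "
              f"across {len(alert['files'])} files")
```

The threshold and window need tuning per environment: backup agents, indexers and build tools legitimately write in bursts, so a real deployment would whitelist known processes or weight the score by how many distinct files and extensions are touched rather than by raw write count alone.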


File Entropy

Since encrypted files tend to have a higher entropy than plain text files, alerting on high entropy can help detect Ransomware.
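An added example (not EventSentry code) of the entropy heuristic in Python: it computes the Shannon entropy of a byte string in bits per byte, classifies a sample against a threshold, and declines to judge very small inputs, where the measure is capped at log2(length) and therefore unreliable. The plaintext sample, the SHA-256-derived stand-in for ciphertext, the 256-byte minimum and the 7.5-bit threshold are assumptions made for the demonstration.

```python
"""Shannon entropy as a ransomware indicator. Added example, not EventSentry code."""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cutoff for this demo
MIN_SAMPLE_SIZE = 256          # assumed; an n-byte input cannot exceed log2(n) bits/byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold=HIGH_ENTROPY_THRESHOLD, min_size=MIN_SAMPLE_SIZE) -> str:
    """'high' when entropy reaches the threshold, 'low' otherwise, and
    'too-small' for inputs shorter than min_size, where a reading is noisy."""
    if len(data) < min_size:
        return "too-small"
    return "high" if shannon_entropy(data) >= threshold else "low"


# Constructed samples. PLAINTEXT is ordinary English text; CIPHERTEXT stands in
# for an encrypted file and is generated deterministically from chained SHA-256
# digests so the example runs offline with a repeatable result.
PLAINTEXT = (b"Quarterly report: revenue grew while costs stayed flat, "
             b"and the team shipped two releases on schedule.\n") * 40
CIPHERTEXT = b"".join(hashlib.sha256(b"demo-seed" + i.to_bytes(4, "big")).digest()
                      for i in range(128))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("ciphertext", CIPHERTEXT)):
        print(f"{name}: {shannon_entropy(blob):.2f} bits/byte -> {classify(blob)}")
```

Compressed and already-encrypted formats (archives, JPEG images, office documents that are ZIP containers) also score close to 8 bits per byte, so entropy works best combined with the other signals on this page, such as a burst of writes from one process or a change in file extension, rather than as a stand-alone alert.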