Countermeasures for common ransomware families
Last Modified: 2023-04-26 08:40:49 Etc/GMT
Technical Articles ID: KB96146
Environment: Endpoint Security (ENS) 10.x
Summary
This KB article aims to provide another layer of defense against a highly professional, for-profit malware industry that's constantly innovating and trying either to circumvent known security measures or to exploit unsecured or outdated systems.

NOTE: The rules detailed in the "Solutions" section below have proven effective at stopping or reducing the impact of many current and new variants of these threats. Before implementing the recommendations below, it's essential that you test the rules thoroughly to ensure their integrity and that no legitimate application, in-house developed or otherwise, is prevented from functioning in your production environment.

Problem
Threat actors continue to create ransomware variants and rework existing variants to get through security defenses. These new updates are constantly tested against security products. Vigilance is needed to prevail against ransomware because new variants keep emerging with similar behaviors. Targeting ransomware itself can be challenging because of the rapidly evolving landscape of new variants. The best approach to combating ransomware combines behavioral detection via JTI/ATP, Dynamic Application Containment (DAC), static and dynamic analysis via the Real Protect scanners, Exploit Prevention/Expert Rules, and Global Threat Intelligence (GTI) File Reputation. But it's always best to target entry vector threats to better bolster your security posture.

Solution 1
Fighting ransomware can be achieved through several security measures. The best measures you can put into place are proactive countermeasures that target entry vector threats. If you're successful in preventing these entry vector/first-stage threats, second and later stages of malware, such as ransomware, can be prevented. For recommendations on a layered security approach to preventing a successful breach from these entry vector threats, see KB91836 - Countermeasures for entry vector threats.
Solution 2
Access Protection rules can be another form of security that targets a ransomware's encrypted file extensions. By preventing the execution, write, delete, and so on of the encrypted file extension, the rules have a chance of breaking the encryption routine. But you can't block all ransomware encryption this way: a rule might end up deleting the file from the system altogether, or prevent the file from being renamed while it still becomes encrypted, among other unexpected outcomes. So use caution with this approach.
Solution 3
By identifying similar patterns of behavior within different variants, we've come up with some proactive rules for our Endpoint products: Endpoint Security (ENS) and Trellix Endpoint (formerly MVISION Endpoint). These rules are intended to effectively prevent the installation or the payload of historical, current, and evolving new variants of these threats. From internal Support testing, we've found the following ENS countermeasures effective against several types of ransomware attacks.

ENS Adaptive Threat Protection (ATP) JTI Rules
Enable or disable the settings for the rules below within the ePolicy Orchestrator (ePO) Server Settings under Adaptive Threat Protection. There are three different configurations: Productivity, Balanced, and Security. The changes made within Server Settings apply to rule group assignments in the ATP Options policy.
Rule ID 5: Use GTI URL reputation to identify trusted or malicious processes
Rule ID 239: Identify suspicious command parameter execution
Rule ID 240: Identify suspicious files with characteristics that have been predominantly seen in ransomware
Rule ID 255: Detect potentially obfuscated command-line parameters
Rule ID 263: Detect processes accessing suspicious URLs
Rule ID 300: Prevent office applications from starting child processes that can execute script commands
Rule ID 309: Block processes attempting to launch from Office applications
Rule ID 312: Prevent email applications, such as Outlook, from spawning script editors and dual use tool
Rule ID 313: Prevent text editors like Notepad and WordPad from spawning processes that can execute script commands in all rule group assignments
Rule ID 316: Prevent PDF readers from starting processes that can execute scripts in all rule group assignments
Rule ID 318: Prevent PDF readers from starting cmd.exe
Rule ID 319: Prevent cmd.exe from starting other script interpreters such as cscript or PowerShell in all rule group assignments
Rule ID 323: Prevent mshta from being launched as a child process
Rule ID 332: Prevent certutil.exe from downloading or decoding files with suspect extensions
Rule ID 341: Identify and block patterns being used in Ransomware attacks in security rule group assignments
Rule ID 342: Identify and block patterns being used in Ransomware attacks
Rule ID 502: Detect new service creation
Rule ID 513: Detect commands used for copying files from a remote system
Rule ID 517: Prevent actor process with unknown reputations from launching processes in common system folders

ENS Dynamic Application Containment (DAC)
DAC is triggered only if the reputation for the process meets the reputation criteria defined in the ATP Options policy. When a process is contained by DAC, it's subject to post-execution monitoring and any rules enabled within the DAC policy.
Rule: Disabling critical operating system executables
Rule: Modifying appinit DLL registry entries
Rule: Modifying Image File Execution Options registry entries
Rule: Modifying screen saver settings
Rule: Modifying startup registry locations
Rule: Reading files commonly targeted by ransomware-class malware
Rule: Suspending a process
Rule: Terminating another process
Rule: Reading from another process' memory
Rule: Writing to files commonly targeted by ransomware-class malware
NOTE: For best practices, see KB87843 - Dynamic Application Containment rules and best practices. As with Access Protection rules, test all DAC rules to prevent interruptions in your environment.

ENS Threat Prevention Anti-Malware Scan Interface (AMSI)
Enable integration with AMSI. AMSI provides enhanced script scanning. AMSI is a generic interface standard, provided by Microsoft, that allows applications and services to integrate with Threat Prevention, providing better protection against malware. AMSI is supported on Windows 10 and Windows Server 2016 (and later) systems. Use AMSI to enhance scanning for threats in non-browser-based scripts, such as

ENS Exploit Prevention
Signature 413: Suspicious Double File Extension Execution
Signature 428: Generic Buffer Overflow
Signature 6107: MS Word trying to execute unwanted programs
Signature 6108: Suspicious download string script execution
Signature 6113: Fileless Threat: Reflective Self Injection
Signature 6114: Fileless Threat: Reflective EXE Self Injection
Signature 6115: Fileless Threat: Reflective DLL Remote Injection
Signature 6116: Mimikatz LSASS Suspicious Memory Read
Signature 6117: Mimikatz LSASS Suspicious Memory DMP Read
Signature 6120: Fileless Threat: Process Hollowing
Signature 6121: Fileless Threat: Process Hollowing
Signature 6127: Suspicious LSASS Access from PowerShell
Signature 6131: Weaponized OLE object infection via WMI
Signature 6148: Malware Behavior: Windows EFS abuse
Signature 6153: Malware Behavior: Ryuk Ransomware activity detected
Signature 6155: Malicious Behavior: Directory Junction attempt detected

ENS Exploit Prevention Expert Rules
The Trellix Advanced Research Center
Detect_Suspicious_Usage_Of_VSSADMIN.EXE.md.txt
File_Block_Rclone

ENS Access Protection Default Rules
Creating new executable file in the Program Files folder
Creating new executable file in the Windows folder
Disabling registry editor and task manager
Doppelganger attack on processes
Executing mimikatz malware
Executing scripts by Windows Script Host
Remotely creating or modifying files or folders
Remotely creating or modifying PE, .INI and core system locations

Related Information
The following Trellix publications provide several data points on ransomware families as a whole:
Additional recommendations to defend against ransomware:
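As an added illustration (not Trellix code, and not how ENS evaluates its rules internally), the following Python models the parent/child and command-line patterns behind several of the Solution 3 rules (ATP 300/309, 316/318, 319, 332 and the vssadmin Expert Rule) and runs them over constructed process-creation events; the rule labels, image-name sets, extension list and sample events are all assumptions made for the example.

```python
# Added example (not Trellix code): a detection model of Solution 3 rule patterns.
import fnmatch
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}            # assumed set
PDF_READERS = {"acrord32.exe", "acrobat.exe"}                           # assumed set
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPECT_EXT = ("*.exe", "*.dll", "*.ps1", "*.vbs", "*.js", "*.hta", "*.bat")

@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent image name, lower case
    image: str    # child image name, lower case
    cmdline: str  # child command line as logged

def _has_suspect_ext(cmdline: str) -> bool:
    """True if any command-line token ends in an extension from SUSPECT_EXT."""
    return any(fnmatch.fnmatch(tok.strip('"').lower(), pat)
               for tok in cmdline.split() for pat in SUSPECT_EXT)

# (label, predicate) pairs modelled on the rule IDs named on the page
RULES = [
    ("ATP 300/309: Office app spawning script host",
     lambda e: e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS),
    ("ATP 316/318: PDF reader spawning script host or cmd.exe",
     lambda e: e.parent in PDF_READERS and e.image in SCRIPT_HOSTS),
    ("ATP 319: cmd.exe spawning another script interpreter",
     lambda e: e.parent == "cmd.exe" and e.image in {"cscript.exe", "wscript.exe", "powershell.exe"}),
    ("ATP 332: certutil decoding/downloading a suspect file",
     lambda e: e.image == "certutil.exe"
               and any(f in e.cmdline.lower() for f in ("-decode", "-urlcache"))
               and _has_suspect_ext(e.cmdline)),
    ("Expert rule: vssadmin deleting shadow copies",
     lambda e: e.image == "vssadmin.exe"
               and fnmatch.fnmatch(e.cmdline.lower(), "*delete*shadows*")),
]

def evaluate(events):
    """Return (rule label, event) for every rule each event trips, in input order."""
    return [(label, ev) for ev in events for label, pred in RULES if pred(ev)]

# Constructed sample events (not real telemetry); the second and last are benign
SAMPLE_EVENTS = [
    ProcEvent("winword.exe", "powershell.exe", "powershell -File macro.ps1"),
    ProcEvent("explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcEvent("cmd.exe", "cscript.exe", "cscript //nologo run.vbs"),
    ProcEvent("cmd.exe", "certutil.exe", "certutil -decode payload.txt drop.exe"),
    ProcEvent("cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("services.exe", "certutil.exe", "certutil -verify cert.cer"),
]
```

Running `evaluate(SAMPLE_EVENTS)` flags four of the six events and leaves the benign Word launch and certificate verification untouched, which is the tuning exercise the NOTE in the Summary asks for before rules go into production.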