In this article, you will learn everything you need to know about the Ransomware Encryption Protection (REP) module. REP has the purpose of detecting processes that encrypt files on the endpoint with malicious intent.
1. Description
2. How does Ransomware Encryption Protection work?
3. HEIMDAL Agent - Ransomware Encryption Protection
4. Ransomware Encryption Protection view
5. Ransomware Encryption Protection settings
DESCRIPTION
Ransomware Encryption Protection is a revolutionary 100% signature-free solution that protects your devices against malicious encryption attempts initiated during ransomware attacks. Ransomware Encryption Protection extends the functionality of the traditional antivirus, becoming a solution capable of preventing and protecting your endpoints against any type of ransomware attack.
HOW DOES RANSOMWARE ENCRYPTION PROTECTION WORK?
Ransomware Encryption Protection operates on behavioral analysis (it triggers detections based on rules that mimic ransomware behavior) and processes kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events; the patterns themselves were derived by studying the behavior of actual ransomware. The engine allows approximately 3 average-size files to get encrypted before it gives the verdict that the process is suspicious (depending on the size of the files and the speed of the ransomware, more files could get encrypted; for example, ransomware could easily encrypt more than 3 files of 20 KB each). Once flagged, details about the suspicious process are gathered and sent to the HEIMDAL servers. These details include the process command line arguments, the network connections (IP address and port), the read/write operation count at the moment of detection, and the process tree from the suspicious process with trace-back to the root process.
The Ransomware Encryption Protection module is based on the new Windows service called Heimdal Insights. The service is responsible for permanently scanning the active processes and mapping out each process action, as well as searching for encryption patterns in the running processes. The Heimdal Insights service runs only if the module is enabled in the Group Policy. If REP is disabled in the Group Policy, the Heimdal Insights service will be present but will not run.
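To make the detection flow above concrete, here is an added illustration (not Heimdal's code; the real engine's rules are not published) of the same idea: consume a stream of kernel-style file events, flag a process once roughly three files it has read are overwritten with ciphertext-like data, and capture the read/write counts and the process tree at the moment of the verdict. The event format, the entropy cutoff and the sample events are all constructed for the example.

```python
import math
from collections import Counter, defaultdict

FILE_THRESHOLD = 3   # page: roughly three files may be encrypted before a verdict
ENTROPY_LIMIT = 7.0  # bits/byte; assumed cutoff separating ciphertext from documents

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def process_tree(pid, parents):
    """Trace a PID back to the root through the parent map (stops at 0 or unknown)."""
    chain = [pid]
    while parents.get(chain[-1], 0):
        chain.append(parents[chain[-1]])
    return chain

def analyse(events, parents, threshold=FILE_THRESHOLD):
    """events: (pid, op, path, payload). Returns {pid: detection details}."""
    reads = defaultdict(set)       # files each process has read
    encrypted = defaultdict(set)   # files read, then overwritten with ciphertext
    ops = defaultdict(Counter)     # per-process operation counts
    verdicts = {}
    for pid, op, path, payload in events:
        if pid in verdicts:
            continue               # already flagged; REP would have blocked it here
        ops[pid][op] += 1
        if op == "read":
            reads[pid].add(path)
        elif op == "write" and path in reads[pid] and entropy(payload) >= ENTROPY_LIMIT:
            encrypted[pid].add(path)
        if len(encrypted[pid]) >= threshold:
            verdicts[pid] = {"files": sorted(encrypted[pid]),
                             "reads": ops[pid]["read"], "writes": ops[pid]["write"],
                             "tree": process_tree(pid, parents)}
    return verdicts

# Constructed sample: PID 1234 (child of 900, child of 4) rewrites documents in place
# with ciphertext; PID 77 is a backup tool that copies the same files as plain text.
CIPHER = bytes(range(256)) * 4
PLAIN = b"quarterly report, plain text" * 40
PARENTS = {1234: 900, 900: 4, 4: 0, 77: 4}
EVENTS = [(1234, "enum", r"C:\Users\a\Docs", None)]
for i in range(4):
    f = rf"C:\Users\a\Docs\doc{i}.docx"
    EVENTS += [(1234, "read", f, None), (1234, "write", f, CIPHER),
               (77, "read", f, None), (77, "write", rf"D:\backup\doc{i}.docx", PLAIN)]

if __name__ == "__main__":
    for pid, details in analyse(EVENTS, PARENTS).items():
        print(pid, details)
```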
HEIMDAL AGENT - RANSOMWARE ENCRYPTION PROTECTION
The HEIMDAL Agent displays information about the Found Detections, the Total Processes and the Latest Detection time.
The Ransomware Encryption Protection section includes information about the number of detections, the Process Name, the PID, the Owner, the Date and the Status.
RANSOMWARE ENCRYPTION PROTECTION VIEW
The Ransomware Encryption Protection view displays all the information collected by the HEIMDAL Agent running on the endpoints in your organization. The collected information refers to the processes intercepted by the HEIMDAL Agent engine. At the top, a statistic shows the number of Detections Found.
The collected information is placed in the following views: Endpoint Detections, Hostname/Detections, and Cloud Detections.
- Endpoint Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and exclude them or add them to storage.
In the Process Name column, you can click on the hamburger menu to access VirusTotal (to get a detailed VirusTotal analysis), the Forensic details (to get the Process details) or copy the file path to the clipboard. The Statuses can be Blocked (when a process is intercepted and blocked at REP level) or Detected (when the process is intercepted and reported in the HEIMDAL Dashboard because Reporting mode is enabled). Please be aware that we have a retention policy of 90 days in place for the REP entries. That means that all the entries from the Endpoint Detections view older than 90 days will be removed.
- Hostname/Detections
This view displays a table with the following details: Hostname, Username, Number of Matches.
- Cloud Detections
This view displays a table with the following details: Email, AD Groups, Number of affected files, User's session revoked, and Timestamp. This view is populated if Ransomware Encryption Protection for Cloud is enabled.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and pressing the Exclude and Apply buttons from the dropdown menu. This opens a modal that allows you to exclude the file(s) on one, multiple, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Allowed or Blocked detections.
RANSOMWARE ENCRYPTION PROTECTION SETTINGS
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The product processes kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events; the patterns themselves were derived by studying the behavior of actual ransomware. The engine allows 3 files to get encrypted before it gives the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module;
General Settings
Reporting mode - enabling it will report the processes detected by Ransomware Encryption Protection without blocking them;
Agent Balloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected;
Agent Balloon Notification Persistence - this feature will allow you to see the agent balloon notification until you close it.
Isolate on Tamper Detection - allows you to turn ON/OFF the isolation feature when a Tamper Detection is being made. When enabled, it will ensure the Firewall product/service is enabled and that the endpoint where this behavior is being observed will be isolated from the network (thus, preventing lateral movement). For the functionality to work, you need to have the Next-Gen Antivirus & MDM and Firewall products/services licensed, and, even if the Firewall product is disabled, we will automatically activate it (otherwise the corresponding tick box will be grayed out/non-functional);
Device protection actions - a dedicated table will be displayed, in which the Dashboard user can select one or multiple actions (Isolate, Shutdown, or Logout) to be taken in case of detections occurring in either NGAV, Firewall, or REP modules.
IMPORTANT
In case Device protection actions is enabled and the Firewall module is disabled, the latter will be enabled automatically, as will the Endpoint isolation setting. If the Ransomware Encryption Detection module is disabled or the submodule is not licensed, the row inside the grid corresponding to Ransomware Encryption Detection will be disabled (not actionable). For the Firewall module, the only available protection action is Isolation, and it will be triggered after a minimum of 100 occurrences of public Brute Force Attacks. Disabling the newly added setting after a Group Policy update will trigger a toast message informing the dashboard user that disabling the Device protection actions feature will not disable the Firewall module and the Endpoint isolation setting.
In case multiple actions are selected for a module, these will be executed in order: Isolation first, followed by Shutdown and Logout, as the third action (depending on the combination of actions, in some scenarios, the Logout action will not be performed anymore).
Exclusions - allows you to exclude a filename, file path, directory path, MD5, or wildcard (*\MyFolder\*, *\MyFolder\*.exe, D:\*\MyFolder\*, D:\*\MyFolder\*.exe, *\Folder\app.exe, C:\Folder\*, C:\Folder\*\folder2\app.exe) from being blocked by the REP module. The Exclusions section has a Download button that will download a CSV Report with the exclusions list.
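Because an over-broad exclusion silently removes REP coverage, it is worth checking what a pattern actually covers before applying it. The following is an added helper (not Heimdal's matcher, whose exact semantics are not documented on this page) that evaluates sample paths against the wildcard forms listed above; it assumes that `*` matches any run of characters including backslashes, that matching is case-insensitive as Windows paths are, that an entry with no backslash and no wildcard is a bare file name, and that a plain directory path covers everything beneath it.

```python
import re

def exclusion_regex(pattern: str) -> "re.Pattern":
    # Assumed semantics: '*' spans any characters, including path separators,
    # so "*\MyFolder\*" covers a MyFolder directory at any depth on any drive.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def is_excluded(path: str, exclusions):
    """Return the first exclusion entry that covers `path`, or None."""
    name = path.rsplit("\\", 1)[-1]
    lowered = path.lower()
    for entry in exclusions:
        if "*" in entry:                                   # wildcard form
            if exclusion_regex(entry).match(path):
                return entry
        elif "\\" not in entry:                            # bare file name
            if name.lower() == entry.lower():
                return entry
        else:                                              # exact file path or directory path
            e = entry.lower().rstrip("\\")
            if lowered == e or lowered.startswith(e + "\\"):
                return entry
    return None

# Constructed exclusion list using the pattern forms the page lists.
EXCLUSIONS = [
    r"*\MyFolder\*.exe",
    r"D:\*\MyFolder\*",
    r"C:\Folder\*\folder2\app.exe",
    "backup.exe",
    r"C:\Tools",
]

# Constructed sample paths and which entry (if any) should cover each one.
SAMPLES = {
    r"C:\Users\x\MyFolder\tool.exe": r"*\MyFolder\*.exe",
    r"D:\data\MyFolder\notes.txt": r"D:\*\MyFolder\*",
    r"C:\Folder\a\b\folder2\app.exe": r"C:\Folder\*\folder2\app.exe",
    r"C:\Program Files\backup.exe": "backup.exe",
    r"C:\Tools\run.exe": r"C:\Tools",
    r"C:\Users\x\MyFolder\doc.txt": None,   # .txt on C: matches neither wildcard
    r"C:\Toolsmith\run.exe": None,          # prefix must end at a separator
}

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:40} -> {is_excluded(p, EXCLUSIONS)}")
```

Running it over a proposed exclusion list and the paths your endpoints actually write to shows which legitimate locations a pattern would take out of REP's scope.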