In this article, you will learn everything you need to know about the Ransomware Encryption Protection module. REP has the purpose of detecting processes that encrypt files on the endpoint with malicious intent.
1. How does Ransomware Encryption Protection work?
3. HEIMDAL Agent - Ransomware Encryption Protection
4. Endpoint Detection - Ransomware Encryption Protection view
5. Endpoint Detection - Ransomware Encryption Protection settings
Ransomware Encryption Protection is a revolutionary 100% signature-free solution that protects your devices against malicious encryption attempts initiated during ransomware attacks. Ransomware Encryption Protection extends the functionality of the traditional antivirus, becoming a solution capable of preventing and protecting your endpoints against any type of ransomware attack.
HOW DOES RANSOMWARE ENCRYPTION PROTECTION WORK?
Ransomware Encryption Protection operates on behavioral analysis (it triggers detections based on rules that mimic ransomware behavior) and is processing kernel events for I/O reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow approximately 3-average-size files (depending on the size of the files and the ransomware speed, more files could get encrypted. For example, ransomware could easily encrypt more than 3 files sizing 20 KBs) to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the HEIMDAL servers. These details include the process command line arguments, the network connections (IP Address and Port), read/write operation count at the moment of detection, and as well the process tree from the suspicious process with trace-back to the root process. The Ransomware Encryption Protection module is based on the new Windows service called Heimdal Insights. The service is responsible for permanently scanning the active processes and mapping out each process action, as well as searching for encryption patterns in the running processes. The Heimdal Insights service will run only if the module is enabled in the Group Policy. If REP is disabled in the Group Policy, the Heimdal Insights service will be present but will not run.
HEIMDAL AGENT - RANSOMWARE ENCRYPTION PROTECTION
The HEIMDAL Agent displays information about the Found Detections, the Total Processes and the Latest Detection time.
The Ransomware Encryption Protection section includes information about the number of detections, the Process Name, the PID, the Owner, the Date and the Status.
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION view
The Endpoint Detection - Ransomware Encryption Protection view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected processes intercepted by the HEIMDAL Agent engine. On the top, you see a statistic regarding the number of Detections Found.
The collected information is placed in the following views: Latest Detections and Hostname/Detections.
- Latest Detections
This view displays a table with the following details: Hostname, Username, Process Name, Blocking Reason, PID, Owner, Status, and Timestamp. This view allows you to select one or multiple infected files and exclude it/them or add it/them to storage.
In the Process Name column, you can click on the process (or on the Forensics 'F' icon) to see the process details or you can click on the VirusTotal icon to get a detailed VirusTotal analysis. Please be aware that we have a retention policy of 90 days in place for the REP entries. That means that all the entries from the Latest Detections view older than 90 days will be removed.
This view displays a table with the following details: Hostname, Username, Number of Matches.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
Exclusions can be made by selecting one or more detections and by pressing the Exclude and Apply buttons from the dropdown menu. This will pop up the following modal that allows you to exclude the file(s) on one or multiple Group Policies, or all Group Policies. The detection(s) can be excluded by File Name, Folder Path, File Path or MD5:
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Allowed or by Blocked detections.
ENDPOINT DETECTION - RANSOMWARE ENCRYPTION PROTECTION settings
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The module is processing kernel events for IO reads, writes, directory enumeration, and file execution. Patterns are matched against the collected events after studying the same patterns that are being created by actual ransomware. The engine will allow 3 files to get encrypted until it will give the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module;
Reporting mode - enabling it will report the processes detected by Ransomware Encryption Protection without blocking them;
Agent Baloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected;
Isolate on Tamper Detection - allows you to turn ON/OFF the isolation feature when a Tamper Detection is being made. When enabled, it will ensure the Firewall product/service is enabled and that the endpoint where this behavior is being observed will be isolated from the network (thus, preventing lateral movement). For the functionality to work, you need to have the Next-Gen Antivirus & MDM and Firewall products/services licensed, and, even if the Firewall product is disabled, we will automatically activate it (otherwise the corresponding tick box will be grayed out/non-functional);
Exclusions - allows you to exclude a filename, file path, directory path, MD5, or wildcard (*\MyFolder\*, *\MyFolder\*.exe, D:\*\MyFolder\*, D:\*\MyFolder\*.exe, *\Folder\app.exe, C:\Folder\*, C:\Folder\*\folder2\app.exe) from being blocked by the REP module. The Exclusions section has a Download button that will download a CSV Report with the exclusions list.