One of the biggest concerns we see in the security space is ransomware, and for good reason: this type of attack can be extremely costly and destructive. Ransomware families such as Ryuk and Conti attempt to spread across the network and encrypt or destroy data for maximum impact. In recent years ransomware has increased drastically in both frequency and the level of destruction it causes on users' systems. This stage of an attack is often the most damaging.
6.1 Run the Attack
The ransomware is embedded in a PowerShell script, and we have stripped the known ransomware signature from the binary so that this exercise highlights behavior-based ransomware protection rather than signature matching. This imitates a zero-day ransomware attack, for which no signature exists yet.
- Run PowerShell with administrative privileges (right-click and choose Run as administrator)
- Change directories with the command cd 'C:\Users\Public\Desktop\Ransomware Artifacts\'
- Run the command Set-ExecutionPolicy Unrestricted
- Run the command .\ryuk.ps1
Notice that prevention is applied. In the Carbon Black console we can dig further into the ransomware-like behaviors that were observed and used to prevent this modified piece of ransomware.
We will now pivot to the Carbon Black console to review information about the attack we just ran. If you are not already on the Alerts page, navigate to Alerts using the left-hand menu.
Through its native AMSI scripting integration, Carbon Black Cloud is uniquely able to analyze and prevent scripts before the binary is allowed to execute in your environment, reducing your overall risk. Even when prevention is applied, administrators still get visibility into what the attacker or attack was attempting to do.
Click into the alert triage for more details. Scroll down to the enriched events and expand the details for PowerShell to see the associated ransomware-like behaviors.
Carbon Black preventative capabilities
Beyond the AMSI scripting integration, Carbon Black has robust ransomware prevention capabilities. Carbon Black NGAV/EDR can detect and prevent based on behaviors associated with ransomware, including access to the master boot record, modification of volume shadow copies, and the encryption of data. Additionally, alongside the Carbon Black agent we deploy canary (decoy) files to track, and kill, processes that attempt to encrypt, modify, or delete them. Prevention can be applied to anything exhibiting those behaviors, even something that is not on any list and has never been seen before (such as a zero-day).
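As an added illustration of the canary-file approach described above (example code written for this page, not Carbon Black's own implementation), the Python script below deploys a few decoy files, records a content baseline, and then classifies what happened to each decoy: modified, encrypted (rewritten with bytes whose entropy is close to random), renamed, or deleted. The decoy names, the entropy threshold of 7.0 bits per byte, and the three simulated tampering actions applied to the temporary directory are assumptions; a real agent would additionally attribute each change to the process that made it and terminate that process.

```python
"""Canary (decoy) file monitor: an added example of behavior-based ransomware
detection. Not Carbon Black's code; names, threshold and verdicts are assumed."""
import hashlib
import math
import random
import tempfile
from pathlib import Path

# Assumed decoy names: plausible documents an encryptor would touch early.
DECOY_NAMES = ("budget_2023.xlsx", "passwords.txt", "contracts.docx")
# Assumed threshold: encrypted or compressed data approaches 8 bits per byte,
# while plain documents typically sit well below 7.
ENTROPY_ALERT = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def deploy_decoys(directory: Path) -> dict[str, str]:
    """Write decoy files and return a baseline of name -> SHA-256 of content."""
    baseline = {}
    for name in DECOY_NAMES:
        # Constructed, low-entropy text standing in for a real-looking document.
        content = (f"Constructed decoy content for {name}\n" * 20).encode()
        (directory / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline


def check_decoys(directory: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Compare the directory against the baseline and return name -> verdict
    for every decoy that was tampered with (untouched decoys are omitted).
    Verdicts: 'modified', 'encrypted', 'renamed', 'deleted'."""
    # Hash everything present so a renamed decoy (e.g. a new extension appended)
    # can still be matched by its content.
    present = {}
    for path in directory.iterdir():
        if path.is_file():
            present[hashlib.sha256(path.read_bytes()).hexdigest()] = path.name

    verdicts = {}
    for name, digest in baseline.items():
        path = directory / name
        if path.exists():
            data = path.read_bytes()
            if hashlib.sha256(data).hexdigest() == digest:
                continue  # untouched
            verdicts[name] = ("encrypted" if shannon_entropy(data) >= ENTROPY_ALERT
                              else "modified")
        elif digest in present:
            verdicts[name] = "renamed"
        else:
            verdicts[name] = "deleted"
    return verdicts


def simulate_and_check() -> dict[str, str]:
    """Deploy decoys in a temp dir, apply three constructed tampering actions and
    return the verdicts. The actions only touch files this function created."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = deploy_decoys(d)
        # Constructed stand-ins for the effects an encryptor has on files:
        # overwrite with random-looking bytes, rename with a new extension,
        # delete outright.
        (d / "budget_2023.xlsx").write_bytes(random.Random(1).randbytes(4096))
        (d / "passwords.txt").rename(d / "passwords.txt.locked")
        (d / "contracts.docx").unlink()
        return check_decoys(d, baseline)


if __name__ == "__main__":
    for decoy, verdict in simulate_and_check().items():
        print(f"ALERT canary {decoy}: {verdict}")
```

The entropy check is what separates an ordinary edit from an in-place encryption: a user saving a document keeps its bytes structured and low-entropy, whereas ciphertext is indistinguishable from random data. Matching renamed files by content hash lets the monitor recognise the common pattern of encrypting to a new file with an added extension and removing the original.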