Execute and Exfiltrate

Updated on

One of the biggest concerns we see in the security space is ransomware; for good reason because of how costly and destructive this type of attack can be. Ransomware such as RYUK and Conti will attempt to distribute across the network and encrypt/destroy data for maximum impact. In recent years ransomware has shown a drastic increase in both commonality and the level of destruction on users' systems. This stage is often detrimental. 

6.1 Run the Attack

Embedded in PowerShell we have stripped the ransomware signature from this binary in order to highlight behavioral based ransomware protection. This imitates the situation of a zero-day ransomware attack. 

Run PowerShell command

  1. Run PowerShell with administrative privileges
  2. Change directories with command cd 'C:\Users\Public\Desktop\Ransomware Artifacts\'
  3. Run command Set-ExecutionPolicy Unrestricted 
  4. Run command .\ryuk.ps1 

Notice that prevention is applied. When we visit the Carbon Black console, we can dig further into how we saw ransomware-like behaviors to prevent this modified piece of ransomware.

6.2 Investigate

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

Analyze Scripts

Through our native AMSI scripting integration Carbon Black Cloud is uniquely able to analyze and prevent scripts prior to allowing the binary to execute in your environment, ultimately reducing your overall risk. Even while applying prevention administrators can still get visibility into what an attacker/attack was attempting to do.


Click into the alert triage of the first alert listed for more details. Check the time stamp to understand which alert is the one you just triggered.

Triage Observations


Scrolling down to the Observations we can expand details of events. We can see the associated ransomware-like behaviors.

Carbon Black preventative capabilities

Beyond AMSI scripting integration Carbon Black has robust ransomware preventative capabilities. Carbon Black NGAV/EDR can detect and prevent upon behaviors associated with ransomware. Those behaviors include detecting/preventing access of the master boot record, modification of volume shadow copies, and the encryption of data. Additionally, alongside the Carbon Black agent we deploy canary/decoy files to track and kill processes attempting to encrypt, modify or delete our files. We can apply prevention to anything exhibiting those behaviors, even something that is not listed or never seen before (like a zero-day). 

Previous Article Maintain and Manipulate
Next Article Contact us