Embedded in PowerShell we have stripped the ransomware signature from this binary in order to highlight behavioral based ransomware protection. This imitates the situation of a zero-day ransomware attack. 

1. Run PowerShell with administrative privileges
2. Change directories with command cd 'C:\Users\Public\Desktop\Ransomware Artifacts\'
3. Run command Set-ExecutionPolicy Unrestricted 
4. Run command .\ryuk.ps1 

Notice that prevention is applied. When we visit the Carbon Black console, we can dig further into how we saw ransomware-like behaviors to prevent this modified piece of ransomware.

We will now pivot to the Carbon Black Console to review information about the attack we just ran. If you are not currently on the Alerts page, navigate to Alerts using the left-hand menu. 

Through our native AMSI scripting integration Carbon Black Cloud is uniquely able to analyze and prevent scripts prior to allowing the binary to execute in your environment, ultimately reducing your overall risk. Even while applying prevention administrators can still get visibility into what an attacker/attack was attempting to do.

Click into the alert triage of the first alert listed for more details. Check the time stamp to understand which alert is the one you just triggered.

Scrolling down to the Observations we can expand details of events. We can see the associated ransomware-like behaviors.

Beyond AMSI scripting integration Carbon Black has robust ransomware preventative capabilities. Carbon Black NGAV/EDR can detect and prevent upon behaviors associated with ransomware. Those behaviors include detecting/preventing access of the master boot record, modification of volume shadow copies, and the encryption of data. Additionally, alongside the Carbon Black agent we deploy canary/decoy files to track and kill processes attempting to encrypt, modify or delete our files. We can apply prevention to anything exhibiting those behaviors, even something that is not listed or never seen before (like a zero-day).