Set the Predictive Ransomware Protection Levels

You update Predictive ransomware protection settings in a sensor policy.

To learn which ransomware protection type to use according to your sensor version, see Ransomware protection types per version. To configure the Anti-Ransomware protection solution using canary files, see Set the Canary File-Based Anti-Ransomware Modes.

For supported operating systems for Predictive ransomware protection, see Endpoint machine prevention features.

Set the Predictive ransomware protection mode

Predictive ransomware protection can detect, prevent, and quarantine ransomware on your organization’s endpoints, using behavioral techniques, depending on the mode you select:

Mode: Disabled (default)
Description: Predictive ransomware protection is disabled.
Recommendation: Not recommended. Can be used in cases where Predictive ransomware detection is not required.

Mode: Detect
Description: Predictive ransomware protection is enabled in detect-only mode. When ransomware is detected, a MalOp is generated, but no further action is taken.
Recommendation: Not recommended. Use for testing purposes only.

Mode: Prevent
Description: When ransomware is detected, a MalOp is generated, and the process is prevented from running on the same endpoint machine. In a scenario where the ransomware is running from a legitimate process or enabler process, the relevant threads are killed, and the process can still run.
Recommendation: Recommended.

Mode: Quarantine
Description: When ransomware is detected, a MalOp is generated, the process is quarantined, and the process is prevented from running in the system. In a scenario where the ransomware is running from a legitimate process or enabler process, the relevant threads are killed, and the process can still run.
Recommendation: Recommended.

Set the Predictive ransomware protection sensitivity level

You can configure the level of sensitivity that the Predictive ransomware protection uses to detect and prevent ransomware. The sensitivity levels determine whether the Predictive ransomware protection feature is triggered and whether to generate MalOps for suspicious processes. This is different from the Predictive ransomware protection mode, which determines how to handle the suspicious process.

Select one of the following options:

Sensitivity level: Cautious
Description: This is the setting with the lowest sensitivity. With this setting, more file encryption events are required before a MalOp is triggered, compared to the Recommended (default) option. As a result, the Cybereason platform detects the ransomware at a later stage.
When to use this setting: You want to detect processes that indicate ransomware behavior with a very low false positive rate. When you select this option, additional files may become encrypted before the Cybereason platform responds.

Sensitivity level: Recommended (default)
Description: This is the setting with the recommended sensitivity. With this setting, the Cybereason platform triggers MalOps for processes that indicate a ransomware attack with a high level of certainty. As a result, the Cybereason platform detects the ransomware at an early stage of the attack.
When to use this setting: You want to detect processes that indicate ransomware behavior, while streamlining analysis of the MalOps. With this setting, the Cybereason platform can detect ransomware quickly, and provide the best protection.

Sensitivity level: Aggressive
Description: Triggers MalOps for any processes that Cybereason determines are likely to indicate a ransomware attack.
When to use this setting: You want to detect a ransomware attack. You prefer to assess and analyze some false positives, as well as processes that are likely, but not certain, to be ransomware.

With Predictive ransomware protection, the Cybereason platform checks whether a defined number of files were encrypted over a defined period of time, across a defined number of different file extensions. These numbers are smaller for higher sensitivity levels. For example, if the sensitivity level is Aggressive, the Cybereason platform triggers Predictive ransomware protection when only a few files with the same file extension were encrypted over a relatively long period of time.

While you cannot tune each of these numbers specifically, the sensitivity level allows you to define how frequently the Cybereason platform triggers Predictive ransomware protection. Cybereason keeps monitoring the threat landscape and will update these MalOp trigger values if needed.
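To make the relationship between the sensitivity level and the trigger thresholds concrete, here is an added example. It is not Cybereason's code, and the threshold values are not the platform's actual values (which are not published); they are assumptions chosen only to reproduce the ordering this page describes. It keeps a per-process sliding window over constructed file-encryption events and reports the event at which a MalOp would be raised for each level. The event shape, the function names and both sample event sets are assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Threshold:
    min_files: int         # encrypted files seen inside the window
    min_extensions: int    # distinct original extensions among them
    window_seconds: float  # length of the sliding time window


# Assumed thresholds (not Cybereason's): lower sensitivity demands more
# evidence (more files, more extensions, a shorter window) before a MalOp.
SENSITIVITY = {
    "Cautious":    Threshold(min_files=20, min_extensions=3, window_seconds=30.0),
    "Recommended": Threshold(min_files=10, min_extensions=2, window_seconds=60.0),
    "Aggressive":  Threshold(min_files=4,  min_extensions=1, window_seconds=120.0),
}


@dataclass(frozen=True)
class EncryptEvent:
    ts: float   # seconds since the process started writing
    pid: int    # process that overwrote the file
    path: str   # original path of the file before it was encrypted


def extension_of(path: str) -> str:
    """Original extension without the dot, lower-cased ('' if none)."""
    return PureWindowsPath(path).suffix.lstrip(".").lower()


class SensitivityDetector:
    """Sliding window of encryption events per process; feed() returns True
    once the window satisfies the thresholds for the selected level."""

    def __init__(self, level: str):
        self.threshold = SENSITIVITY[level]
        self.windows = {}  # pid -> deque of recent events

    def feed(self, ev: EncryptEvent) -> bool:
        win = self.windows.setdefault(ev.pid, deque())
        win.append(ev)
        # Drop events that have fallen out of the time window.
        while ev.ts - win[0].ts > self.threshold.window_seconds:
            win.popleft()
        extensions = {extension_of(e.path) for e in win}
        return (len(win) >= self.threshold.min_files
                and len(extensions) >= self.threshold.min_extensions)


def first_trigger(level: str, events) -> Optional[int]:
    """Index of the event at which a MalOp would be raised, or None."""
    detector = SensitivityDetector(level)
    for i, ev in enumerate(events):
        if detector.feed(ev):
            return i
    return None


# Constructed sample 1: one process encrypting 24 user documents one second
# apart, cycling through three document types.
_TYPES = ["docx", "xlsx", "pdf"]
RANSOMWARE_SAMPLE = [
    EncryptEvent(ts=float(i), pid=4242,
                 path=rf"C:\Users\jon\Documents\report{i}.{_TYPES[i % 3]}")
    for i in range(24)
]

# Constructed sample 2: a bulk re-save of 12 photos that all share one
# extension. Only the Aggressive level flags it (a false positive to triage).
BULK_RESAVE_SAMPLE = [
    EncryptEvent(ts=float(i), pid=5150, path=rf"C:\Users\jon\Pictures\img{i}.jpg")
    for i in range(12)
]

if __name__ == "__main__":
    for level in SENSITIVITY:
        print(level, "ransomware:", first_trigger(level, RANSOMWARE_SAMPLE),
              "bulk re-save:", first_trigger(level, BULK_RESAVE_SAMPLE))
```

Running it shows the trade-off the two tables above describe: Aggressive raises a MalOp after the fourth encrypted document, Recommended after the tenth, Cautious after the twentieth, and only Aggressive fires on the single-extension bulk re-save.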

To show how the Predictive ransomware protection mode and sensitivity level work together, in an example scenario, the Predictive ransomware mode is set to Quarantine and the sensitivity level is set to Cautious:

  1. The Cybereason platform determines that the file indicates a ransomware attack with a very high level of certainty.

  2. Predictive ransomware protection is triggered, and the file is quarantined.

Configure Predictive ransomware protection options

You can also instruct the Cybereason platform to detect ransomware based on the following behaviors:

  • The ransomware attempts to delete shadow copies on the machine as part of its behavior.

  • The ransomware attempts to edit the Master Boot Record (MBR) on Windows machines.

  • The ransomware attempts to encrypt user files on the machine.

To enable Predictive ransomware protection features, follow these steps:

  1. In the Predictive ransomware protection screen, locate the Shadow copy option and set the toggle to On.

    This option enables the Cybereason platform to find ransomware that attempts to delete or manipulate the shadow copies on the machine as part of its pattern.

  2. In the Rapid recovery section, set the toggle to On.

    Note

    To use the Rapid recovery option, you must set the Predictive ransomware protection mode to Prevent or Quarantine.

    This option restores encrypted files. For more information, see Enable Rapid recovery.

  3. In the MBR section, set the toggle to On.

    This option enables you to find ransomware that attempts to edit the Master Boot Record (MBR) on Windows machines.

    Note

    If you need to install applications that edit the MBR, such as BitLocker, Cybereason recommends that you disable this option prior to the installation or enablement of the application. After you install or enable the application, you can enable this setting again.

Enable Rapid recovery

Predictive ransomware protection allows you to restore end-users’ encrypted files through the Volume Shadow Copy Service (VSS). In order to restore files from the VSS, the VSS service must be running on the user’s machine. To learn more about how VSS works, see the Microsoft VSS documentation. Please see our Legal Disclaimer.

Note

Rapid recovery is supported on local drives on the endpoint machine. Rapid recovery is also available if the ransomware is detected by Variant Payload Prevention.

Predictive ransomware protection creates the restored file in the same path as the encrypted file, and adds .restored to the original file name, before the file extension. For example, if the Jon.txt file was encrypted, Predictive ransomware protection creates a file named Jon.restored.txt.

In the MalOp details screen, all files restored by Predictive Ransomware Protection appear at the top of the Affected Files section, followed by the files that were not restored (starting from version 23.1.124). This helps you quickly identify the files that were successfully restored.

[Figure: Affected files]

To use the Rapid recovery option, you must set the Predictive ransomware protection mode to Prevent or Quarantine.

You can either use the Cybereason platform backup service to restore encrypted files, or you can integrate with a predefined VSS used in your organization. The Cybereason platform backup service is the default option.

Note

If you deactivate Rapid recovery, Cybereason does not automatically delete the shadow copies it has generated. You may choose to delete these manually.

To configure the Rapid recovery option:

  1. Select the backup type for encrypted files:

    • To use the Cybereason platform backup service, leave the Use Cybereason backup service option selected.

    • If your organization is using a backup service and you would like to continue using this service, select Use existing backup service.

  2. If the Use Cybereason backup service option is selected, you can optionally click Customize to edit the following backup options:

    • To change the maximum percentage of disk space the Cybereason backup service uses from the total disk space, click the arrows to select a value between 2% and 10%. The default value is 5%.

    • The Cybereason platform backs up all mapped drives by default. To define specific drives to back up, select Define specific drives, click Add New, and add drives in the format: F:\.

Note

If you select the Define specific drives option, the Cybereason platform does not back up any drives, except for the drives you add to the list. Make sure to add all relevant drives. In addition, you must add at least one drive for the backup to take effect.
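The rules in this section (Rapid recovery needs the Prevent or Quarantine mode, the Cybereason backup service uses 2% to 10% of disk with a 5% default, drives are typed as F:\, and at least one drive is required when Define specific drives is selected) are easy to get wrong when a policy is prepared outside the UI. The following Python is an added example, not Cybereason's code or API: it checks a policy expressed as a plain dict against those rules and lists every violation. The dict keys and the function name are assumptions for this example.

```python
import re

# A drive entry must be a drive letter, a colon and a backslash, e.g. F:\ (format from the page).
DRIVE_RE = re.compile(r"^[A-Za-z]:\\$")

VALID_MODES = ("Disabled", "Detect", "Prevent", "Quarantine")


def validate_rapid_recovery(policy):
    """Return a list of problems with the Rapid recovery options in a policy dict.
    An empty list means the settings are consistent with the rules on this page.
    The dict layout (mode, rapid_recovery.{enabled, backup, max_disk_percent,
    define_specific_drives, drives}) is an assumption for this example."""
    errors = []
    mode = policy.get("mode", "Disabled")
    if mode not in VALID_MODES:
        errors.append(f"mode: unknown value {mode!r}")

    rr = policy.get("rapid_recovery", {})
    if not rr.get("enabled", False):
        return errors  # toggle is Off: nothing else to check

    # Rapid recovery only takes effect in Prevent or Quarantine mode.
    if mode not in ("Prevent", "Quarantine"):
        errors.append(f"mode: Rapid recovery requires Prevent or Quarantine, not {mode}")

    backup = rr.get("backup", "cybereason")  # the Cybereason backup service is the default
    if backup == "existing":
        return errors  # organisation's own backup service: no further options here
    if backup != "cybereason":
        errors.append(f"backup: unknown value {backup!r}")
        return errors

    pct = rr.get("max_disk_percent", 5)  # default 5%, allowed 2% to 10%
    if not isinstance(pct, int) or not 2 <= pct <= 10:
        errors.append(f"max_disk_percent: {pct!r} is outside the 2-10 range")

    if rr.get("define_specific_drives", False):
        drives = rr.get("drives", [])
        if not drives:
            # Define specific drives with an empty list means nothing is backed up.
            errors.append("drives: add at least one drive when Define specific drives is selected")
        for d in drives:
            if not DRIVE_RE.match(d):
                errors.append(f"drives: {d!r} is not in the format F:\\")
    return errors


# Constructed policies for illustration.
GOOD_POLICY = {
    "mode": "Quarantine",
    "rapid_recovery": {
        "enabled": True,
        "backup": "cybereason",
        "max_disk_percent": 5,
        "define_specific_drives": True,
        "drives": ["C:\\", "D:\\"],
    },
}

BAD_POLICY = {
    "mode": "Detect",  # Rapid recovery has no effect in Detect mode
    "rapid_recovery": {
        "enabled": True,
        "backup": "cybereason",
        "max_disk_percent": 15,  # above the 10% maximum
        "define_specific_drives": True,
        "drives": ["E:"],  # missing the trailing backslash
    },
}

if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, validate_rapid_recovery(pol))
```

The check that catches the most damage in practice is the empty drive list: with Define specific drives selected and no drives added, the service backs up nothing, so the Rapid recovery toggle looks On while no files can be restored.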