Predictive Ransomware Protection

The Cybereason platform also contains Predictive ransomware protection. This new type of ransomware protection uses a multi-layered detection mechanism to identify typical ransomware behavior and prevent unknown strains of ransomware.

Predictive ransomware protection is an NGAV feature, and is not available to EDR-only customers.

Because every ransomware is essentially malware, the Cybereason platform NGAV modules—including signature-based detection, Artificial Intelligence analysis, Behavioral document protection, Fileless protection, and more—can detect and prevent ransomware. To enhance this protection, Cybereason now offers Predictive ransomware protection, an additional behavioral engine that provides a new protection layer. Predictive ransomware protection monitors specific behaviors of the ransomware, and prevents the ransomware from executing, regardless of the medium that the ransomware used to infiltrate the system.

Predictive ransomware protection is supported on Windows machines. For details, see Endpoint machine prevention features.

Note

In heavily loaded Windows Server environments, Predictive ransomware protection may increase resource demand and degrade sensor performance, which can degrade overall server performance. In such environments, we recommend using the Canary Files-based Anti-Ransomware instead.

To learn how to configure Predictive ransomware protection, see Set the Predictive Ransomware Protection Levels.


How Predictive ransomware protection works

The Predictive ransomware protection feature consists of four main components:

  • File encryption protection: When you enable Predictive ransomware protection, the Cybereason platform monitors relevant file operations, and performs sophisticated comparisons to determine whether the files were regularly modified or actually encrypted.

  • Volume Shadow Copy Service (VSS) protection: Detects and prevents types of ransomware that disable and delete shadow copies on Windows machines. This feature is disabled (set to Off) by default.

  • Rapid Recovery: Automatically restores the user’s encrypted files through the VSS, which allows the organization to access files that were backed up in various scenarios. To configure this feature, see Enable Rapid recovery.

    Note

    Rapid recovery is supported on local drives on the endpoint machine.

  • Master Boot Record (MBR) protection: Allows organizations to protect their endpoints against bootkits and respond early in the attack lifecycle, even before the attacker attempts to encrypt the files. This feature protects against all bootkit attacks, including ransomware attacks. This feature is disabled (set to Off) by default.

Predictive ransomware protection monitors all relevant file events on the endpoint, and performs the following checks:

  1. The Cybereason platform monitors all relevant file events for all processes, to identify activity that might indicate a ransomware attack.

  2. For each relevant process, the Cybereason platform checks whether the process is encrypting the file. The Cybereason platform compares the state of the file before and after the file was edited against a number of file characteristics, and determines whether the file was modified as part of a regular user operation, or whether the modification was an actual encryption.

  3. To determine whether the process is behaving like ransomware, the Cybereason platform checks whether a defined number of files were encrypted over a defined period of time, across a defined number of different file extensions. These numbers change according to the sensitivity level. For more information, see Set the Predictive ransomware protection sensitivity level.
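The three-step check above (monitor file writes, decide whether each write is an encryption rather than an ordinary edit, then apply a per-process threshold over a time window and a number of distinct extensions), as an added illustration that is not Cybereason's code. The entropy-and-overlap heuristic, the sensitivity thresholds, the process ID and the sample document are all constructed assumptions, not the platform's real comparison or its real sensitivity values.

```python
import math
import random
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for documents."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(before: bytes, after: bytes) -> bool:
    """Assumed heuristic for the before/after comparison: a regular edit keeps low
    entropy and most bytes in place; an encrypted rewrite is near-random and new."""
    if shannon_entropy(after) < 7.0:
        return False
    common = min(len(before), len(after))
    same = sum(1 for x, y in zip(before, after) if x == y)
    return common == 0 or same / common < 0.1

SENSITIVITY = {  # constructed thresholds, not Cybereason's real sensitivity values
    "medium": {"files": 10, "window_s": 60, "extensions": 3},
    "high": {"files": 5, "window_s": 60, "extensions": 2},
}

class RansomwareDetector:
    def __init__(self, level: str = "medium"):
        self.cfg = SENSITIVITY[level]
        self.events = defaultdict(deque)  # pid -> deque of (timestamp, extension)

    def on_file_modified(self, pid: int, path: str, before: bytes, after: bytes, ts: float) -> bool:
        """Record one file write by pid; return True once pid crosses the ransomware threshold."""
        if not looks_encrypted(before, after):
            return False
        q = self.events[pid]
        q.append((ts, path.rpartition(".")[2].lower()))
        while q and q[0][0] < ts - self.cfg["window_s"]:
            q.popleft()  # drop encryptions that fell out of the sliding window
        exts = {ext for _, ext in q}
        return len(q) >= self.cfg["files"] and len(exts) >= self.cfg["extensions"]

SAMPLE_DOC = b"Quarterly report, section 1: revenue grew 4% year over year.\n" * 40  # constructed stand-in for a user's files

def simulate_encrypting_process(level: str, n_files: int, seed: int = 7) -> bool:
    """Constructed scenario: one process overwrites n_files documents with random bytes."""
    rng, det = random.Random(seed), RansomwareDetector(level)
    for i in range(n_files):
        blob = bytes(rng.getrandbits(8) for _ in range(len(SAMPLE_DOC)))
        path = f"C:\\Users\\alice\\Documents\\file{i}.{('docx', 'xlsx', 'pdf')[i % 3]}"
        if det.on_file_modified(4242, path, SAMPLE_DOC, blob, 1000.0 + i):
            return True  # threshold crossed: the platform would suspend the process here
    return False
```

Lowering the level to "high" fires after fewer files and extensions, while a process that keeps rewriting a single extension or spreads its writes beyond the window never crosses the threshold.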

Note

When Predictive ransomware protection is enabled, canary files are installed for two minutes after upload, and then disappear.

As soon as Ransomware protection detects a malicious process, the platform can automatically suspend the process and generate a Malop. The Malop details show whether the ransomware affected any user files, and how many user files the ransomware affected. In this scenario, Ransomware protection automatically suspends or prevents the process.

You can then perform additional remediation actions. If you enable Application Control, and mark the process for prevention from the Malop details screen or the Investigation screen, the Cybereason platform sends the hash of the ransomware to all endpoints across your installation and prevents the ransomware from executing in the future.

Kernel based protection

Modern ransomware attacks execute increasingly fast: current ransomware strains can encrypt files at a speed of 300-400 MB per second.

To address this risk, Predictive ransomware protection works at the kernel level, which allows the Cybereason platform to detect a ransomware attack significantly faster than the time it would take to detect manipulation of canary folders on different endpoint machines.

In addition, attackers are learning how to bypass decoy files, making the canary file solution less effective. While canary files may confuse endpoint users, Predictive ransomware protection is not visible to the endpoint user and works seamlessly behind the scenes.

Cybereason recommends that you upgrade to the most recent product version to leverage Predictive ransomware protection. To understand which type of ransomware protection you need to use according to your sensor version, see Ransomware protection types per version. For more information on the previous Anti-Ransomware solution based on canary files, see Anti-Ransomware Protection (Canary Files).

Protection for network and cloud-based drives

Some ransomware strains have evolved and target shared network and cloud drives in addition to local drives.

Predictive ransomware protection protects network and cloud-based drives by default. At this point, you cannot configure protection of network and cloud-based drives.

Note

When the Cybereason platform analyzes a cloud drive, the response time is slightly slower than the analysis of a local drive.

Network and cloud-based drive protection is valid only for network drives that are mapped on the endpoint. A mapped network drive:

  • Points to resources on your network or cloud storage drive.

  • Has a drive letter assigned like any other partition in your system.

From version 23.2.6x, Predictive Ransomware Protection can prevent ransomware in cases where another machine on the network that is not protected by Predictive Ransomware Protection attempts to execute the ransomware on a machine that is protected by Predictive Ransomware Protection (for example, through shared folders). In previous versions, this behavior was detected, but not prevented.

MalOp details for Ransomware MalOps

From version 23.1.124, for Ransomware MalOps, the MalOp Details screen presents information about the encryption process, encrypted files, prevention/remediation actions, and more, including:

  • Root cause: Ransomware behavior

  • Process information: The encrypting process and the original Ransomware process

  • Encrypted files: List of files (full path) that were encrypted by the Ransomware before it was blocked

  • Restored files: Which files were restored successfully and which were not

  • File information: The files of the encrypting process and the original Ransomware process

  • Network information: Network connections and DNS queries of the encrypting process and the original Ransomware process

  • Machine information: Machines the Ransomware was executed on

  • User information: The users associated with the execution of the encrypting process and the original Ransomware process

Ransomware protection types per version

The following table describes which type of ransomware protection you can use according to your Cybereason platform version.

Server version: 23.1.10x and higher

  • Protection type available: Predictive Ransomware Protection and Anti-Ransomware are both available by default in the Sensor Policy screen.

  • Sensor version usage notes: Predictive Ransomware Protection is recommended for sensors version 23.1.124 and higher. Older sensors should use Anti-Ransomware. Make sure to update your sensors to the latest version before enabling Predictive Ransomware Protection, to avoid endpoint compatibility issues.

Server version: 23.1.8x and lower

  • Protection type available: Anti-Ransomware is available in the Sensor Policy screen. To make Predictive Ransomware Protection available in this screen, contact Cybereason Support.

  • Sensor version usage notes: Predictive Ransomware Protection is recommended for sensors version 23.1.124 and higher. Older sensors should use Anti-Ransomware. Make sure to update your sensors to the latest version before enabling Predictive Ransomware Protection, to avoid endpoint compatibility issues.

Note

If Predictive Ransomware Protection and Anti-Ransomware are both enabled on the same sensor, the sensor will use Predictive Ransomware Protection.