Ransomware MalOps

There are multiple MalOps related to Ransomware:

  • The ‘Cybereason Threat Intelligence identified a loaded module as ransomware’ MalOp is triggered when a process loads a module identified as ransomware by Cybereason Threat Intelligence.

  • The ‘Cybereason Threat Intelligence identified an executable as Ransomware’ MalOp is triggered when the image file of a process is identified as ransomware by Cybereason Threat Intelligence.

  • The ‘Ransomware behavior’ MalOp is triggered when the process is found to be performing behavior indicative of ransomware, such as encrypting files, attempting to delete backups, and so forth.

Ransomware detections include behaviors seen in known ransomware or characteristics of known ransomware. The Cybereason platform detects instances where a file, process image file, or a module is classified as ransomware by threat intelligence and instances where processes exhibit behavior similar to ransomware.

These MalOps are part of the Verified group.

Malop Example

Supported OS for the ‘Cybereason Threat Intelligence identified an executable as Ransomware’ and ‘Cybereason Threat Intelligence identified a loaded module as ransomware’ MalOps: Windows, Mac OS, and Linux

Supported OS for the ‘Ransomware behavior’ MalOp: Windows

Examples of behavior that can trigger this MalOp:

  • Identification of a hash value for a file or module as ransomware by Cybereason Threat Intelligence

  • Ransomware behavior of processes, such as file encryption, shadow copy deletion, or Master Boot Record infection

In version 21.2.26x and later, the ‘Ransomware behavior’ MalOp displays a list of files affected by the ransomware. For example:

Malop Example - Affected Files

Next steps

  • Investigate the process, module, or file depending on what the detection was raised on

  • Adjust your Anti-Ransomware protection in your Security Profile and on the Sensors as needed to stop the files.

  • Remediate the file if it has been suspended on the machine.