Morning All
I've been giving some thought to ransomware of late. I feel that in large enterprises it's only a matter of time before you get an infected PC and probably some network data.
Thinking about network shares, from what I understand, ransomware will encrypt every single file it can access.
With regular backups every 2 hours, you would suddenly see a massive jump in the amount of data changed; could we set an alert for this?
I know it wouldn't stop infection, but it may help to know about it faster?
- Enthusiast
- Full Name: Paul Thomas
- Service Provider
- Full Name: Bastiaan van Haastrecht
- Location: The Netherlands
Re: Ransomware detection idea
I think a better place would be to monitor your file servers for "files open", as this amount would increase very rapidly when an encryptor hits a share. You could even write a session blockage if a set threshold is reached.
Also, file screening can help you in the prevention of ransomware: http://olivermarshall.net/using-file-sc ... ptolocker/
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
- Product Manager
- Full Name: Vladimir Eremin
Re: Ransomware detection idea
For now there is an alarm in Veeam ONE called "Possible ransomware activity" that gets triggered whenever there is an abnormal increase in both CPU usage and datastore write rate. Might be a good place to start with. Thanks.
- Veteran
- Full Name: Guido Meijers
Re: Ransomware detection idea
The ransomware alarm in Veeam ONE seems to be triggered (only?) by heavy write activity. We get alarms when saving bigger Excel files, doing database backups, replaying logs etc. After a while our guys tend to "ignore" these. For us, we went with file screening on the file servers and whitelisting all applications on the terminal servers, together with AV from Cylance. So far so good.
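To put the two heuristics from this thread side by side, here is an added example (not code from the thread, from Veeam ONE or from any poster): a write-rate signal counting bytes written per user in a sliding window, next to the "files touched" signal, counting distinct files one user modifies in that window. The events, user names, share paths and thresholds are constructed assumptions; the one large workbook save and the database backup trip the bytes signal while the mass rewrite of small documents trips only the file-count signal.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed file-server write events (timestamp, user, path, bytes); not real audit logs.
# "alice" saves one large workbook, "backup" writes one huge .bak, and "bob" rewrites 120
# documents inside a minute, which is the access pattern an encryptor leaves on a share.
T0 = datetime(2016, 4, 12, 9, 0, 0)
EVENTS = [
    (T0, "alice", r"\\fs01\finance\Q1.xlsx", 40_000_000),
    (T0 + timedelta(seconds=5), "backup", r"\\fs01\sql\db01.bak", 900_000_000),
] + [
    (T0 + timedelta(seconds=60 + i // 2), "bob", r"\\fs01\share\doc%03d.docx" % i, 50_000)
    for i in range(120)
]

WINDOW = timedelta(seconds=60)  # assumed window length


def sliding_windows(events, window):
    """Yield (user, distinct_files, total_bytes) for the trailing window ending at each event."""
    by_user = defaultdict(list)
    for ts, user, path, nbytes in events:
        by_user[user].append((ts, path, nbytes))
    for user, evs in by_user.items():
        evs.sort()
        files, total, start = Counter(), 0, 0
        for ts, path, nbytes in evs:
            files[path] += 1
            total += nbytes
            # Evict events that have fallen out of the trailing window.
            while ts - evs[start][0] > window:
                _, old_path, old_bytes = evs[start]
                files[old_path] -= 1
                if files[old_path] == 0:
                    del files[old_path]
                total -= old_bytes
                start += 1
            yield user, len(files), total


def alert_on_bytes(events, threshold=30_000_000, window=WINDOW):
    """Write-rate signal: users whose bytes written in any window reach the threshold."""
    return sorted({u for u, _, total in sliding_windows(events, window) if total >= threshold})


def alert_on_distinct_files(events, threshold=50, window=WINDOW):
    """Files-touched signal: users who modify at least `threshold` distinct files in one window."""
    return sorted({u for u, n, _ in sliding_windows(events, window) if n >= threshold})


if __name__ == "__main__":
    print("bytes-rate alerts:", alert_on_bytes(EVENTS))              # ['alice', 'backup']
    print("distinct-file alerts:", alert_on_distinct_files(EVENTS))  # ['bob']
```

Feeding real share audit records into `EVENTS` only requires the same four fields per write; the thresholds still need tuning against a baseline of normal activity on each share.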