CrowdStrike Falcon offers protection against ransomware. This feature becomes increasingly valuable as the popularity of ransomware continues to rise. Our approach with this feature is to actually stop ransomware from infecting a system and encrypting its files. We believe a prevention approach is absolutely necessary because decryption is often impossible, and because nobody wants to pay the ransom or restore from backups.
CrowdStrike uses its endpoint sensor to detect ransomware behaviors and then terminates the offending process before it can accomplish its goal of encrypting files. This is done using CrowdStrike Indicator of Attack (IoA) patterns on the endpoint. These work both online and offline, and are effective against new variants and polymorphic variants of ransomware that often bypass legacy antivirus signatures.
In order to enable ransomware protection, the following requirements must be met:
• Client operating system: Windows 7 SP1 or higher
• Falcon Host config version: 3908 or higher
Step by step procedure to stop ransomware
Ransomware protection is enabled in Falcon Host by enabling three features.
1. Go to https://falcon.crowdstrike.com
2. Login to Falcon Host UI
3. Navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable prevention for by clicking on the Policy Name.
There are multiple protection capabilities for ransomware in Falcon. The next steps will highlight each technology.
4. Enable Machine Learning – Anti-Malware Sensor Configuration. In this section the user is able to adjust detection and prevention for both File Attribution Analysis and File Analysis. One thing that may not be immediately obvious, but makes sense, is that you’ll not be able to enable prevention at a higher setting than detection. Select your desired settings and save any changes.
5. On-sensor Machine Learning – On sensor ML provides protection when systems can’t be connected to the cloud, including protection against ransomware. To make changes in this section start first by enabling the “Next-Gen Antivirus” toggle. The remaining toggles will then become active and changes permitted.
6. Suspicious Process Blocking – Falcon uses multiple detection capabilities to stop breaches not just machine learning or “artificial intelligence”. One of these is being able to identify suspicious processes and stopping them. This is useful in many types of malware and ransomware. To enable scroll down past Machine Machine learning and find the “Malware Protection -Prevent Suspicious Processes”.
NOTE: the “Custom Blocking” section allows IOCs to become block-able events. If this toggle is not enabled they are detection events.
7. Behavior-Based Protection – Ransomware. This section enables detection of ransomware based on behaviors. We often refer to these as Indicators of Attack or IOA’s. CrowdStrike can identify 100’s of different indicators of attack and stop them in their tracks. Ransomware has some behavior that are fairly typical such as backup deletion and file encryption. Using IOAs when these and other important contextual data is observed allows us to protect customers from ransomware even when other detection methods are bypassed. To enable Ransomware Prevention continue to scroll down on the prevention policy page. In the “Behavior-Based Prevention – Ransomware” section enable all toggles.
8. After enabling the features, click “save” in the upper right hand corner of the page to update all hosts in the policy.
Falcon Host will stop the execution of the ransomware, but this will be invisible to the end user. There is no end user messaging or client side user interface elements. Validation that Falcon Host stopped the ransomware by looking in the admin console. Go into the Detections app and see an event near the top of the list. It will show that ransomware attempted to run and was stopped by Falcon Host.
Update: 5-15-2017 WannaCryptor
Wana (aka WanaCry) ransomware exploded onto the ransomware scene on 12 May 2017 with a mass campaign impacting organizations in many countries. This second variant of the ransomware has been leveraging the EternalBlue (MS-17010) vulnerability, released by the Shadow Brokers actors (see CSA-17082), in order to spread over victim networks via the Windows file sharing protocol, Server Message Block (SMB), following an initial infection. CrowdStrike Falcon Host offers protection for this variant through two types of coverage. Falcon Host has a Machine Learning layer (at the Moderate Level) and a Behavioral IOA layer (Suspicious Process). To ensure this ransomware is prevented, the Prevention Policies must be turned on (enabled).
CrowdStrike customers are protected against this ransomware variant with current technology in the CrowdStrike Falcon platform. Falcon’s advanced endpoint protection – with next-gen antivirus that incorporates machine learning augmented with behavioral analysis that looks for indicators of attack — detects suspicious behavior before an attack occurs. These prevention features block the WannaCry ransomware and keep it from executing and encrypting the target organization’s data.
4 technologies on the Falcon platform that stop WannaCry
Machine Learning in the Cloud
The broadest and easiest way to enable prevention of WannaCry in Falcon is to enable “Prevention” on the machine learning toggles. To do this Navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable prevention for. Scroll down to the “Machine Learning – Anti-Malware Sensor Configuration” section and enable Prevention to “moderate”. By default your Detection settings must at least match your preventions settings.
On Sensor Machine Learning
When systems are not connected to the internet, Falcon can still provide against WannaCry and other threats via the On-Sensor Machine Learning engine. To enable on sensor machine learning again navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable. Under the “Malware Protection – Anti-Malware Sensor Configuration” section enable the “On-sensor ML” protection to the moderate level.
Suspicious Process Blocking
In addition to machine learning capabilities Falcon also provides protection via Suspicious Process Blocking. When WannaCry executes and machine learning isn’t enabled there is an additional protection capability in place that will protect customers against infection. Falcon identifies the processes associated with this variant of ransomware as suspicious and blocks it. Enabling this capability is in the same section as machine learning; Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable. Under the “Malware Protection -Prevent Suspicious Processes” section and ensure the “Prevent Suspicious Process” toggle is enabled.
Finally, most ransomware has some predictable behavior. We use this behavior to our advantage and provide protection capabilities in addition to machine learning. On the same Prevention Policy page scroll down to “Behavior-Based Protection – Ransomware” and enable the toggles in this section.
Don’t forget to save your changes to push the new policy out to all the hosts.
It is possible to stop ransomware, and Falcon Host makes it easy for you to do this. By enabling the ransomware protection features, all endpoints protected by Falcon Host will be protected. This is possible because CrowdStrike offers Indicator of Attack (IoA) patterns for ransomware. This kind of protection ensures that protection is available both when the client is online and offline, and the patterns are more persistent and durable than antivirus signatures – so you don’t need to bother with daily updates. This approach ensures that the protection is both effective and easy to use.
To learn more about CrowdStrike Falcon Host and ransomware protection, please see the following resources:
- CrowdStrike Tech Center
- Sign up for a weekly Falcon demo
- Request a 1:1 Demo
- Guide to AV Replacement
- CrowdStrike Products
- Falcon OverWatch
How CrowdStrike Falcon Host Protects Against Ransomware (UPDATED)
Hello, and welcome to this video where we’re going to show you how Falcon Host, CrowdStrike’s next generation endpoint protection solution, protects you against run ransomware. We’re going to see how Falcon Host uses multiple complementary methods such as machine learning and indicators of attacks to block ransomware. And finally, we’ll see how Falcon Host blocks ransomware that does not even make use of executables, but runs straight into memory.
Let’s start with the ransomware sample. We can see that we are not able to execute it. And if we go to the Falcon Host console, we can see that the execution was blocked because it met one of the machine learning’s algorithms threshold for malware.
But what if the ransomware manages to get by machine learning? That is always a possibility. That’s why Falcon Host also uses indicators of attacks, or IOA for short, to detect and block ransomware. To simulate that situation, let’s disable machine learning and try another sample.
Now let’s execute another sample. You can see that it’s run, but nothing happened. No file seems to have been encrypted.
But if we go back to the Falcon Host console, this time we don’t see the machine learning alert, but we do see an indicator of attack indicative of ransomware activity– in this case, an attempt to delete backups– and was detected and blocked. If Falcon Host did not have IOAs, chances are the sample would have managed to encrypt the files.
But one question remains. What happens if there is no file to analyze, if the ransomware runs directly into memory? Let’s explore this scenario by running the ransomware straight into memory. We’re going to use PowerShell for that and execute the ransomware PowerShell script.
But first, let’s show you that this type of ransomware does work. So let’s go to an unprotected system and run the script. And now you can see that the script is run. And on the desktop, you can see the files being encrypted and then the originals being deleted.
Now let’s move on to assist them protected by Falcon Host. Here, you can see that our script stops abruptly, and that the files on the desktop have remained unencrypted. So if we go back to the Falcon Host console and see what happens, we see that we don’t have a hash value here because there was no file involved, but we can see the PowerShell command that was run. And we can see that the process tree and that the events matched another indicator of attack that is associated with ransomware, in this case, CryptoWall.
We’ve seen how Falcon Host uses multiple complementary methods, such as machine learning and indicators of attacks, to block ransomware. And finally, we’ve seen how Falcon Host blocks ransomware that does not even make use of executables, but runs straight into memory. Thank you for watching.