How to Prevent Ransomware with CrowdStrike Falcon Endpoint Protection

Introduction

CrowdStrike Falcon offers protection against ransomware. This feature becomes increasingly valuable as the popularity of ransomware continues to rise. Our approach with this feature is to actually stop ransomware from infecting a system and encrypting its files. We believe a prevention approach is absolutely necessary because decryption is often impossible, and because nobody wants to pay the ransom or restore from backups.

CrowdStrike uses its endpoint sensor to detect ransomware behaviors and then terminates the offending process before it can accomplish its goal of encrypting files. This is done using CrowdStrike Indicator of Attack (IoA) patterns on the endpoint. These work both online and offline, and are effective against new variants and polymorphic variants of ransomware that often bypass legacy antivirus signatures.

Video

Read Video Transcript

Prerequisites

In order to enable ransomware protection, the following requirements must be met:

• Client operating system: Windows 7 SP1 or higher
• Falcon config version: 3908 or higher

Step by step procedure to stop ransomware

Ransomware protection is enabled in Falcon by enabling three features.
1. Go to https://falcon.crowdstrike.com
2. Login to Falcon UI

login-screen

 

3. Navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable prevention for by clicking on the Policy Name.

Policy management page

There are multiple protection capabilities for ransomware in Falcon.  The next steps will highlight each technology.

4. Enable Machine Learning – Anti-Malware Sensor Configuration.  In this section the user is able to adjust detection and prevention for both File Attribution Analysis and File Analysis.  One thing that may not be immediately obvious, but makes sense, is that you’ll not be able to enable prevention at a higher setting than detection.  Select your desired settings and save any changes.

Cloud Machine learning options

 

5. On-sensor Machine Learning – On sensor ML provides protection when systems can’t be connected to the cloud, including protection against ransomware.  To make changes in this section start first by enabling the “Next-Gen Antivirus” toggle.  The remaining toggles will then become active and changes permitted.

On-sensor machine learning toggles

6. Suspicious Process Blocking – Falcon uses multiple detection capabilities to stop breaches not just machine learning or “artificial intelligence”.  One of these is being able to identify suspicious processes and stopping them.  This is useful in many types of malware and ransomware.  To enable scroll down past Machine Machine learning and find the “Malware Protection -Prevent Suspicious Processes”.

Suspicious model blocking

NOTE:  the “Custom Blocking” section allows IOCs to become block-able events.  If this toggle is not enabled they are detection events.

7. Behavior-Based Protection – Ransomware.  This section enables detection of ransomware based on behaviors.  We often refer to these as Indicators of Attack or IOA’s.  CrowdStrike can identify 100’s of different indicators of attack and stop them in their tracks.  Ransomware has some behavior that are fairly typical such as backup deletion and file encryption.  Using IOAs when these and other important contextual data is observed allows us to protect customers from ransomware even when other detection methods are bypassed.  To enable Ransomware Prevention continue to scroll down on the prevention policy page.  In the “Behavior-Based Prevention – Ransomware” section enable all toggles.

 

Ransomware Prevention Toggles

 

8. After enabling the features, click “save” in the upper right hand corner of the page to update all hosts in the policy.

Falcon will stop the execution of the ransomware, but this will be invisible to the end user. There is no end user messaging or client side user interface elements.   Validation that Falcon stopped the ransomware by looking in the admin console. Go into the Detections app and see an event near the top of the list. It will show that ransomware attempted to run and was stopped by Falcon.

locky-detection

 

Update: 5-15-2017 WannaCryptor

Wana (aka WanaCry) ransomware exploded onto the ransomware scene on 12 May 2017 with a mass campaign impacting organizations in many countries. This second variant of the ransomware has been leveraging the EternalBlue (MS-17010) vulnerability, released by the Shadow Brokers actors (see CSA-17082), in order to spread over victim networks via the Windows file sharing protocol, Server Message Block (SMB), following an initial infection. CrowdStrike Falcon offers protection for this variant through two types of coverage. Falcon has a Machine Learning layer (at the Moderate Level) and a Behavioral IOA layer (Suspicious Process). To ensure this ransomware is prevented, the Prevention Policies must be turned on (enabled).

CrowdStrike customers are protected against this ransomware variant with current technology in the CrowdStrike Falcon platform. Falcon’s advanced endpoint protection – with next-gen antivirus that incorporates machine learning augmented with behavioral analysis that looks for indicators of attack — detects suspicious behavior before an attack occurs. These prevention features block the WannaCry ransomware and keep it from executing and encrypting the target organization’s data.

4 technologies on the Falcon platform that stop WannaCry

Machine Learning in the Cloud

The broadest and easiest way to enable prevention of WannaCry in Falcon is to enable “Prevention” on the machine learning toggles.  To do this Navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable prevention for.  Scroll down to the “Machine Learning – Anti-Malware Sensor Configuration” section and enable Prevention to “moderate”.  By default your Detection settings must at least match your preventions settings.

Cloud Machine Learning Toggles

On Sensor Machine Learning

When systems are not connected to the internet, Falcon can still provide against WannaCry and other threats via the On-Sensor Machine Learning engine.  To enable on sensor machine learning again navigate to Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable.  Under the “Malware Protection – Anti-Malware Sensor Configuration” section enable the “On-sensor ML” protection to the moderate level.

On-sensor machine learning toggles

Suspicious Process Blocking

In addition to machine learning capabilities Falcon also provides protection via Suspicious Process Blocking.   When WannaCry executes and machine learning isn’t enabled there is an additional protection capability in place that will protect customers against infection.  Falcon identifies the processes associated with this variant of ransomware as suspicious and blocks it.  Enabling this capability is in the same section as machine learning; Configuration App –> Prevention Policies then select the policy or policies that you’d like to enable.  Under the “Malware Protection -Prevent Suspicious Processes” section and ensure the “Prevent Suspicious Process” toggle is enabled.

Suspicious model blocking

Behavior-Based Prevention

Finally, most ransomware has some predictable behavior.  We use this behavior to our advantage and provide protection capabilities in addition to machine learning.  On the same Prevention Policy page scroll down to “Behavior-Based Protection – Ransomware” and enable the toggles in this section.

Ransomware Prevention Toggles

 

Don’t forget to save your changes to push the new policy out to all the hosts.

Conclusion

It is possible to stop ransomware, and Falcon makes it easy for you to do this. By enabling the ransomware protection features, all endpoints protected by Falcon will be protected. This is possible because CrowdStrike offers Indicator of Attack (IoA) patterns for ransomware. This kind of protection ensures that protection is available both when the client is online and offline, and the patterns are more persistent and durable than antivirus signatures – so you don’t need to bother with daily updates. This approach ensures that the protection is both effective and easy to use.

More resources

To learn more about CrowdStrike Falcon and ransomware protection, please see the following resources:

 

Stop Breaches with CrowdStrike Falcon request a live demo