How CrowdStrike Falcon Protects Against Ransomware
How CrowdStrike Falcon Host Protects Against Ransomware (UPDATED)
Hello, and welcome to this video where we're going to show you how Falcon Host, CrowdStrike's next generation endpoint protection solution, protects you against run ransomware. We're going to see how Falcon Host uses multiple complementary methods such as machine learning and indicators of attacks to block ransomware. And finally, we'll see how Falcon Host blocks ransomware that does not even make use of executables, but runs straight into memory.
Let's start with the ransomware sample. We can see that we are not able to execute it. And if we go to the Falcon Host console, we can see that the execution was blocked because it met one of the machine learning's algorithms threshold for malware.
But what if the ransomware manages to get by machine learning? That is always a possibility. That's why Falcon Host also uses indicators of attacks, or IOA for short, to detect and block ransomware. To simulate that situation, let's disable machine learning and try another sample.
Now let's execute another sample. You can see that it's run, but nothing happened. No file seems to have been encrypted.
But if we go back to the Falcon Host console, this time we don't see the machine learning alert, but we do see an indicator of attack indicative of ransomware activity-- in this case, an attempt to delete backups-- and was detected and blocked. If Falcon Host did not have IOAs, chances are the sample would have managed to encrypt the files.
But one question remains. What happens if there is no file to analyze, if the ransomware runs directly into memory? Let's explore this scenario by running the ransomware straight into memory. We're going to use PowerShell for that and execute the ransomware PowerShell script.
But first, let's show you that this type of ransomware does work. So let's go to an unprotected system and run the script. And now you can see that the script is run. And on the desktop, you can see the files being encrypted and then the originals being deleted.
Now let's move on to assist them protected by Falcon Host. Here, you can see that our script stops abruptly, and that the files on the desktop have remained unencrypted. So if we go back to the Falcon Host console and see what happens, we see that we don't have a hash value here because there was no file involved, but we can see the PowerShell command that was run. And we can see that the process tree and that the events matched another indicator of attack that is associated with ransomware, in this case, CryptoWall.
We've seen how Falcon Host uses multiple complementary methods, such as machine learning and indicators of attacks, to block ransomware. And finally, we've seen how Falcon Host blocks ransomware that does not even make use of executables, but runs straight into memory. Thank you for watching.