How CrowdStrike Falcon Protects Against Ransomware


Ransomware has become a problem everyone is dealing with. At CrowdStrike we recognize that this attack will continue to be a problem as long as it’s profitable and for that reason CrowdStrike has multiple prevention methods designed to stop this attack from multiple threat vectors. In this video we demonstrate a few of these attack vectors and the different ways CrowdStrike is built to stop them.

Read Video Transcript

How CrowdStrike Falcon Protects Against Ransomware

In this demo, we’re going to illustrate the different ways Falcon– CrowdStrike’s next generation endpoint protection solution– protects you against ransomware. We are going to see how Falcon uses multiple complementary methods, such as machine learning and indicators of attack, to block ransomware. And finally, we’ll see how Falcon blocks ransomware and does not even make use of executables, but runs via PowerShell script that attempts to load a process directly into memory. For our first attempt, we will enable machine learning detection in the Falcon UI on the configuration page. Also on this page are CrowdStrike’s IOAs– or indicators of attack– for detecting behavior associated with ransomware.

On the desktop, I have three different ransomware samples. To execute these, I’ll add the correct extension and then select Run. As I try to run each of these samples, I get a Windows permission error. This is Falcon not permitting the file to run.

In the console, we’ll refresh and notice that there are three new detections. Inspecting these detections, we see that they are blocked because of the machine learning algorithm that recognizes these files as malicious. We can also see that there are 45 other AV engines that detect this particular sample as malicious. We’ll mark these as true positive and go back to our configuration page. But what if ransomware manages to get by machine learning?

Falcon uses indicators of attack– or IOAs for short– to detect and block ransomware. To simulate that situation, I’ll disable machine learning and run the sample again. Looking at the documents on our desktop, we can see that no files seem to have been encrypted. This time in the Falcon UI, we see three alerts similar to last time. But upon further inspection, these blocks weren’t initiated by machine learning. They were stopped because they triggered an indicator of attack indicative of ransomware activity.

In the first sample, it was blocked because there was an attempt to delete backups. The next sample is associated with Locky. And then the last sample is associated with CryptoWall. If Falcon did not have IOAs or machine learning, the samples would have encrypted the files. There is a question that remains, however– what happens if there is no file to analyze? If the ransomware runs directly in memory?

Let’s explore this scenario– we’re going to use PowerShell to execute a sample, which is loaded into memory and doesn’t drop a file on the target. Again, the files on the desktop appear to be uneffected. In the UI, we have additional detections. And upon further inspection, we see that it was the behavior of malware that prevented the host from getting infected. It doesn’t matter if the thread is file or file lists– the behavior remains the same– as does Falcon’s ability to stop the threat.

We’ve seen how Falcon uses multiple complementary methods– such as machine learning and indicators of attack– to block ransomware. And finally, we’ve seen how Falcon can block [INAUDIBLE] ransomware. The profitability of ransomware has created a huge problem for organizations that are constantly under attack from this threat. CrowdStrike Falcon can help you solve this problem. For more information, or to take a test drive, check this out at



  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.

Visit the Tech Center