Analyzing an Anti-Ransomware threat

This document provides a structured approach for analyzing and responding to a suspected ransomware intrusion using Endpoint Central's Anti-Ransomware feature. Swift and accurate analysis is crucial to identify the true nature of an intrusion and to mitigate risks effectively.

Why did you receive this alert?

Endpoint Central's Ransomware detection engine has identified anomalous activity. It's essential to validate the intrusion before classification of the breach.

When did this intrusion happen?

Utilize the Anti-Ransomware tab for key information :

• The timing of the intrusion
• The number of alerts generated
• The number of affected devices
• Attack progress
• Option to categorize the intrusion as True/False Positive

How to analyze the received alert

Click the incident and access the Summary section to view crucial incident details.

For the first level of analysis:

• Verify the authenticity of the application signature to detect any potential tampering or unauthorized modifications.
• Confirm the validity of the SHA-256 value by cross-referencing it on VirusTotal to check for any indications of malicious activity.
• Retrieve information about the first infected device, including details and timestamp, to effectively track and analyze the incident.
• Leverage organizational and process details to assess the alert's credibility, distinguishing between true and false positives.
• The alert received can be further classified based on the configurations as:

Incident detected
Incident prevented
Incident blocked

 

Parameter	Detected Incident	Prevented Incident	Blocked Intrusion
Initial Status	Incident has been detected.	Incident has been successfully prevented.	Attempted intrusion has been blocked.
Urgency	Urgent attention is needed.	No immediate urgency, as the incident has been prevented.	Urgent attention may be needed, but the intrusion is blocked.
User Action Required	Investigate and label the intrusion as true/false positive.	Further analysis can be performed to enhance security.	Immediate user action may be required, as the intrusion is blocked.
Proactive Measures	Investigate and label the intrusion to ensure system security.	Enhance security measures based on additional analysis.	Prevent and block the intrusion, ensuring network stability.
Follow-up Action	Modify configurations to enable prevention/blocking in future incidents.	Investigate additional details to enhance security measures.	Monitor for any potential future incidents.
File Modifications	Restore the device to its pre-malware state if file modifications occurred.	None required	Restore the device to its pre-malware state if file modifications occurred.
System Stability	Potential impact on system integrity and security.	System security and stability are ensured.	System integrity and security are maintained.

 

• Expand the Incident Summary in the Alerts tab.

Gain granular insights by examining the process source, child processes, and command-line tools. Clicking a child process provides detailed information, including SHA value, image path, and command line details.

VirusTotal verification (true positive)

Validation through VirusTotal can affirm the hash as a true positive, offering conclusive evidence of malware attempting infiltration. VirusTotal conducts a comprehensive analysis using diverse antivirus scan engines to scrutinize files for potential threats. Upon verification, take proactive security measures by quarantining the infected device.

Proceed to quarantine the infected device.

VirusTotal verification ( unclear / no results )

Clicking VirusTotal may sometimes provide unclear or no results . In such cases, further investigation is required.

• Remotely access or manually check the affected device.
• Look for unusual disk activity, new accounts, signs of ransomware and file encryption.
• If it's a true positive, proceed with an incident response plan.
• If it's a false positive, refer to the guide on how to exclude false positives.