Infocyte: ARR Ransomware Detection Policy and Rollback

Description

Example of Ransomware Detection and Rollback in action

We have created this video to demonstrate the Ransomware Detection with Rollback and File Recovery in action.

Creating The Ransomware Policies

  • On the Policies page, click Create Policy.


  • The Create Policy modal will open.
  • In the Type drop-down, select Ransomware Detection to set the kind of policy you are creating.
  • Enter a unique identifier for this policy in the Name field.
  • Input a short summary of the policy's purpose in the Description field.


  • Click Create to save your changes.

Editing Ransomware Policies

  • On the Policies page, click the name of the policy you'd like to edit.
  • The Edit Policy modal will open.


  • Populate or change the fields desired and then click Save.
  • Ensure you have selected the correct policy to enable as the Default Policy for your instance.
  • When you apply a policy at the organization level, it will automatically apply to all locations within that organization. After you apply it, you can refine its scope on a location-by-location basis.


Applying a Ransomware Policy

  • Navigate to the Organization or Location you are applying the policy to and click on Assign Policy.


  • In the first drop-down, select the type of policy you want to assign (Ransomware Detection); in the second drop-down, select the specific policy; then click Assign.



Important Information about the Ransomware Policy

  • Ransomware Detection - The detection engine looks for crypto-ransomware on endpoints by analyzing the behavior of file activity, rather than by matching known samples.
  • Host Isolation - If ransomware behavior is suspected, the agent automatically isolates the endpoint from all network connections except the EDR Portal, to contain the attack while keeping the host manageable.
  • Attempt to kill suspected ransomware process - The agent attempts to terminate the processes associated with the attack, reducing the number of files encrypted.
  • Shut Down Host - The EDR agent can automatically attempt to shut down the host in a ransomware event. If Host Isolation or Attempt to kill suspected ransomware process are also enabled, the agent attempts those steps first. If Host Isolation succeeds, the agent does not execute the shut-down response.
  • Enable Rollback and File Recovery - Deploys the rollback agent and the Rollback Driver Desktop application to all endpoints covered by your ransomware policy.
  • Ransomware Rollback currently supports Windows 10 and 11 operating systems only.
  • Ransomware Rollback is not recommended for use on database, domain controller, Exchange, or AD servers.
  • Ransomware Rollback does not track changes inside virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files (AVHDX, AVHD, VHD, VHDX, and VDI). Data that lives only inside such an image is not recoverable by rollback.
  • By default, Ransomware Rollback tracks changes on the operating system volume only. If you enable the option to track all disks, the rollback agent tracks changes on all internally mounted disks on the endpoint. Network shares and removable media are not tracked in either mode.
  • Exclude standard Windows folders - Excludes the following folders from tracking (this option cannot currently be disabled):
    • %SYSTEMDRIVE%\Windows
    • %SYSTEMDRIVE%\Program Files
    • %SYSTEMDRIVE%\Program Files (x86)
    • %SYSTEMDRIVE%\ProgramData
    • %SYSTEMDRIVE%\Users\*\AppData     (all AppData for all users on the system)
    • %SYSTEMDRIVE%\$WinREAgent     (Windows Update folder)
    • %SYSTEMDRIVE%\$.td     (Rollback agent data folder)
    • %SYSTEMDRIVE%\System Volume Information    (hidden folder used by Windows kernel)
  • Maximum tracking history - The maximum history window is 7 days. You can reduce it to suit your needs; files changed earlier than the window cannot be rolled back.
  • Cache size - The default cache size is relative: 5% of the disk size. If the cache fills before the history window elapses, the agent purges the oldest entries from history, so a host with heavy file churn effectively has a shorter rollback window than the configured maximum.
    • The minimum absolute cache size is 1 GB.
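The exclusion list, the virtual-disk exception, the OS-volume-only default and the cache sizing rule above decide whether rollback can actually recover a given file. The script below is an added example written for this page, not Infocyte's own tooling: it encodes those rules so an administrator can test the data paths that matter (file shares, PST locations, application data) before relying on rollback. The `track_all_internal_disks` flag name, the caller-supplied `internal_drives` list (the real agent detects internal disks itself) and the reading of "1G" as 1 GiB are assumptions; the sample paths are constructed.

```python
"""Rollback coverage check: which paths would the rollback agent protect?

Added example, not Infocyte code. It encodes the exclusion list, the
virtual-disk exception and the cache sizing rule from the policy page.
"""
from __future__ import annotations

import fnmatch
import ntpath

# Folders the policy always excludes from tracking, relative to %SYSTEMDRIVE%.
# "Users\*\AppData" is a glob: every user's AppData tree.
EXCLUDED_FOLDERS = [
    r"Windows",
    r"Program Files",
    r"Program Files (x86)",
    r"ProgramData",
    r"Users\*\AppData",
    r"$WinREAgent",
    r"$.td",
    r"System Volume Information",
]

# Virtual disk image types that rollback never tracks, on any volume.
VDISK_EXTENSIONS = {".avhdx", ".avhd", ".vhd", ".vhdx", ".vdi"}

ONE_GB = 1024 ** 3  # assumption: the page's "1G" minimum is read as 1 GiB


def effective_cache_bytes(disk_bytes: int, relative_pct: float = 5.0) -> int:
    """Cache the agent gets: the configured percentage of the disk, never below 1G."""
    return max(int(disk_bytes * relative_pct / 100), ONE_GB)


def _excluded_match(parts: list[str]) -> str | None:
    """Return the excluded-folder pattern covering a path's leading components, if any."""
    for pattern in EXCLUDED_FOLDERS:
        pat_parts = pattern.lower().split("\\")
        if len(parts) < len(pat_parts):
            continue
        # fnmatchcase treats '$', '.' and '(' literally; only '*' is a wildcard here.
        if all(fnmatch.fnmatchcase(p, q) for p, q in zip(parts, pat_parts)):
            return pattern
    return None


def is_tracked(
    path: str,
    system_drive: str = "C:",
    track_all_internal_disks: bool = False,      # assumed name for the "track all disks" option
    internal_drives: tuple[str, ...] = ("C:",),  # assumption: caller lists the internal volumes
) -> tuple[bool, str]:
    """Decide whether rollback would record changes to `path`, and why."""
    norm = ntpath.normpath(path).lower()
    drive, rest = ntpath.splitdrive(norm)
    if not drive:
        return False, "relative path; volume unknown"

    ext = ntpath.splitext(norm)[1]
    if ext in VDISK_EXTENSIONS:
        return False, f"virtual disk image ({ext}) is never tracked"

    if drive != system_drive.lower():
        if drive not in {d.lower() for d in internal_drives}:
            return False, f"{drive} is not an internal disk (network share or removable)"
        if not track_all_internal_disks:
            return False, f"{drive} is a non-OS volume and only the OS volume is tracked"
        return True, f"{drive} is an internal disk and all internal disks are tracked"

    parts = [p for p in rest.split("\\") if p]
    hit = _excluded_match(parts)
    if hit:
        return False, f"under excluded folder %SYSTEMDRIVE%\\{hit}"
    return True, "on the OS volume and outside every excluded folder"


def coverage_report(paths, **policy) -> dict[str, tuple[bool, str]]:
    """Run is_tracked over a list of paths under one policy configuration."""
    return {p: is_tracked(p, **policy) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real endpoint.
    sample = [
        r"C:\Users\alice\Documents\budget.xlsx",
        r"C:\Users\alice\AppData\Roaming\Outlook\mail.pst",
        r"C:\ProgramData\App\store.db",
        r"C:\Program Files (x86)\App\app.dll",
        r"C:\VMs\lab\disk.vhdx",
        r"D:\Shares\finance\ledger.xlsx",
        r"\\fileserver\share\report.docx",
    ]
    for policy in ({"track_all_internal_disks": False},
                   {"track_all_internal_disks": True, "internal_drives": ("C:", "D:")}):
        print(f"policy={policy}")
        for p, (ok, why) in coverage_report(sample, **policy).items():
            print(f"  {'TRACKED' if ok else 'NOT    '} {p}: {why}")
    gb = 1024 ** 3
    print(f"cache on 500 GiB disk: {effective_cache_bytes(500 * gb) // gb} GiB")
    print(f"cache on  10 GiB disk: {effective_cache_bytes(10 * gb) // gb} GiB")
```

Run it against the paths your users actually work in. Anything under AppData or ProgramData (Outlook PST files and many application databases live there), anything on a second volume under the default policy, anything on a network share, and anything inside a virtual disk image falls outside rollback and needs a backup-based recovery path; the cache figures show how little history a large, busy disk may really keep.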

Related Articles

  • MSS Managed Firewall Best Practice Configuration
  • NDR: Integration Guide
  • NDR: Windows Server Agent