Recommendations for Ransomware Protection with Capture Client
07/07/2021
Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers and can thus quickly paralyze an entire organization.
SonicWall Capture Client, powered by SentinelOne’s next-generation AV engine, provides advanced malware threat prevention for Windows, macOS and Linux machines against known and unknown malware threats that are file-based or fileless.
In this KB we will go through some of the key recommendations administrators should follow to deliver the best prevention, detection and response capabilities to their endpoints.
Capture Client offering
For optimal ransomware protection and response, we recommend that customers activate and deploy only Capture Client Advanced, which includes the ability to roll back endpoints. You can refer to the datasheet for the differences between the various Capture Client offerings.
SentinelOne (S1) Agent Deployment
Ensure that you are running the latest release offered by SonicWall (both Capture Client and S1 agents) to maximize protection and visibility on your endpoints. If you would like to stay up to date on the latest agents offered by SonicWall, we recommend that you bookmark this KB article.
Once the S1 agent is deployed, the endpoint must be rebooted as soon as possible to enable full functionality of the agent. Among other things, rebooting enables the behavioral engine that is required for detecting advanced threats, including fileless malware. Refer to this KB article for more details.
It is recommended to enable all engines to maximize protection with the least false positives. For more information on the engines that protect your endpoint, refer to this KB article.
For policies applied to Windows endpoints, Snapshots should be enabled under the engine settings to allow for Rollback of any endpoints where ransomware may have managed to encrypt some files. For more information on how Rollback works, please refer to this KB article.
If VSS has been manually disabled on your endpoints, you will need to manually enable it again to allow the creation of Snapshots for the Rollback function to be effective. This KB article calls out how to manually re-enable VSS on your Windows endpoints.
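The following PowerShell is an added example (not part of this KB or of SonicWall's tooling) showing how an administrator can confirm that the Volume Shadow Copy service is not disabled on a Windows endpoint, re-enable it, and inventory the shadow copies that Rollback depends on. It assumes an elevated PowerShell session on the endpoint and uses only built-in Windows cmdlets and the vssadmin utility.

```powershell
# Added example, not from the SonicWall KB: verify that the Volume Shadow Copy service (VSS)
# is not disabled on a Windows endpoint and re-enable it so Capture Client Snapshots and
# Rollback can work. Run in an elevated PowerShell session on the endpoint.

$svc = Get-Service -Name VSS
"VSS service: Status=$($svc.Status) StartType=$($svc.StartType)"

if ($svc.StartType -eq 'Disabled') {
    # Manual is the Windows default: the service starts on demand whenever a snapshot is requested.
    Set-Service -Name VSS -StartupType Manual
    "VSS startup type changed from Disabled to Manual"
}

# Prove the service can actually start (it will idle back to Stopped later; that is normal).
Start-Service -Name VSS
"VSS service is now: $((Get-Service -Name VSS).Status)"

# Inventory existing shadow copies per volume. Once the Snapshot setting is applied in the
# Capture Client policy, new entries should appear here; an empty list after the policy has
# been applied means Rollback has nothing to restore from and needs investigating.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName |
    Format-Table -AutoSize

# Confirm that each volume still has shadow storage allocated; snapshots need this space.
vssadmin list shadowstorage
```

Run this during the pilot on a few representative endpoints: a startup type of Disabled, or a shadow storage listing with no entries, explains why Rollback would have nothing to restore before an incident makes that discovery expensive.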
The best defense against ransomware is an aggressive security policy; apply these settings where your organizational policy allows for it.
This policy may trigger disruptions if you use 3rd party applications that may generate false positives. We recommend that you run a pilot in the environment with relevant exclusions configured to minimize these disruptions. See this KB article for recommendations on how to enable interoperability with known 3rd party applications.
Ensure that the Policy Mode is set to Protect for both Threats and Suspicious Events
Configure Rollback as the preferred automatic mitigation action – this will trigger a Kill & Quarantine of related processes, remediation of system changes and a rollback of the disk to the last available snapshot. (Note: Rollback is only available on Windows endpoints and relies on the Snapshot setting and the availability of the Windows Volume Shadow Copy Service (VSS).)
Enable the “Disconnect Network” switch to isolate any infected endpoints which will prevent lateral movement and further spread.
As an alternative, for environments that need a more balanced policy:
Ensure that the Policy Mode is set to Protect for Threats and to Capture ATP for Suspicious Events
Configure Kill & Quarantine as your minimum automatic containment actions
Establish processes and systems for rapid response to threats detected. See section on Threat Analysis and Response below.
Threat Analysis and Response
Enable alert and notifications for threats and suspicious detections to the 3rd party platform of choice – we support email notifications, as well as collection of events via APIs or via Syslog into multiple platforms.
Stop the Volume Shadow Copy (VSS) service on the affected endpoints.
a. If the service cannot be stopped locally, VSS Snapshots can be temporarily disabled via the Threat Protection policy.
b. This will prevent the SentinelOne agent from overwriting shadow copies that contain known good file backups used for recovery purposes. Data recovery from VSS will be impossible if all shadow copies with known good file backups are removed from the endpoint.
Disconnect the relevant endpoints from the network
Blacklist hashes identified as malicious – this can be done by applying the “Mark as Threat” action for detected threats or by proactively creating Blacklist entries in your policy.
Issue rollback commands to affected systems as soon as detections are noticed
Minimally, remediate the relevant threats. Rollback is the recommended mitigation option for ransomware.
Analyze threats to determine the source of the ransomware.
If you notice any Lateral Movement alerts, the IP address and the user account performing the attack will be displayed in the alert name.
Use the Local IP to identify the endpoint causing the lateral movement from the "Devices" section of the Capture Client Management Console.
If an endpoint is found, disconnect it from the network to stop it from spreading ransomware to additional endpoints.
If no agent is returned in the search, then the network should be checked for any unprotected systems, which should be disconnected.
Immediately reset the password of the displayed user account in the lateral movement detections.
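As an added example (not part of this KB and not SonicWall code), the PowerShell below carries out the endpoint-side parts of the response steps above: stopping VSS so known-good shadow copies are preserved, recording which shadow copies exist, locating the lateral-movement source when the console's Devices search returns no agent, and resetting the password of the account named in the alert. The $CompromisedUser and $SourceIp values are placeholders to be filled in from the Lateral Movement alert; the account is assumed to be a domain account and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example, not from the SonicWall KB: first-response actions on a Windows endpoint after a
# ransomware detection, following the KB's Threat Analysis and Response steps. Run elevated.
# Placeholders: take the user account and Local IP from the Lateral Movement alert name.
$CompromisedUser = 'CONTOSO\jdoe'   # placeholder, not a real account
$SourceIp        = '10.0.0.25'      # placeholder, not a real host

# 1. Preserve known-good backups: stop the VSS service so existing shadow copies are not overwritten.
Stop-Service -Name VSS -Force
"VSS is now $((Get-Service -Name VSS).Status)"

# 2. Record which shadow copies exist before anything else touches the disk (recovery and evidence).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName, OriginatingMachine
$shadows | Format-Table -AutoSize
$shadows | Export-Csv -Path "$env:TEMP\shadowcopies-$($env:COMPUTERNAME).csv" -NoTypeInformation
if (-not $shadows) {
    Write-Warning "No shadow copies present: recovery from VSS will not be possible on this host"
}

# 3. Lateral movement source: if the console's Devices search for the Local IP returns no agent,
#    a reverse DNS lookup helps locate the unprotected system so it can be disconnected.
try {
    (Resolve-DnsName -Name $SourceIp -Type PTR -ErrorAction Stop).NameHost
} catch {
    "No PTR record for $SourceIp; locate it via DHCP leases or switch MAC address tables"
}

# 4. Reset the password of the account seen in the Lateral Movement alert.
Import-Module ActiveDirectory
$sam = ($CompromisedUser -split '\\')[-1]   # strip the DOMAIN\ prefix to get the sAMAccountName
Set-ADAccountPassword -Identity $sam -Reset -NewPassword (Read-Host -AsSecureString "New password for $sam")
Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
"Password reset for $sam; the user must change it at next logon"
```

Step 1 is deliberately done before anything else so that the agent cannot consume the last good snapshot while the remaining steps run; the CSV written in step 2 gives the responder a record of what was available at the time the host was triaged.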