How to Test Ransomware Functionality


Article ID: 292196


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to test Ransomware functionality?

Environment

  • Carbon Black Cloud Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Resolution

To test ransomware detection, delete one or more canary files. For the deletion to trigger a ransomware detection, the binary performing the delete must be one of the following:

• An unknown application (with the policy set to terminate the process on ransomware-like behavior), or
• A known application that is explicitly set by policy to terminate on ransomware-like activity

For example, to trigger a ransomware warning by deleting a canary file from Windows Explorer, the Explorer binary (**\explorer.exe) must first be added to a "Blocking and Isolation" rule:

Application at path → **\explorer.exe → Performs ransomware-like behavior → Terminate process

A similar rule must be present in the policy applied to the sensor when testing with any other binary that deletes a canary file.
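The following PowerShell script is an added example and not part of the Carbon Black article. It drives the canary deletion through a separate binary (cmd.exe) so that the Blocking and Isolation rule under test is the one on that binary rather than on the PowerShell host, then records whether the deleting process was terminated and whether the file survived. It assumes a test endpoint whose policy carries the rule "Application at path → **\cmd.exe → Performs ransomware-like behavior → Terminate process", and that you supply the canary file paths yourself: the article does not name canary locations, so the default path below is a placeholder.

```powershell
# Added example (not from the Carbon Black article). Assumptions:
#  - the endpoint's policy has the rule
#      Application at path -> **\cmd.exe -> Performs ransomware-like behavior -> Terminate process
#  - $CanaryPaths lists canary files on this endpoint; the default is a placeholder
#    because the article does not state where canary files live.
param(
    [string[]]$CanaryPaths = @('C:\TestCanaries\canary1.txt'),   # placeholder, supply your own
    [int]$TimeoutSeconds = 15
)

function Test-CanaryDeletion {
    param([string]$Path, [int]$TimeoutSeconds)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'missing-before-test'; ExitCode = $null }
    }

    # Launch cmd.exe as the process that performs the delete, so the rule on
    # **\cmd.exe is the one exercised, not any rule on powershell.exe.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" `
        -ArgumentList '/c', "del /f /q `"$Path`"" -PassThru -WindowStyle Hidden

    if (-not $proc.WaitForExit($TimeoutSeconds * 1000)) {
        $proc.Kill()
        return [pscustomobject]@{ Path = $Path; Result = 'timeout'; ExitCode = $null }
    }

    $stillExists = Test-Path -LiteralPath $Path
    # File still present and a non-zero exit code is consistent with the sensor
    # terminating cmd.exe before the delete completed. File gone means the delete
    # was not blocked; confirm in the console whether an alert was still raised.
    $result = if ($stillExists -and $proc.ExitCode -ne 0) { 'process-terminated-file-intact' }
              elseif (-not $stillExists)                  { 'file-deleted' }
              else                                         { 'file-intact-exit-0' }

    [pscustomobject]@{ Path = $Path; Result = $result; ExitCode = $proc.ExitCode }
}

$CanaryPaths |
    ForEach-Object { Test-CanaryDeletion -Path $_ -TimeoutSeconds $TimeoutSeconds } |
    Format-Table -AutoSize
```

Run this only on a test endpoint with a test policy. The exit code and file state are local indicators; the authoritative result is the ransomware event or alert recorded for the sensor in the Carbon Black Cloud console.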

Additional Information