Managing ransomware attacks
SES Evolution protects your organization’s workstations from ransomware attacks. It can detect operations that ransomware applications usually perform on a system, such as file modification or encryption, and quickly stop them. If ransomware encrypted some files before being blocked by SES Evolution, you can retrieve the lost data by performing a remediation.
WARNING
SES Evolution's creation of shadow copies cannot replace regular backups. You must have a dedicated parallel backup solution.
To block ransomware attacks, SES Evolution must be configured as follows:
- Enable ransomware protection. If you are using Default policy or Backoffice component protection policies, this protection mode is enabled by default in the Anti-ransomware protection rule set.
- Enable Windows shadow copies.
- Optional: Prohibit the execution of malicious commands that specially aim to delete shadow copies. To do so, use application filtering via command line arguments. If you are using Default policy or Backoffice component protection policies, this protection mode is enabled by default in the Anti-ransomware protection rule set.
If you have enabled SES Evolution anti-ransomware protection and chosen the Block and kill or Block, kill and quarantine option, every ransomware attack generates an Alert level log and a context:
“The process process_name attempted to run a ransomware attack. Look up the list of encrypted files in the file_path file.”
The log contains:
- The name of the process behind the attack,
- The path of the remediation file that identifies all the files that the ransomware encrypted before it was blocked. This file is kept for 30 days in %PROGRAMDATA%\Stormshield\SES Evolution\Agent\Diagnostics\Ransomware Protection on the workstation where the SES Evolution agent is installed.
- The list of the first ten encrypted files (in the detailed log).
If you have set up the requirements, you can retrieve lost data with the help of a remediation task, which allows you to retrieve an older version of the lost files.
Stormshield recommends that you retrieve the data no later than 5 days after the attack, as SES Evolution continues to create shadow copies daily. Since only the last five copies are kept, new shadow copies containing the encrypted files will overwrite the older shadow copies that still hold the clean versions.
To retrieve lost data:
- Follow the procedure described in Managing remediation tasks.
- When creating the task, select actions such as Retrieve files encrypted by ransomware.
- Click on Start remediation. The Manual tasks panel appears and SES Evolution starts retrieving the encrypted files from the Windows shadow copies.
- Once the task is complete, click on Details to view the restored files.
- In Windows Explorer, check that the restored files have been saved in the original folder under their original names. The encrypted files will also be saved with a .bak extension.
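The final check above can be automated. The following is an added example, not Stormshield's code: it walks a restored folder, pairs every `.bak` file with the original of the same name, reports originals that are still missing, and flags restored files whose byte entropy is so high that they still look encrypted. The folder layout and the entropy threshold are assumptions; the sample files are constructed in a temporary directory.

```python
"""Post-remediation check (added example, not Stormshield's code). After a
'Retrieve files encrypted by ransomware' task, each encrypted file is kept
as <name>.bak beside the restored original; this verifies that pairing."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits/byte (assumed threshold); ciphertext approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty file."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def check_remediation(folder: Path) -> dict:
    """Return {'restored': [...], 'missing': [...], 'suspicious': [...]}."""
    result = {"restored": [], "missing": [], "suspicious": []}
    for bak in sorted(folder.rglob("*.bak")):
        original = bak.with_suffix("")  # report.txt.bak -> report.txt
        rel = str(original.relative_to(folder))
        if not original.exists():
            result["missing"].append(rel)  # nothing was restored for it
            continue
        if shannon_entropy(original.read_bytes()) >= HIGH_ENTROPY:
            result["suspicious"].append(rel)  # still looks encrypted
        else:
            result["restored"].append(rel)
    return result

def build_sample(folder: Path) -> None:
    """Constructed sample: one good restore, one still encrypted, one missing."""
    (folder / "report.txt").write_text("Quarterly report, plain text. " * 20)
    (folder / "report.txt.bak").write_bytes(os.urandom(4096))
    (folder / "ledger.xlsx").write_bytes(os.urandom(4096))  # random = encrypted
    (folder / "ledger.xlsx.bak").write_bytes(os.urandom(4096))
    (folder / "notes.md.bak").write_bytes(os.urandom(4096))  # no original

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        build_sample(folder)
        return check_remediation(folder)

if __name__ == "__main__":
    print(demo())
```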