Managing ransomware attacks

SES Evolution protects your organization’s workstations from ransomware attacks. It can detect operations that ransomware applications usually perform on a system, such as file modification or encryption, and quickly stop them. If a workstation is under attack, SES Evolution logs allow you to find out whether files have been encrypted, and which ones. The procedure below explains how to retrieve lost data.

WARNING
SES Evolution‘s creation of shadow copies cannot replace regular backups. You must have a dedicated parallel backup solution.

To block ransomware attacks, SES Evolution must be configured as follows:

  • Enable ransomware protection. If you are using Default policy or Backoffice component protection policies, this protection mode is enabled by default in the Anti-ransomware protection rule set.
  • Enable Windows shadow copies.
  • Optional: Prohibit the execution of malicious commands that specially aim to delete shadow copies. To do so, use application filtering via command line arguments. If you are using Default policy or Backoffice component protection policies, this protection mode is enabled by default in the Anti-ransomware protection rule set.

If you have enabled SES Evolution anti-ransomware protection and chosen the Block and kill option, every ransomware attack generates an Alert level log and an incident:

“The process process_name attempted to run a ransomware attack. Look up the list of encrypted files in the file_path file.

The log contains:

  • The name of the process behind the attack,
  • The path of the remediation file that identifies all the files that the ransomware encrypted before it was blocked. This file will be kept for 30 days in PROGRAMDATA%\Stormshield\SES Evolution\Agent\Diagnostics\Ransomware Protection.
  • The list of the first ten encrypted files (in the detailed log).

If you have set up the requirements, you can retrieve lost data with the help of the ShadowCopyExpose utility developed by Stormshield. It allows you to display the contents of shadow copies on a workstation and retrieve an earlier version of lost files.

Stormshield recommends that you retrieve the data 5 days later as SES Evolution will continue to create shadow copies daily after an attack. Since only the last five copies will be kept, new shadow copies containing encrypted files will overwrite older shadow copies.

To retrieve lost data:

  1. Open the remediation file that matches the date and time of the attack. It contains the name and location of all the files that the ransomware encrypted.

  2. Download the ShadowCopyExpose.exe utility from your personal area. You will find it in Downloads > Downloads, then in Stormshield Endpoint Security Evolution > Evolution > Tools > Ransomware remediation tool.

  3. On the workstation that came under the ransomware attack, in a Windows or Powershell command window, go to the folder in which you downloaded the utility.

  4. Run the following command as an administrator:

    ShadowCopyExpose.exe --list

    The list of shadow copies from this workstation appears.

  5. Using the timestamp, identify the latest shadow copy made before the attack, and copy its GUID, including the curly brackets.

  6. Display the contents of the shadow copy in an unused drive by running the command:

    ShadowCopyExpose.exe --expose "{GUID}" drive_letter

    EXAMPLE
    ShadowCopyExpose.exe --expose "{12A8B00F-E89F-44E7-BC30-DC85CAC470A2}" R:

    - or -

    Display the contents of the shadow copy in an existing empty folder by running the command:

    ShadowCopyExpose.exe --expose "{GUID}" folder_path

    EXAMPLE
    ShadowCopyExpose.exe --expose "{12A8B00F-E89F-44E7-BC30-DC85CAC470A2}" C:\Recovery

    The contents of the shadow copy will appear in the drive or folder.

  7. Using the remediation file, identify the files that were encrypted and retrieve them via Windows Explorer in the specified drive or folder.

  8. Stop the display of the shadow copy by running the command:

    ShadowCopyExpose.exe --unexpose "{GUID}"

The table below lists all the parameters in the ShadowCopyExpose utility:

Parameter Description
--list
Lists the shadow copies with contents that can be displayed in the file system.
All copies that SES Evolution creates can be displayed and therefore appear on this list.
--list -v Displays additional information about the shadow copies.
--list -a Lists all the shadow copies found on the system, including those that cannot be displayed in the file system.
--expose {GUID}
drive_letter|folder_path

Displays the contents of the shadow copy identified by its GUID in the specified drive or empty folder.
--unexpose

Stops the display of the shadow copy.

The contents of a shadow copy can only be displayed in one place at a time. If they are already displayed in a drive, you must first stop the display before you can display them in an empty folder, for example.
--help Shows help.
--readme Shows document about the utility.