Javascript must be enabled to download our products and perform other essential functions on the website.

ionicons-v5-m
ionicons-v5-j
Buy Now Download Free Trial
ionicons-v5-m
ionicons-v5-f

Ransomware Protection

ransomeware protection

PA File Sight can detect and protect against ransomware attacks caused by infected client computers that encrypt server files.

Detection happens via simple detection methods used by other products, as well as more advanced options. Once a ransomware attack is detected, the server is protected and information is shared with other servers so they are protected as well.

Executive Summary

Detection

ionicons-v5-e Behavior analytics / activity monitoring

ionicons-v5-e Real-time rules check all file I/O

ionicons-v5-e Honeypots

ionicons-v5-e Known filenames

Protection

ionicons-v5-e Real-time alerts, including IP address

ionicons-v5-e Only allow Trusted Applications to run

ionicons-v5-e Automatically block infected users from the server

ionicons-v5-e Servers forward warnings to other servers

ionicons-v5-h

Read the step-by-step guide for setting up ransomware detection and protection using PA File Sight.

Setup Guide for Server Ransomware Protection

Defense in Depth

PA File Sight is a key piece of a layered security model. Servers need anti-virus and other products to protect them from direct attacks from software running on the server. PA File Sight adds a layer of protection by protecting server files from infected client computers that may attempt to encrypt or delete those files.

Ransomware Detection Techniques

Simple Detection - Honeypot

Some simple products create hidden folders with specific files that users should not touch. Anything that touches those files is considered a threat and alerted on. If the hackers that write the ransomware decide to not encrypt hidden files and folders, this detection method will fail. PA File Sight can support this simple method, but it also supports more robust detection methods.

Simple Detection - Filenames

Sometimes ransom notes with particular file names will be saved to the folder during a ransomware attack. Sometimes the files will be encrypted with a specific file extention (like Resume.docx.encrypted). Simple ransomware detectors watch for these cases, but this won't catch new variants of ransomware that come out later. PA File Sight supports this method, but it can also do better.

Robust Detection - Activity Monitoring

Ransomware attacks occur when a compromised client computer:

  • Reads files from the server
  • Saves the files back in an encrypted form

PA File Sight's advanced monitoring technology watches for a client computer doing reads and writes of many files in a short period of time, and runs alerts when the pattern is seen.

This feature is only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.

Robust Detection AND Prevention - Real-time Rules

The Trusted Application feature checks all file access against a list of rules. This includes when an application is trying to start, which means you can whitelist those applications that are safe, or that act in a safe manner.

Ransomware Server Protection

Automatically Block Infected Clients

PA File Sight can block the client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the compromised client account from accessing files on the server, without affecting other legitimate users still using the server.

Block File Access Based on Real-Time Rules

Every read, write, delete and move/rename is checked against a list of rules. These rules can consider the file's path, the process accessing the path, what company created the process, whether it is digitally signed, what group the user is in and many more options. These checks are very fast. If file access is blocked alerts can be sent to IT administrators. The Lite version can run these rules on the server. The Ultra version can run them on the server, and also on client computers with the light weight Endpoint agent.

Alert Other Servers Automatically

The Blocked Users List is actively shared among servers protected by the same PA File Sight installation, so other servers can be protected from the compromised client before it even attacks them.

Real Time Alerts

PA File Sight can alert system administrators about the attack with critical information such as the user account involved, and the client's IP address/computer name, giving system administrators a quickly respond and investigate.

Learn more about PA File Sight

Very very good job!

Fabrizio B., BESTIT s.r.l., Italy ionicons-v5-b