Ransomware Protection

PA File Sight can detect and protect against ransomware attacks caused by infected client computers that encrypt server files.

Detection happens via simple detection methods used by other products, as well as more advanced options. Once a ransomware attack is detected, the server is protected and information is shared with other servers so they are protected as well.


Executive Summary

Detection

User file activity monitoring Behavior analytics / activity monitoring
Ransomware protection with Honeypots Honeypots
Ransomware protection with known filenames Known filenames

Protection

Realtime ransomware alerts Real-time alerts, including IP address
Realtime blocking of infected users Automatically block infected users
Servers spread alert Servers forward warnings to other servers


Get a step-by-step guide for setting up ransomware detection and protection using PA File Sight.

  Setup Guide for Server Ransomware Protection

Defense in Depth

PA File Sight is a key piece of a layered security model. Servers need anti-virus and other products to protect them from direct attacks from software running on the server. PA File Sight adds a layer of protection by protecting server files from infected client computers that may attempt to encrypt or delete those files.

Ransomware Detection Techniques

Simple Detection - Honeypot

Some simple products create hidden folders with specific files that users should not touch. Anything that touches those files is considered a threat and alerted on. If the hackers that write the ransomware decide to not encrypt hidden files and folders, this detection method will fail. PA File Sight can support this simple method, but it also supports more robust detection methods.

Simple Detection - Filenames

Sometimes ransom notes with particular file names will be saved to the folder during a ransomware attack. Sometimes the files will be encrypted with a specific file extention (like Resume.docx.encrypted). Simple ransomware detectors watch for these cases, but this won't catch new variants of ransomware that come out later. PA File Sight supports this method, but it can also do better.

Robust Detection - Activity Monitoring

Ransomware attacks occur when a compromised client computer:


PA File Sight's advanced monitoring technology watches for a client computer doing reads and writes of many files in a short period of time, and runs alerts when the pattern is seen.

This feature is only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.

Ransomware Server Protection

Automatically Block Infected Clients

PA File Sight can block the client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the compromised client account from accessing files on the server, without affecting other legitimate users still using the server.

Alert Other Servers

The Blocked Users List is actively shared among servers protected by the same PA File Sight installation, so other servers can be protected from the compromised client before it even attacks them.

Real Time Alerts

PA File Sight can alert system administrators about the attack with critical information such as the user account involved, and the client's IP address/computer name, giving system administrators a quickly respond and investigate.

Learn more about PA File Sight

Download Free Trial
No signup needed
30-day full trial - no credit card needed
 
BTW we LOVE PA Server Monitor - it's a fantastic tool!
Helen D., DDT, United Kingdom more customer quotes...
see customer list...