PA File Sight can detect and protect against ransomware attacks caused by infected client computers that encrypt server files.
Detection happens via simple detection methods used by other products, as well as more advanced options. Once a ransomware attack is detected, the server is protected and information is shared with other servers so they are protected as well.
Automatically block infected users
Servers forward warnings to other servers
Read the step-by-step guide for setting up ransomware detection and protection using PA File Sight.
Defense in Depth
PA File Sight is a key piece of a layered security model. Servers need anti-virus and other products to protect them from direct attacks from software running on the server. PA File Sight adds a layer of protection by protecting server files from infected client computers that may attempt to encrypt or delete those files.
Ransomware Detection Techniques
Simple Detection - Honeypot
Some simple products create hidden folders with specific files that users should not touch. Anything that touches those files is considered a threat and alerted on. If the hackers that write the ransomware decide to not encrypt hidden files and folders, this detection method will fail. PA File Sight can support this simple method, but it also supports more robust detection methods.
Simple Detection - Filenames
Sometimes ransom notes with particular file names will be saved to the folder during a ransomware attack. Sometimes the files will be encrypted with a specific file extention (like Resume.docx.encrypted). Simple ransomware detectors watch for these cases, but this won't catch new variants of ransomware that come out later. PA File Sight supports this method, but it can also do better.
Robust Detection - Activity Monitoring
Ransomware attacks occur when a compromised client computer:
- Reads files from the server
- Saves the files back in an encrypted form
PA File Sight's advanced monitoring technology watches for a client computer doing reads and writes of many files in a short period of time, and runs alerts when the pattern is seen.
This feature is only available in the Ultra Edition. Compare Ultra vs Lite to see the differences.
Ransomware Server Protection
Automatically Block Infected Clients
PA File Sight can block the client account so it cannot access any more files on the server using the Add to Blocked User List action. This will prevent the compromised client account from accessing files on the server, without affecting other legitimate users still using the server.
Alert Other Servers Automatically
The Blocked Users List is actively shared among servers protected by the same PA File Sight installation, so other servers can be protected from the compromised client before it even attacks them.
Real Time Alerts
PA File Sight can alert system administrators about the attack with critical information such as the user account involved, and the client's IP address/computer name, giving system administrators a quickly respond and investigate.