
Ransomware

 

Use the JSA Ransomware Content Extension to monitor your deployment for possible ransomware behavior on endpoints.

About the Ransomware Extension

The Ransomware Content Extension detects file access or modification events, identified by JSA Identifiers (QIDs), that come from Carbon Black and IBM BigFix endpoint log sources or from Microsoft Windows log sources and are observed at a high rate in a short amount of time. This content extension uses rules, custom properties, QIDs, and building blocks to indicate possible ransomware behavior on endpoints within an internal network.

This content extension requires JSA V2014.8 Patch 4 or later.

JSA Ransomware Content Extension V1.0.2

The following table shows the custom properties that are updated in JSA Ransomware Content Extension V1.0.2.

Table 1: Updated Custom Properties in JSA Ransomware Content Extension V1.0.2

Custom Property: Accesses
Low level category: System.Information
Capture Group: 1
Enabled: No
Regex: Accesses[:\s\\=]*(.*?)\s+(?:Access (?:Check Results|Mask|Reasons)|Properties|Privileges|&&|$)

Custom Property: Process Name
Low level category: User Login Failure
Capture Group: 1
Enabled: Yes
Regex: Process Name[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Network Information|\s|&&)

JSA Ransomware Content Extension V1.0.1

The following table shows the custom properties that are updated in JSA Ransomware Content Extension V1.0.1.

Note

The custom properties that are included in this content extension are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 2: Custom Properties in JSA Ransomware Content Extension V1.0.1

Custom Property: Accesses
Found in: Microsoft Windows

Custom Property: Full File Path
Found in: Ransomware only. Updated regex to: \s+path=\s*(.*?)(\s\s|$)

Custom Property: Process Name

The following table shows the rules and building blocks that are updated in JSA Ransomware Content Extension V1.0.1.

Table 3: Rules and Building Blocks in JSA Ransomware Content Extension V1.0.1

Type: Building Block
Name: BB: File Access/Modification from Endpoint Security
Description: Added more checks for Carbon Black and IBM BigFix log sources.

Type: Building Block
Name: BB: File Access/Modification from Microsoft Windows System
Description: Added more checks for Microsoft Windows Security Event log sources.

Type: Rule
Name: UBA: Ransomware Behavior from Endpoint Security Logs
Description: Triggers when file access or modification events that come from Carbon Black and IBM BigFix are observed at a high rate in a short amount of time. When this rule is triggered, it feeds the events into the User Behavior Analysis app and indicates possible ransomware behavior in the system.

Type: Rule
Name: UBA: Ransomware Behavior from Microsoft Windows Security Event Logs
Description: Triggers when file access or modification events that come from the Microsoft Windows system are observed at a high rate in a short amount of time. When this rule is triggered, it feeds the events into the User Behavior Analysis app and indicates possible ransomware behavior in the system.

JSA Ransomware Content Extension V1.0.0

The following table shows the custom properties in JSA Ransomware Content Extension V1.0.0.

Table 4: Custom Properties in JSA Ransomware Content Extension V1.0.0

Name: Accesses
Optimized: True
Capture Group: 1
Regex: [\s\s|\t]Accesses:\s{0,2}(.*?)($|\s+(Access\s(Check\sResults|Mask|Reasons)|Privileges):)
Description: This event property is enabled by default for Microsoft Windows log sources for events that are parsed by the Microsoft Windows Security Event Log DSM.

Name: Process Name
Optimized: False
Capture Group: 2
Regex: \s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)
Description: This event property is enabled by default for Microsoft Windows log sources for events that are parsed by the Microsoft Windows Security Event Log DSM.

Name: Full File Path
Optimized: True
Capture Group: 1
Regex: \s+path=(\s?)(.*?)(\s\s|$)
Description: This event property is enabled by default for Carbon Black log sources for events that are parsed by the Carbon Black DSM.
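The custom-property regexes from Tables 1, 2 and 4 applied to constructed sample payloads. This is an added example, not code shipped with the content extension; the Windows 4663 event and the Carbon Black line are made up and written with double-space field separators, which is what the `\s\s` and `\s+` separators in the regexes expect. It also shows why the capture group matters: the V1.0.0 Full File Path regex puts the path in group 2, while the V1.0.1 regex moves it to group 1, and the V1.0.2 Process Name regex strips the directory that the V1.0.0 regex keeps.

```python
import re

# Custom-property regexes exactly as listed in the tables on this page.
ACCESSES_V102 = r"Accesses[:\s\\=]*(.*?)\s+(?:Access (?:Check Results|Mask|Reasons)|Properties|Privileges|&&|$)"
PROCESS_NAME_V102 = r"Process Name[:\s\\=]+(?:.*\\)?(.*?)\s+(?:Network Information|\s|&&)"
PROCESS_NAME_V100 = r"\s\sProcess\sName:\s(\s?)(.*?)(\s\s|$)"
FULL_FILE_PATH_V101 = r"\s+path=\s*(.*?)(\s\s|$)"
FULL_FILE_PATH_V100 = r"\s+path=(\s?)(.*?)(\s\s|$)"

# Constructed sample payloads (not real logs). The Windows 4663 event is written the way
# a collector flattens a multi-line event: fields separated by two spaces.
WIN_4663 = (
    r"EventID=4663  An attempt was made to access an object.  Subject:  Account Name:  alice  "
    r"Object:  Object Type:  File  Object Name:  C:\Users\alice\Documents\report.docx  "
    r"Process Information:  Process ID:  0x1a2c  Process Name:  C:\Windows\explorer.exe  "
    r"Access Request Information:  Accesses:  DELETE  WriteData (or AddFile)  Access Mask:  0x10002"
)
CB_FILEMOD = (
    r"cb-event-forwarder: type=filemod action=delete "
    r"path=C:\Users\alice\Documents\report.docx  process=C:\Windows\explorer.exe"
)


def extract(regex, payload, group=1):
    """Run a custom-property regex over a payload and return the capture group, or None."""
    match = re.search(regex, payload)
    return match.group(group) if match else None


def split_accesses(accesses_value):
    """The Accesses value can hold several access names separated by runs of whitespace."""
    return re.split(r"\s{2,}", accesses_value.strip())


if __name__ == "__main__":
    print(extract(ACCESSES_V102, WIN_4663))            # DELETE  WriteData (or AddFile)
    print(split_accesses(extract(ACCESSES_V102, WIN_4663)))
    print(extract(PROCESS_NAME_V102, WIN_4663))        # explorer.exe (directory stripped by (?:.*\\)?)
    print(extract(PROCESS_NAME_V100, WIN_4663, 2))     # C:\Windows\explorer.exe (full path kept)
    print(extract(FULL_FILE_PATH_V101, CB_FILEMOD))    # C:\Users\alice\Documents\report.docx
    # With the V1.0.0 regex group 1 is only the optional whitespace; the path sits in group 2.
    print(repr(extract(FULL_FILE_PATH_V100, CB_FILEMOD, 1)), extract(FULL_FILE_PATH_V100, CB_FILEMOD, 2))
```

The bare file name from the V1.0.2 Process Name regex is what you would match against the process whitelist reference sets; the V1.0.0 regex returns the full path, so a whitelist built for one version will not match the other.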

The following table shows the rules and building blocks in JSA Ransomware Content Extension V1.0.0.

Table 5: Rules and Building Blocks in JSA Ransomware Content Extension V1.0.0

Type: Building Block
Name: BB: File Access/Modification from Endpoint Security
Description: Detects if the event QIDs are present in the File Access/Modification QIDs reference set.

Type: Building Block
Name: BB: File Access/Modification from Microsoft Windows System
Description: Detects attempts to access an object from Microsoft Windows systems where the requested access is an object write or delete (the accesses that are listed in the Access Request Information\Accesses reference set).

Type: Rule
Name: Ransomware Behavior: Microsoft Windows Security Event Logs
Description: Triggers when file access or modification events that come from the Microsoft Windows system are observed at a high rate in a short amount of time. Triggering of this rule indicates possible ransomware behavior in the system. This rule is enabled after the content extension is enabled.

Type: Rule
Name: Ransomware Behavior: Endpoint Security Logs
Description: Triggers when file access or modification events that come from Carbon Black and IBM BigFix endpoints are observed at a high rate in a short amount of time. Triggering of this rule indicates possible ransomware behavior in the system. This rule is enabled after the content extension is enabled.

The following table shows the reference data in JSA Ransomware Content Extension V1.0.0.

Table 6: Reference Data in JSA Ransomware Content Extension V1.0.0

Type: Reference Set
Name: Access Request Information\Accesses
Description: This reference set contains all the accesses that are related to object write or delete, taken from the Microsoft Windows event '4663: Success Audit: An attempt was made to access an object'.

Type: Reference Set
Name: File Access/Modification QIDs
Description: This reference set contains the QIDs of the file access or modification events that come from Carbon Black and IBM BigFix endpoints.

Type: Reference Set
Name: Microsoft Windows Event Processes Whitelist
Description: This reference set contains the approved processes that regularly access these files in the events that come from Microsoft Windows.

Type: Reference Set
Name: Endpoint Security Processes Whitelist
Description: This reference set contains the approved processes that regularly access these files in the events that come from the Carbon Black endpoint.
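The rule and building-block logic from Tables 5 and 6 reduced to a runnable model: keep write/delete file events whose process is not in the whitelist reference set, count them per endpoint in a sliding time window, and fire once the count reaches a threshold. This is an added example, not the extension's own rule definition; the reference-set contents, the threshold of 20 events and the 60-second window are assumptions, since the page only says "a high rate in a short amount of time".

```python
import re
from collections import defaultdict, deque

# Constructed stand-ins for the extension's reference sets. The real sets ship with the
# extension and are maintained in JSA; these values are illustrative only.
ACCESS_REQUEST_INFORMATION_ACCESSES = {"DELETE", "WriteData (or AddFile)", "AppendData (or AddSubdirectory)"}
MICROSOFT_WINDOWS_EVENT_PROCESSES_WHITELIST = {"backup.exe"}

# Assumed tuning values: the page does not publish the rule's own rate or window.
THRESHOLD = 20       # qualifying events per endpoint ...
WINDOW_SECONDS = 60  # ... within this sliding window


def is_write_or_delete(accesses_value):
    """True if any access in the Accesses property is in the write/delete reference set."""
    return any(a in ACCESS_REQUEST_INFORMATION_ACCESSES
               for a in re.split(r"\s{2,}", accesses_value.strip()))


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """events: iterable of (timestamp_seconds, endpoint, process_name, accesses_value).
    Returns (endpoint, timestamp) pairs at which the burst condition is met. The per-endpoint
    window is cleared after firing so one burst produces one hit rather than one per event."""
    recent = defaultdict(deque)
    hits = []
    for ts, endpoint, process, accesses in sorted(events):
        if process in MICROSOFT_WINDOWS_EVENT_PROCESSES_WHITELIST or not is_write_or_delete(accesses):
            continue                      # whitelisted process or a read-only access: ignore
        window_events = recent[endpoint]
        window_events.append(ts)
        while ts - window_events[0] > window:
            window_events.popleft()       # drop events that fell out of the window
        if len(window_events) >= threshold:
            hits.append((endpoint, ts))
            window_events.clear()
    return hits


def sample_events():
    """Constructed event stream: one rapid write/delete burst from a user process, one
    whitelisted backup job at the same rate, and one slow trickle that must not fire."""
    burst = [(100 + i, "ws-alice", "explorer.exe", "DELETE  WriteData (or AddFile)") for i in range(25)]
    backup = [(100 + i, "ws-bob", "backup.exe", "WriteData (or AddFile)") for i in range(25)]
    trickle = [(100 + 100 * i, "ws-carol", "winword.exe", "DELETE") for i in range(5)]
    return burst + backup + trickle


if __name__ == "__main__":
    print(detect_bursts(sample_events()))   # [('ws-alice', 119)]
```

Tuning the whitelist is the main false-positive control here: a backup agent or indexing service that legitimately rewrites many files in a short time looks exactly like the burst unless its process name is in the reference set.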

The following table shows the FGroup in JSA Ransomware Content Extension V1.0.0.

Table 7: FGroup in JSA Ransomware Content Extension V1.0.0

Type: Rule Group
Name: Ransomware
Description: A new rule group was added to the Offenses tab for rules and building blocks.