Hello. This demo shows how you can use InTrust and Change Auditor to mitigate a ransomware attack without a specialized malware detection solution in place. By ransomware, we mean the kind of malware that encrypts your files and tries to extort money from you for the promise of decryption. We're going to use this rule, Multiple File Creation Events. It's available out of the box in InTrust, and it's a good match for the symptoms of ransomware in action.
It's got a threshold of five events by the same user within one minute. The rule retaliates by denying access to the share that's under attack and by disabling the user for good measure. It's important that Change Auditor for Windows File Servers is logging access to the share. That's a must.
So the rule is applied in such a way that it sends a couple of notifications. Firstly, it notifies someone on the security staff, and secondly, it looks at the user who's causing the alert and finds the account of that user's manager in AD. That's achieved by this dynamic notification operator that's available out of the box in InTrust.
Before the attack, the user has access to some shares with important-looking names. And now for the evil part. We're going to use a PowerShell script to simulate what ransomware does: encrypt files and leave the encrypted copies in place of the originals. Let's see how far we can get.
OK, seven files are ruined, and we're denied access. That means the response actions have kicked in. Let's see. We can't open the shares now. Oh yeah, here's our notification message. It tells you everything. It even includes a link to IT Security Search to put the situation in context and lets you investigate right away.
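To make the rule's logic concrete, here is an added example (not InTrust or Change Auditor code, and not the script used in the demo) that re-implements the same threshold in Python over a constructed log: five file-creation events by one user on one share inside a sliding one-minute window raise an alert, and the alert is turned into the response actions the demo describes. The log format, the share and account names, and the AD manager lookup table are all constructed for the example.

```python
"""Toy version of a threshold rule like "Multiple File Creation Events":
alert when one account creates at least THRESHOLD files on one share within a
sliding WINDOW, then plan the response the demo describes (deny the share,
disable the account, notify security staff and the user's manager).
Added example, not InTrust/Change Auditor code; log format and names are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # events by the same user ...
WINDOW = timedelta(minutes=1)  # ... within one minute

# Constructed sample log: timestamp|user|share|path|operation (not a real audit format).
# jdoe drops seven encrypted copies in 30 s; bwayne creates five files, one every 45 s;
# asmith creates three files over several minutes. Only jdoe should trip the rule.
SAMPLE_LOG = r"""
2024-01-01T10:00:00|CORP\jdoe|\\fs01\Finance|Budget.xlsx.locked|create
2024-01-01T10:00:00|CORP\bwayne|\\fs01\Legal|draft1.docx|create
2024-01-01T10:00:03|CORP\asmith|\\fs01\HR|notes.txt|create
2024-01-01T10:00:05|CORP\jdoe|\\fs01\Finance|Forecast.xlsx.locked|create
2024-01-01T10:00:10|CORP\jdoe|\\fs01\Finance|Payroll.xlsx.locked|create
2024-01-01T10:00:12|CORP\jdoe|\\fs01\Finance|Budget.xlsx|delete
2024-01-01T10:00:15|CORP\jdoe|\\fs01\Finance|Audit.docx.locked|create
2024-01-01T10:00:20|CORP\jdoe|\\fs01\Finance|Invoices.pdf.locked|create
2024-01-01T10:00:25|CORP\jdoe|\\fs01\Finance|Taxes.pdf.locked|create
2024-01-01T10:00:30|CORP\jdoe|\\fs01\Finance|Plan.pptx.locked|create
2024-01-01T10:00:45|CORP\bwayne|\\fs01\Legal|draft2.docx|create
2024-01-01T10:01:30|CORP\bwayne|\\fs01\Legal|draft3.docx|create
2024-01-01T10:01:40|CORP\asmith|\\fs01\HR|notes2.txt|create
2024-01-01T10:02:15|CORP\bwayne|\\fs01\Legal|draft4.docx|create
2024-01-01T10:03:00|CORP\bwayne|\\fs01\Legal|draft5.docx|create
2024-01-01T10:04:10|CORP\asmith|\\fs01\HR|notes3.txt|create
"""

# Constructed stand-in for the manager attribute the rule looks up in AD.
AD_MANAGERS = {"CORP\\jdoe": "CORP\\mgr.finance"}


def parse_log(text):
    """Turn the pipe-delimited sample lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, share, path, op = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "share": share, "path": path, "op": op})
    return events


def evaluate(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of 'create' events per (user, share).

    Returns one alert per (user, share) the first time the count inside the
    window reaches the threshold; later events for that pair do not re-alert."""
    recent = defaultdict(deque)   # (user, share) -> timestamps still inside the window
    fired = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] != "create":  # deletes/writes don't count toward this rule
            continue
        key = (ev["user"], ev["share"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"user": ev["user"], "share": ev["share"], "count": len(q),
                           "first": q[0], "triggered": ev["ts"]})
    return alerts


def plan_response(alert, directory=AD_MANAGERS, security_contact="secops@corp.example"):
    """Response actions from the demo: deny the share, disable the account,
    notify security staff, and notify the user's manager looked up in AD
    (falls back to the security contact when no manager is recorded)."""
    manager = directory.get(alert["user"], security_contact)
    return [
        ("deny_share_access", alert["user"], alert["share"]),
        ("disable_account", alert["user"]),
        ("notify", security_contact),
        ("notify", manager),
    ]


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['user']} on {alert['share']}: {alert['count']} files "
              f"between {alert['first'].time()} and {alert['triggered'].time()}")
        for action in plan_response(alert):
            print("  ->", action)
```

The alert fires on the fifth event, which is why a handful of files are already ruined by the time the deny and disable actions land, as in the demo. The window only counts creations, so the ransomware's deletes of the originals do not inflate the count, and a user who creates files at a normal pace never accumulates five inside a minute.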