Ransomware response
Rely on the visibility of Open NDR to detect reconnaissance and respond effectively to ransomware events.
Eliminate visibility gaps
Ransomware remains a dynamic threat, often exploiting gaps beyond the endpoint, such as unmanaged devices, critical assets, and lateral movement. Corelight's Open NDR Platform provides full network visibility and advanced security capabilities to detect, investigate, respond to, and recover from ransomware attacks efficiently.
- Spot ransomware reconnaissance
- Identify SSH file upload & download activity
- Illuminate encrypted remote desktop actions
- Reveal lateral movement in Microsoft file shares
Techniques to mitigate ransomware stages
Early stage
Spot reconnaissance activities
Many adversaries survey their target environment before they drop ransomware payloads or exfiltrate stolen data. Corelight’s network visibility can reveal ransomware-related port scanning activity and suspicious probes.
Detect RDP brute forcing
Ransomware attacks often begin via a compromise of weak RDP servers. Corelight detects RDP brute forcing and known RDP clients associated with ransomware attacks.
Identify risky encrypted connections
Corelight brings light to the darkness by identifying early-stage encrypted connections, including hundreds of VPN clients, and illuminating activity such as the use of self-signed and expired certificates.
Mid stage
Illuminate lateral movement
After gaining an initial foothold, ransomware adversaries work their way toward your critical assets. Corelight detects lateral movement activity in SMB and DCE-RPC traffic, such as the connections associated with remote file copy events.
Detect Command & Control
Adversaries need to connect with a C2 server to drop ransomware payloads and exfiltrate data. Corelight detects over 50 different types of C2 activity on your network.
Spot suspicious SSH activity
Before the end stage of a ransomware attack, adversaries may test their infrastructure and foothold. Corelight illuminates adversarial behaviors such as large and small file transfers over SSH or the presence of human keystrokes.
Post event
Identify scope
Every connection in a ransomware attack generates a conn.log entry in Corelight, which can be used together with other Corelight evidence about file and DNS activity to quickly determine the scope of the attack after a breach.
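As an added example that is not Corelight's own code or detection logic, the script below shows how two of the conn.log-driven tasks described on this page, spotting RDP brute forcing from many short connections to one server and scoping lateral movement after a breach by walking SMB, DCE-RPC and RDP connections outward from a known-compromised host, can be worked out over Zeek-format records. The log excerpt, the IP addresses, the thresholds and the helper names (`parse_conn_log`, `detect_rdp_bruteforce`, `lateral_scope`) are all constructed assumptions for illustration.

```python
"""Defender-side helpers over Zeek-style conn.log records (constructed example).

The log excerpt, addresses and thresholds below are invented for illustration;
they are not Corelight detection content.
"""
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's tab-separated layout (a subset of the
# real field list). One attacker hammers an RDP server with short sessions,
# then gets in; the server then reaches into file shares, and one of those
# hosts reaches a third. A long legitimate RDP session and a DNS lookup are
# included as benign noise.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1700000000.0\tCa1\t203.0.113.7\t51000\t10.0.0.5\t3389\ttcp\tssl\t0.30\t412\t1180\tRSTO
1700000006.5\tCa2\t203.0.113.7\t51001\t10.0.0.5\t3389\ttcp\tssl\t0.28\t410\t1180\tRSTO
1700000013.1\tCa3\t203.0.113.7\t51002\t10.0.0.5\t3389\ttcp\tssl\t0.31\t412\t1180\tRSTO
1700000019.8\tCa4\t203.0.113.7\t51003\t10.0.0.5\t3389\ttcp\tssl\t0.29\t411\t1180\tRSTO
1700000026.2\tCa5\t203.0.113.7\t51004\t10.0.0.5\t3389\ttcp\tssl\t0.30\t412\t1180\tRSTO
1700000033.0\tCa6\t203.0.113.7\t51005\t10.0.0.5\t3389\ttcp\tssl\t0.27\t409\t1180\tRSTO
1700000040.4\tCa7\t203.0.113.7\t51006\t10.0.0.5\t3389\ttcp\tssl\t1420.00\t88310\t2200400\tSF
1700000100.0\tCb1\t10.0.0.9\t49210\t10.0.0.5\t3389\ttcp\tssl\t1800.00\t120000\t5400000\tSF
1700001500.0\tCc1\t10.0.0.5\t49301\t10.0.0.20\t445\ttcp\tsmb\t12.40\t52000\t4800\tSF
1700001520.0\tCc2\t10.0.0.5\t49302\t10.0.0.21\t445\ttcp\tsmb\t9.10\t51000\t4700\tSF
1700001530.0\tCc3\t10.0.0.5\t49303\t10.0.0.21\t135\ttcp\tdce_rpc\t0.80\t900\t1100\tSF
1700001600.0\tCd1\t10.0.0.20\t49400\t10.0.0.30\t445\ttcp\tsmb\t15.00\t60000\t5000\tSF
1700001700.0\tCe1\t10.0.0.50\t53011\t10.0.0.2\t53\tudp\tdns\t0.01\t60\t120\tSF
"""


def _float_or_none(value):
    """Zeek writes '-' for unset numeric fields; map that to None."""
    return None if value == "-" else float(value)


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into a list of dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["id.orig_p"] = int(rec["id.orig_p"])
        rec["id.resp_p"] = int(rec["id.resp_p"])
        rec["duration"] = _float_or_none(rec["duration"])
        records.append(rec)
    return records


def detect_rdp_bruteforce(records, window_s=60.0, min_attempts=5, max_duration=5.0):
    """Flag (source, RDP server) pairs with >= min_attempts short-lived TCP/3389
    connections inside any window_s-second window.

    Heuristic only: each credential guess against RDP is typically its own short
    connection, so a burst of brief sessions from one source stands out, while a
    legitimate interactive session is long-lived. Returns {pair: peak_count}.
    """
    by_pair = defaultdict(list)
    for r in records:
        short = r["duration"] is not None and r["duration"] <= max_duration
        if r["proto"] == "tcp" and r["id.resp_p"] == 3389 and short:
            by_pair[(r["id.orig_h"], r["id.resp_h"])].append(r["ts"])
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= min_attempts:
                hits[pair] = max(hits.get(pair, 0), count)
    return hits


def lateral_scope(records, seed_hosts, ports=(445, 135, 3389), hops=2):
    """Breadth-first expansion from known-compromised hosts along outbound
    SMB (445), DCE-RPC endpoint mapper (135) and RDP (3389) connections.

    Returns the set of hosts reachable within `hops` hops, i.e. the minimum
    set an incident responder should triage when scoping the intrusion.
    """
    adjacency = defaultdict(set)
    for r in records:
        if r["id.resp_p"] in ports:
            adjacency[r["id.orig_h"]].add(r["id.resp_h"])
    reached, frontier = set(seed_hosts), set(seed_hosts)
    for _ in range(hops):
        frontier = {h for src in frontier for h in adjacency[src]} - reached
        reached |= frontier
    return reached


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    hits = detect_rdp_bruteforce(recs)
    print("RDP brute-force candidates:", hits)
    # Use each brute-forced server as the seed for post-breach scoping.
    seeds = {server for (_, server) in hits}
    print("Hosts to triage:", sorted(lateral_scope(recs, seeds)))
```

The scoping walk is deliberately direction-aware (originator to responder), so a host that merely received connections from the seed is included, but hosts that only connected to the seed are not; widen `ports` or `hops` as the evidence from file and DNS logs warrants.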
Recover files
Corelight extracts and reassembles over 200 different file types from wire traffic, which can be flexibly stored on-premises or in the cloud to support file recovery needs.
Verify containment
Use Corelight to provide ongoing network monitoring for IOCs and behaviors to confirm the adversary is out of your environment and can’t repeat the attack.
Filter out the noise
Growing alert noise from security tools plagues security teams, and a lack of evidence makes it hard to validate whether a given ransomware alert is a true positive or a false positive. With complete visibility from Corelight, analysts can cut through the noise of third-party tools; one Corelight customer, for example, had been unable to validate a ransomware alert from a third-party tool because that tool offered no context or visibility.
"If you have intelligence from the platform along with skilled people that know how to use it, you at least have a fighting chance against the evolving threat landscape."
In high-stakes ransomware investigations, many security teams are unable to answer key questions and default to worst-case assumptions. With complete visibility from Corelight, teams can avoid costly overreactions. One customer, when confronted with a $10 million ransomware demand, used Corelight to prove that the exfiltrated data being held for ransom had no real value, which also provided legal air cover for refusing to pay the ransom.