RANSOMWARE RESPONSE

Spot reconnaissance activities
Many adversaries survey their target environment before they drop ransomware payloads or exfiltrate stolen data. Corelight’s network visibility can reveal ransomware-related port scanning activity and suspicious probes.

Detect RDP brute forcing
Ransomware attacks often begin via a compromise of weak RDP servers [MP4]. Corelight detects RDP brute forcing and known RDP clients associated with ransomware attacks. 

Identify risky encrypted connections
Corelight brings light to the darkness by identifying early-stage encrypted connections, including hundreds of VPN clients, and illuminating activity such as the use of self-signed and expired certificates.

Illuminate lateral movement
After gaining an initial foothold, ransomware adversaries work their way toward your critical assets. Corelight detects lateral movement activity in SMB and DCE-RPC traffic such as those related to remote file copy events.

Detect Command & Control
Adversaries need to connect with a C2 server to drop ransomware payloads and exfiltrate data. Corelight detects over 50 different types of C2 activity on your network.

Spot suspicious SSH activity
Before the end stage of a ransomware attack, adversaries may test their infrastructure and foothold. Corelight illuminates adversarial behaviors such as large and small-file transfers over SSH or the presence of human keystrokes. 

Identify scope
Every connection in a ransomware attack generates a Corelight conn.log, which can be used in conjunction with other Corelight evidence around file and DNS activity to quickly determine the scope of a ransomware attack after a breach.

Recover files
Corelight extracts and reassembles over 200 different file types from wire traffic, which can be flexibly stored on-premise or in the cloud to support file recovery needs.

Verify containment
Use Corelight to provide ongoing network monitoring for IOCs and behaviors to confirm the adversary is out of your environment and can’t repeat the attack.