CONTACT US
forrester wave report 2023

Close your ransomware case with Open NDR

SEE HOW

Download our free guide to find hidden attackers.

Find hidden attackers with Open NDR

SEE HOW

cloud-network

Corelight announces cloud enrichment for AWS, GCP, and Azure

READ MORE

corelight partner programe guide

Corelight's partner program

VIEW PROGRAM

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-spring-2024

Network Detection and Response

SUPPORT OVERVIEW

 

RANSOMWARE RESPONSE

Rely on the visibility of Open NDR to detect reconnaissance and respond effectively to ransomware events.

ransomware-mitigation

ELIMINATE VISIBILITY GAPS

Ransomware is a persistent, evolving threat that demands defensive investments beyond the endpoint. But most organizations lack visibility and detection around unmanaged devices, critical assets, cloud workloads, and lateral movement. Because of this, they miss ransomware early warning signs and struggle to quickly and cost effectively respond to attacks when they occur.  

Corelight's Open NDR Platform delivers complete network visibility and powerful new security capabilities to detect, investigate, respond to and recover from ransomware attacks that disrupt critical business operations. 

  • Spot ransomware reconnaissance
  • Identify SSH file upload & download activity
  • Illuminate encrypted remote desktop actions
  • Reveal lateral movement in Microsoft file shares

Close the case on ransomware

Early stage

Spot reconnaissance activities
Many adversaries survey their target environment before they drop ransomware payloads or exfiltrate stolen data. Corelight’s network visibility can reveal ransomware-related port scanning activity and suspicious probes.

 

Detect RDP brute forcing
Ransomware attacks often begin via a compromise of weak RDP servers [MP4]. Corelight detects RDP brute forcing and known RDP clients associated with ransomware attacks. 

 

Identify risky encrypted connections
Corelight brings light to the darkness by identifying early-stage encrypted connections, including hundreds of VPN clients, and illuminating activity such as the use of self-signed and expired certificates.

Mid stage

Illuminate lateral movement
After gaining an initial foothold, ransomware adversaries work their way toward your critical assets. Corelight detects lateral movement activity in SMB and DCE-RPC traffic such as those related to remote file copy events.

 

Detect Command & Control
Adversaries need to connect with a C2 server to drop ransomware payloads and exfiltrate data. Corelight detects over 50 different types of C2 activity on your network.

 

Spot suspicious SSH activity
Before the end stage of a ransomware attack, adversaries may test their infrastructure and foothold. Corelight illuminates adversarial behaviors such as large and small-file transfers over SSH or the presence of human keystrokes. 

Post event

Identify scope
Every connection in a ransomware attack generates a Corelight conn.log, which can be used in conjunction with other Corelight evidence around file and DNS activity to quickly determine the scope of a ransomware attack after a breach.

Recover files
Corelight extracts and reassembles over 200 different file types from wire traffic, which can be flexibly stored on-premise or in the cloud to support file recovery needs.

Verify containment
Use Corelight to provide ongoing network monitoring for IOCs and behaviors to confirm the adversary is out of your environment and can’t repeat the attack.

Filter out the noise

Growing alert noise from security tools plagues security teams and a lack of evidence makes it hard to validate if a given ransomware alert is a true positive or false positive. With complete visibility from Corelight, analysts can cut through the noise of third party tools, such as one Corelight customer who was unable to validate a ransomware alert from a third-party due to its total lack of context and visibility.

clear-alert

Call their bluff

In high stakes ransomware investigations, many security teams are unable to answer key questions and default to worst-case assumptions. With complete visibility from Corelight, teams can avoid costly overreactions. One customer, when confronted with a $10 million ransomware demand, used Corelight to prove the exfiltrated data being held for ransom had no real value while providing legal aircover for refusing to pay the ransom.

ebook-ransomware

 

Recommended for you

promo-card-9
BLOG
What is Network Detection and Response (NDR)?
What is NDR?
promo-card-7
REPORT
SANS 2022 Ransomware Defense Report
SANS 2022 Ransomware Defense Report
promo-card-2
VIDEO
Corelight CEO, Brian Dye talks to NYSE's Trinity Chavez on 'The Cyber Series'
Responding to ransomware case study

Related topics

  • Using Corelight to identify ransomware blast radius
  • The Gold Standard for Network Security Monitoring
  • SaaS Open NDR Investigator
  • Close cases faster with evidence

Have questions?

Talk with one of our experts today.

CONTACT US