Set Access Operations to include Create, Write, and Rename (in most attacks there is a Create operation from writing the encrypted copy, followed by destruction of the original). Then enter the desired Wildcards (both * and ? can be used) as follows:
Many more can be included, and the list is as flexible as you need. Naming conventions can be difficult to capture with a Wildcard at times. Fortunately, these criminals have one common factor, and that's MONEY: there will always be a set of instructions on how to pay them, so any file being generated as Decrypt.me, Decrypt.Instructions, etc. is another indicator of an attack.
As new attacks emerge, knowing the encryption naming convention makes it easy to update the Policy and add Wildcards. Keeping separate Policies is a good way to delineate definite attacks from activity that merely needs review. With a properly scoped Policy, this is one of the few quick wins a security professional can get with immediately actionable information. Incorporating scripts and integrating with an existing SIEM can further automate your protection against, and visibility into, these perpetrators.
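As an added example (not Stealthbits or Netwrix code), the script below applies the same logic to constructed file-activity events: it keeps only Create/Write/Rename operations, matches file names against per-Policy wildcard lists, and tallies hits per user so a "definite" Policy can be separated from a "review" one. The Decrypt.me and Decrypt.Instructions names come from the post; every other pattern, path and user name is constructed.

```python
"""Wildcard-based ransomware file-activity matcher (added example, constructed data)."""
import fnmatch

# Operations the Policy is scoped to: create of the encrypted copy, then write/rename.
WATCHED_OPS = {"Create", "Write", "Rename"}

# Policy name -> wildcard list ('*' and '?' as in the post).
# Decrypt.me / Decrypt.Instructions are from the post; the others are constructed.
POLICIES = {
    "definite": ["Decrypt.me", "Decrypt.Instructions", "*.sample-locked"],
    "review": ["*.enc?", "*.tmp"],
}

# Constructed sample events in the shape a file-activity feed might export.
EVENTS = [
    {"user": "alice", "op": "Create", "path": r"\\srv\share\docs\report.docx.sample-locked"},
    {"user": "alice", "op": "Rename", "path": r"\\srv\share\docs\report.docx"},
    {"user": "alice", "op": "Create", "path": r"\\srv\share\docs\DECRYPT.ME"},
    {"user": "bob", "op": "Write", "path": r"\\srv\share\tmp\build.tmp"},
    {"user": "bob", "op": "Read", "path": r"\\srv\share\docs\Decrypt.Instructions"},
    {"user": "carol", "op": "Create", "path": r"\\srv\share\x\file.enc1"},
]


def classify(event):
    """Return the first Policy whose wildcards match the event's file name, else None.

    Only watched operations count, and matching is case-insensitive because
    Windows file names are (fnmatch.fnmatchcase is used so the result does not
    depend on the platform the script runs on).
    """
    if event["op"] not in WATCHED_OPS:
        return None
    name = event["path"].rsplit("\\", 1)[-1].lower()
    for policy, patterns in POLICIES.items():
        if any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns):
            return policy
    return None


def summarize(events):
    """Tally matches as {user: {policy: count}}; users with no hits are omitted."""
    hits = {}
    for ev in events:
        policy = classify(ev)
        if policy is not None:
            hits.setdefault(ev["user"], {})
            hits[ev["user"]][policy] = hits[ev["user"]].get(policy, 0) + 1
    return hits
```

A user with several "definite" hits in a short window is the kind of record worth pushing straight to the SIEM, while "review" hits can be queued for a human look.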
Jeff is a Senior Engineer at Stealthbits – Now part of Netwrix.
© 2022 Stealthbits Technologies, Inc.