Set Access Operations to include Create, Write, and Rename (in most attacks there will be a Create operation as the encrypted copy is generated, followed by the destruction of the original). Then enter the desired Wildcards (both * and ? can be used) as follows:
There are many more that can be included, and the list is as flexible as you need it to be. Naming conventions can also be difficult to express as a Wildcard at times. Fortunately, these criminals have one common factor, and that's MONEY. There will always be a set of instructions on how to pay them, so any file being generated with a name like Decrypt.me or Decrypt.Instructions can be another indicator of an attack.
As new attacks emerge, knowing the new variant's encryption naming convention makes it easy to update the Policy and add further Wildcards. Having separate Policies is a great way to delineate between definite attacks and activity that merely needs review. With a properly scoped Policy, this is one of the few quick wins a security professional can have with immediately actionable information. Incorporating scripts and integrating with an existing SIEM can further automate your protection against, and visibility of, these perpetrators.
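The detection logic described above, applied to a constructed file-activity feed, as an added example (this is not code from the original post or from the Stealthbits product). It restricts matching to Create, Write and Rename, tests the resulting file name against * and ? wildcards, keeps "definite" and "review" hits in separate policies, and emits each hit as a CEF line that a SIEM can ingest. The pattern lists, policy names, event fields and CEF vendor/product strings are all assumptions for illustration.

```python
"""Wildcard-based ransomware detection over file-activity events.

Added example, not from the original post: pattern lists, field names and
the CEF vendor/product values below are assumptions for illustration only.
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access Operations the post recommends monitoring; everything else is ignored.
MONITORED_OPS = {"Create", "Write", "Rename"}

# Assumed wildcard lists. "Definite" names have no legitimate business use;
# "Review" names could collide with normal tooling and are triaged by hand.
# Extend either list as new variants and their naming conventions appear.
POLICIES = {
    "Ransomware - Definite": [
        "*.locky", "*.encrypted", "*.crypt",        # encrypted-copy extensions
        "decrypt.me", "decrypt.instructions*",      # ransom notes: how to pay
        "*readme*decrypt*", "how_to_decrypt*",
    ],
    "Ransomware - Review": [
        "*.locked", "*.enc", "*.crypted",
    ],
}


@dataclass(frozen=True)
class FileEvent:
    """One constructed file-activity record (assumed field layout)."""
    user: str
    host: str
    op: str                          # "Create", "Write", "Rename", "Delete", ...
    path: str                        # original path, Windows or POSIX separators
    new_path: Optional[str] = None   # Rename target; None for other operations


def target_name(event: FileEvent) -> str:
    """File name the policy should test: for a Rename that is the new name."""
    path = event.new_path if event.op == "Rename" and event.new_path else event.path
    # Normalise separators, keep only the leaf name, fold case ourselves so the
    # match does not depend on the OS fnmatch happens to run on.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_policy(event: FileEvent) -> Optional[Tuple[str, str]]:
    """Return (policy, pattern) for the first wildcard that matches, else None."""
    if event.op not in MONITORED_OPS:
        return None
    name = target_name(event)
    for policy, patterns in POLICIES.items():
        for pattern in patterns:
            # fnmatchcase gives * and ? semantics without OS-dependent case folding.
            if fnmatch.fnmatchcase(name, pattern.lower()):
                return policy, pattern
    return None


def to_cef(event: FileEvent, policy: str, pattern: str) -> str:
    """Render a hit as a CEF:0 line (assumed vendor/product/signature values)."""
    definite = "Definite" in policy
    severity = 10 if definite else 5
    signature = "RANSOM-DEF" if definite else "RANSOM-REV"
    ext = (f"suser={event.user} shost={event.host} act={event.op} "
           f"fname={target_name(event)} cs1Label=pattern cs1={pattern}")
    return f"CEF:0|Example|FileActivity|1.0|{signature}|{policy}|{severity}|{ext}"


def evaluate(events: List[FileEvent]) -> List[Tuple[str, str]]:
    """Run every event through the policies; return (policy, cef_line) per hit."""
    alerts = []
    for event in events:
        hit = match_policy(event)
        if hit:
            policy, pattern = hit
            alerts.append((policy, to_cef(event, policy, pattern)))
    return alerts


# Constructed sample feed: a normal document save, a Locky-style rename of the
# same document, a dropped ransom note (mixed case), the deletion of the
# original (not a monitored operation), and a benign backup with a .enc name.
SAMPLE_EVENTS = [
    FileEvent("jdoe", "WS01", "Write", r"\\fs01\finance\Q3.docx"),
    FileEvent("jdoe", "WS01", "Rename", r"\\fs01\finance\Q3.docx",
              r"\\fs01\finance\Q3.docx.locky"),
    FileEvent("jdoe", "WS01", "Create", r"\\fs01\finance\DECRYPT.INSTRUCTIONS.txt"),
    FileEvent("jdoe", "WS01", "Delete", r"\\fs01\finance\Q3.docx"),
    FileEvent("backup", "BK01", "Create", r"\\fs01\backups\archive.tar.enc"),
]

if __name__ == "__main__":
    for policy, line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Running it yields two "Definite" alerts (the .locky rename and the ransom note) and one "Review" alert (the .enc backup); the Write and the Delete produce nothing. Testing the Rename target rather than its source is what catches the common "append an extension" behaviour, and keeping the noisy extensions in a separate policy is what keeps the definite-attack feed clean enough to act on immediately.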