Anti-Ransomware Protection

Traps now extends its malware protection capabilities to protect against encryption-based activity associated with ransomware with the new Anti-Ransomware Protection module. The new malware protection module (MPM) adds a new layer to Trap’s existing ransomware prevention capabilities with the ability to analyze and halt ransomware activity before any data loss occurs.
In a ransomware attack, typically the attacker uses DLLs, macros, shellscripts and other methods to encrypt important data and holds the data hostage until the user pays a ransom to unlock the data. To combat these attacks, Traps employs decoy files to attract the ransomware. Although these decoy files are typically hidden from most legitimate processes, they can be visible in some cases. Traps names these files with special characters such as !!!!! or zzzz; However, Palo Alto Networks can distribute changes to both the names and locations of these files using content updates. When the ransomware attempts to write to, rename, move, delete, or encrypt the decoy files, Traps analyzes the behavior and prevents the ransomware from encrypting and holding files hostage.
Like other MPMs, you can configure the module to operate in either notification or prevention mode. When you configure the module to operate in prevention mode, Traps blocks the process attempting to manipulate the decoy files. When you configure this module in notification mode, Traps logs a security event for each process once per minute. This means that if the same process attempts to manipulate another decoy file within a minute of the first attempt, Traps ignores the event. This prevents the Traps agent from logging and reporting an excessive number of events.
The Anti-Ransomware Protection module is enabled by default on Windows endpoints that use the following file system formats: NTFS, FAT, and exFAT.
To disable or change your anti-ransomware protection policy:
  1. From the ESM Console, Configure Anti-Ransomware Protection.
  2. To view security events triggered by the Anti-Ransomware Protection MPM, see the Malware Modules pages:
    • Prevention events—Security EventsPreventionsMalware Modules.
    • Notification-only events—Security EventsNotificationsMalware Modules.
    Each security event identifies the source process which exhibited ransomware behavior, and the location of the target file.

Related Documentation