Set up ransomware alert and response

Multiple file modifications in a short period of time and evidence of encryption are two telltale signs of ransomware. Using a few simple patterns, DataSecurity Plus can detect these signs of ransomware early on and identify attacks right as they happen. Follow the steps below to configure DataSecurity Plus' automated threat response mechanism to shut down any ransomware attack right at its inception.

  • 1. Run DataSecurity Plus and navigate to the Alerts tab.
  • 2. Click New Alert Profile in the top right corner of the page.
  • 3. Name the alert profile and include an appropriate description (e.g., "Potential ransomware attack").
  • 4. In the Severity tab, select Critical.
  • 5. Switch on the Threshold Limit section and specify the number of events to be monitored (e.g., "100 file modifications in one minute")*.
  • 6. Navigate to the Criteria section and add these filters:
    1. Actions: Create, modify, rename, and file extension change
    2. Monitor: All
    3. Monitor Type: Files and folders
    4. File Types: All
    5. Users: All
  • 7. Use the Exclude tab to ignore individual files, organization-specific file types, and folders, so that monitoring stays selective and false positive detections are reduced.
  • 8. Navigate to Email Notifications and specify one or more email addresses you'd like to send alerts to. Set Email Priority to High.
  • 9. In the Execute Command text box, run the default script (e.g., "{install_location}\bin\alertScripts\triggershutdown.bat %server_name%"), which shuts down the infected system. Note: You can also execute other scripts that disable the user account, disable the network, or run a script of your own tailored to your organization's needs.
  • 10. To save the configured alert, click Save.

You have now successfully configured DataSecurity Plus to detect and respond to a scenario where more than 100 file events such as create, modify, and rename are detected within one minute.

*The threshold limit will vary depending on the server size, the number of users, and on its usage level.
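To make the threshold rule concrete, here is an added example (not DataSecurity Plus code) that models the alert profile above as a per-user sliding window: it counts the monitored actions from step 6, applies an exclude list like the one in step 7, and when the threshold from step 5 is reached it produces a Critical alert record carrying the step 9 response command with `%server_name%` substituted. The log line format, the user names and paths, the server name FILESRV01, and the assumption that `%server_name%` refers to the monitored file server are all constructed for the demo.

```python
"""Threshold-based burst detector modelled on the ransomware alert profile.

Added example, not DataSecurity Plus code. Reproduces the rule "N monitored
file events by one user within one window" plus an exclude list, and emits
the step 9 response command with %server_name% filled in. Log format, users,
paths and the server name FILESRV01 are constructed for this demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from pathlib import PureWindowsPath

# Step 6: actions the profile watches; reads, deletes, etc. are not counted.
MONITORED_ACTIONS = {"create", "modify", "rename", "extension_change"}

# Step 9: default response script from the page. %server_name% is assumed to
# be the product's placeholder for the monitored server (assumption).
RESPONSE_COMMAND = r"{install_location}\bin\alertScripts\triggershutdown.bat %server_name%"


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    action: str
    path: str


def parse_event(line: str) -> FileEvent:
    """Constructed log format: '<ISO timestamp> <DOMAIN\\user> <action> <path>'."""
    ts, user, action, path = line.split(" ", 3)
    return FileEvent(datetime.fromisoformat(ts), user.lower(), action.lower(), path)


@dataclass
class Exclusions:
    """Step 7: folders, file types and file-name globs that never count."""
    folders: tuple = ()      # folder prefixes, e.g. C:\Shares\Temp
    extensions: tuple = ()   # e.g. .tmp
    files: tuple = ()        # glob on the file name, e.g. ~$*

    def matches(self, path: str) -> bool:
        p = PureWindowsPath(path)
        full = str(p).lower()
        if p.suffix.lower() in {e.lower() for e in self.extensions}:
            return True
        if any(fnmatch(p.name.lower(), pat.lower()) for pat in self.files):
            return True
        return any(full.startswith(f.lower().rstrip("\\") + "\\") for f in self.folders)


class BurstDetector:
    """Per-user sliding window: alert once `threshold` counted events fall inside
    `window`. The window is cleared after an alert so one burst yields one alert."""

    def __init__(self, threshold=100, window=timedelta(minutes=1),
                 exclusions=None, server_name="FILESRV01"):
        self.threshold, self.window = threshold, window
        self.exclusions = exclusions or Exclusions()
        self.server_name = server_name
        self._recent = defaultdict(deque)   # user -> timestamps of counted events

    def feed(self, ev: FileEvent):
        """Return an alert record if this event completes a burst, else None."""
        if ev.action not in MONITORED_ACTIONS or self.exclusions.matches(ev.path):
            return None
        q = self._recent[ev.user]
        q.append(ev.ts)
        cutoff = ev.ts - self.window
        while q and q[0] < cutoff:          # drop events that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        alert = {"severity": "Critical", "user": ev.user, "count": len(q),
                 "window_start": q[0], "window_end": ev.ts, "last_path": ev.path,
                 "command": RESPONSE_COMMAND.replace("%server_name%", self.server_name)}
        q.clear()
        return alert


def run(lines, **detector_kwargs):
    """Parse, time-order and feed the lines; return the alerts raised."""
    det = BurstDetector(**detector_kwargs)
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    return [a for a in map(det.feed, events) if a]


# Constructed sample: normal editing, a ransomware-like rename burst, and editor
# scratch files in a temp folder that a tuned exclude list should ignore.
DEMO_EXCLUSIONS = Exclusions(folders=(r"C:\Shares\Temp",), extensions=(".tmp",), files=("~$*",))


def constructed_events():
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(5):      # bob: five edits spread over an hour
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t.isoformat()} CORP\\bob modify C:\\Shares\\HR\\policy{i}.docx")
    for i in range(120):    # alice: 120 extension changes in 30 seconds
        t = base + timedelta(seconds=i / 4)
        lines.append(f"{t.isoformat()} CORP\\alice extension_change C:\\Shares\\Finance\\q{i}.xlsx.locked")
    for i in range(200):    # carol: 200 scratch files in 20 seconds, all excludable
        t = base + timedelta(seconds=i / 10)
        lines.append(f"{t.isoformat()} CORP\\carol create C:\\Shares\\Temp\\~$scratch{i}.tmp")
    return lines


if __name__ == "__main__":
    for a in run(constructed_events(), exclusions=DEMO_EXCLUSIONS):
        span = (a["window_end"] - a["window_start"]).total_seconds()
        print(f"{a['severity']}: {a['user']} made {a['count']} changes in {span:.1f}s -> {a['command']}")
```

Running the sample with `DEMO_EXCLUSIONS` raises exactly one alert, for alice's burst; running it with an empty `Exclusions()` also alerts twice on carol's scratch files, which is the false-positive case the Exclude tab exists to remove. The `threshold` and `window` arguments correspond to the Threshold Limit setting and should be tuned per server, as the footnote above notes.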
