How to Block Ransomware from Your Network
One way to stop a ransomware attack before it occurs is to detect and block Indicators of Compromise (IoCs) on your network that are known to be associated with the download of ransomware, before the ransomware has a chance to execute.
It is well known that the Ryuk ransomware is seeded by the Trickbot Remote Access Trojan. The attack can be stopped by detecting and blocking Trickbot malware related IoCs.
See how Arbor Edge Defense detects and blocks outbound Indicators of Compromise (IoCs) to stop the proliferation of malware and prevent a ransomware attack.
For More Information
Dropping the Anchor
Trickbot has long been one of the key banking malware families in the wild. Despite recent disruption events, the operators continue to drive forward with the malware and have recently begun porting portions of its code to the Linux operating system.
How AED Can Be Used to Prevent a Ransomware Attack
NETSCOUT Arbor Edge Defense, or AED, is an industry-leading DDoS attack protection solution that acts as a first and last line of smart, automated perimeter defense for your organization. It’s deployed on your premises, just inside the internet router and outside your firewall, where it acts as a first line of defense by blocking inbound DDoS attacks, protecting the availability of your network, services, and stateful security devices such as firewalls or VPN concentrators.
But AED can do more than just block inbound DDoS attacks. Acting as a last line of defense, AED can also be used to detect and block outbound indicators of compromise that have been missed by other tools in your security stack, to stop the proliferation of malware before a data breach or, as we’ll show in our example, before a ransomware attack occurs. More specifically, let’s take a look at how AED can be used to stop a Ryuk (pronounced Ri-yuke) ransomware attack.
The Ryuk ransomware is well known to be seeded by the Trickbot Remote Access Trojan, so you should be on the lookout for IoCs related to the Trickbot malware. Let’s demonstrate how AED does this. Armed with NETSCOUT’s ATLAS or third-party threat intelligence feeds, Arbor Edge Defense can detect and block both inbound and outbound threats, or indicators of compromise.
Here we see that AED is blocking some outbound threats. Let’s investigate further. The ATLAS Intelligence Feed has categorized these threats as Command and Control and Malware.
Let’s drill in further to the Command and Control alert. We’ll adjust our time down to the last 5 minutes to see what’s happening most recently.
There we see a single IP address inside our organization actively communicating with a known command and control infrastructure outside our organization.
We can drill in further to get more details such as the IP protocols and ports being used, the timing of the event, and the total bytes or packets blocked. As we can see, ATLAS has identified this threat as communication with a known Trickbot command and control infrastructure.
This communication was automatically blocked by Arbor Edge Defense. And because it’s deployed outside your firewall, it has blocked communication that was potentially missed by other tools in your security stack.
In other words, Arbor Edge Defense has acted as a last line of defense to block communication to the Trickbot malware and prevent the download of the Ryuk ransomware.
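As an added illustration, not NETSCOUT code or AED’s own logic, here is a minimal outbound-IoC matcher in Python that does what the walkthrough describes: it checks outbound flows from internal hosts against a categorized threat-intelligence feed, keeps only the last five minutes, and rolls the hits up per internal host with protocol, port, bytes and first/last seen. The feed, the internal address ranges and the flow records are constructed sample data.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for an ATLAS/third-party IoC feed: indicator -> category (not real data)
IOC_FEED = {"203.0.113.45": "Command and Control", "198.51.100.7": "Malware"}
# Address space treated as "inside our organization" (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records as a perimeter device might log them (all values invented)
FLOWS = [
    {"ts": "2020-10-06T14:02:10", "src": "10.1.4.23", "dst": "203.0.113.45", "proto": "tcp", "dport": 443, "bytes": 1320},
    {"ts": "2020-10-06T14:03:30", "src": "10.1.4.23", "dst": "203.0.113.45", "proto": "tcp", "dport": 443, "bytes": 880},
    {"ts": "2020-10-06T13:20:00", "src": "10.1.9.8", "dst": "198.51.100.7", "proto": "tcp", "dport": 80, "bytes": 5000},
    {"ts": "2020-10-06T14:04:00", "src": "10.1.4.23", "dst": "192.0.2.10", "proto": "udp", "dport": 53, "bytes": 64},
]

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def outbound_ioc_hits(flows, feed, now_iso, window_minutes=5):
    """Outbound flows (internal src, external dst) whose destination matches the feed,
    restricted to the last window_minutes before now_iso; each hit carries its feed category."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(minutes=window_minutes)
    hits = []
    for f in flows:
        ts = datetime.fromisoformat(f["ts"])
        if ts < cutoff or not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # outside the time window, or not an internal-to-external flow
        category = feed.get(f["dst"])
        if category is not None:
            hits.append({**f, "category": category, "action": "blocked"})
    return hits

def summarize(hits):
    """Roll hits up per internal host / destination / category / protocol / port."""
    summary = {}
    for h in hits:
        key = (h["src"], h["dst"], h["category"], h["proto"], h["dport"])
        s = summary.setdefault(key, {"flows": 0, "bytes": 0, "first": h["ts"], "last": h["ts"]})
        s["flows"] += 1
        s["bytes"] += h["bytes"]
        s["first"], s["last"] = min(s["first"], h["ts"]), max(s["last"], h["ts"])
    return summary

if __name__ == "__main__":
    for key, s in summarize(outbound_ioc_hits(FLOWS, IOC_FEED, "2020-10-06T14:05:00")).items():
        print(key, s)  # one line per internal host talking to a listed destination
```

Widening the window (for example to two hours) also surfaces the older Malware-category hit from the second internal host; the five-minute view shows only the current Command and Control traffic.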
For more information on the NETSCOUT Arbor Edge Defense product, please visit the product page on netscout.com.