Getting Started with Ransomware Prevention
Ransomware Prevention is a Rapid7 Agent (Insight Agent) add-on that helps protect your endpoints from ransomware and other malicious behavior. It works alongside your existing endpoint security tools and integrates with SIEM (InsightIDR) to provide visibility, alerts, and investigation context across the Rapid7 platform.
This guide follows a recommended setup path so you can confidently deploy Ransomware Prevention without disrupting business-critical workflows.
Before you begin
Ransomware Prevention is designed to be rolled out gradually.
By default, the product starts in Detection Only mode, which allows you to:
- Observe how prevention rules behave in your environment
- Review alerts without blocking activity
- Tune exclusions before enforcement begins
How Ransomware Prevention works
Ransomware Prevention monitors endpoint behavior to detect activity commonly associated with ransomware and malware attacks. It uses Rapid7 prevention engines, which are collections of behavioral rules and known-bad signatures designed to detect threats at the point of initial access.
When suspicious behavior is detected:
- A prevention engine responds with an action (monitoring or blocking)
- An alert is generated and sent to SIEM (InsightIDR) for investigation
Ransomware Prevention includes all Rapid7 prevention engines except On-Access Scanning (Antivirus).
It functions as an Endpoint Protection Platform (EPP) and provides Endpoint Detection and Response (EDR) capabilities through its integration with SIEM (InsightIDR). Ransomware Prevention can run alongside third-party EPP and EDR solutions.
Step 1: Install Ransomware Prevention
To deploy the Ransomware Prevention add-on, choose one of the following installation methods:
- Option 1: Deploy using managed updates
- Option 2: Deploy using an installation package
After selecting an option, follow the linked instructions to install the add-on on systems running the Rapid7 Agent (Insight Agent).
Step 2: Organize assets using prevention groups
Once installed, assets are managed through prevention groups.
Prevention groups allow you to:
- Logically organize assets
- Apply consistent settings and Prevention Policies
- Manage exclusions at scale
Settings and exclusions are applied at the prevention group level, not per asset. When an asset moves between groups, it automatically inherits the new group’s configuration.
Learn more about configuring prevention groups.
Step 3: Start in Detection Only mode
Ransomware Prevention includes an organization-level setting called activation mode. By default, this is set to Detection Only, which is the recommended mode during initial rollout.
Detection Only mode
In Detection Only mode:
- Suspicious behavior is monitored but not blocked
- Alerts are generated and sent to SIEM (InsightIDR)
- Prevention group actions set to Block are ignored
This mode helps you understand how Ransomware Prevention interacts with your applications, scripts, and workflows before enforcement begins.
Active Prevention mode
In Active Prevention mode:
- Suspected malicious activity is actively blocked
- Events are logged and sent to SIEM (InsightIDR) for investigation
You should only switch to Active Prevention mode after reviewing alerts and configuring exclusions.
Learn how to change the activation mode.
Step 4: Review detections and alerts in SIEM (InsightIDR)
Once Ransomware Prevention is deployed, SIEM (InsightIDR) becomes your primary place to validate behavior and tune your configuration.
View Endpoint Detection rules
In SIEM (InsightIDR), detection rules are shared across endpoint capabilities.
Note
The rules and alerts generated in SIEM (InsightIDR) are labeled Endpoint Detection, even if your license includes Endpoint Prevention.
To view detection rules:
- Select Detection Rules from the left menu.
- Apply the Endpoint Detection Rules filter.
These rules are used by Ransomware Prevention to generate alerts.
View Endpoint Detection alerts
By default, Endpoint Detection rules generate:
- An alert
- An associated investigation
These alerts apply to Ransomware Prevention and Next-Generation Antivirus.
Endpoint Detection alerts include detailed fields that provide context about the process, behavior, and system involved. Reviewing these alerts helps you determine whether activity is malicious or expected.
Step 5: Create exclusions for known-good activity
Ransomware Prevention evaluates process behavior, not just files. As a result, legitimate processes may occasionally trigger alerts during Detection Only mode.
You can create exclusions to:
- Stop monitoring a process entirely, or
- Allow a process to run without interference
Exclusions are applied at the prevention group level.
After reviewing alerts in SIEM (InsightIDR), create exclusions for activity you determine is benign before switching to Active Prevention mode.
Learn how to configure exclusions.
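The way the organization-level activation mode (Step 3), a prevention group's action (Step 2), and group-level exclusions (Step 5) combine into a single outcome for one process event can be modelled as a short decision function. The Python below is an added illustration written for this guide, not Rapid7 code: the class and field names, the two exclusion kinds, the dry-run helper for Step 7, the sample groups and the alert history are all constructed, and the assumption that an allowed process produces no alert is the model's own.

```python
"""Toy model of how activation mode, prevention group action and
group-level exclusions resolve into one outcome per process event.
Illustration only; all names here are assumptions, not a product API."""

from dataclasses import dataclass, field
from enum import Enum


class ActivationMode(Enum):
    DETECTION_ONLY = "detection_only"        # org-level default during rollout
    ACTIVE_PREVENTION = "active_prevention"


class Action(Enum):
    MONITOR = "monitor"
    BLOCK = "block"


class Exclusion(Enum):
    STOP_MONITORING = "stop_monitoring"      # process is not evaluated at all
    ALLOW = "allow"                          # evaluated, but never interfered with


@dataclass
class PreventionGroup:
    name: str
    action: Action                           # engine response on a hit
    # lower-cased process path -> exclusion kind; applies to the whole group
    exclusions: dict = field(default_factory=dict)


@dataclass
class Organization:
    activation_mode: ActivationMode
    groups: dict                             # group name -> PreventionGroup
    asset_group: dict                        # asset hostname -> group name

    def move_asset(self, asset: str, group: str) -> None:
        """Re-point an asset at another group; it inherits that group's
        action and exclusions, with no per-asset state to carry over."""
        if group not in self.groups:
            raise KeyError(f"unknown prevention group {group!r}")
        self.asset_group[asset] = group


@dataclass(frozen=True)
class Outcome:
    monitored: bool
    blocked: bool
    alert: bool
    reason: str


def effective_action(mode: ActivationMode, group_action: Action) -> Action:
    """Detection Only is an org-wide override: a group's Block becomes Monitor."""
    if mode is ActivationMode.DETECTION_ONLY and group_action is Action.BLOCK:
        return Action.MONITOR
    return group_action


def evaluate(org: Organization, asset: str, process_path: str) -> Outcome:
    """Resolve one suspicious-behaviour event to what the agent would do."""
    group = org.groups[org.asset_group[asset]]
    exclusion = group.exclusions.get(process_path.lower())
    if exclusion is Exclusion.STOP_MONITORING:
        return Outcome(False, False, False,
                       f"{process_path} is not monitored in group {group.name}")
    if exclusion is Exclusion.ALLOW:
        # Model assumption: an allowed process is observed but neither
        # blocked nor alerted on.
        return Outcome(True, False, False,
                       f"{process_path} is allowed in group {group.name}")
    action = effective_action(org.activation_mode, group.action)
    return Outcome(True, action is Action.BLOCK, True,
                   f"{group.name}: {group.action.value} -> {action.value} "
                   f"under {org.activation_mode.value}")


def would_block_after_switch(org: Organization, events) -> list:
    """Dry run for Step 7: which Detection Only alerts would turn into
    blocks under Active Prevention?  Anything listed here that is
    known-good still needs an exclusion before the switch."""
    active = Organization(ActivationMode.ACTIVE_PREVENTION, org.groups, org.asset_group)
    return [(asset, proc) for asset, proc in events
            if evaluate(active, asset, proc).blocked]


# Constructed sample configuration and Detection Only alert history.
SERVERS = PreventionGroup("servers", Action.BLOCK,
                          {"c:\\backup\\backupagent.exe": Exclusion.ALLOW})
WORKSTATIONS = PreventionGroup("workstations", Action.BLOCK,
                               {"c:\\tools\\dev-build.exe": Exclusion.STOP_MONITORING})
ORG = Organization(ActivationMode.DETECTION_ONLY,
                   {"servers": SERVERS, "workstations": WORKSTATIONS},
                   {"fs01": "servers", "ws-042": "workstations"})

DETECTION_ONLY_ALERTS = [                    # (asset, process) pairs, constructed
    ("fs01", "C:\\Backup\\BackupAgent.exe"),
    ("fs01", "C:\\Users\\Public\\enc.exe"),
    ("ws-042", "C:\\Tools\\dev-build.exe"),
    ("ws-042", "C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe"),
]

if __name__ == "__main__":
    for asset, proc in DETECTION_ONLY_ALERTS:
        print(asset, proc, evaluate(ORG, asset, proc))
    print("would block after switch:", would_block_after_switch(ORG, DETECTION_ONLY_ALERTS))
    ORG.move_asset("ws-042", "servers")      # inherits the servers group's settings
    print(evaluate(ORG, "ws-042", "C:\\Tools\\dev-build.exe"))
```

Running the model in Detection Only mode shows every unexcluded event alerting without a block, while `would_block_after_switch` lists the two events that would be stopped once the organization moves to Active Prevention; that list is the review queue for Step 5. Moving `ws-042` into the servers group drops its workstation exclusion, which is why the guide stresses that configuration lives on the group, not the asset.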
Managed Detection and Response (MDR)
All Ransomware Prevention alerts are monitored by Rapid7’s Managed Detection and Response (MDR) service. In addition to creating exclusions yourself, you can also work with your MDR team to implement exclusions on your behalf.
Step 6: Protect the agent with Tamper and Password Protection
To prevent malicious or unauthorized changes, you can enable Tamper Protection and Password Protection.
Tamper Protection safeguards the Ransomware Prevention component of the Rapid7 Agent (Insight Agent) by preventing:
- File modification
- Service stoppage
- Unauthorized uninstallation
Password Protection adds an additional layer of control by requiring a one-time passcode (OTP) or a fixed password.
You can enable Password Protection at:
- The organization level
- Individual prevention groups that require additional security
Learn more about configuring Tamper Protection and Password Protection.
Step 7: Switch to Active Prevention mode
You’re ready to switch to Active Prevention mode after you have:
- Reviewed alerts in SIEM (InsightIDR)
- Created exclusions for known-good activity
- Organized assets into prevention groups
- Enabled Tamper and Password Protection (recommended)
The time required to complete the switch depends on your environment, including the number of systems, applications, and teams involved. Once enabled, Ransomware Prevention will actively block suspected ransomware and malicious behavior across your protected assets.