Ransomware Prevention: Quick Start Guide
Welcome to Rapid7's Ransomware Prevention, an add-on offering for Managed Detection and Response and Managed Threat Complete customers!
What is Ransomware Prevention?
Ransomware Prevention is a Rapid7 Managed Detection and Response (MDR) add-on, which makes Endpoint Prevention technology available as part of the Insight Agent.
Endpoint Prevention adds an extra layer of protection to the assets that have the Insight Agent installed on them, acting as an Endpoint Protection Platform (EPP). Endpoint Prevention also offers Endpoint Detection and Response (EDR) capabilities by integrating with InsightIDR.
With Ransomware Prevention, you can monitor your assets for evasive and suspicious behavior associated with ransomware and malware attacks and prevent those attacks from occurring. The functionality can work alongside any existing third-party EPPs and EDRs.
Refer to the Endpoint Prevention overview to learn more about the Ransomware Prevention add-on and Endpoint Prevention technology.
Prevention engines
Ransomware Prevention is built on Rapid7's prevention engines: categories of logical rules or known-bad signatures designed to detect specific types of behavior at the time of initial access to your environment. When such behavior is detected, the engine responds with its configured action and creates an alert.
Ransomware Prevention grants access to all Rapid7 prevention engines, with the exception of On-Access Scanning (Antivirus).
Install Ransomware Prevention
For the Ransomware Prevention add-on, there are two options for deployment:
Once you have decided which installation option to use, you can follow the installation instructions to install Ransomware Prevention for your Insight Agent.
Configure Ransomware Prevention
Following installation and deployment, you can configure Ransomware Prevention to your organization’s specifications.
Organize assets in prevention groups
Assets that have the add-on deployed are managed in prevention groups. A prevention group logically organizes assets and defines the prevention group settings and Prevention Policies applied to every asset in it. Read about Prevention groups in the Insight Agent Help to learn how to organize your assets with prevention groups.
Monitor initial deployment with activation modes
Ransomware Prevention has an organization-level setting, called activation mode, which overrides the block setting of every Prevention Group. To onboard Ransomware Prevention safely, the default activation mode is Monitor Only.
When the activation mode is Monitor Only, Ransomware Prevention monitors your assets but does not interfere with suspicious activity, even if a Prevention Group is set to Block. It still generates alerts in InsightIDR, so you can learn how the product interacts with existing business workflows and applications and apply exclusions where necessary before anything is blocked.
The other activation mode is Active Prevention. In this mode the Prevention Group settings take effect: activity that a group is configured to block is blocked, and each such event is logged and sent to InsightIDR for analysis and further action. Switch to Active Prevention only after you have completed initial deployment and reviewed the Monitor Only alerts.
Read how to change the activation mode in the Insight Agent Help documentation to learn more about activation modes.
View Endpoint Prevention detection rules in InsightIDR
In InsightIDR, you can view the detection rules that generate Endpoint Prevention alerts, which are also used for Ransomware Prevention.
To view Endpoint Prevention detection rules in InsightIDR, select Detection Rules in the left menu, then select the Endpoint Prevention Rules filter to narrow the list.
View Endpoint Prevention alerts in InsightIDR
By default, all Endpoint Prevention detection rules automatically generate both an alert and an investigation in InsightIDR. These alerts and investigations are also created for Ransomware Prevention.
Endpoint Prevention alerts, which also apply to Ransomware Prevention, contain fields specific to this alert type that help you understand the alert and act on it. Alert details vary by alert type, but the overall structure and the raw event data are common to all of them.
Create exclusions
Ransomware Prevention focuses on processes and their behavior. Because of this, you can configure exclusions so that Ransomware Prevention stops monitoring a process completely, or stops interfering with the actions taken by a process. Exclusions are applied to prevention groups, rather than individual assets. If an asset is moved to another prevention group, it receives the exclusions applied to that group and loses exclusions that were applied to the previous group.
After deploying Ransomware Prevention with activation mode set to Monitor Only, you might notice alerts in InsightIDR that show how Ransomware Prevention interacts with your daily processes, applications, and tasks. For activities that you determine are benign, we recommend adding exclusions before switching activation mode to Active Prevention.
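As an added example (not Rapid7 code, and not the InsightIDR alert schema), the following Python script shows the Monitor Only review described above. It resolves what the agent would do with an event given the organization-level activation mode, the prevention group's setting and any exclusion, then groups constructed alert records by process and rule to find processes that recur across many assets (exclusion candidates) and counts how many alerts would turn into blocks the moment Active Prevention is switched on. The field names (asset, group, process, rule), the rule names, the group action values and the thresholds are assumptions; the exclusion set is a flat set of process paths for simplicity, whereas in the product exclusions are applied per prevention group.

```python
"""Review Monitor Only alerts before switching to Active Prevention.

Added example, not Rapid7 code. The alert field names (asset, group,
process, rule), the rule names, the group action values and the
thresholds are assumptions for illustration; the real InsightIDR alert
schema is described in the Insight Agent Help.
"""
from collections import defaultdict

MONITOR_ONLY = "Monitor Only"
ACTIVE_PREVENTION = "Active Prevention"


def effective_action(activation_mode, group_action, excluded=False):
    """Resolve what the agent does with one suspicious event.

    An exclusion removes the process from monitoring entirely; otherwise
    the organization-level activation mode wins over the group setting,
    and only in Active Prevention does a group's Block setting take effect.
    """
    if excluded:
        return "ignore"
    if activation_mode == MONITOR_ONLY:
        return "alert"  # alert only, even if the group is set to Block
    return group_action  # "block" or "alert", as the group is configured


def summarize(alerts):
    """Count alerts per (process, rule) and collect the assets involved."""
    stats = defaultdict(lambda: {"count": 0, "assets": set()})
    for a in alerts:
        entry = stats[(a["process"], a["rule"])]
        entry["count"] += 1
        entry["assets"].add(a["asset"])
    return stats


def exclusion_candidates(alerts, min_assets=3, min_count=5):
    """Processes that trip the same rule repeatedly across many assets.

    Those are the ones to verify with the business owner (expected path,
    signed binary, known tool) and exclude before enabling blocking.
    A process seen on one or two assets is deliberately not a candidate:
    it goes to the SOC for investigation, because a broad exclusion for a
    rare hit is how a real intrusion gets allow-listed.
    """
    out = []
    for (process, rule), s in summarize(alerts).items():
        if len(s["assets"]) >= min_assets and s["count"] >= min_count:
            out.append({"process": process, "rule": rule,
                        "count": s["count"], "assets": sorted(s["assets"])})
    return sorted(out, key=lambda c: -c["count"])


def would_block(alerts, group_actions, exclusions):
    """Alerts that would turn into blocks the moment Active Prevention is on."""
    return [a for a in alerts
            if effective_action(ACTIVE_PREVENTION, group_actions[a["group"]],
                                a["process"] in exclusions) == "block"]


# Constructed sample data (not real alerts).
BKAGENT = r"C:\Program Files\BackupCo\bkagent.exe"
GROUP_ACTIONS = {"file-servers": "block", "workstations": "block", "dev-lab": "alert"}


def _alert(asset, group, process, rule):
    return {"asset": asset, "group": group, "process": process, "rule": rule}


ALERTS = (
    # backup agent renaming many files on every file server: benign, recurring
    [_alert(f"fs0{i}", "file-servers", BKAGENT, "mass-file-rename")
     for i in range(1, 5) for _ in range(2)]
    # one workstation, one hit, odd path: investigate, do not exclude
    + [_alert("ws07", "workstations",
              r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe", "mass-file-rename")]
    # lab debugger injecting into processes on a single host: frequent but not widespread
    + [_alert("dev01", "dev-lab", r"C:\tools\debugger.exe", "process-injection")
       for _ in range(6)]
)

if __name__ == "__main__":
    for c in exclusion_candidates(ALERTS):
        print(f"candidate: {c['process']} ({c['rule']}) on "
              f"{len(c['assets'])} assets, {c['count']} alerts")
    print("blocked on day one without exclusions:",
          len(would_block(ALERTS, GROUP_ACTIONS, set())))
    print("blocked with backup agent excluded:   ",
          len(would_block(ALERTS, GROUP_ACTIONS, {BKAGENT})))
```

Run against the constructed data, the backup agent is the only exclusion candidate; without that exclusion nine alerts would become blocks on the first day of Active Prevention, with it only the single suspicious workstation hit remains, which is the one you want blocked. The thresholds are deliberately conservative: prevalence across assets is what distinguishes a business tool from a single compromised host.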
Exclusions can be applied by your Managed Detection and Response team
All alerts from Ransomware Prevention are monitored by Rapid7’s Managed Detection and Response (MDR) service. In addition to creating exclusions on your own, you can also work with your MDR team to implement exclusions on your behalf.
Protect your assets using Tamper Protection and Password Protection
To ensure malicious activity cannot disable Ransomware Prevention, you can configure Tamper Protection and Password Protection.
The Tamper Protection engine contains rules that protect the Ransomware Prevention component of the Insight Agent itself. When Tamper Protection is turned on, it prevents malware and attackers from tampering with the files and functionality of Ransomware Prevention and the Insight Agent, so protection on an asset is not silently removed. Tamper Protection also offers the option of turning on Password Protection.
Password Protection uses a one-time passcode (OTP) or a fixed password to limit who can update, stop, or uninstall the Ransomware Prevention add-on. You can enable it at the organization level and for individual prevention groups that require extra security. For details, read about configuring Tamper Protection and Password Protection in the Insight Agent Help documentation.
Switch to Active Prevention mode
After completing initial deployment, setting policies and exclusions, organizing your assets in prevention groups, and enabling Password Protection, switch the activation mode to Active Prevention. Until you do, Ransomware Prevention only alerts; nothing is blocked.
The time needed to move from Monitor Only to Active Prevention depends on the size and complexity of your organization: for example, the number of systems, applications, and teams whose workflows must be reviewed for exclusions.