ExtraHop package captures files before ransomware encrypts them

The best defense against ransomware has been comprehensive backup, but ExtraHop is introducing a way to capture files just before ransomware encrypts them, making it possible to restore those files without relying on backups.

A software upgrade to ExtraHop’s Ransomware Detection bundle picks up on the precursors to ransomware encrypting files and captures those files before the malware has the chance to encrypt them.

The software includes triggers that detect ransomware indicators of compromise; when they fire, packet capture (PCAP) kicks in to record the content of the files being encrypted. The PCAP files are then opened with Wireshark to recreate the original files.

So the bundle doesn’t stop ransomware from doing its mischief, but it can help businesses get their encrypted files back without paying ransom.

If ExtraHop doesn’t pick up on ransomware at work before it encrypts a file, customers would have to rely on backups, hope for a decryption key or pay ransom to recover files.

The ExtraHop package watches network traffic between user endpoints and file servers to see who is using which files and how they are using them: writing, modifying, deleting and so on. It does this by analyzing SMB/CIFS-protocol traffic. When it identifies enough suspicious activity it triggers alerts. One practical caveat: this only works where the file operations are visible on the wire, so SMB 3 sessions with SMB encryption turned on would hide file contents from an out-of-band sensor.

What’s new is that the suspicious activity also triggers packet capture to buffer file content as the ransomware reads files from the file server. Because the ransomware has to read the original file before it can write back an encrypted version, what gets captured is the latest unencrypted version of the file.

Turning the PCAP files back into files, by opening them in Wireshark and extracting the SMB file transfers (Wireshark’s Export Objects feature can reassemble files carried over SMB), is still a manual process, but it does enable restoring the affected files.

The ransomware detection bundle has APIs so alerts can be sent to other platforms such as SIEMs and could potentially trigger enforcement actions by next-generation firewalls, ExtraHop says.

Among the things the bundle looks for are more than 200 file types known to be associated with ransomware, spikes in read/write activity, and patterns of behavior not typical of human users, such as opening scores of files in rapid succession.
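To make the indicators above concrete, here is an added example of the same style of detection logic run over SMB operation records. It is illustrative code written for this page, not ExtraHop’s own software, and everything in it is assumed: the `SmbOp` record shape, the threshold values, the short `RANSOMWARE_EXTENSIONS` list standing in for the bundle’s 200-plus file types, and the constructed sample of one human user and one client behaving like ransomware. It shows the three heuristics the article lists (known bad file types, read/write spikes, many distinct files opened in rapid succession) evaluated over a per-client sliding window, and records the point at which packet capture would be switched on for that client.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass

# Illustrative subset only; the bundle reportedly matches more than 200 such types.
RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".cerber", ".crypt", ".encrypted", ".wncry"}


@dataclass(frozen=True)
class SmbOp:
    """One file operation seen in SMB/CIFS traffic (hypothetical record shape)."""
    ts: float     # seconds since capture start
    client: str   # client address
    op: str       # "open", "read", "write", "rename" or "delete"
    path: str     # share-relative path


class RansomwareDetector:
    """Sliding-window heuristics over each client's recent SMB operations."""

    def __init__(self, window_s=5.0, max_distinct_opens=20, max_rw_ops=40):
        self.window_s = window_s                  # assumed tuning values
        self.max_distinct_opens = max_distinct_opens
        self.max_rw_ops = max_rw_ops
        self._history = defaultdict(deque)        # client -> recent SmbOp
        self.capturing = set()                    # clients for which PCAP was started

    def observe(self, op):
        """Feed one operation; return the list of indicators it tripped (empty if none)."""
        hist = self._history[op.client]
        hist.append(op)
        while hist and hist[0].ts < op.ts - self.window_s:
            hist.popleft()                        # drop ops that fell out of the window

        reasons = []
        ext = os.path.splitext(op.path)[1].lower()
        if op.op in ("write", "rename") and ext in RANSOMWARE_EXTENSIONS:
            reasons.append(f"write/rename to known ransomware extension {ext}")

        distinct_opens = {o.path for o in hist if o.op == "open"}
        if len(distinct_opens) > self.max_distinct_opens:
            reasons.append(f"{len(distinct_opens)} distinct files opened within {self.window_s}s")

        rw_ops = sum(1 for o in hist if o.op in ("read", "write"))
        if rw_ops > self.max_rw_ops:
            reasons.append(f"{rw_ops} read/write operations within {self.window_s}s")

        if reasons and op.client not in self.capturing:
            # This is the point where the product would start packet capture so the
            # plaintext the ransomware is reading from the server gets buffered.
            self.capturing.add(op.client)
        return reasons


def analyze(ops, detector=None):
    """Run every op through the detector; return ({client: [(op, reasons), ...]}, detector)."""
    det = detector or RansomwareDetector()
    alerts = defaultdict(list)
    for op in ops:
        reasons = det.observe(op)
        if reasons:
            alerts[op.client].append((op, reasons))
    return dict(alerts), det


def build_sample_ops():
    """Constructed sample traffic: one ordinary user and one client acting like ransomware."""
    human, bad = "10.0.0.5", "10.0.0.66"
    ops = [
        SmbOp(0.0, human, "open", "reports/q3.xlsx"),
        SmbOp(0.2, human, "read", "reports/q3.xlsx"),
        SmbOp(8.0, human, "write", "reports/q3.xlsx"),
    ]
    for i in range(30):                           # 30 files touched in under 3 seconds
        t = 1.0 + 0.1 * i
        path = f"docs/memo{i:02d}.docx"
        ops += [SmbOp(t, bad, "open", path), SmbOp(t, bad, "read", path),
                SmbOp(t, bad, "write", path), SmbOp(t, bad, "rename", path + ".locky")]
    return sorted(ops, key=lambda o: o.ts)        # stable sort keeps per-file op order


if __name__ == "__main__":
    alerts, det = analyze(build_sample_ops())
    for client, hits in alerts.items():
        first_op, first_reasons = hits[0]
        print(f"{client}: {len(hits)} alerting ops; first at t={first_op.ts}: {first_reasons}")
    print("capture started for:", sorted(det.capturing))
```

The extension check fires on the very first rename, while the rate-based checks only trip once the twenty-first file is opened; in practice that ordering decides how many files were already overwritten before capture began, which is why a deployment would tune the window and thresholds against its own users’ normal file-server behavior.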

The new packet-capture software upgrade is available now. It requires customers to have either an ExtraHop Trace or Discover appliance on which to run the software and to monitor network traffic.

IDG Insider
