
How LimaCharlie helps in the fight against ransomware

Christopher Luft
LimaCharlie & Ransomware

How does LimaCharlie help in the fight against ransomware?

This is always a tricky one to answer. It is unrealistic to suggest that any approach is 100% effective in stopping a ransomware attack, especially one from well-resourced and sophisticated actors. A targeted ransomware attack will almost always involve weeks or months of dwell time as the actors work out where the detonation points should be. It is during this reconnaissance stage that we have the best chance of stopping an attack.

Monitoring everything from one place.

LimaCharlie is effective in stopping ransomware during the reconnaissance stage because we can deploy everywhere. LimaCharlie gathers telemetry and external artifacts from a wide range of sources, normalizes it all to JSON and runs that data through its detection and response engine. This global view allows LimaCharlie to make correlations and identify intruders no matter how they move around and try to hide. LimaCharlie’s coverage allows it to detect intruders faster than the competition and in most cases before the malicious actors can lay an effective trap.

An unparalleled response capability.

In the unlikely event of a ransomware detonation, the second line of defense is mitigation. Sometimes, despite best practices and full coverage, the bad guys manage to evade detection and successfully lay their trap. In this scenario, LimaCharlie has a major advantage: the real-time, semi-persistent TLS connection it maintains with every endpoint. This means that if detection logic is in place to catch a ransomware event, a response action can be taken across the entire fleet in 100ms on average. Every box can be instantly isolated from the network while a line of command and control is kept open through LimaCharlie. This minimizes damage, since it prevents further exfiltration of data and blocks incoming commands that would trigger more actions. It also gives the analysts responding to the event access to all the machines and a full year's history of telemetry. From this position analysts can run remediation scripts on the endpoints, kill process trees and hunt for any remaining malicious presence.

One approach to detecting a ransomware detonation before it can proliferate is to watch for FILE_TYPE_ACCESSED events from LimaCharlie, which fire the first time a process accesses a new file type. A process touching several new file types in quick succession is a strong indicator of ransomware encrypting files. Here's a sample rule:

```yaml
event: NEW_PROCESS
op: exists
path: event
with child:
  op: exists
  event: FILE_TYPE_ACCESSED
  path: event
  within: 10
  count: 3
```
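To make the rule's stateful logic concrete, here is an added Python emulation (not LimaCharlie's own engine or code) of how the parent/child match plays out over a constructed event stream: a NEW_PROCESS parent fires once three FILE_TYPE_ACCESSED children tied to it arrive within 10 seconds. The `routing` layout with `this`/`parent` atoms and millisecond `event_time` values is an assumption about the telemetry shape, and all sample records are constructed.

```python
from collections import defaultdict

WITHIN_SECONDS = 10   # mirrors 'within: 10' in the rule above
CHILD_COUNT = 3       # mirrors 'count: 3' in the rule above

def detect_bursts(events, within=WITHIN_SECONDS, count=CHILD_COUNT):
    """Return the atoms of NEW_PROCESS events the rule would fire on.

    Events are dicts shaped like LimaCharlie's JSON telemetry (assumed layout):
    a 'routing' section with event_type, event_time (ms since epoch) and the
    'this' / 'parent' atoms that tie a child event to its process, plus an
    'event' payload. The window is measured from the NEW_PROCESS event, which
    is this emulation's interpretation of 'within', not taken from the page.
    """
    starts = {}                      # process atom -> start time (ms)
    hits = defaultdict(int)          # process atom -> matching child events
    fired = []
    for ev in sorted(events, key=lambda e: e["routing"]["event_time"]):
        r = ev["routing"]
        if r["event_type"] == "NEW_PROCESS":
            starts[r["this"]] = r["event_time"]
        elif r["event_type"] == "FILE_TYPE_ACCESSED":
            parent = r.get("parent")
            if parent not in starts:
                continue             # no matching NEW_PROCESS seen: ignore
            if r["event_time"] - starts[parent] > within * 1000:
                continue             # outside the window, does not count
            hits[parent] += 1
            if hits[parent] == count:
                fired.append(parent) # rule fires exactly once per process
    return fired

def _ev(kind, t_ms, this, parent=None, **payload):
    """Build one constructed telemetry record (sample data, not real logs)."""
    return {"routing": {"event_type": kind, "event_time": t_ms,
                        "this": this, "parent": parent}, "event": payload}

# Constructed sample stream: a word processor touching two new file types
# slowly, and an encryptor touching three new types within four seconds.
SAMPLE_EVENTS = [
    _ev("NEW_PROCESS", 1_000, "atom-office", FILE_PATH="C:\\Office\\word.exe"),
    _ev("FILE_TYPE_ACCESSED", 2_000, "a1", "atom-office", FILE_PATH="notes.docx"),
    _ev("FILE_TYPE_ACCESSED", 30_000, "a2", "atom-office", FILE_PATH="img.png"),
    _ev("NEW_PROCESS", 50_000, "atom-enc", FILE_PATH="C:\\Users\\x\\enc.exe"),
    _ev("FILE_TYPE_ACCESSED", 50_500, "a3", "atom-enc", FILE_PATH="q1.xlsx"),
    _ev("FILE_TYPE_ACCESSED", 51_000, "a4", "atom-enc", FILE_PATH="cv.pdf"),
    _ev("FILE_TYPE_ACCESSED", 54_000, "a5", "atom-enc", FILE_PATH="holiday.jpg"),
]

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))   # ['atom-enc']
```

Tightening `within` or raising `count` trades missed slow encryptors for fewer false positives on legitimate bulk file handling, which is the tuning decision the rule above leaves to the defender.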

Get started exploring LimaCharlie with our full featured free tier by signing up here.