Can Perch detect Ransomware?

A new-ish customer asked us this week about the quality of their ransomware detection coverage (based on the intel feeds they were pulling in), and how Perch handles ransomware. It was a great question, so I thought I would recap it here and share it with all of you.

Intel on ransomware:

Perch has a large and ever-growing amount of detections for ransomware. Here are just a few examples if you’d like to take a look.

EmergingThreats:Indicator-2024294

EmergingThreats:Indicator-2021163

Overall, Perch has really good coverage regarding intel sources for ransomware. We recommend every customer add Cisco Talos and Emerging Threats (at a minimum) to get a base level of coverage. They often produce intel around the threats that their research team is finding. The good news is that both of these feeds can be easily added. Here is a walkthrough for Cisco Talos.

If you’d like to see a few examples of Talos intel around ransomware, here’s some examples:

CiscoTalos:Indicator-34965

CiscoTalos:Indicator-28044

CiscoTalos:Indicator-28416

CiscoTalos:Indicator-50378

CiscoTalos:Indicator-50113

How does Perch handle ransomware?

So now that we’ve covered intel sources for ransomware, let’s dive a bit more into the deeper mechanics of how Perch handles ransomware. First, Perch is a detection tool. We are focused on discovering the threats that prevention tools miss. While prevention tools, like anti-virus, are helpful to block the known bad ransomware attacks, we’ve seen first-hand that no prevention tool is a silver bullet. All prevention eventually fails. Perch provides that critical second layer in the detection and response to ransomware. We aren’t a prevention tool, so we aren’t trying to stop it, we’re looking for possible ransomware attacks (among thousands of other threats!) that may have bypassed those prevention tools.

For notification, we of course drop an escalation into your alert queue which will notify you – and our standard operating procedure is to notify a customer via phone if there is a significant critical and actionable event such as ransomware. But your notification preferences are completely customizable, which you will have the opportunity to alter as part of our onboarding process. If you’re an MSP using ConnectWise Automate for RMM, we can leverage the RMM to push an isolation script to remove a host from the network in the event of a significant attack such as ransomware.

Side note for MSPs:

When we look at organizations (especially MSPs!) that have been breached of late, ransomware is usually not the source of the attack – it is the conclusion. Cyber criminals leverage RDP attacks and other vulnerabilities to gain access to a network. Because many SMB and MSPs do not have a threat detection tool like Perch, they are unaware that the cybercriminal has a foothold and is busy escalating privileges throughout the network. As a result, the bad guy reigns free until he is able to deploy ransomware across the entire customer base. Yikes. A tool like Perch is critical for MSPs because we can detect signs of network compromise far before the bad guy actually deploys ransomware. Detection is a critical step in stopping these attacks before they become worse.

I can’t tell you how many MSPs that we’ve talked to who have been hit by ransomware have told us: “We ran all of the necessary prevention tools. We thought we were covered, only to find out that once the attacker got access to our network, they turned all of those tools off. We were sitting ducks.” This is exactly why Perch, as a detection tool, is serving as that defense mechanism. We’ll pick up on those things that are signs of an impending attack. In many cases, Perch is the only way an attack like this would get caught.

Wes Spencer

Wes Spencer
Dictator 2020

Wes Spencer is a hands-on cybersecurity executive with a wealth of experience in the financial services industry and as a professor of information security. Wes built out one of the first threat intelligence platforms for a community bank. Wes is passionate about information security and has a knack for clearly articulating cybersecurity to all levels of the organization. While at FNB, Wes served as the chairman for the Financial Services Information Sharing and Analysis Center's (FS-ISAC) Community Institution Council, providing leadership to over 4,000 member financial institutions. Wes was also selected as a charter member of American Banker's Digital Leadership Council and is a frequently requested speaker at conferences throughout the country.