Summary: While almost all of Third Wall's policies utilize Automate's standard, group-assigned monitor structure, the Ransomware Monitor employs a custom solution. This departure from the standard has prompted some questions. This paper describes the operation of this policy in full, with a focus on Automate components and ticketing.
Advantages: Although this method adds complexity to the alerting process, it also provides a near-instant response to a ransomware event. This could not be done with a standard monitor, as Automate monitors are, by definition, time-based, repeating events. By using the method described below, Third Wall is able to both execute an Alert Action (such as isolating the computer from the network) and deliver administrative notification without delay.
Policy Initialization: When the policy is enabled and the setting saved to the Location, an 'Update Config' Automate command is issued to all remote computers within the Location. This causes all remote computers to run the arming process. This process:
- Checks for current console users. When none are found, it terminates (see the Static Path exception below).
- When a user is found, the SID of that user is pulled. The registry (HKLM\Software\LabTech\plugins\ThirdWall\Store) is then searched for any entry beginning with 'TWMM:' and containing that SID.
- When none is found, one is created and the process continues.
- When one is found, its cycle number is noted. When the number is < 12, the process stops. When > 12, the count is reset and the process continues.
- The Automate Tray, running in the context of the locally signed-in user, looks up its assigned path to \documents
- The Automate Tray checks that the path exists and that four bait files are contained within it. If either condition is not met, it is auto-fixed (i.e. the folder is created and/or the missing file(s) are created).
- Windows File Watchers are applied to all four files. These watchers are instructed to call ThirdWall.dll upon any change, deletion or rename event.
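The arming steps above (path check, bait-file creation, and a watcher that fires on change, deletion or rename), reproduced as an added PowerShell example. This is illustrative code, not Third Wall's or Automate's own; the bait folder, bait file names and the handler body are assumptions, and the handler simply logs where ThirdWall.dll would be called.

```powershell
# Added example, not Third Wall code: arms a set of bait files in the signed-in
# user's Documents folder and watches them with System.IO.FileSystemWatcher.
$baitDir   = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'TW-Bait'  # assumed subfolder
$baitNames = @('bait1.docx', 'bait2.xlsx', 'bait3.pdf', 'bait4.txt')             # assumed names

# Step 1: ensure the path exists and all four bait files are present (auto-fix).
if (-not (Test-Path -LiteralPath $baitDir)) {
    New-Item -ItemType Directory -Path $baitDir | Out-Null
}
foreach ($name in $baitNames) {
    $file = Join-Path $baitDir $name
    if (-not (Test-Path -LiteralPath $file)) {
        Set-Content -LiteralPath $file -Value 'bait file - do not modify' -Encoding ASCII
    }
}

# Step 2: one watcher on the folder; the handler checks whether the affected file
# is a bait file. For a rename, the old name is checked as well, because the
# event carries the new name in .Name and the original in .OldName.
$handler = {
    $e    = $Event.SourceEventArgs
    $bait = $Event.MessageData
    $old  = if ($e -is [System.IO.RenamedEventArgs]) { $e.OldName } else { $null }
    if (($bait -contains $e.Name) -or ($bait -contains $old)) {
        # This is where ThirdWall.dll would be invoked to run Detection Actions
        # and raise the Automate Alert Action. Here we only log the trigger.
        Write-Host ('{0} BAIT {1} on {2}' -f (Get-Date -Format o), $e.ChangeType, $e.FullPath)
    }
}

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $baitDir, '*.*'
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
foreach ($evt in 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $handler `
        -MessageData $baitNames | Out-Null
}
$watcher.EnableRaisingEvents = $true

# Keep the session alive so the registered events can fire (Ctrl+C to stop).
while ($true) { Start-Sleep -Seconds 1 }
```

A single write can raise more than one Changed event, so a production handler should de-duplicate triggers before taking a disruptive action such as network isolation.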
Enabling the Policy for a Location also makes changes to Automate:
- All Location members are added to the ThirdWallV2\Security Monitoring and Logging\Ransomware Monitor group.
- This group membership applies the TW - Ransomware Monitor monitor to all computers.
- The monitor (by default) runs once every five minutes.
- The monitor's job is to perform the arming process, described above.
Static Path: When a Static Path is assigned in Third Wall Settings (Dashboard -> Config -> Integration -> Third Wall), the Automate Service performs one additional action: the arming process is also run against the assigned Static Path. This arming process is almost identical to the one for the user's \documents folder, with one change: it is not contingent on there being a locally signed-on user. The process creates and maintains bait files on the Static Path regardless of whether a user is signed in.
Detection Actions: In the event one of the assigned bait files registers a change, deletion or rename event, the ThirdWall.dll is called. The dll then does two things:
- Any assigned Third Wall Detection Actions are executed. This can include AV Scan, Isolate, Disable VSS, and/or shutdown.
- The assigned Automate Alert Action will be called, by ID number. This is the mechanism that results in an Automate ticket being generated.
Ticket Assignments: This policy has two different tickets assigned to it, each declaring a different issue. It is important that administrators differentiate between the two. Tickets titled simply 'TW - Ransomware Monitor' are alerting you to a problem with the policy's setup and should not be confused with tickets titled 'TW - Ransomware Monitor tripped on computer...'. The former ticket is alerting you that Third Wall could not set up the bait files as expected; the latter is alerting you that one or more of those bait files have been manipulated. When in doubt, check the body of the ticket. It will always describe the cause of its issuance.
Administrator Notes: As this policy has two effective (but one actual) monitors assigned, there are two different tickets which can be issued from this one policy:
Setup tickets ('TW - Ransomware Monitor') are assigned by the Group and have the ability to auto-close. Like most Third Wall monitors, once the plugin sees that the conditions which failed the monitor have been fixed, in this case once it can confirm the bait files have been applied for all locally signed-on users, the TW - Ransomware Monitor ticket auto-closes.
Alert tickets ('TW - Ransomware Monitor tripped on computer...') are assigned on the policy itself, on the Location screen, and do not have this ability to auto-close. They require the ticket to be closed manually once the threat has been removed or discounted. If the ticket is not manually closed, any subsequent alerts from the same computer will not generate a new ticket. Instead, the alert will be appended to the existing, open ticket. This may or may not impact your visibility.