Ransomware Detection
Overview
The Lightbeam Ransomware Detection feature is designed to identify ransomware notes within your organization's data sources. This feature automatically classifies text files that contain threatening language, contact information, and payment demands typically left by attackers after encrypting or compromising data.
Key Benefits
Automated Detection: Identifies ransomware notes without manual intervention
Policy-Based Alerting: Configure custom alerts when ransomware notes are detected
Classification: Provides classification labels for detected threats
Integration: Works seamlessly with existing Lightbeam data discovery workflows
Feature Capabilities
Detection Scope
File Types: Currently supports text files (.txt) only
Content Analysis: Identifies threatening language patterns
Contact Information: Detects attacker communication channels
Payment Demands: Recognizes ransom payment requests
Classification Labels
Files identified as ransomware notes receive the "Ransomware" sublabel classification
Detailed attributes and metadata are captured for each detected note
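As an added illustration of the kind of content analysis described above (this is example code, not Lightbeam's own classifier or rules), the following Python scorer checks a text file against the three indicator categories named under Detection Scope and only flags it when more than one category matches; the regex patterns, the .txt-only scope handling and the sample inputs are constructed assumptions:

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicator patterns for the three categories the page names. These regexes
# are this example's own assumptions, not Lightbeam's classification rules.
INDICATORS = {
    "threatening_language": [
        r"\bfiles?\b.*\b(encrypted|locked)\b",
        r"\b(permanently|forever)\b.*\b(lost|deleted)\b",
        r"\b(do not|don't)\b.*\b(rename|modify|decrypt)\b",
    ],
    "contact_information": [
        r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}",  # e-mail address
        r"\b[a-z2-7]{16,56}\.onion\b",             # Tor hidden service
        r"\b(telegram|tox id|session id)\b",
    ],
    "payment_demands": [
        r"\b(bitcoin|btc|monero|xmr)\b",
        r"\b(pay|payment|ransom)\b",
    ],
}

@dataclass
class Verdict:
    is_ransomware_note: bool
    score: int                      # number of indicator categories hit
    matched: dict = field(default_factory=dict)

def classify_text(text: str, threshold: int = 2) -> Verdict:
    """Flag text as a ransomware note when at least `threshold` categories match."""
    matched = {}
    for category, patterns in INDICATORS.items():
        for line in text.lower().splitlines():   # match per line, not across lines
            hits = [p for p in patterns if re.search(p, line)]
            if hits:
                matched.setdefault(category, []).extend(hits)
    return Verdict(len(matched) >= threshold, len(matched), matched)

def classify_file(path: str) -> Optional[Verdict]:
    """Honour the page's scope: only .txt files are assessed."""
    if not path.lower().endswith(".txt"):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_text(fh.read())

# Constructed sample inputs (not real notes), used for the checks below.
SAMPLE_NOTE = ("ALL YOUR FILES HAVE BEEN ENCRYPTED.\nDo not rename or modify them or they are permanently lost.\n"
               "Contact support@example.invalid to receive your key.\nPayment in Bitcoin only.\n")
SAMPLE_BENIGN = "Q3 notes: pay the vendor invoice by Friday; files are in the shared drive.\n"
```

The benign sample hits only the payment category (the word "pay"), which is why the threshold of two distinct categories keeps it from being flagged.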
Prerequisites
Before configuring ransomware detection, ensure you have:
Data Source Access: Configured data sources in Lightbeam (Google Drive, file shares, etc.)
Scanning Permissions: Appropriate permissions to scan target directories
Policy Management: Administrative rights to create detection policies


Configuration Steps
Step 1: Access Data Sources
Navigate to Datasources in the main navigation menu

Select your target data source (e.g., "RSW" Google Drive)
Ensure the data source shows "Scanning" status

Step 2: Configure Scan Settings
Click on your data source name to access configuration

Navigate to Configuration in the left sidebar

Click on Scan settings.

Click on Edit to make changes.

Select one of the given options to configure: i) Scan all Drives ii) Scan selected Drives iii) Scan folder

You have the option to Scan only shared drives if needed.

If you selected Scan all Drives, then ensure Exclusion lists are properly configured.
If you selected Scan selected Drives, then ensure Inclusion lists are properly configured.

Click on Save.

Once the scanning configurations have been saved, click on the '>' sign in the left sidebar to open it.

Click on the Files row.

Once scanning has finished, the screen displays the scanned data source with its document categories. To view each file as a row, click the row icon on the right.

Each file that has a ransomware threat will be highlighted with the label 'Ransomware Note' under Doc Classification.

Click on a file to open it.

Under the Details tab, the Classification section displays the labels "Ransomware Note" and "Ransomware".

Creating Alert Policies
Step 1: Navigate to Policies
Go to Playbooks > Policies

Click Create New Rule Set or Create New in the Discovery & Classification section.

Step 2: Configure Policy Details
Policy Type: Select "Discovery & Classification: Detection" (or confirm it is already set to that value)
Rule Set Name: Enter "Policy for Ransomware" (or custom name)
Rule Set Description: Add descriptive text

Step 3: Set Rule Criteria
Condition: Set to "Any of these (OR)"
Document Classification: Select "Ransomware Note". In the classification selection:
Check "Ransomware"

To ensure proper file type restrictions, click Add File Type Condition.

Check Text and Word Processing and keep all the file types that are automatically checked on the right.

Step 4: Data Source Selection
Select Data Sources: Choose your configured data sources
Verify "All drive(s) included" for comprehensive coverage

Step 5: Alert Configuration
Receive alerts: Set to "Enabled"
Assign Alert to: Select "Datasource Owner(s)" or specific users
Alert Notification: Configure notification preferences

Step 6: Finalize Policy
Review all settings in the Summary panel
Click "Save & Close" to activate the policy


Alert Management
Navigate to Playbooks > Alerts

Review triggered ransomware detection alerts

Alerts show detection notifications when ransomware notes are found
