Updated on 2024-09-25 GMT+08:00

Enabling Ransomware Prevention

Ransomware is one of the biggest cybersecurity threats today. Ransomware can intrude a server, encrypt data, and ask for ransom, causing service interruption, data leakage, or data loss. Attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses.

If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the HSS premium, WTP, or container edition. Deploy honeypot files on servers and automatically isolate suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.

If the version of the agent installed on the server is not one of the preceding versions or the ransomware protection function is disabled, you can perform the operations in this section to enable ransomware protection.

Prerequisites

You have enabled HSS premium, WTP, or container edition.

Step 1: Creating a Protection Policy

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. Choose Server Protection > Ransomware Prevention.

    If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.

  4. Click the Policies tab and click Add Policy.
  5. Configure policy parameters. For more information, see Table 1.

    Figure 1 Protection policy parameters
    Table 1 Protection policy parameters

    Parameter

    Description

    Example Value

    OS

    Server OS.

    Linux

    Policy

    Policy name

    test

    Action

    Indicates how an event is handled.

    • Report alarm and isolate
    • Report alarm

    Report alarm and isolate

    Dynamic Honeypot Protection

    After honeypot protection is enabled, the system deploys honeypot files in protected directories and other random locations (unless otherwise specified by users). The honeypot files deployed in random locations are automatically deleted every 12 hours and then randomly deployed again. A honeypot file occupies a few server resources. Therefore, configure the directories that you do not want to deploy the honeypot file in the excluded directories.

    NOTE:

    Currently, Linux servers support dynamic generation and deployment of honeypot files. Windows servers support only static deployment of honeypot files.

    Enable

    Honeypot File Directories

    Directory that needs to be protected by static honeypot (excluding subdirectories). You are advised to configure important service directories or data directories.

    Separate multiple directories with semicolons (;). You can configure up to 20 directories.

    This parameter is mandatory for Linux servers and optional for Windows servers.

    Linux: /etc

    Windows: C:\Test

    Excluded Directory (Optional)

    Directory that does not need to be protected by honeypot files.

    Separate multiple directories with semicolons (;). You can configure up to 20 excluded directories.

    Linux: /etc/lesuo

    Windows: C:\Test\ProData

    File Type

    Types of files to be protected.

    More than 70 file formats can be protected, including databases, containers, code, certificate keys, and backups.

    This parameter is mandatory for Linux servers only.

    Select all

    (Optional) Process Whitelist

    Paths of the process files that can be automatically ignored during the detection, which can be obtained from alarms.

    This parameter is mandatory only for Windows servers.

    -

  6. Click OK.

Step 2: Enabling Ransomware Prevention

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. Choose Server Protection > Ransomware Prevention.
  4. Click the Protected Servers tab.
  5. In the Ransomware Prevention Status column of a server, click Enable.

    You can also select multiple servers and click Enable Ransomware Prevention above the server list.

  6. In the Enable Ransomware Prevention dialog box, confirm the server information and select a protection policy.
  7. Click OK.

    If the Ransomware Prevention Status of the server changes to Enabled, ransomware protection is enabled successfully.