Ransomware Canaries Technical Details

The Huntress "Ransomware Canaries" service is designed to detect ransomware activity on an endpoint. Similar to how miners used canaries in the coal mines to detect harmful gases like carbon monoxide, this feature works by deploying canary files in various directories and monitoring them for changes. When the Huntress Agent detects that a canary file has been altered, renamed, or deleted (such as when it gets encrypted by ransomware), it will alert our Threat Operations Team. Our team will review the conditions causing the alert and notify the Huntress partner of the incident details. 

NOTE: The ransomware canaries feature is part of a detection and alert platform and does not prevent ransomware from detonating or spreading. This warning capability allows for early alerting, leading to a faster response, and ideally better containment of an incident. It also allows for the easy identification of endpoints that were affected in a ransomware outbreak, assisting our partners in discovering the scope of an attack. 

This article covers the technical details of Huntress' Ransomware Canaries. If you are looking for a less-detailed version to pass to end-users, see our other version here: https://support.huntress.io/article/135-ransomware-canaries

Note on testing Ransomware Canaries: Partners often try to change the contents of a single canary file or delete it entirely. This is not the normal behavior of an actual ransomware event and may result in delayed reporting (or no report at all) if only a single file is modified.

Please note: if you enable canaries and later decide to turn them off or remove Huntress, you will need to manually remove the canary files.

To enable Ransomware Canaries, click the "birdcage" icon from the left side of the home page and click "Enable".

Viewing Ransomware Canaries from the Huntress Portal

There are two places in the Huntress Portal where you can find canary information: the Dashboard, and the "Monitored Files" view at the Agent level.

The Dashboard View: Ransomware Canaries

To see the summary of all ransomware canary data for your account, click on the bird in the cage in the left-hand menu bar to see the dashboard view for your account's canaries.

In this view, you can see three states of a canary file: Armed, Pending, and Tripped. When viewing the agent details (see below), these dashboard states correspond to the individual canary file states listed there.

Armed - Indicates the number of canaries that have been successfully deployed in your environment and are being monitored. (See the "Monitored" state below.)

Pending - Indicates the canary file has been queued to be placed on the Host and will be added the next time the Agent checks in. This is typical when a Huntress agent is initially deployed.

Tripped - Indicates a canary file that is in either the "Modified" or "Missing" state (see below). The Huntress Threat Ops team will investigate the canaries in this state, and incident reports will be generated if we find signs of ransomware activity.

Agent Details View: Monitored Files

To view information on the ransomware canaries for a machine, log into the Huntress Dashboard, select the Agent, and click "Monitored Files" on the left side. 

Individual canary files will be in one of 4 states: 

Pending - Indicates the canary file has been queued to be placed on the Host and will be added the next time the Agent checks in. This is typical when a Huntress agent is initially deployed.

Monitored - Indicates the canary file has successfully been placed and the file is being monitored for ransomware activity.

Modified - Indicates the canary file has been modified but retains the same file name as its original state. If a canary is in this state, an investigation has been triggered and may result in an incident report. 

Missing - Indicates the canary file has been deleted or renamed. If a canary is in this state, an investigation has been triggered and may result in an incident report. 

Failed - Indicates Huntress was unable to place a canary file on an endpoint; depending on the reason, we may retry placing this file. If this condition persists, contact Huntress support for assistance in resolution.

Viewing the Ransomware Canaries on a Host

Canary files will be placed in several locations across a system that are commonly targeted by ransomware, such as %USERPROFILE%\Documents. The files, and the hidden directories they are placed in, are randomly named. The files are a mix of common file types targeted by ransomware, such as .docx. These files are small and shouldn't have any measurable impact on disk usage.
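As an added illustration (this is not Huntress' agent code), the following Python script models the canary lifecycle described on this page: it deploys randomly named files into a randomly named hidden directory, records each file's hash, classifies every file into the Monitored, Modified or Missing states defined in the Agent Details section above, and rolls those up into the dashboard's Armed/Pending/Tripped counts. The file body, the extension list, the SHA-256 comparison, the directory naming and the four-file count are assumptions chosen for the example; the Failed state (a deployment error) is not modelled.

```python
import hashlib
import os
import secrets
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-in for the canary document body. The real files carry a short
# explanatory message and a URL; that exact content is not reproduced here.
CANARY_BODY = b"Canary file: do not modify or delete. See your security provider's canary page.\n"

# Extensions chosen to mimic document types ransomware commonly encrypts (assumption).
CANARY_EXTENSIONS = (".docx", ".xlsx", ".pdf", ".txt")

# Host-level canary states, using the names from the Agent Details section.
PENDING, MONITORED, MODIFIED, MISSING = "Pending", "Monitored", "Modified", "Missing"


@dataclass
class Canary:
    path: Path
    sha256: str  # digest recorded at deployment time


def _hide(path: Path) -> None:
    """Mark a directory hidden. On Windows this sets FILE_ATTRIBUTE_HIDDEN (0x2);
    elsewhere the leading dot in the directory name is the hiding convention."""
    if os.name == "nt":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(path), 0x2)


def deploy_canaries(base_dir, count: int = 4) -> list[Canary]:
    """Place `count` randomly named canary files in a randomly named hidden
    directory under base_dir and record each file's SHA-256."""
    hidden_dir = Path(base_dir) / ("." + secrets.token_hex(4))
    hidden_dir.mkdir(parents=True, exist_ok=True)
    _hide(hidden_dir)
    canaries = []
    for i in range(count):
        name = secrets.token_hex(6) + CANARY_EXTENSIONS[i % len(CANARY_EXTENSIONS)]
        path = hidden_dir / name
        path.write_bytes(CANARY_BODY)
        canaries.append(Canary(path, hashlib.sha256(CANARY_BODY).hexdigest()))
    return canaries


def canary_state(canary: Canary) -> str:
    """Classify one canary: deleted or renamed -> Missing; same name but different
    content (for example encrypted in place) -> Modified; otherwise Monitored."""
    if not canary.path.is_file():
        return MISSING
    if hashlib.sha256(canary.path.read_bytes()).hexdigest() != canary.sha256:
        return MODIFIED
    return MONITORED


def dashboard_summary(states: list[str]) -> dict[str, int]:
    """Roll host-level states up into the account-level Armed/Pending/Tripped counts."""
    summary = {"Armed": 0, "Pending": 0, "Tripped": 0}
    for state in states:
        if state == MONITORED:
            summary["Armed"] += 1
        elif state == PENDING:
            summary["Pending"] += 1
        else:  # Modified or Missing both count as Tripped
            summary["Tripped"] += 1
    return summary


def run_demo():
    """Deploy four canaries into a temporary directory and simulate the three ways a
    canary trips (overwrite in place, delete, rename). Returns (states_before, states_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        canaries = deploy_canaries(tmp)
        before = [canary_state(c) for c in canaries]
        canaries[1].path.write_bytes(b"\x00" * 64)                        # overwritten in place, name kept
        canaries[2].path.unlink()                                         # deleted
        canaries[3].path.rename(canaries[3].path.with_suffix(".locked"))  # renamed
        after = [canary_state(c) for c in canaries]
        return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before, dashboard_summary(before))
    print("after: ", after, dashboard_summary(after))
```

Run it directly to see all four files start as Monitored and end as one Monitored, one Modified and two Missing, with the dashboard roll-up reporting three Tripped. A real agent would re-run the check on its check-in schedule and, in line with the testing note above, weigh a single tripped file differently from many files tripping at once.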

While most users shouldn't be aware the canary files are present, as they're hidden, some power users and administrators may have "Show Hidden Files" enabled in Windows Explorer. In that case, this is an example of what those files may look like: 

If the user decides they're still curious and opens the file, they will be presented with a document that looks similar to the one below. This is an example of a .docx canary file, but all file formats will have a similar message in them and open with their respective application. Each of the canary files contains a URL to our non-technical description of the canary file which you can review here.
