Why didn't Huntress detect a malicious file/activity/ransomware?
Malicious Files and/or Activity
Huntress detects malware by looking for the footholds malware adds so that it starts again when the system boots or a user logs in. Huntress analyzes persistence mechanisms such as services, scheduled tasks, registry Run keys, and the other auto-start locations Windows provides, any of which malware can use to establish a foothold. Huntress focuses on finding these malicious footholds and leaves full disk scans, behavioral analysis, and network monitoring to preventive security solutions. The intent of this strategy is to find persistent malware that has slipped past those other solutions.
Ransomware detection was not the intent of Huntress, but occasionally Huntress will identify ransomware as a byproduct of hunting for footholds.
Ransomware typically carries out its malicious activity and then deletes itself, often without creating a foothold. Sometimes ransomware will encrypt a desktop.ini file within a user's Startup folder, or place a ransom notice there so that it opens when the user logs in. Huntress will flag these "footholds". Unfortunately, many newer ransomware variants only encrypt document files (PDF, Word, XLS, etc.) and do not drop a ransom notice, so those ransomware infections would not be seen by Huntress at all.
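As an added example (not Huntress's own tooling), the PowerShell inventory below walks the same kinds of auto-start locations described above, Run keys, Startup folders, scheduled tasks and auto-start services, and separately flags the Startup-folder desktop.ini and ransom-note style files mentioned for ransomware, so a defender can baseline a host and review anything unexpected. The key and folder paths and the ransom-note filename heuristic are assumptions; run it as Administrator on PowerShell 5.1 or later.

```powershell
# Added example, not Huntress code: inventory Windows auto-start "foothold" locations.
# Key paths, folder paths and the ransom-note name pattern below are assumptions.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Source, [string]$Name, [string]$Target) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target })
}

# 1. Registry Run / RunOnce keys (machine-wide and current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata
        Add-Finding -Source $key -Name $p.Name -Target $p.Value
    }
}

# 2. Startup folders: every file here runs at logon. desktop.ini is normally a hidden
#    system file; an encrypted copy or a ransom-note style file is worth a closer look.
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $tag = 'startup-item'
        if ($_.Name -ieq 'desktop.ini') { $tag = 'startup-desktop.ini (verify not encrypted)' }
        elseif ($_.Name -imatch 'readme|decrypt|restore|recover|how.?to') { $tag = 'startup-possible-ransom-note' }
        Add-Finding -Source $tag -Name $_.FullName -Target $_.LastWriteTime
    }
}

# 3. Enabled scheduled tasks: record each action's executable and arguments
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding -Source "task:$($task.TaskPath)" -Name $task.TaskName -Target "$($a.Execute) $($a.Arguments)" }
    }
}

# 4. Auto-start services whose binary lives outside the Windows directory
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
    ForEach-Object { Add-Finding -Source 'service' -Name $_.Name -Target $_.PathName }

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Capture the output on a known-clean build and diff later runs against it; new entries are the candidates to investigate, while a host whose only change is encrypted documents will show nothing here, matching the limitation described above.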