We've recently released an updated version of Ransomware Canaries that we're calling Canaries V2. Updates include new file types (PDF and XLSX), system profile canaries, EFS visibility, the ability to add your own logo/support URL, and the ability to disable canaries. Please see Updates to Canaries (and below) for details!
The Huntress "Ransomware Canaries" service is designed to detect ransomware activity on an endpoint. Similar to how miners used canaries in coal mines to detect carbon monoxide, this feature deploys canary files in various directories and monitors them for changes. When the Huntress Agent detects that a canary file has been altered, renamed, or deleted (such as by ransomware encryption), it will alert our Security Operations Center (SOC). The SOC will review the conditions causing the alert in order to confirm ransomware and send an incident report with incident details.
NOTE: The Ransomware Canaries feature is part of a detection and alerting platform and does not by itself prevent ransomware from detonating or spreading; our Managed Host Isolation feature must be enabled for automatic action to take place. This warning capability allows for early alerting, leading to a faster response and ideally better containment of an incident. It also allows for the easy identification of endpoints that were affected in a ransomware outbreak, assisting our partners in discovering the scope of an attack. It also allows Host Isolation if enabled.
This article covers the technical details of Huntress' Ransomware Canaries. If you are looking for a less-detailed version to pass to end-users, see our other version here: https://support.huntress.io/hc/en-us/articles/4404005090067-Ransomware-Canaries
IN THIS ARTICLE
- Enabling Ransomware Canaries
- Viewing Ransomware Canaries from the Portal
- The Dashboard View: Ransomware Canaries
- Agent Details View: Monitored Files
- Viewing the Ransomware Canaries on a Host
- Remediating Ransomware Canaries
- FAQ
Note on testing Ransomware Canaries: Partners often try to change the contents of a single canary file or delete it entirely. This is not the normal behavior of an actual ransomware event and may result in delayed reporting (or no report at all).
To enable Ransomware Canaries, click the "birdcage" icon on the left side of the home page and click "Enable".
Ransomware Canaries must be enabled by a user who is an Administrator on the account. Canaries must also be enabled from the Account level; if a user attempts to enable Canaries from the Organization home page, they will receive a message to contact the Account Administrator.
Viewing Ransomware Canaries from the Huntress Portal
There are two places in the Huntress Portal where you can find canary information: the Dashboard, and the "Monitored Files" view at the Agent level.
The Dashboard View: Ransomware Canaries
To see the summary of all ransomware canary data for your account, click on the bird in the cage in the left-hand menu bar to see the dashboard view for your account's canaries.
In this view, you can see three states of a canary file: Armed, Pending, and Tripped. When viewing the agent details (see below), these states correspond to a variety of individual canary file states.
Armed - Indicates the number of canaries that have been successfully deployed in your environment and are being monitored. (See the "Monitored" state below.)
Pending - Indicates the canary file has been queued to be placed on the Host and will be added the next time the Agent checks in. This is typical when a Huntress agent is initially deployed.
Tripped - Indicates a canary file that is in either the "Modified" or "Missing" state (see below). The Huntress SOC will investigate the canaries in this state, and incident reports will be generated if we find signs of ransomware activity.
Agent Details View: Monitored Files
To view information on the ransomware canaries for a machine, log into the Huntress Dashboard, select the Agent, and click "Monitored Files" on the left side.
Individual canary files will be in one of the following states:
Pending - Indicates the canary file has been queued to be placed on the Host and will be added the next time the Agent checks in. This is typical when a Huntress agent is initially deployed.
Monitored - Indicates the canary file has successfully been placed and the file is being monitored for ransomware activity.
Modified - Indicates the canary file has been modified but retains the same file name as its original state. If a canary is in this state, an investigation will occur and incident reports will be generated if we find signs of ransomware activity.
Missing - Indicates the canary file has been deleted or renamed. If a canary is in this state, an investigation will occur, and incident reports will be generated if we find signs of ransomware activity.
Failed - Indicates Huntress was unable to place a canary file on an endpoint; depending on the reason why, we may try to replace this file. If this condition persists, contact Huntress support for assistance in resolution.
Viewing the Ransomware Canaries on a Host
Canary files will be placed in several locations across a system commonly attacked by ransomware, such as %USERPROFILE%\Documents. The files, and the hidden directories they are placed in, are randomly named. The files are a mix of common file types targeted by ransomware such as .docx. These files are small and shouldn't have any measurable impact on disk usage.
While most users shouldn't be aware the canary files are present, as they're hidden, some power users and administrators may have "Show Hidden Files" enabled in Windows Explorer. In that case, this is an example of what those files may look like:
If the user decides they're still curious and opens the file, they will be presented with a document that looks similar to the one below. This is an example of a .docx canary file, but all file formats will have a similar message in them and open with their respective application. Each of the canary files contains a URL to our non-technical description of the canary file which you can review here.
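As an added illustration (not Huntress' own code, and not a description of how the Huntress Agent actually performs its check), the following Python models the canary lifecycle described above: a canary dropped into a randomly named hidden directory under the profile's Documents folder, classified on each survey as Monitored, Modified (same name, contents changed) or Missing (deleted or renamed), and re-created with the same file name after remediation. The baseline SHA-256 comparison, the placeholder canary body and the hypothetical `deploy_canary`/`check_canary`/`reset_canary` names are assumptions; the Pending and Failed states are portal-side queue states and are not modeled.

```python
import hashlib
import os
import secrets
import tempfile
from pathlib import Path

# Constructed placeholder body; the real canary is a small document with a URL to the explainer page.
CANARY_BODY = b"This is a canary file used for ransomware detection. Please do not modify it.\n"


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def deploy_canary(profile_dir: Path) -> dict:
    """Drop one canary in a randomly named hidden directory under Documents and record its baseline."""
    # A leading dot hides the directory on POSIX; on Windows the hidden attribute would be set instead.
    hidden = profile_dir / "Documents" / ("." + secrets.token_hex(6))
    hidden.mkdir(parents=True, exist_ok=True)
    canary = hidden / (secrets.token_hex(6) + ".docx")
    canary.write_bytes(CANARY_BODY)
    return {"path": str(canary), "sha256": sha256(canary)}


def check_canary(record: dict) -> str:
    """Classify a deployed canary into the states used by the Monitored Files view."""
    path = Path(record["path"])
    if not path.exists():
        return "Missing"      # deleted, or renamed (e.g. a new extension appended)
    if sha256(path) != record["sha256"]:
        return "Modified"     # same file name, but the contents no longer match the baseline
    return "Monitored"


def reset_canary(record: dict) -> dict:
    """After remediation the canary is re-created under the same file name and re-baselined."""
    path = Path(record["path"])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(CANARY_BODY)
    return {"path": str(path), "sha256": sha256(path)}


def demo() -> list:
    """Walk one canary through deploy -> in-place change -> rename -> reset and return the observed states."""
    with tempfile.TemporaryDirectory() as tmp:
        rec = deploy_canary(Path(tmp) / "alice")
        states = [check_canary(rec)]
        Path(rec["path"]).write_bytes(os.urandom(64))        # simulate contents being overwritten in place
        states.append(check_canary(rec))
        os.rename(rec["path"], rec["path"] + ".locked")        # simulate the file being renamed
        states.append(check_canary(rec))
        rec = reset_canary(rec)
        states.append(check_canary(rec))
        return states
```

Note that, as the testing caveat above says, hand-editing or deleting a single canary produces exactly these single-file transitions, which is not what a real ransomware event looks like across a profile.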
Remediating Tripped Canaries
Ransomware Canaries act like mousetraps in that when one is tripped (possibly by ransomware) the canary needs to be reset. After receiving an incident report and approving assisted remediation, or completing the manual steps, the Canary will be deleted and will automatically replicate itself on the host. This new Canary file will have the same file name as the former one.
After remediation, the incident will remain open. The report needs to be manually closed by Huntress. Reach out to us to close the incident. Please include the URL link to the Host and/or Incident report in your email.
FAQ
- Performance (resource consumption) - Do the Canaries use up more local resources? The Ransomware Canaries will not use any more resources than what the Huntress Agent already does. On initial rollout, the canaries will be dropped into each user profile folder on the machines (each file is a very small .docx file). From there, each time the Huntress Agent does a survey, it looks to see if the Canary file is there and sends the information to the Huntress Console; there is no computer-side processing.
- Can canaries be installed on shared/network drives? Ransomware Canaries currently reside in users' documents. We do not have the ability to add canary files to network drives (that may change in the future; here's a link to the feature request).
- Roaming profiles - Does the Ransomware Canaries Service support Roaming Profiles/Redirected Folders/etc.? Canaries are tied to the user profile GUID. If roaming profiles are being used, the canary associated with the roaming profile will travel across machines with it (and the Agent will know to match a canary to a specific user). If the canary is not present on the new host that the user logs into, it will be added.
- Will Canaries interfere with OneDrive Synchronization? When initially routing Known Folders to OneDrive, Canaries must first be deleted from the users' Documents folder. If using Intune to restore a user profile, Canaries must first be deleted before restoring Known Folders.
Updates to Canaries (Canaries v2)
For partners who have joined Huntress more recently, Ransomware Canaries are now enabled by default and include additional capabilities. Existing partners should expect to see these new capabilities rolled out in early 2022.
Co-Branded Canaries
Co-branded canaries embed partner company logos and URLs into the canary files when pushed out to managed endpoints, allowing partners to own the security conversation with customers. You can add your own logo by going into the hamburger menu at the top right to Settings. Scroll down to Brand Settings. If you already have a logo uploaded, canaries will automatically be embedded with your company logo. An Alternative Canary URL can also be embedded into a canary to direct any users to a partner support page.
Expanded Visibility
Visibility is being expanded with 2 new canary file types.
Unique PDF and XLSX canaries are now rolled out along with DOCX in each individual user profile. In addition, canaries will also be added to the system profile.
Disabling Ransomware Canaries
This action allows you to remove all canaries from managed endpoint machines and turn off the Ransomware Canaries service. The removal of canaries will be processed as a low priority task and may take a few hours before canaries are removed. This is NOT recommended, as it will limit the visibility of the Huntress SOC in alerting you to potential ransomware incidents.
If you are sure you do not wish to roll out canaries to your managed endpoints in your account, you can disable them by going to Settings and scrolling down to Ransomware Canaries. Disabling canaries will be logged.
Removing Ransomware Canaries: if you enable canaries and later decide to turn them off or uninstall Huntress, the canary files will automatically be removed from the host(s).