What to expect when testing Ransomware Canaries

Team: Huntress EDR
Environment: Ransomware Canaries 
Summary: Below is what you should expect when testing ransomware canaries 

We get it, you want to test out the capabilities of our ransomware response by tinkering with the Ransomware Canaries! We've got you covered but we want to be sure you know what to expect when testing Ransomware Canaries. 

What to expect when testing

Generally, we will be able to spot when a canary has been tripped by legitimate ransomware or if someone is just poking around with it. In cases where it is obvious that a canary is just being tested we will still report on it but it might take a little longer if we have other more pressing investigations to attend to. 

The incident report we will push to your dashboard and PSA integrations (If they are set up) will be a Low report and the canaries will be automatically reset. Inside the incident report, we will give you some information about how we discovered that it was someone testing and not the real deal.

How to test our Canaries

• Deploying ransomware 
• Modifying/Encrypting canary files
• Relocating (or "hiding") canary files

Below is an example of a response to a canary tripped by testing: