Box Status
Print

Ransomware Activity Detection Rule

Shield , Box Shield , Detection , Ransomware

This detection rule is available only as part of the Shield Pro add-on.

The Ransomware Activity detection rule seeks to identify instances of mass encryption on Box that would indicate a user's device is compromised with ransomware. It monitors user activity and leverages Box machine learning to identify suspicious file extensions that may be indicative of a ransomware attack. 

The Ransomware Activity detection rule monitors activity from managed, external, and anonymous users. 

Create, edit, and delete Ransomware Activity detection rules 

To create or change this detection rule, you need admin rights (or co-admin rights with the Create, edit, and delete Shield configuration for your company permission enabled) in an account with the Box Shield add-on enabled.

See our dedicated page for guidance on how to create, edit, and delete a threat detection rule

Note: Only one Ransomware Activity detection rule can be created for each Box account. 

Ransomware Activity alerts

An alert will display in the Shield Dashboard when ransomware activity is detected. 

Alerts include the alert ID, date, the name and email address of the account holder whose activity triggered the alert, the risk score, and the IP address whose access triggered the alert. 

To view an alert's details:

  1. Go to Admin Console > Shield.
  2. Click the Dashboard tab.
  3. (Optional) Filter the alerts for Ransomware Activity.
  4. In the alert list table, click an alert.
  5. Box displays the alert detail page.

The alert detail page displays the following:

  • Alert Summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, and the target user.
  • Activity Overview: information regarding the suspicious file extension found and associated anomalous activity, including total files renamed, unique file extensions modified, and content owners impacted.
  • Target User Details: information regarding the target user’s location when they triggered the alert, including IP address, IP registrant, and any available region/country data.
  • File Impact: summarizes the files impacted by the user’s activity, showing the top five content owners and file extensions impacted. File recovery can be started from here as well. 

Note: You can view the number of alerts in the past week from the Detection Rules page. For longer timeframes, check the Shield Dashboard.

A feedback box is displayed on the dashboard after an alert. This enables you to provide suggestions and comments to Box which helps to improve functionality. 

End user implications

  • If ransomware activity is detected from a user’s account, the end user is not notified – only Shield admins are alerted of the activity. 
  • If an admin chooses to terminate a user’s session in response to an alert, the user is notified of the action by email. 

Alert actions and remediation 

This detection rule has the following potential actions once suspicious file extensions that may be indicative of a ransomware attack have been identified: 

Terminate all active sessions 

Admins can terminate all of the active user sessions for a managed user who flagged a ransomware detection alert: 

  1. Navigate to the Ransomware Activity alert page.
  2. From the alert page, select Terminate Sessions.

Note: The Terminate Sessions button is disabled 29 days after the alert was created. 

After a managed user has their active sessions terminated, they are able to log back in to Box. 

The end user will see an email explaining what has taken place, when their session is terminated. 

Recover content 

Once a Ransomware Activity detection alert has been generated, you have the ability to remediate the actions caused by the ransomware.

You can initiate Content Recovery from the Shield Dashboard. To recover content:

  1. Navigate to the Ransomware Activity alert page.
  2. From the alert page, select Recover Content.
  3. A pop up will display asking if you are confident the incident is contained. If you select the checkbox, you can move forward with recovery. 
  4. The new Content Recovery task is displayed with information showing: 
    • The target user.
    • The start date/time, in the admin’s configured time zone.
      • Determined by the model’s detection time plus a 24-hour buffer.
    • End date/time in local time.
      • Determined by the time at which the admin selects the Recover Content button in the Shield alert.
  5. Select Recover Files.
  6. Review the details then select Recover. The content recovery process can’t be modified or paused once started.
  7. You will receive an email confirming the content recovery once complete.

For more information, view our about content recovery page. 

Notes

  • After a recovery task has been created, the Recover Content button is updated to link to the associated recovery task.
    • If the recovery task is deleted then the button returns to its original state, and you are able to create another recovery task (if within 29 days of the alert being created).
  • The Recover Content button is disabled 29 days after the alert is created.
  • If a recovery task is edited via Content Recovery, the recovery task is disassociated from the Shield alert.

Related articles