Ransomware attacks have evolved significantly, with cybercriminals increasingly exploiting the Server Message Block (SMB) protocol to target network shares remotely. This method allows attackers to encrypt and exfiltrate data across network shares without deploying malicious code directly on the target device, effectively bypassing traditional endpoint protections. To counter this sophisticated threat, CrowdStrike has introduced File System Containment within its Falcon® Prevent endpoint security solution, designed to halt malicious file system actions over SMB shares promptly.
Source: CrowdStrike Stop Remote Ransomware Over SMB with Falcon Endpoint Security
The Rising Threat of SMB-Based Ransomware Attacks
SMB, a network protocol primarily used for sharing access to files, printers, and serial ports, has become a favored vector for ransomware attacks. Adversaries exploit SMB to move laterally across networks, accessing and encrypting files on shared drives. This technique is particularly insidious because it often originates from unmanaged systems or involves compromised credentials, allowing attackers to operate undetected. By leveraging SMB, cybercriminals can delete backups, deploy additional payloads, and disrupt business operations without executing malicious code on the target endpoint.

CrowdStrike's research indicates that access to unmanaged systems was central to big game hunting (BGH) ransomware operations throughout 2024. Adversaries commonly exploited unmanaged internet-facing systems to gain initial access, then located internal systems for staging, lateral movement, and remote encryption. Groups such as PUNK SPIDER and WANDERING SPIDER have been observed accessing unmanaged systems to remotely encrypt files over SMB shares. In other cases, BGH adversaries dumped credentials from backup tools or staged additional tools for broader compromise. However, when they targeted Falcon-protected systems, those same actions were immediately stopped.
Introducing File System Containment
To combat the threat of SMB-based ransomware attacks, CrowdStrike's Falcon Prevent includes a feature called File System Containment. This capability is designed to automatically block ransomware at the file access level, stopping destructive activity even if it originates from outside of your managed environment. File System Containment is not enabled by default, so that security teams retain full control over when it is turned on. Enabling it is as simple as checking a single box in the Falcon UI. Once active, Falcon Prevent will block malicious behaviors like mass encryption, suspicious file modifications, and backup deletions targeting SMB shares.

How File System Containment Works
File System Containment operates by monitoring file system actions over SMB shares and identifying behaviors indicative of ransomware activity. When such behaviors are detected, Falcon Prevent intervenes to block the malicious actions, effectively halting the ransomware's progress. This approach ensures that even if an attack originates from an unmanaged system or involves compromised credentials, the ransomware's ability to encrypt files over SMB shares is thwarted.

Real-World Effectiveness
The effectiveness of CrowdStrike's Falcon platform, including its File System Containment feature, has been validated through independent testing. In the 2024 SE Labs Enterprise Advanced Security (EDR) Ransomware Test, the Falcon platform achieved a perfect score of 100% in detection, protection, and accuracy, earning the prestigious AAA Award for Advanced Security EDR Protection for the third time in a row. The evaluation simulated real-world attack scenarios from 15 known ransomware families, employing tactics such as using stolen credentials to gain access and moving laterally across systems. The Falcon platform detected and blocked 100% of ransomware files and protected endpoints across multiple stages during all simulated ransomware attacks. These results underscore the power of the Falcon platform's unified, cloud-native architecture and continuous AI innovation, stopping all threats across systems and attack paths with unparalleled speed and precision.

Conclusion
As ransomware tactics continue to evolve, leveraging protocols like SMB to evade detection, organizations must adopt advanced security measures to protect their networks. CrowdStrike's File System Containment within Falcon Prevent offers a proactive solution to this challenge, effectively stopping remote ransomware attacks over SMB shares. By enabling this feature, organizations can enhance their defense against sophisticated ransomware threats, ensuring the integrity and availability of their critical data.
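As an added illustration of the behavioural idea described under "How File System Containment Works" above (this is not CrowdStrike's code and does not describe how Falcon implements the feature), the sketch below applies file-access-level containment to constructed SMB share-access telemetry: a remote client that mass-renames documents to an unfamiliar extension within a short window, or that deletes a backup artefact, is contained and its further operations on the share are refused, while a benign client carries on. The event format, thresholds, extension list and backup markers are all assumptions made for the example.

```python
import ntpath
from collections import defaultdict, deque

# Illustrative lists: ordinary document extensions, and path fragments that mark backups.
KNOWN_EXTS = {"docx", "xlsx", "pdf", "txt", "pptx", "csv"}
BACKUP_MARKERS = ("backup", ".bak", ".vhdx", ".vbk")

def ext_of(path):  # ntpath handles UNC/backslash paths on any host
    return ntpath.splitext(path)[1].lstrip(".").lower()
def is_encrypting_rename(ev):  # a known extension replaced by an unfamiliar one
    return (ev["op"] == "rename" and ext_of(ev["path"]) in KNOWN_EXTS
            and ext_of(ev["new_path"]) not in KNOWN_EXTS)
class ShareMonitor:
    """Per-remote-client behavioural guard for file operations on an SMB share."""
    def __init__(self, window=60, rename_threshold=5):
        self.window, self.threshold = window, rename_threshold
        self.renames = defaultdict(deque)  # client -> timestamps of encrypting renames
        self.contained = {}                # client -> reason it was cut off
        self.blocked = []                  # operations refused after containment
    def handle(self, ev):  # returns True if the operation may proceed, False if blocked
        client = ev["client"]
        if client not in self.contained:
            if ev["op"] == "delete" and any(m in ev["path"].lower() for m in BACKUP_MARKERS):
                self.contained[client] = "deleted a backup artefact over SMB"
            elif is_encrypting_rename(ev):
                q = self.renames[client]
                q.append(ev["t"])
                while ev["t"] - q[0] > self.window:  # forget renames outside the window
                    q.popleft()
                if len(q) >= self.threshold:
                    self.contained[client] = f"{len(q)} encrypting renames in {self.window}s"
        if client in self.contained:
            self.blocked.append(ev)
            return False
        return True

def sample_events():
    """Constructed telemetry (not real data): a benign client, a mass renamer, a backup deleter."""
    ev = lambda t, c, op, p, n=None: {"t": t, "client": c, "op": op, "path": p, "new_path": n}
    fin = r"\\fs01\finance"
    return ([ev(0, "10.0.0.5", "write", fin + r"\q1.xlsx"),
             ev(1, "10.0.0.5", "rename", fin + r"\draft.docx", fin + r"\final.docx")]
            + [ev(10 + i, "10.0.0.77", "rename", fin + rf"\doc{i}.docx", fin + rf"\doc{i}.docx.lockd")
               for i in range(6)]
            + [ev(18, "10.0.0.90", "delete", r"\\fs01\backup\daily.vhdx")])

def run(events=None):
    mon = ShareMonitor()
    verdicts = [mon.handle(e) for e in (events or sample_events())]  # True = allowed
    return mon, verdicts
```

Running `run()` on the constructed events allows the benign client's operations and the first four renames, then contains the renaming client at its fifth rename and the deleting client at its backup deletion; the per-client sliding window means a handful of renames spread over a long period does not trigger containment.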