Anti-Ransomware

Ransomware is malicious software (malware) that employs encryption to hold a victim’s information at ransom. In a ransomware attack, data is encrypted, which prevents access to it, and the attacker demands a ransom payment in return for decrypting the files.

How Powertech Antivirus Prevents Ransomware Attacks

Powertech Antivirus detects potential ransomware activity and raises an alert, and can also be configured to take action automatically (blocking the accessing user) when an attack is detected.

Powertech Antivirus helps protect against ransomware attacks in two ways:

  1. The APEX (Access Pattern and Encryption Activity eXtended) detection method evaluates patterns in NetServer access to the Integrated File System (IFS). When APEX detects suspicious encryption activity, this suspicion level is compared to two thresholds:

  • a Message Threshold, which defines when a warning message is sent to the Powertech Antivirus message queue; and

  • a Block Threshold, which defines when the accessing user is blocked.

  2. Canary files can be defined. A canary file is a decoy file placed within the IFS by the system administrator. If a defined canary file is modified, renamed, or deleted, the user performing the action is blocked immediately.

Using Anti-Ransomware

Use the following steps to activate and configure anti-ransomware.

Activating/De-Activating Anti-Ransomware Protection

  1. From the Powertech Antivirus Main Menu, choose option 50, Setup Menu, then option 10, Anti-Ransomware Settings. The Powertech Anti-Ransomware Menu appears.

  2. To activate or deactivate anti-ransomware protection, choose option 50, Activate/Deactivate Anti-Ransomware. The Activate/Deactivate Anti-Ransomware (AVACTAR) panel appears. Note that the change does not take effect until the QSERVER subsystem is restarted.

Configuring Anti-Ransomware

  1. From the Powertech Antivirus Main Menu, choose option 50, Setup Menu, then option 10, Anti-Ransomware Settings. The Powertech Anti-Ransomware Menu appears.

  2. Choose option 1 to open the Configure APEX Thresholds (AVCFGTHR) panel.

    1. For Send Message on Threshold, specify the threshold value to be used to determine when a message will be sent, warning of a possible ransomware attack. The message is sent to message queue AVMSGQ.

    2. For Block User on Threshold, specify the threshold value used to determine when a user will be blocked in response to a possible ransomware attack. A message is sent to message queue AVMSGQ and the user is blocked, with the block recorded as an entry in User Overrides.

  3. Press F3 to return to the Anti-Ransomware menu and choose option 2, Work with APEX Directory Exclusions. The Work with Directory Exclusions (AVWRKDIR) panel appears.

    1. Define the directories that will not be protected by Powertech Antivirus for IBM i Anti-Ransomware.

    2. Note that an override does not apply to sub-directories; it only applies to the directory specified.

  4. Press F3 to return to the Anti-Ransomware menu and choose option 3, Work with APEX User Overrides. The Work with User Overrides (AVWRKUSR) panel appears.

    Use this option to manage users in relation to anti-ransomware protection. You can define different message and block thresholds for specific users and also specify whether a user is currently blocked. When a user is blocked automatically by the anti-ransomware protection, the user will have an entry within User Overrides.

  5. Press F3 to return to the Anti-Ransomware menu and choose option 10, Work with Canary Files. The Work with Canary Files panel appears.

    Use this option to define decoy files you have created within the Integrated File System (IFS); if one of these files is modified, renamed, or deleted, the user is blocked immediately. If anti-ransomware protection is active, this happens even when the canary file is within a directory that has a Directory Override excluding it from anti-ransomware protection.
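The following Python model is an added illustration of the decision logic described in the overview (APEX thresholds and canary files) and in the configuration steps above; it is not Powertech Antivirus code. The scoring rule (one suspicion point per write, rename or delete by a user) is an assumption made so the thresholds can be exercised offline; the real APEX scoring of NetServer access patterns is not documented here. What the model does reproduce is the policy: message versus block thresholds, per-user overrides from User Overrides, directory exclusions that cover only the named directory and not its subdirectories, canary files that take precedence over exclusions, and blocked users gaining a User Overrides entry. The sample policy and access events are constructed.

```python
"""Model of the anti-ransomware policy described on this page (added illustration,
not product code). The suspicion score is an assumed one-point-per-action rule."""
from dataclasses import dataclass, field
from posixpath import dirname


@dataclass
class Policy:
    message_threshold: int                 # AVCFGTHR: Send Message on Threshold
    block_threshold: int                   # AVCFGTHR: Block User on Threshold
    excluded_dirs: set                     # AVWRKDIR entries (exact directory only)
    canary_files: set                      # full IFS paths of the decoy files
    user_overrides: dict = field(default_factory=dict)  # AVWRKUSR: user -> settings


@dataclass
class Event:
    user: str
    path: str
    action: str  # "read", "write", "rename" or "delete"


SUSPICIOUS_ACTIONS = {"write", "rename", "delete"}  # assumption: actions that raise suspicion


def thresholds_for(policy, overrides, user):
    """Per-user override values win over the global AVCFGTHR thresholds."""
    ov = overrides.get(user, {})
    return (ov.get("message", policy.message_threshold),
            ov.get("block", policy.block_threshold))


def evaluate(policy, events):
    """Replay access events; return the messages sent to AVMSGQ, the resulting
    User Overrides entries and the per-user suspicion scores."""
    overrides = {u: dict(o) for u, o in policy.user_overrides.items()}  # never mutate the input
    suspicion = {}
    messages = []

    def block(user, why):
        overrides.setdefault(user, {})["blocked"] = True  # a blocked user gets an override entry
        messages.append(f"AVMSGQ: {user} blocked: {why}")

    for ev in events:
        if overrides.get(ev.user, {}).get("blocked"):
            continue  # access already refused; nothing further to evaluate
        if ev.action not in SUSPICIOUS_ACTIONS:
            continue  # reads never raise suspicion or trip a canary
        # Canary files are checked first: they apply even inside excluded directories.
        if ev.path in policy.canary_files:
            block(ev.user, f"canary file {ev.path} hit by {ev.action}")
            continue
        # An exclusion covers the named directory only, never its subdirectories.
        if dirname(ev.path) in policy.excluded_dirs:
            continue
        score = suspicion[ev.user] = suspicion.get(ev.user, 0) + 1
        msg_thr, blk_thr = thresholds_for(policy, overrides, ev.user)
        if score == msg_thr:
            messages.append(f"AVMSGQ: possible ransomware activity by {ev.user} (score {score})")
        if score >= blk_thr:
            block(ev.user, f"suspicion score {score} reached block threshold {blk_thr}")
    return {"messages": messages, "overrides": overrides, "suspicion": suspicion}


# Constructed sample configuration and access events (not from any real system).
DEMO_POLICY = Policy(
    message_threshold=3,
    block_threshold=5,
    excluded_dirs={"/home/batch/tmp"},
    canary_files={"/home/data/finance/.do-not-touch.xlsx"},
    user_overrides={"ALICE": {"message": 2, "block": 3}},  # stricter per-user thresholds
)
DEMO_EVENTS = (
    [Event("BOB", f"/home/data/report{i}.docx", "write") for i in range(6)]
    + [Event("ALICE", f"/home/batch/tmp/job{i}.log", "write") for i in range(3)]          # excluded directory
    + [Event("ALICE", f"/home/batch/tmp/archive/job{i}.log", "write") for i in range(3)]  # subdirectory: not excluded
    + [Event("CAROL", "/home/data/finance/.do-not-touch.xlsx", "rename")]                 # canary hit
    + [Event("DAVE", f"/home/data/report{i}.docx", "read") for i in range(10)]            # reads only
)

if __name__ == "__main__":
    result = evaluate(DEMO_POLICY, DEMO_EVENTS)
    for line in result["messages"]:
        print(line)
    print("blocked:", sorted(u for u, o in result["overrides"].items() if o.get("blocked")))
```

Running the sample shows the two points administrators most often misjudge: ALICE's writes in the excluded directory are ignored, but the same writes one level deeper count and, with her tighter override thresholds, block her after three; and CAROL is blocked on a single rename of the canary file regardless of any score.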

NOTE: Anti-Ransomware detection does not work on files that are already encrypted, because APEX cannot recognise further encryption activity against them. As an alternative, place canary files in encrypted directories.