Blocking Malicious Users


Users that you suspect of triggering ransomware attacks can be blocked by adding them to a Blocked Users group. Blocked users are prevented from accessing the edge filer by all authenticated protocols, including SMB, NFS, FTP, and the edge filer user interface.

Users can be blocked automatically or manually. Users that trigger a ransomware incident can be automatically added to a Blocked Users group.

Note

When users are added to the Blocked Users group, their existing SMB sessions are immediately closed. Existing connections via other protocols are not immediately terminated, but the user is not able to create a new session.

To block users automatically:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click Settings and slide Block Malicious Users on.
  3. If you made any changes, click Save, otherwise click Revert to revert to the last saved configuration.

Any incident that CTERA Ransom Protect identifies as a ransomware attack, whether via behavioral detection or honeypot detection, causes the user who initiated the incident to automatically be added to the Blocked Users group. The existing SMB session is immediately closed and the user is not able to create a new session.

Two separate incidents may be created for the same user, as the counting of behavioral and honeypot strikes is independent.

Note

CTERA recommends blocking the user in Active Directory as well.

To block users manually:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Blocked Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select the user to block.
    1. Select Local Users, Domain domainName Users, or Domain domainName Groups.
    2. In the Quick Search box, start entering the name of the user or group to block, or click ... and select the user from the list.
  5. Click Next.
    The Wizard Completed window is displayed.
  6. Click Finish.

The user is blocked from access to the edge filer.

Removing Users From the Blocked Users Group

A user that has been blocked from accessing the edge filer can be unblocked.

To remove a user from the Blocked Users group:

  1. In the Configuration view, select Security > Ransom Protect in the navigation pane.
    The Ransom Protect page is displayed.
  2. Click the number below Blocked Users.
    The Specify Group Name window is displayed.
  3. Click Next.
    The Select Group Members window is displayed.
  4. Select Local Users, Domain domainName Users, or Domain domainName Groups to display the blocked users in that group, then click the icon next to the user to remove that user from the list.

The user is removed from the Blocked Users list.