Ransomware Protection: CTERA Ransom Protect

Ransomware attacks have become an increasingly imposing threat to organizations. Double extortion, a tactic that combines data exfiltration and encryption, has become a widespread method used by cyber-criminals in ransomware attacks. Threat actors first exfiltrate sensitive information from their targets before launching the ransomware encryption routine. Encryption restricts access to critical files, systems, and applications. This encryption process happens silently in the background. Subsequently, the cyber-criminals demand a ransom payment for restoring access to the encrypted assets and threaten to publicly expose the stolen data if the demand is not met promptly.

Taking proactive measures against ransomware attacks helps safeguard your data and ensures the continuity of your operations. Each user’s behavior is monitored and fed into a machine learning algorithm trained on an extensive dataset of attack flows. Using this monitoring, CTERA Ransom Protect is able to detect and block ransomware attacks within seconds.


CTERA Ransom Protect monitors Windows File Sharing (SMB) traffic. It does not monitor user behavior on other file sharing protocols such as NFS or FTP.

Key Features of CTERA Ransom Protect include:

  • Real-time detection: Advanced machine learning algorithms identify behavioral anomalies suggesting fraudulent file activity, and block offending users within seconds.
  • Data exfiltration prevention: Decoy files enable real-time detection and blocking of data exfiltration attacks.
  • Zero-day protection: CTERA Ransom Protect does not rely on traditional signature update services.
  • Incident management: An administrator dashboard provides real-time attack monitoring, comprehensive incident evidence logging and post-attack forensics.
  • Instant recovery: Near-instant recovery of any affected files from snapshots that are securely stored in air-gapped, immutable cloud object storage.

In addition, CTERA Ransom Protect requires minimal configuration: a single click activates ransomware protection on the CTERA Edge Filer.

What is the Behavioral Engine

Data encryption restricts access to critical files, systems, and applications. This encryption process happens silently in the background.

Ransomware attacks involve recursively scanning the entire SMB share, searching for files of specific types. When the ransomware finds a target:

  • It opens the file for read/write, reads the file, encrypts the file in place and renames the file.
  • It opens the file for read, reads the file and, in parallel, creates a new target file with a different file extension, writes an encrypted version and then deletes the original.

The CTERA Ransom Protect Behavioral engine quickly identifies encryption attacks and ends the user session that carried out the attack.

What is the Honeypot Engine

Data exfiltration typically involves a cyber-criminal stealing data through various cyber-attack methods and then threatening to sell this data to competitors. Exfiltration tools like Exmatter, StealBit and Ryuk Stealer are designed to automate the stealing of sensitive files, databases, and compressed archives. They target specific file extensions and upload them to pre-configured servers via SFTP or other protocols. These tools are often used in the moments before a full ransomware attack, putting immense pressure on organizations to pay a ransom.

The CTERA Ransom Protect Honeypot engine, when enabled, adds a visible and world-readable/writable virtual directory to every /cloud share and nested shares on the edge filer. The virtual directory includes subfolders and files to attract the cyber-criminal. These directories are not stored on disk and are not synchronized to the cloud. The Honeypot engine is designed so that the cyber-criminal enters this folder first, before having a chance to exfiltrate other files.


Local shares that are not synced to the cloud are not included in honeypot detection.

The following operations are treated as strikes by the Honeypot engine:

  • First read for a file.
  • First write of a file, including overwriting the file by moving a file on top of it.

Three honeypot strikes within 200 seconds are treated as a ransomware attack.
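
The strike rule above, sketched as an added example (this is not CTERA's code): a sliding-window counter that flags a user after three first-read or first-write strikes on decoy files within 200 seconds. The event tuple format, the decoy path, counting strikes per user, and treating a gap of exactly 200 seconds as inside the window are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 200  # from the page: strikes must fall within 200 seconds
STRIKE_LIMIT = 3      # from the page: three strikes are treated as an attack
HONEYPOT_DIR = "/cloud/share1/_decoy/"  # hypothetical decoy path, not CTERA's

def detect(events):
    """Return [(user, time)] for users who reach the strike limit.

    events: (timestamp_seconds, user, op, path) tuples sorted by time; op is
    "read", "write" or "rename" (a rename's path is the file moved onto).
    Assumptions: strikes are counted per user, and a gap of exactly
    WINDOW_SECONDS between first and third strike still counts.
    """
    seen = set()                  # (user, kind, path) already counted as a strike
    strikes = defaultdict(deque)  # user -> timestamps of strikes inside the window
    flagged = {}
    for ts, user, op, path in events:
        if user in flagged or not path.startswith(HONEYPOT_DIR):
            continue
        kind = "read" if op == "read" else "write"  # moving onto a decoy is a write
        if (user, kind, path) in seen:  # only the first read/write of a file counts
            continue
        seen.add((user, kind, path))
        window = strikes[user]
        window.append(ts)
        while ts - window[0] > WINDOW_SECONDS:  # expire strikes outside the window
            window.popleft()
        if len(window) >= STRIKE_LIMIT:
            flagged[user] = ts
    return sorted(flagged.items(), key=lambda item: item[1])

# Constructed sample events (not real CTERA logs).
SAMPLE_EVENTS = [
    (0, "alice", "read", "/cloud/share1/reports/q1.xlsx"),         # not a decoy
    (5, "bob", "read", "/cloud/share1/_decoy/passwords.txt"),      # bob strike 1
    (6, "bob", "read", "/cloud/share1/_decoy/passwords.txt"),      # repeat read, ignored
    (10, "alice", "read", "/cloud/share1/_decoy/passwords.txt"),   # alice strike 1
    (40, "bob", "write", "/cloud/share1/_decoy/passwords.txt"),    # bob strike 2
    (120, "bob", "rename", "/cloud/share1/_decoy/hr/payroll.db"),  # bob strike 3
    (300, "alice", "read", "/cloud/share1/_decoy/hr/payroll.db"),  # strike at 10 expired
    (450, "alice", "write", "/cloud/share1/_decoy/hr/payroll.db"),
]

if __name__ == "__main__":
    for user, ts in detect(SAMPLE_EVENTS):
        print(f"honeypot attack suspected: user={user} at t={ts}s")
```

In the sample, bob is flagged at t=120 while alice is not, because her strikes never number three inside one 200-second window.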


Enabling the Honeypot engine does not adversely impact system performance.


In order to notify administrators by email when a suspected ransomware attack has happened, the mail server must be correctly configured. For details, see Configuring Email Alerts.


CTERA Ransom Protect operates on the CTERA Edge Filer and does not rely on an Internet connection. It works even when the connection to the CTERA Portal is down.
