Jun 3, 2022
Can Wazuh be effective against ransomware attacks?
Wazuh is an agent-based endpoint security solution. It is usually included in the EDR section in the secure solutions category. It is used for file integrity, threat detection and intrusion detection. It is also a product with integration in cloud systems.
It compares the hash values of the determined important files and sends the log of this activity to Wazuh Manager in case the integrity of the files is corrupted. It can detect rootkits, and it does this by periodically scanning the system by looking for processes it thinks are harmful. It displays the logs via kibana.
Examines signature-based, pre-known indicators of distress (IOC). It warns in case of danger by comparing malicious network attack behavior, content of e-mail subject lines, file hashes (integrated with virus total) with known threats. Anomaly-based Detection is also available.
Log Collecting
Here’s how to collect logs: It keeps an inventory of running processes (in the background) and installed applications. If an application has a current vulnerability, it does this with the information it receives from operating system distributors and NVD (international vulnerability database). It enriches and warns the user about this issue with the cve code.
Prevent From Ransomware with Wazuh
Ransomware attacks use Open Distro alert, similar to Elastic Watcher (looking at what hours the processor is being used at high intensity), and can be blocked with the Active Response plugin (configured in the Manager).
Active response also works like this, the event from the agent activates the Active Response rule of the manager, then tells the agent to block it with Active Response, then the agent forwards the blocked log back to wazuh as a log.
So yes you can prevent ransomware attack with Wazuh.
