BullWall Ransomware Containment uses the number of modified files as a trigger for detection. An authenticated attacker could encrypt a single (possibly large) file without triggering detection if the thresholds are configured to require multiple file changes. The number of files required to trigger detection is user-configurable. Versions 4.6.0.0, 4.6.0.6, 4.6.0.7, and 4.6.1.4 are affected. Other versions may also be affected.
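The gap described above is easiest to see on a toy model. The following is an added example, not BullWall's code and not a description of its actual detection algorithm: it models a count-based trigger (alert once N distinct files show encryption-like writes inside a time window) next to a volume-based trigger, and runs both over three constructed event traces: a mass encryption of many small spreadsheets, a single very large database file rewritten in one go, and a legitimately compressed backup archive whose content is also high-entropy. All file paths, sizes, timestamps and the `looks_encrypted` flag are constructed for the illustration.

```python
"""Toy model of count-threshold ransomware detection and the single-large-file gap.

Added example; not BullWall's implementation. Event traces below are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class FileEvent:
    ts: float              # seconds since start of the (constructed) trace
    path: str
    size_bytes: int
    looks_encrypted: bool  # constructed flag: post-write content is high entropy / known header gone


def _encryption_like(events: Iterable[FileEvent]) -> List[FileEvent]:
    """Keep only writes that look like encryption, ordered by time."""
    return sorted((e for e in events if e.looks_encrypted), key=lambda e: e.ts)


def alert_on_file_count(events: Iterable[FileEvent], min_files: int, window_s: float) -> bool:
    """Count-based trigger: >= min_files distinct files rewritten within window_s seconds."""
    window: deque = deque()
    for e in _encryption_like(events):
        window.append(e)
        while e.ts - window[0].ts > window_s:      # drop events that fell out of the window
            window.popleft()
        if len({w.path for w in window}) >= min_files:
            return True
    return False


def alert_on_bytes(events: Iterable[FileEvent], min_bytes: int, window_s: float) -> bool:
    """Volume-based trigger: >= min_bytes of encryption-like writes within window_s seconds."""
    window: deque = deque()
    total = 0
    for e in _encryption_like(events):
        window.append(e)
        total += e.size_bytes
        while e.ts - window[0].ts > window_s:
            total -= window.popleft().size_bytes
        if total >= min_bytes:
            return True
    return False


GIB = 1 << 30

# Constructed traces (not real telemetry).
MASS_ENCRYPTION = [
    FileEvent(0.1 * i, f"/srv/share/finance/q{i}.xlsx", 200_000, True) for i in range(20)
]
SINGLE_LARGE_FILE = [FileEvent(3.0, "/srv/share/erp/ledger.mdf", 40 * GIB, True)]
BENIGN_ARCHIVE = [FileEvent(7.0, "/srv/share/backups/nightly.7z", 3 * GIB, True)]


def run_scenarios(min_files: int = 5, min_bytes: int = 1 * GIB, window_s: float = 60.0) -> dict:
    """Evaluate each trace under a multi-file count threshold, a single-file count
    threshold, and a byte-volume threshold. Returns {scenario: {policy: alerted}}."""
    scenarios = {
        "mass_encryption": MASS_ENCRYPTION,
        "single_large_file": SINGLE_LARGE_FILE,
        "benign_archive": BENIGN_ARCHIVE,
    }
    return {
        name: {
            f"count>={min_files}": alert_on_file_count(ev, min_files, window_s),
            "count>=1": alert_on_file_count(ev, 1, window_s),
            "bytes>=1GiB": alert_on_bytes(ev, min_bytes, window_s),
        }
        for name, ev in scenarios.items()
    }


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(f"{name:18s} {results}")
```

With the default five-file threshold, the mass encryption is caught but the single 40 GiB rewrite is not, which is the weakness the advisory describes. Lowering the count threshold to one file closes that gap but also fires on the benign archive, which is the noise trade-off the vendor refers to. A byte-volume trigger catches the single large file but misses the mass encryption of small files (20 × 200 KB is well under 1 GiB), so in practice the two signals complement each other rather than replace one another; any threshold, whichever dimension it measures, is a tuning decision that an attacker who can observe or guess it will try to stay under.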
This behavior is driven by configurable thresholds.
BullWall can be configured to trigger on single-file encryption, and customers routinely tune thresholds based on operational tolerance for noise.
The advisory wording may suggest an inherent inability to detect single-file encryption, which is not accurate.
BullWall does not currently provide a detection for this issue.
BullWall thanks the reporter for responsibly disclosing this issue.