Ransomware Canaries will now be enabled by default for all partners, including those who have not previously opted in to this service.
How do canaries work?
Ransomware Canaries are small files placed on the endpoint and monitored for changes. Enabling this service allows our agent to kickstart an investigation with our ThreatOps teams when a change is detected, giving them additional visibility to identify ransomware incidents.
What is the impact?
The impact of this service is minimal. Each canary file is very lightweight at approximately 150 KB, with about 500 KB used per user profile. Our Huntress agent then reports any changes to these files in its periodic survey to trigger an incident investigation by our ThreatOps teams.
You will only be notified with an incident report if our ThreatOps team validates suspicious behavior potentially related to a ransomware incident.
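The mechanism described above, as an added example (not Huntress agent code): canary files are written with a recorded SHA-256 baseline, and a survey function reports any that were modified or have gone missing. The file names, the hashing approach and all function names are assumptions made for illustration; only the 150 KB file size comes from this page.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def place_canaries(directory, names, size=150 * 1024):
    """Write canary files (about 150 KB each) and return {path: sha256}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        baseline[path] = sha256_of(path)
    return baseline

def survey(baseline):
    """Compare each canary with its baseline; return (path, status) per change."""
    findings = []
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            findings.append((path, "missing"))    # deleted or renamed
        elif sha256_of(path) != expected:
            findings.append((path, "modified"))   # contents rewritten in place
    return findings

def demo():
    """Constructed scenario: a clean survey, then one after two canaries change."""
    with tempfile.TemporaryDirectory() as profile:
        # Hypothetical canary names, chosen only for this example.
        names = ["canary_a.docx", "canary_b.xlsx", "canary_c.pdf"]
        baseline = place_canaries(profile, names)
        clean = survey(baseline)
        paths = sorted(baseline)
        # Stand-ins for the changes a survey should catch:
        with open(paths[0], "wb") as fh:           # contents overwritten
            fh.write(b"\x00" * 1024)
        os.rename(paths[1], paths[1] + ".locked")  # file renamed away
        after = survey(baseline)
        return clean, [(os.path.basename(p), s) for p, s in after]

if __name__ == "__main__":
    print(demo())
```

A change to a canary is only a trigger for investigation: a user or backup tool can also touch these files, which is why findings go to analysts for validation before any incident report is sent.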
Why are we doing this now?
With the news around Microsoft Exchange vulnerabilities, and especially the latest reports indicating that these vulnerabilities are being used to install a new ransomware variant called DEARCRY, we believe it is important to continue doing what we can to protect our partners and the businesses you serve.
We will begin our phased rollout on March 12 with partners who are currently running Microsoft Exchange.
If you have any questions or concerns, please contact us at firstname.lastname@example.org.
If you would like to opt out, please let us know by March 30th.