Setting Reactions to Ransomware Attacks

In the Reaction To Attack screen, you can define two reactions to detected attacks, based on criteria set in the Threat Control Center screen, as shown in Setting Thresholds for Ransomware Detection.

To set the methods by which Anti-Ransomware responds to alerts of different levels, select 4. Reaction To Attack from the Anti-Ransomware main screen, as shown in Starting Anti-Ransomware.

The Reaction To Attack screen appears:

                            Reaction To Attack                      RLDEV

 Anti-Ransomware mode . . . . .   Y                          Y=Yes, I=FYI, N=No
 *FYI* is an acronym for "For Your Information".

 Reaction
 Message to QSYSOPR . . . . . .   Y                          Y=Yes
 Inform SIEM  . . . . . . . . .                              Y=Yes
 Email system admin . . . . . .   orenc

 In *FYI mode, the following is not performed.
 Stop attack of User from IP  .   Y                          Y=Yes
 End system wide File Server  .                              Y=Yes
 Stops all remote access to shares.
 Hibernate/Shutdown attacker  .                              Y=Yes
 See procedure and restrictions in SMZV/AVSOURCE ATP4RMT
 Submit/Call on this system . .                              S=Submit, C=Call
   Program  . . . . . . . . . .                              Name
   Library  . . . . . . . . . .                              Name *LIBL
 Program should be Thread Safe. See example program in SMZV/AVSOURCE ATPALERTR

 F3=Exit


The body of the screen lists different possible reactions. You can also set further details and specifications for some of the reactions.

To select a reaction, set its field to Y (except where noted below). To leave a reaction unselected, leave the field blank.

Possible reactions are:

Message to QSYSOPR

Send a system message to QSYSOPR.

Inform SIEM

Alert up to three SIEM systems, as set in the iSecurity/Base System Configuration screen within the iSecurity Base System (STRAUD > 81). Additional information on SIEM support is available in the SIEM Support, Syslog Parameters and Triple Syslog Definitions (#1-#3) sections, among others.

Email system admin

Send an email to the system administrator at the email address in this field.

Stop attack of user from IP

End the attack by the user from the IP address from which it originates.

End system wide File Server

End all activity on the file server that is being attacked. This stops all remote access to shares on the system.

Hibernate/Shutdown infected PC

Hibernate or shut down the attacking PC with which the system is communicating.

See SMZV/AVSOURCE ATP4RMT for the procedure and its restrictions.

Submit/Call on this system

Set this to C to call the program or S to submit it. Enter the name and library of the program in the Program and Library fields, respectively. The program should be thread safe.

See SMZV/AVSOURCE ATPALERTR for a sample program.