Installing RansomStop for Google Drive

Overview

RansomStop can monitor Google Drive and automatically suspend compromised user accounts that exhibit ransomware activity, i.e. malicious encryption events. To do this, RansomStop has to be installed in your Google Cloud Platform (GCP) environment as a serverless application in Google Cloud Run. Once configured, RansomStop monitors all file changes; if a file is encrypted, the compromised user account is immediately suspended and logged off. This limits the damage done by ransomware.

Steps

From your RansomStop Admin Portal:

Create the Site
  1. Navigate to the Sites page
  2. Click the "plus" icon in the top right to add a new site
  3. Enter the name of the site, e.g. Google Drive
  4. For Type, choose Google Cloud
  5. Click Save
(Screenshot: Add a new Site)

Create the Analyzer
  1. Navigate to the Analyzers page
  2. Click the "plus" icon in the top right to add a new analyzer
  3. Enter the name of the analyzer, e.g. google-drive
  4. Choose GDrive for the Storage Type
  5. Be sure to choose the site you created in the previous sequence as the site
  6. For Policy, choose Detect Only to start; you can switch to Enforce later
  7. Click Save
(Screenshot: Add a new Analyzer)

Deploy the Site
Return to the Sites tab. Locate the Site you just created and click the deploy button (the rocket-ship icon).
This downloads a Site installation script that you or your GCP Admin will need to run. The Google Cloud SDK must be installed so that the gcloud commands are available:
  1. % gcloud auth login
  2. % bash RansomStopGCPInstaller-xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx.sh
  3. Follow the instructions on screen

Deploy the Analyzer
Navigate to the Analyzers page. Locate the Analyzer you just created and click the deploy button (the rocket-ship icon).
This downloads an Analyzer installation script that you or your GCP Admin will also need to run:
  1. % gcloud auth login
  2. % bash RansomStopAnalyzer-my-gdrive.sh
  3. Follow the instructions on screen
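Both the Site and the Analyzer installers are downloaded scripts that run with your gcloud credentials against your GCP project, so an admin will usually want to confirm the prerequisites and see what the script is going to do before executing it. The following pre-flight wrapper is an added example for this article, not RansomStop's own code: the function names, the confirmation prompt and the sample script used in the comments are assumptions; it checks the installer's file name against the two shapes shown above, verifies gcloud is installed and logged in, prints the project in use and the gcloud commands contained in the script, and only then runs it.

```shell
#!/usr/bin/env sh
# Pre-flight checks before running a downloaded RansomStop installer script.
# Added example for this article, not RansomStop's own code; the function
# names and the confirmation prompt are assumptions.

# Installer file names in this article look like
#   RansomStopGCPInstaller-xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx.sh   (site)
#   RansomStopAnalyzer-<analyzer-name>.sh                      (analyzer)
# Returns 0 when the file name (directory part ignored) has one of those shapes.
installer_name_ok() {
  case "${1##*/}" in
    RansomStopGCPInstaller-*.sh|RansomStopAnalyzer-*.sh) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints, de-duplicated and one per line, every gcloud command a script will
# run, so an admin can review what the installer changes in the project
# before executing it. Reads the script text from stdin.
list_gcloud_commands() {
  grep -E '^[[:space:]]*gcloud[[:space:]]' | sed 's/^[[:space:]]*//' | sort -u
}

# Prints the account gcloud is currently authenticated as (empty if none).
active_gcloud_account() {
  gcloud auth list --filter=status:ACTIVE --format='value(account)' 2>/dev/null
}

# Runs all checks for one installer, shows the gcloud commands it contains,
# and executes it only after explicit confirmation.
preflight() {
  script="$1"
  [ -f "$script" ] || { echo "no such file: $script" >&2; return 1; }
  installer_name_ok "$script" || { echo "unexpected installer name: $script" >&2; return 1; }
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found; install the Google Cloud SDK first" >&2; return 1; }
  account=$(active_gcloud_account)
  [ -n "$account" ] || { echo "not logged in; run: gcloud auth login" >&2; return 1; }
  project=$(gcloud config get-value project 2>/dev/null)
  echo "account: $account"
  echo "project: ${project:-<unset>}"
  echo "gcloud commands in $script:"
  list_gcloud_commands <"$script" | sed 's/^/  /'
  printf 'Run %s now? [y/N] ' "$script"
  read -r answer
  [ "$answer" = "y" ] || { echo "aborted"; return 1; }
  bash "$script"
}

# Usage: sh preflight.sh RansomStopAnalyzer-my-gdrive.sh
# Nothing runs when no installer path is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

The review step is deliberately read-only: it lists the commands without executing them, which is enough to spot which service accounts, IAM bindings and Cloud Run services the installer will create before you type "y".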

Configure Google Drive Watcher
At the end of the Analyzer install script, you will be given a command to run that will look something like:
  1. % gcloud run services proxy rsanalyzer-gdrive --project plumesec-wxyz --region=<region>
Then point your browser to http://localhost:8080 to configure the watchers.
NOTE: You will need to configure a watcher for each shared Google Drive you would like to protect.
  1. Enter the Admin Email address
  2. Click Dashboard
  3. Choose the Google Drive
  4. Click Setup Watcher

