Cisco AMP Ransomware

Cisco Advanced Malware Protection for Endpoints

What you will learn

This document describes the new engine added to Cisco® Advanced Malware Protection for Endpoints as a part of AMP Connector Version 6.1.5 for Windows—Malicious Activity Protection. This engine is part of Cisco® Advanced Malware Protection for Endpoints. In this paper, we will explain the technology behind Malicious Activity Protection and provide some guidance on how to evaluate its value as an addition to the current security stack that comes with the product, among other things. There is a clear explanation of how the engine works, as well as brief instructions for Proof of Value testing and demonstrations.


Ransomware attacks can manifest themselves in a variety of different ways. Ransomware is a type of malicious software that attempts to encrypt the files on a victim’s computer in exchange for a ransom payment. After successfully encrypting the victim’s data, the ransomware demands payment before the data can be decrypted and the victim’s access restored.

Malicious payloads are typically used in ransomware attacks, and they are distributed in the form of an innocent-looking file that tricked the user into downloading or opening it when it arrived in an email attachment. However, there have been instances of ransomware attacks that have spread without the involvement of the victim’s computer. In almost all cases, ransomware attacks are motivated by financial gain, and unlike other types of attacks, the victim is usually notified when an attack has occurred. A set of instructions is then provided to the victim on how to recover from the attack. Payment is frequently demanded in a virtual currency to prevent the cyber criminal’s identity from being easily traced. An important point to remember is that paying the ransom does not guarantee data decryption, and in fact, doing so encourages the development of new ransomware. For more information, visit the Cisco TalosTM website ( to learn about recent ransomware attacks and foundational guidelines for minimising the risks.

The AMP for Endpoints Malicious Activity Protection (MAP) engine, which is included in the AMP Connector Version 6.1.5 for Windows, protects your endpoints by monitoring the system and identifying processes that exhibit malicious activity when they execute and then disabling them from continuing their operations. Because the MAP engine detects threats by observing the behaviour of the process while it is running, it can be used to determine whether a system is being attacked by a new variant of ransomware or malware that has eluded other security products and detection technology, such as legacy signature-based malware detection, in a generic fashion. On the endpoint, the MAP engine’s first release is focused on the identification, blocking, and quarantining of ransomware attacks.

A lattice of endpoint protection using AMP

The protection capabilities of AMP for Endpoints are comprised of several technologies that work together to prevent, detect, and remediate malicious code on the end-user computer.

The following are the primary in-memory prevention technologies:

Exploit Prevention protects endpoints against memory injection attacks, which are commonly used by malware, as well as zero-day attacks on unpatched software vulnerabilities that exist in protected processes.

System Process Protection protects critical Windows system processes from being compromised by other processes attempting to inject memory into the system.


The following are the primary on-disk detection technologies:

A great breadth of knowledge is provided to the AMP Connector through one-to-one hash lookups, the use of a generic signature engine, and the use of a machine learning engine provided by the AMP Cloud. The global intelligence database is constantly being updated and enhanced with new detections.

This traditional signature-based antivirus engine, which runs on the endpoint and provides on-disk malware detection capabilities, is a component of the AMP Connector for Windows security solution (ClamAV is an offline engine for Mac and Linux).

Malicious Activity Protection (MAP) detects and prevents abnormal behaviour of a running programme on the endpoint at the time of detection (for example, behaviours associated with ransomware).

Through the ability to define custom signatures and enforce blocked lists, Custom Detections help the security administrator achieve the goal of providing robust control capabilities to the user community.

A related image, diagram, or screenshot is shown in Figure 1. AMP for Endpoints – Protection Lattice.

The following are the primary post-infection detection technologies:

CTA uses machine learning and artificial intelligence to correlate traffic generated by users in order to reliably identify command and control traffic, data exfiltration, and potentially unwanted applications already running in the environment; it requires a proxy that provides weblogs or a Cisco Stealthwatch® Flow Collector that provides NetFlow.

Device Flow Correlation allows for the monitoring of network activity and the determination of what action should be taken by the AMP Connector when connections to malicious hosts are detected.

When suspicious behaviours are observed on endpoints, Cloud Indication of Compromise (IOC) is a feature that allows for the detection and alerting of malware patterns. Cloud IOCs do not imply active blocking of malicious behaviour.

Endpoint IOC is a powerful incident response tool for scanning post-compromise indicators across multiple computers. It can be imported from open IOC-based files that are written to trigger based on file properties, and it can be used in conjunction with other incident response tools.

These security features form the basis of the overall approach to pervasive advanced malware protection, which is based on a combination of technologies. While Cisco recommends that all of these engines be used in conjunction with one another in order to maximise the value of the product, customers can choose whether to enable or disable one or more of these features through a configuration policy. The MAP feature, which is the subject of this whitepaper, is only one of the many important pieces of functionality that AMP for Endpoints provides. These technologies, though listed separately, work together as a detection lattice to provide improved visibility and increased control across the entire attack continuum, despite being listed separately.

A detailed description of the additional functionality of AMP for Endpoints, such as dynamic analysis and retrospective detection, can be found in the user guide, which can be found on the Cisco website at

Malicious activity detection and prevention technology

Malicious actions that are taking place on the endpoint at the time of detection are identified by the MAP engine, which is a behavioral-based detection engine. A rule set has been developed based on extensive research with many variants of ransomware samples observed in the wild. This rule set is part of the engine and is located on the AMP Connector itself, which makes it easy to use.

What it is and how it works

The MAP engine continuously monitors the protected system for certain changes (which will be explained in greater detail later) in order to identify the processes that should be prosecuted when the activities outlined in the behavioural rule set are matched. Depending on how the policy is configured, the following actions can be taken on processes that are detected by the MAP:

If the identified malicious process is not blocked by MAP, the detection will be logged in the AMP for Endpoints console. If no malicious process is identified, the detection will not be logged. (If you’re using Audit mode, there will be no blocking or quarantine action taken, but the detection will be recorded.)

• Block process execution: In this mode, the malicious binary is identified and blocked, and the process is no longer allowed to run. • Block process execution: (similar to how the Application Blocking feature works).

– Quarantine process: This mode terminates the offending process and moves the files into a quarantine folder for further investigation.

The MAP engine’s set of detection rules is responsible for looking for anomalies in the system. It is possible, for example, for the rule to be triggered to take action on the process when it reads, writes, and renames a set of files in an extremely short period of time. Instead of deleting the original files, if the process reads and writes the content of one file to another file and then deletes the original files, the MAP engine can be triggered to perform the action specified in the policy. These are just a couple of examples of the rules that are included in the rule set in question. It is the developers who have access to the rules, which are never exposed to the public and are not configurable by the public. The engineering and research teams at AMP for Endpoints are constantly assessing the techniques used by malware and ransomware in the wild in order to improve the anticipated protection levels for endpoints.

When processes are identified by the MAP engine as exhibiting malicious activity, they are checked against guardrails to ensure that legitimate applications and operating system components are not accidentally blocked or quarantined. This helps to reduce the number of false-positive detections.

It is possible that some files will be encrypted by the offending process until the MAP engine determines that the process meets the criteria for being labelled as malicious, even if the AMP Connector is able to detect and prevent ransomware from completely compromising data on the system. The AMP Connector will notify you of any files that have been modified by the offending process, allowing you to restore them from backups as quickly as possible if necessary. The MAP event, which is displayed in the AMP for Endpoints console, contains the information about the file history.

Figure 2 shows the flow of the MAP engine detection.

Image, diagram, or screenshot that is related

The AMP for Endpoints Connector for Windows includes the MAP component. For more information on the operating systems that are supported, please see the release notes.

Performance and compatibility are important considerations.

The impact on performance is a significant component of the endpoint security selection criteria. The performance of the system is not adversely affected by AMP for Endpoints. In addition, there are no significant performance penalties or changes to the end user experience associated with making use of the MAP engine. The anticipated increase in CPU utilisation associated with enabling the MAP engine is approximately 5 percent, with no significant impact on memory, disc, or network performance.

It is critical for any endpoint security solution to be compatible with the software that has been installed on the device in order to function properly. There are no known compatibility issues with third-party security software with the MAP engine, according to the manufacturer. Please refer to the AMP for Endpoints user guide for more information on known issues and how to resolve them.


It may be necessary to exclude from MAP monitoring legitimate applications that are used in a customer environment and exhibit behaviour that is similar to ransomware. Archiving software, for example, is a straightforward example. To prevent the AMP for Endpoints from monitoring applications, and optionally their child processes, for the presence of malicious activity by the MAP engine, process exclusions can be applied. It is important to note that child processes that are created by an excluded process are not excluded automatically.

In general, exclusions can be used to resolve conflicts with other security products or to mitigate performance issues by excluding directories that contain large files that are frequently updated, such as databases, from the scanning process. If you require additional information, please refer to the AMP for an Endpoints user guide.

Take a look at it in action.

Despite the fact that MAP is a generic ransomware stopper that can be used to stop ransomware at runtime regardless of the exploitation vector, propagation abilities, hash of the sample, targeted files, file extensions, or other factors, it may be useful for testing purposes to relate to a number of examples of attacks that may be blocked or quarantined by the engine during the testing phase. Several virtualization environments, as well as bare-metal machines running supported operating systems, were used in the testing process. The engineering and research teams at AMP for Endpoints are constantly evaluating the techniques used by ransomware authors in order to improve the protection levels available.

SamSam, WannaCry, JigSaw, Jeff, Cerber, TeslaCrypt, CryptoFortress, and many other ransomware families were among those that were either blocked or quarantined at run time by MAP.

Because the MAP engine searches for activities based on their behaviour, it is impossible to evade detection by making simple changes to file hashes or obfuscating data with the use of packers.

store the process that was incorrectly convicted and quarantined, the normal AMP for restoring processes must be used.

The process of restoring endpoints. Following that, it should be added to an allowed list or excluded from AMP inspection using the AMP for Endpoints console, and any occurrences of this nature should be reported to engineering via the Cisco Technical Assistance Center.

When it comes to the use case of malicious code being injected into a legitimate process and used for data encryption, does MAP have a solution for you?

In addition, the AMP Connector’s guardrails may prevent a legitimate process from being condemned by the MAP engine because they are built into the connector’s design (even though it may contain malicious code inside, as a result of using process hollowing or other code injection techniques). Use of code injection techniques may be prevented by exploit prevention and system process protection engines that may be enabled through AMP’s policy.

Is it possible for the MAP engine to prevent ransomware from being launched from a connected USB drive?

When connected USB drives are detected, the MAP engine checks them for ransomware processes and blocks or quarantines those that are launched from them.

Is there a guarantee that all ransomware samples found in the wild will be blocked or quarantined by the MAP engine? Question:

A guarantee of this nature can never be provided. AMP’s research and development teams, on the other hand, conduct continuous efficacy testing and make ongoing investments in the development of the feature to provide customers with higher levels of protection.