
Ransomware detection and enhanced recovery now included in the Cristie Software recovery and replication portfolio


Early ransomware detection incorporated into your system recovery process.

When cybercriminals orchestrate a human-led cyberattack, they may have spent months identifying and overcoming defences to maximise the impact of their attack. Regardless of whether their entry was through commodity malware or the exploitation of an outdated or misconfigured web server, the ultimate goal is file encryption, holding vital operational data to ransom. Ransomware typically uses hybrid encryption: file contents are encrypted with a fast symmetric cipher, and the symmetric key is in turn encrypted with a public key that the attacker generates for that victim. The matching private key, without which the files cannot be recovered, never leaves the attacker's infrastructure. Human-led attacks attempt to spread laterally within an organisation's infrastructure, and once the encryption payload is executed, files can be encrypted at an alarming rate. Rapid detection of anomalies in file structure and naming can provide the earliest warning of an active attack, and this capability has now been introduced into Cristie Software's portfolio of system recovery and replication solutions.

Applying patented file analysis techniques to combat ransomware.

We recently announced our UK patent award for the automatic self-healing of errors or failures encountered during a system restore or replication. This technology is built upon algorithms that analyse run-time log files to resolve system restore failures automatically through machine learning. The Cristie Software development team have applied these technologies to provide advanced file anomaly detection within the system recovery and replication process. System backups are a vital defence against ransomware, and the backup process provides an ideal opportunity to compare file structure between successive backup job images. Certain files will change regularly during normal business operations because of actions undertaken within their associated applications; however, malicious file encryption follows one of several detectable patterns. It is these patterns that Cristie Software's anomaly detection technology seeks to identify, providing the earliest possible warning that an attack is in progress.

Detecting ransomware encryption patterns.

To be effective, ransomware must encrypt files, which means it must read file contents from disk and write encrypted contents back to disk. How this is done varies: some payloads write to a new file and then delete the original, while others write into the original file in place and possibly rename it once it has been encrypted. Watching for mass deletes and renames is therefore part of the process, but it is only the tip of the iceberg. The encryption itself also varies, with some payloads encrypting only fragments of each file while others encrypt the entire file. Encrypted content is detected by calculating the entropy of a file. File entropy measures the randomness of the bytes in a file and is commonly used to flag content that has been packed, compressed or encrypted. The scale runs from 0 bits per byte (every byte identical) to 8 (uniformly random, as in a well-encrypted file). Where a payload encrypts only fragments of a file, the whole-file figure rises less, so measuring entropy over fixed-size blocks is more sensitive than a single value per file.

Of course, any backup process that uses encryption and/or compression will exhibit the same properties, including the renaming of files with an extension such as '.bak' and a subsequent increase in file entropy, and so will already-compressed formats such as images and archives. Any file anomaly detection algorithm must therefore be able to distinguish between suspicious and expected behaviours to avoid presenting false positive alerts. Typical ransomware attacks display characteristics that Cristie's anomaly detection algorithms identify through comparison against known patterns. The detection process can be run following every system backup. File activity reports and graded alerts are then presented via a security dashboard within the Cristie Virtual Appliance (VA) user interface. Alerts can also be sent by email and recorded in event logs.

How quickly can ransomware encrypt your data?

A recent article published by the technology news platform ZDNET reported that researchers had tested how quickly 10 major ransomware strains could encrypt a victim's network. At the time of writing, the fastest was the LockBit strain, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In a subsequent test, LockBit took only 4 minutes and 9 seconds to encrypt 53.83 GB of files across different Windows operating systems and hardware specifications. These figures demonstrate how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. The ability to detect and alert on potentially suspicious file activity means that a ransomware attack can be identified while it is in motion and immediate action taken.

Determining your safe recovery point following a ransomware attack.

Given the speed at which ransomware encryption can spread through an infected network, it is highly likely that system backups will contain malware-encrypted files. This scenario would usually require a degree of cyber forensic investigation to determine the 'last known clean' copy of backup data that can provide a safe restore point. This can be a time-consuming exercise, resulting in extended downtime and potential loss of revenue. Cristie Software's anomaly detection capability can help reduce this time, since backup files can also be scanned for anomalies by comparison against multiple snapshots of previous backups which the VA can reference as part of normal operations.
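The snapshot-to-snapshot comparison described in the detection section (entropy rise, mass renames and deletes, and an allowlist for expected high-entropy files such as '.bak') and the search for the last known clean image described above, as one added worked example. This is illustrative code written for this article, not Cristie Software's product code; the thresholds, the extension allowlist, the stem-based rename pairing and the three in-memory backup images are assumptions, and the sample data is constructed.

```python
"""Toy snapshot-to-snapshot anomaly scorer (added example, not Cristie code).

Thresholds, the extension allowlist, the stem-based rename pairing and the
in-memory snapshots below are illustrative assumptions."""
import math
import os
import random
from collections import Counter

# Files whose contents are expected to look random in normal operations
# (compressed backups, archives, already-compressed media). Assumed allowlist.
EXPECTED_HIGH_ENTROPY = {".bak", ".zip", ".gz", ".7z", ".jpg", ".png"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; 8.0 is uniformly random (assumed cutoff)
JUMP_THRESHOLD = 2.0      # rise in bits/byte between snapshots that counts as a jump


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _stem(path: str) -> str:
    # "report.docx.locked" -> "report": pairs a deleted original with the
    # renamed copy that replaced it (crude heuristic, assumption).
    return os.path.basename(path).split(".")[0]


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def compare_snapshots(prev: dict, curr: dict) -> dict:
    """Compare two backup images ({path: bytes}) and return the raw indicators."""
    prev_paths, curr_paths = set(prev), set(curr)
    deleted, added = prev_paths - curr_paths, curr_paths - prev_paths
    by_stem = {_stem(p): p for p in deleted}
    renamed = {by_stem[_stem(a)]: a for a in added if _stem(a) in by_stem}
    # Before/after content pairs: files kept in place plus delete+add rename pairs.
    pairs = [(p, p) for p in prev_paths & curr_paths] + list(renamed.items())
    jumps = []
    for old, new in pairs:
        before, after = shannon_entropy(prev[old]), shannon_entropy(curr[new])
        if (after - before >= JUMP_THRESHOLD and after >= ENTROPY_THRESHOLD
                and _ext(new) not in EXPECTED_HIGH_ENTROPY):
            jumps.append((old, new, round(before, 2), round(after, 2)))
    return {
        "files_compared": len(prev_paths),
        "renamed": renamed,
        "unexplained_deletes": sorted(deleted - set(renamed)),
        "entropy_jumps": jumps,
    }


def grade(report: dict) -> str:
    """Graded alert: 'clean', 'warning' or 'critical' (assumed thresholds)."""
    n = max(report["files_compared"], 1)
    jumps = len(report["entropy_jumps"])
    if jumps >= 3 or jumps / n >= 0.25:
        return "critical"
    if jumps or len(report["unexplained_deletes"]) / n >= 0.5:
        return "warning"
    return "clean"


def last_clean_snapshot(snapshots: list) -> int:
    """Index of the last image taken before the first non-clean comparison."""
    for i in range(1, len(snapshots)):
        if grade(compare_snapshots(snapshots[i - 1], snapshots[i])) != "clean":
            return i - 1
    return len(snapshots) - 1


def random_bytes(seed: int, n: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


TEXT = b"Quarterly report: revenue grew modestly, costs were flat.\n" * 80
DOCS = {f"/data/doc{i}.docx": TEXT for i in range(8)}

# Three constructed backup images, oldest first.
SNAPSHOTS = [
    # Day 1: ordinary documents.
    {**DOCS, "/data/archive.docx": TEXT},
    # Day 2: one edit, archive.docx legitimately replaced by a compressed
    # archive.bak, plus a new compressed database backup. Expected behaviour.
    {**DOCS, "/data/doc3.docx": TEXT + b"Addendum.\n",
     "/data/archive.bak": random_bytes(1), "/backup/db.bak": random_bytes(2)},
    # Day 3: documents renamed to .locked and overwritten with ciphertext,
    # and a ransom note dropped. The pattern the scorer should flag.
    {**{f"/data/doc{i}.docx.locked": random_bytes(10 + i) for i in range(8)},
     "/data/archive.bak": random_bytes(1), "/backup/db.bak": random_bytes(2),
     "/data/README_TO_DECRYPT.txt": b"Your files are encrypted. Pay to restore.\n"},
]

if __name__ == "__main__":
    for i in range(1, len(SNAPSHOTS)):
        report = compare_snapshots(SNAPSHOTS[i - 1], SNAPSHOTS[i])
        print(f"snapshot {i - 1} -> {i}: {grade(report)}, "
              f"{len(report['renamed'])} renamed, {len(report['entropy_jumps'])} entropy jumps")
    print("last known clean snapshot:", last_clean_snapshot(SNAPSHOTS))
```

Run stand-alone, the day 1 to day 2 comparison grades clean because the only entropy rise lands on an allowlisted '.bak' file, the day 2 to day 3 comparison grades critical on eight rename-plus-entropy-jump pairs, and the last known clean image is reported as snapshot 1. The allowlist is the weak point of this design: a payload that renames to '.bak' would slip past it, which is why a production detector scores several signals together rather than trusting the extension alone.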

Extending a holistic approach to cybersecurity.

Cyber threats come in many forms, so a holistic approach is required to tackle them. Cybersecurity can seem a daunting task with so many loopholes to plug, but with a systematic approach you can achieve a high level of protection for your backup environment. Traditional antivirus software still plays a vital role, although by its nature it is always on the back foot: signature-based detection can only recognise malware that is already known and present within virus definition files, which require constant updates. Advanced techniques that employ machine learning, such as the file anomaly detection included within Cristie Software's recovery and replication solutions, offer a powerful additional layer of protection which is much harder to circumvent, since the effect of file encryption is harder to disguise than a new piece of malware code. Combining our recovery and replication solutions with existing cybersecurity measures and complementary technologies such as immutable or air-gapped storage will significantly reduce your vulnerability and increase the likelihood of a full recovery following a cyberattack, without paying any ransom.

In summary.

Automating system recovery, replication and migration has been the core focus of the Cristie Software suite since inception, driven by innovative techniques and the latest advances in computing. Adding ransomware detection is a natural extension of our disaster recovery functionality and something that our software tools are uniquely positioned to tackle. All major cloud and virtualization platforms can be supported as replication or recovery targets, and specific extensions are available to enhance system recovery from backup solutions including Dell Technologies Avamar, Dell Technologies NetWorker, IBM Spectrum Protect, Cohesity DataProtect, and Rubrik Security Cloud. Visit the CloneManager® and System Recovery product pages or contact the Cristie Data team for more information regarding the Cristie Software suite of solutions for system recovery, replication, migration, and ransomware protection.
