Early ransomware detection incorporated into your system recovery process.
Applying patented file analysis techniques to combat ransomware.
Detecting ransomware encryption patterns.
To be effective, ransomware must encrypt files, which means it must read file contents from disk and then write the encrypted contents back to disk. How this is done varies: some ransomware payloads write to a different file and then delete the original, while others write into the original file and possibly rename it after it has been encrypted. Watching for mass deletes and renames is therefore part of the process, but it is only the tip of the iceberg. The encryption process itself also varies, with some payloads encrypting fragments of files while others encrypt the entire file.

File encryption is detected by calculating the entropy of a file. File entropy measures the randomness of the data in a file and is used to determine whether a file contains hidden data or suspicious scripts. The scale of randomness (bits per byte) runs from 0, not random at all, to 8, totally random, such as an encrypted file. Of course, any backup process that uses encryption and/or data compression will exhibit the same properties, including the renaming of files with an extension such as ‘.bak’ followed by an increase in file entropy. Any file anomaly detection algorithm must therefore be able to distinguish between suspicious and expected behaviour to avoid presenting false positive alerts.

Typical ransomware attacks display characteristics which Cristie’s anomaly detection algorithms can detect through comparison against known patterns. The detection process can be run after every system backup. File activity reports and graded alerts are then presented via a security dashboard within the Cristie Virtual Appliance (VA) user interface. Alerts can also be sent by email and recorded in event logs.
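The passage above describes two signals (mass deletes/renames and a jump in file entropy) and the need to tell a backup job's '.bak'-style output apart from ransomware. The following is an added example, not Cristie's code or algorithm, showing how those pieces fit together: a Shannon entropy function on the 0 to 8 scale, a scorer over a batch of file events, and an allowlist of backup extensions to suppress expected high-entropy writes. The thresholds, the allowlist, the grading rules and the sample events are all assumptions constructed for the example.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds (not Cristie's): Shannon entropy is measured in bits per byte,
# so encrypted or compressed content sits close to the maximum of 8.
HIGH_ENTROPY = 7.5
MIN_ENTROPY_JUMP = 2.0
# Assumed allowlist: extensions written by the site's own backup/compression jobs.
EXPECTED_BACKUP_EXTENSIONS = (".bak", ".gz", ".zip")


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string on the 0 (constant) to 8 (uniformly random) scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileEvent:
    op: str                 # "write", "rename" or "delete"
    path: str
    new_path: str = ""      # rename target (renames only)
    before: bytes = b""     # content before a write
    after: bytes = b""      # content after a write


def is_expected_backup_target(path: str) -> bool:
    return path.lower().endswith(EXPECTED_BACKUP_EXTENSIONS)


def analyse_events(events: list[FileEvent]) -> dict:
    """Score a batch of file events and return counts plus a graded alert level."""
    encrypted_writes = renames = deletes = 0
    for ev in events:
        if ev.op == "delete":
            deletes += 1
        elif ev.op == "rename":
            # Renaming onto a known backup extension is expected; any other
            # extension change is counted as a rename anomaly.
            if not is_expected_backup_target(ev.new_path):
                renames += 1
        elif ev.op == "write":
            if is_expected_backup_target(ev.path):
                continue  # compressed or encrypted backups legitimately look random
            before, after = shannon_entropy(ev.before), shannon_entropy(ev.after)
            if after >= HIGH_ENTROPY and after - before >= MIN_ENTROPY_JUMP:
                encrypted_writes += 1
    # Assumed grading: content that turned random is the strongest signal;
    # mass deletes/renames on their own only earn a medium alert.
    if encrypted_writes >= 3:
        grade = "high"
    elif encrypted_writes >= 1 or (renames + deletes) >= 5:
        grade = "medium"
    else:
        grade = "none"
    return {"encrypted_writes": encrypted_writes, "renames": renames,
            "deletes": deletes, "grade": grade}


# Constructed sample content: readable text versus pseudo-ciphertext (random bytes).
PLAINTEXT = b"Quarterly figures, region by region, in the usual format.\n" * 64
CIPHERTEXT = random.Random(7).randbytes(len(PLAINTEXT))


def ransomware_like_batch() -> list[FileEvent]:
    """Constructed batch: originals overwritten with random bytes, then renamed."""
    batch = []
    for i in range(4):
        batch.append(FileEvent("write", f"/data/report{i}.docx",
                               before=PLAINTEXT, after=CIPHERTEXT))
        batch.append(FileEvent("rename", f"/data/report{i}.docx",
                               new_path=f"/data/report{i}.docx.locked"))
    return batch


def backup_like_batch() -> list[FileEvent]:
    """Constructed batch: a backup job writing compressed copies next to untouched originals."""
    return [FileEvent("write", f"/backup/report{i}.docx.gz", before=b"", after=CIPHERTEXT)
            for i in range(4)]


if __name__ == "__main__":
    print("ransomware-like:", analyse_events(ransomware_like_batch()))
    print("backup-like:    ", analyse_events(backup_like_batch()))
```

The design point is that neither signal is used on its own: a write only counts when the content both ends up near the top of the scale and jumped there from something structured, and writes to allowlisted backup targets are skipped entirely, which is what keeps the compression job from triggering an alert while the overwrite-and-rename batch still grades "high".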
How quickly can ransomware encrypt your data?
A recent article published by technology news platform ZDNET reported that researchers had tested how quickly 10 major ransomware strains could encrypt networks. At the time of writing, they found the fastest form of ransomware to be a malware strain called LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In a subsequent test, it took LockBit only 4 minutes and 9 seconds to encrypt 53.83 GB of files across different Windows operating systems and hardware specifications. These figures demonstrate how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. The ability to detect and alert on file activity which may be suspicious means that potential ransomware attacks can be identified in motion and immediate action taken.
Determining your safe recovery point following a ransomware attack.
Given the speed at which ransomware encryption can spread through an infected network, it is highly likely that system backups will contain malware-encrypted files. This scenario would usually require some cyber forensic investigation to determine the ‘last known clean’ copy of backup data that could provide a safe restore point. This can be a time-consuming exercise, resulting in extended downtime and potential loss of revenue. Cristie Software’s anomaly detection capability can help reduce this time, since backup files can also be scanned for anomalies by comparison against multiple snapshots of previous backups, which the VA can reference as part of normal operations.
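One way to turn the snapshot comparison just described into a concrete "last known clean" answer, as an added example that is not Cristie's implementation: each backup snapshot is summarised as a map of file path to entropy, consecutive snapshots are diffed for files that newly crossed the high-entropy line, and the first snapshot where that happens to more than a small fraction of files is treated as tainted. The threshold, the taint fraction and the four nightly snapshots are assumptions constructed for the example.

```python
# Assumed parameters (not Cristie's): a file reads as encrypted above this entropy,
# and a snapshot is tainted once this fraction of its files newly cross the line.
HIGH_ENTROPY = 7.5
MAX_ANOMALOUS_FRACTION = 0.05


def newly_high_entropy(previous: dict[str, float], current: dict[str, float]) -> list[str]:
    """Files present in both snapshots that were below the threshold and are now above it.
    Files with no earlier copy are skipped because there is no baseline to compare."""
    return sorted(path for path, ent in current.items()
                  if path in previous and previous[path] < HIGH_ENTROPY <= ent)


def last_clean_snapshot(snapshots: list[tuple[str, dict[str, float]]]) -> tuple[str, list[str]]:
    """Walk snapshots in chronological order, taking the oldest as the clean baseline.
    Returns the label of the last snapshot before the first tainted one and the
    files that flagged it (an empty list when no snapshot is tainted)."""
    if not snapshots:
        raise ValueError("need at least one snapshot")
    clean_label, prev = snapshots[0]
    for label, current in snapshots[1:]:
        flagged = newly_high_entropy(prev, current)
        if current and len(flagged) / len(current) > MAX_ANOMALOUS_FRACTION:
            return clean_label, flagged
        clean_label, prev = label, current
    return clean_label, []


def constructed_snapshots() -> list[tuple[str, dict[str, float]]]:
    """Constructed per-file entropy summaries for four nightly backups of 20 documents.
    Night 3 is where 8 of them suddenly read as random data."""
    base = {f"/data/doc{i}.docx": 4.3 for i in range(20)}
    night1 = dict(base)
    night2 = dict(base)
    night2["/data/doc5.docx"] = 4.6                      # ordinary edit, still structured
    night3 = dict(night2)
    for i in range(8):
        night3[f"/data/doc{i}.docx"] = 7.9               # first wave of encryption
    night4 = dict(night3)
    for i in range(8, 20):
        night4[f"/data/doc{i}.docx"] = 7.9               # encryption completed
    return [("night1", night1), ("night2", night2), ("night3", night3), ("night4", night4)]


if __name__ == "__main__":
    label, flagged = last_clean_snapshot(constructed_snapshots())
    print(f"restore from {label}; first flagged files: {flagged[:3]}")
```

Because the comparison is between consecutive snapshots rather than against a fixed baseline, a document that was legitimately high-entropy from the start (an archive, say) never counts, and a single edited file is absorbed by the taint fraction; only a sudden cluster of files turning random moves the restore point back.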
Extending a holistic approach to cybersecurity.
Cyber threats come in many forms, so a holistic approach is required to tackle them. Cybersecurity can seem a daunting task with so many loopholes to plug, but with a systematic approach you can achieve a high level of protection for your backup environment. Traditional antivirus software still plays a vital role, although by its nature it is always on the back foot, since it can only detect malware code that is already known and present within virus definition files, which require constant updates. Advanced techniques that employ machine learning, such as the file anomaly detection included within Cristie Software’s recovery and replication solutions, offer a powerful additional layer of protection which is much harder to circumvent, since file encryption is harder to disguise than a new segment of malware code. Combining our recovery and replication solutions with existing cybersecurity measures and complementary technologies such as immutable or air-gapped storage will significantly reduce your vulnerability and increase the likelihood of a full recovery following a cyberattack, without paying any ransom.
In summary.
Automating system recovery, replication and migration has been the core focus of the Cristie Software suite since inception, driven by innovative techniques and the latest advances in computing. Adding ransomware detection is a natural extension of our disaster recovery functionality and something that our software tools are uniquely positioned to tackle. All major cloud and virtualization platforms can be supported as replication or recovery targets, and specific extensions are available to enhance system recovery from backup solutions including Dell Technologies Avamar, Dell Technologies NetWorker, IBM Spectrum Protect, Cohesity DataProtect, and Rubrik Security Cloud. Visit the CloneManager® and System Recovery product pages or contact the Cristie Data team for more information regarding the Cristie Software suite of solutions for system recovery, replication, migration, and ransomware protection.