Ransomware detection and enhanced recovery now included in the Cristie Software recovery and replication portfolio

Early ransomware detection incorporated into your system recovery process.

When cybercriminals orchestrate a human-led cyberattack, they may have spent months identifying and overcoming defences to maximise the impact of their attack. Regardless of whether their entry was through commodity malware or the exploitation of an outdated or misconfigured web server, the ultimate goal will be file encryption to hold vital operational data to ransom. Hackers will typically use asymmetric encryption: cryptography that uses a pair of keys, one to encrypt and one to decrypt a file. The public-private key pair is uniquely generated by the attacker for the victim, with the private key needed to decrypt the files held on the attacker's server. Human-led attacks attempt to spread laterally within an organization's infrastructure, and when the encryption payload is executed, files can be encrypted at an alarmingly fast rate. Rapid detection of anomalies in file structure and naming can provide the earliest warning of an active cyberattack, and this capability has now been introduced into Cristie Software's portfolio of system recovery and replication solutions.

Applying patented file analysis techniques to combat ransomware.

We recently announced our UK patent award for the automatic self-healing of errors or failures encountered during a system restore or replication. This technology is built upon algorithms which analyse run-time log files to provide automatic system restore failure resolution through machine learning. The Cristie Software development team have applied these technologies to provide advanced file anomaly detection which can take place within the system recovery and replication process. System backups are a vital defence against ransomware, and the backup process provides an ideal opportunity to compare file structure between successive backup job images. Certain files will be changing regularly throughout normal business operations due to actions being undertaken within their associated applications; however, the process of malicious file encryption will follow one of several detectable patterns. It is these patterns that the Cristie Software anomaly detection technology will seek to identify, providing the earliest possible warning that an attack is in progress.

Detecting ransomware encryption patterns.

To be effective, ransomware must encrypt files, which means it must read file contents from disk and then write encrypted file contents back to disk. The way this is done varies: some ransomware payloads write to a different file and then delete the original, while others write into the original file and possibly rename it after it has been encrypted. Therefore, watching for mass deletes and renames is part of the process, but this is just the tip of the iceberg. The actual encryption process also varies, with some payloads encrypting fragments of files while others encrypt the entire file. File encryption is detected by calculating the entropy of a file. File entropy measures the randomness of the data in a file and is used to determine whether a file contains hidden data or suspicious scripts. The scale of randomness ranges from 0, not random, to 8, totally random, such as an encrypted file. Of course, any backup process that is using encryption and/or data compression will also exhibit these properties, including the renaming of files with an extension such as '.bak' plus a subsequent increase in file entropy. Any file anomaly detection algorithm must therefore be able to distinguish between suspicious and expected behaviours to avoid presenting false positive alerts. Typical ransomware attacks display characteristics which can be detected by Cristie's anomaly detection algorithms through comparison against known patterns. The detection process can be run following every system backup. File activity reports and graded alerts are then presented via a security dashboard within the Cristie Virtual Appliance (VA) user interface. Alerts can also be provided by email and recorded in event logs.
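As an added illustration (not Cristie's code, whose patented algorithms are not shown here), the following Python compares two constructed backup images for the three patterns described above: mass deletion, rename after encryption, and in-place encryption, using file entropy on the 0 to 8 scale together with an allowlist of extensions that legitimately exhibit high entropy. The 7.0 threshold, the extension list and the grading ratios are assumptions chosen for the example.

```python
import math
import random
from collections import Counter

# Extensions that legitimately carry high-entropy content (compressed or encrypted backups).
EXPECTED_HIGH_ENTROPY = {".bak", ".gz", ".zip", ".7z"}
ENTROPY_THRESHOLD = 7.0  # on the 0 (constant) .. 8 (random) scale the text describes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _ext(path: str) -> str:
    base = path.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""

def compare_snapshots(previous: dict, current: dict) -> dict:
    """Compare two backup images (path -> bytes); return findings plus an alert grade."""
    findings = {"deleted": [], "renamed": [], "encrypted": []}
    new = sorted(current.keys() - previous.keys())
    for old in sorted(previous.keys() - current.keys()):
        # Rename pattern: the original path survives as a prefix, e.g. x.docx -> x.docx.locked
        successor = next((p for p in new if p.startswith(old)), None)
        if successor is None:
            findings["deleted"].append(old)
            continue
        findings["renamed"].append((old, successor))
        if (shannon_entropy(current[successor]) >= ENTROPY_THRESHOLD
                and _ext(successor) not in EXPECTED_HIGH_ENTROPY):
            findings["encrypted"].append(successor)
    for path in sorted(previous.keys() & current.keys()):
        # In-place pattern: same name, entropy jumps from plaintext-like to random-like
        before, after = shannon_entropy(previous[path]), shannon_entropy(current[path])
        if before < ENTROPY_THRESHOLD <= after and _ext(path) not in EXPECTED_HIGH_ENTROPY:
            findings["encrypted"].append(path)
    ratio = (len(findings["encrypted"]) + len(findings["deleted"])) / max(len(previous), 1)
    findings["grade"] = ("high" if ratio >= 0.5 else "medium" if ratio >= 0.1
                         else "low" if ratio > 0 else "none")
    return findings

# Constructed sample backup images; the seeded random block stands in for ciphertext.
TEXT = b"quarterly figures, region north, status ok\n" * 100
RANDOM_4K = random.Random(7).randbytes(4096)
PREVIOUS = {"finance/q1.xlsx": TEXT, "finance/q2.xlsx": TEXT, "hr/policy.docx": TEXT, "logs/app.log": TEXT}
CURRENT = {"finance/q1.xlsx.locked": RANDOM_4K,  # encrypted, then renamed
           "finance/q2.xlsx": RANDOM_4K,         # encrypted in place; hr/policy.docx is gone
           "logs/app.log.gz": RANDOM_4K}         # expected high entropy: compressed log
```

Running `compare_snapshots(PREVIOUS, CURRENT)` flags the two encrypted spreadsheets and the deleted policy document as a "high" grade alert, while the compressed log rename is recorded but not treated as encryption.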

How quickly can ransomware encrypt your data?

A recent article published by technology news platform ZDNET reported that researchers had tested how quickly 10 major ransomware strains could encrypt networks. At the time of writing, they found the fastest form of ransomware to be a malware strain called LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In a subsequent test, it took LockBit only 4 minutes and 9 seconds to encrypt 53.83 GB of files across different Windows operating systems and hardware specifications. These figures demonstrate how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. The ability to detect and alert on file activity which may be suspicious means that potential ransomware attacks can be identified in motion and immediate action taken.

Determining your safe recovery point following a ransomware attack.

Given the speed at which ransomware encryption can spread through an infected network, it is highly likely that system backups will contain malware-encrypted files. This scenario would usually require some cyber-forensic investigation to determine the 'last known clean' copy of backup data that could provide a safe restore point. This can be a time-consuming exercise, resulting in extended downtime and potential loss of revenue. Cristie Software's anomaly detection capability can help reduce this time, since backup files can also be scanned for anomalies by comparison against multiple snapshots of previous backups which the VA can reference as part of normal operations.

Extending a holistic approach to cybersecurity.

Cyber threats come in many forms, so a holistic approach is required to tackle them. Cybersecurity can seem a daunting task with so many loopholes to plug, but with a systematic approach you can achieve a high level of protection for your backup environment. Traditional antivirus software still plays a vital role, although by its nature it is always on the back foot since it can only detect malware code that is already known and present within virus definition files, which require constant updates. Advanced techniques that employ machine learning, such as the file anomaly detection included within Cristie Software's recovery and replication solutions, offer a powerful additional layer of protection which is much harder to circumvent, since file encryption is harder to disguise than a new segment of malware code. Combining our recovery and replication solutions with existing cybersecurity measures and complementary technologies such as immutable or air-gapped storage will significantly reduce your vulnerability and increase the likelihood of a full recovery following a cyberattack, without paying any ransom.

In summary.

Automating system recovery, replication and migration has been the core focus of the Cristie Software suite since inception, driven by innovative techniques and the latest advances in computing. Adding ransomware detection is a natural extension of our disaster recovery functionality and something that our software tools are uniquely positioned to tackle. All major cloud and virtualization platforms can be supported as replication or recovery targets, and specific extensions are available to enhance system recovery from backup solutions including Dell Technologies Avamar, Dell Technologies NetWorker, IBM Spectrum Protect, Cohesity DataProtect, and Rubrik Security Cloud. Visit the CloneManager® and System Recovery product pages or contact the Cristie Data team for more information regarding the Cristie Software suite of solutions for system recovery, replication, migration, and ransomware protection.