Ransomware Detection


Generally speaking, when it comes to ransomware, your organization can be slotted into one of two categories: either you’ve already confronted a ransomware attack or you’re due for one. With ransomware revenues topping $3 billion, there’s no indication that a let-up is imminent. Trend Micro predicts that the number of ransomware attacks will increase by 25% in 2017. Since these infections are an inevitability, you need to be prepared to recover from a malware invasion as soon as the cyber criminals strike. One of the key defenses against the bad actors is to fend off the potential consequences of their programs by detecting the attack the moment it materializes.

Detection techniques include the monitoring of known ransomware extensions. If these extensions are found as part of your file names, it is likely that you’ve been hit with an attack. Similarly, network administrators can monitor for an uptick in file renames. If large volumes of files are getting renamed in a short period, it’s likely that the change was caused by ransomware. Additionally, machine learning and change rate monitoring can heighten your capacity to detect ransomware.
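The two file-level heuristics described above (known extensions in file names and a burst of renames by one account) applied to a constructed sample of file-server audit events, as an added example that is not part of the original page or any Unitrends product; the extension list, event format, window and threshold are illustrative assumptions.

```python
from collections import defaultdict

# Small illustrative sample of extensions historically associated with ransomware;
# a production deployment would load a maintained list, not this hard-coded set.
KNOWN_RANSOMWARE_EXTENSIONS = {".locky", ".cerber", ".zepto", ".crypt", ".encrypted"}

# Constructed audit events: (epoch_seconds, user, action, path).
# RENAME paths are written as "old -> new".
SAMPLE_EVENTS = [
    (1000, "alice", "WRITE",  r"\\fs01\share\report.docx"),
    (1005, "alice", "RENAME", r"\\fs01\share\old.txt -> \\fs01\share\new.txt"),
]
# Constructed burst: "bob" renames 25 documents to a .locky extension within 25 seconds.
SAMPLE_EVENTS += [(2000 + i, "bob", "RENAME",
                   rf"\\fs01\share\doc{i}.docx -> \\fs01\share\doc{i}.docx.locky")
                  for i in range(25)]

def suspicious_extension(path):
    """True if the file name ends in a known ransomware extension (case-insensitive)."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in KNOWN_RANSOMWARE_EXTENSIONS)

def rename_bursts(events, window_seconds=60, threshold=20):
    """Return {user: peak renames within any sliding window} for users at/over threshold."""
    renames = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "RENAME":
            renames[user].append(ts)
    flagged = {}
    for user, times in renames.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:   # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def analyze(events):
    """Combine both heuristics into one report an administrator could act on."""
    ext_hits = [(user, path) for _, user, action, path in events
                if suspicious_extension(path.split(" -> ")[-1])]   # check the new name
    return {"extension_hits": ext_hits, "rename_bursts": rename_bursts(events)}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```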

Find Ransomware

It is essential for IT professionals to employ an all-out, multi-pronged approach of endpoint, network, server, and backup level detection in order to protect data. It is critical for an organization’s detection defense to be everywhere, local and remote, for both physical and virtual machines. The use of predictive analytics to determine the probability that ransomware is operating on a server, workstation, or desktop computer may be the most powerful tool to monitor attacks. The program can alert administrators if ransomware conditions are discovered. When ransomware is detected, communicated and confirmed, the IT staff is able to immediately restore their system to the last valid recovery point.
While not new, IT pros also have to be wary of “sleeper” ransomware: malware that stealthily encrypts your data files in a way you cannot reverse without the attacker’s key. Victims are unaware of its presence until the ransom demand appears. Backups could fail because they may also contain the sleeper program. Even with backups, the time span between infection and detection may leave blocks of data that are no longer accessible. However, if you can detect the attack as it occurs, you can spin up from your backup files, allowing you to safely and securely restore your system.

Anti-Ransomware Tools

Antivirus programs are designed to run in the background and try to block attempts by ransomware to encrypt data. They monitor for text strings known to be related to ransomware. Using massive databases of digital signatures, these programs detect known ransomware file matches. However, this technique is ineffective against new or obscure strains of ransomware. Another problem, for the budget-conscious, is that this option requires IT departments to install the client software on every network device. Additionally, some of the nastiest strains of ransomware will lock down file access without encrypting the victim’s data. Antivirus programs that are designed to block encryption cannot deter malware that works without encryption.

While some of the anti-ransomware tools and antivirus-for-ransomware providers work diligently to uncover ransomware threats and defeat attacks, the fact is, with 4,000 attacks daily (according to the FBI), there are simply too many iterations for those programs to detect all these threats. Because of the constant evolution of variants, trying to detect or prevent ransomware with blacklists, whitelists or signatures alone is futile. The software companies simply cannot keep pace with the multitude of threat deviations. Additionally, hackers are embedding their code into already whitelisted software, which slips past anti-virus detection undetected.

Another example of where even the best antivirus-for-ransomware programs come up short is with virtual machines (VMs). Even though they are designed to mimic physical appliances, VMs contain cues (files, processes, registry keys, etc.) that allow them to be identified by ransomware software. Criminal developers have created code that checks for these cues, circumvents detection, and then targets configuration files, executables, registry entries, etc. This capability is referred to as “Anti-Sandbox” or “Anti-VM”; it evades discovery by even the best anti-ransomware programs. So while these software programs claim that they offer the best anti-ransomware tool, it is unrealistic to expect them to track and detect all the possible forms of attack.

Meanwhile, the bad actors are devising new ways to avoid discovery using worms, “drive-bys,” and other fileless attack methods that require no human action to execute. These forms of ransomware infect your system through vulnerabilities in various browser plugins, and despite their best efforts, anti-virus software is an ineffective tool for those who depend on it alone to find ransomware.

Unitrends Ransomware Detection

When backups are performed using Unitrends appliances, the predictive analytics engine analyzes the data stream and uses a probabilistic methodology to identify anomalies that match the activity a system would present if infected with ransomware. Change rate is one of the key factors in determining uncharacteristic variations in files. The detection function uses various heuristics to detect atypical behavior occurring in the data. The sensitivity of the predictive analytics monitoring can be adjusted if it is determined that the algorithms are too aggressive in their detection. This flexibility is designed to minimize false positive alerts from the system.

Using machine learning, the program compares the average amount of unique data on the system against the amount of unique data in the most recent backup. By analyzing the changed blocks, the patent-pending program can effectively identify ransomware conditions. An alert is generated and sent to the organization’s IT team to signal that significantly higher than average unique data has been detected and that the conditions are cues of a probable ransomware attack. After confirmation of an attack, IT staff can immediately restore to the most recent secure backup.
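A simplified version of the change-rate check described in the two paragraphs above, as an added example that is not Unitrends’ patent-pending code: each backup’s amount of unique (changed) data is scored against the preceding backups, the sensitivity knob is a z-score threshold, and a flagged backup is kept out of the baseline so it cannot mask the next one. The backup series and the threshold values are constructed assumptions.

```python
import statistics

# Constructed history of unique data per nightly backup job, in GB: eight quiet
# nights, one more quiet night, then two nights where nearly every block changed
# (the pattern bulk encryption leaves in incremental backups).
SAMPLE_SERIES_GB = [3.9, 4.2, 4.0, 4.4, 3.8, 4.1, 4.3, 4.0, 4.1, 48.0, 47.5]

def change_rate_score(history_gb, latest_gb):
    """z-score of the latest backup's unique data against the baseline history."""
    mean = statistics.fmean(history_gb)
    stdev = statistics.pstdev(history_gb)
    if stdev == 0:                      # perfectly flat baseline: any growth is anomalous
        return float("inf") if latest_gb > mean else 0.0
    return (latest_gb - mean) / stdev

def ransomware_condition(history_gb, latest_gb, sensitivity=3.0):
    """True when the latest backup exceeds the baseline by `sensitivity` standard
    deviations. Lowering `sensitivity` makes detection more aggressive; raising it
    reduces false positives, which is the tuning described on the page."""
    return change_rate_score(history_gb, latest_gb) >= sensitivity

def evaluate_backups(series_gb, window=8, sensitivity=3.0):
    """Walk a series of backups in order and return [(index, z)] for each one that
    meets the ransomware condition. The first `window` backups are trusted history;
    a flagged backup is NOT appended to the baseline, so the next night is still
    compared against known-good change rates."""
    baseline = list(series_gb[:window])
    alerts = []
    for i in range(window, len(series_gb)):
        z = change_rate_score(baseline[-window:], series_gb[i])
        if z >= sensitivity:
            alerts.append((i, z))
        else:
            baseline.append(series_gb[i])
    return alerts

if __name__ == "__main__":
    for idx, z in evaluate_backups(SAMPLE_SERIES_GB):
        print(f"backup #{idx}: {SAMPLE_SERIES_GB[idx]} GB unique data, z={z:.1f} -> alert")
```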

Recovery Assurance
An additional instrument to assist in the detection of ransomware is Unitrends Recovery Assurance. As one of the Unitrends solution’s capabilities, this feature provides backup testing and verification. It is designed to ensure that your backup data can restore your system as planned. A component of that testing includes the ability to run a security check for ransomware. Your backups only have value if you can use them to recover. Successful DR needs to be free of ransomware. Recovery Assurance allows you to assess the viability of your backup, and it can be used to detect ransomware components which may disrupt your ability to recover.

At Unitrends we’ve identified 5 forms of defense that, in combination, offer you the best anti-ransomware protection against malicious attacks.

1. Protect
Use backup! Follow the 3-2-1 rule: three copies of your data, 2 different types of media and 1 version stored off-site. If you do get hit by ransomware you’ll have an easy escape.

2. Secure
Ransomware predominantly targets the more prevalent Windows OS. Consider a purpose-built appliance running on hardened Linux to prevent attacks and secure your backup architecture.

3. Test
You cannot recover from ransomware without a good backup – and making sure a backup is recoverable is often taken for granted.  Make sure you regularly test your backups for ransomware and other issues that could impact a successful recovery.  It’s critical to make certain your files, settings, applications and structured data are available for instant and successful disaster recovery.

4. Detect
Early ransomware detection means less data loss and downtime. Some backup systems are more intelligent these days.  They use predictive analytics and machine learning to look for anomalies and conditions typical of ransomware attacks and alert administrators of abnormal fluctuations.

5. Instant Recovery
If you’ve effectively backed up your data and tested its recoverability you will be ready to roll back your network to a safe restore point and avoid downtime and revenue loss.

This combination of solutions provides you with the most comprehensive anti ransomware tool. It’s a program that protects your data and safeguards your job.

Detecting ransomware is a functionality built into the Unitrends backup and continuity solution. We apply adaptive and predictive analytics against backup data. The program assesses data change rates, gauges abnormalities and quickly identifies and alerts users of ransomware conditions.

Early ransomware detection means faster recovery, and it provides you with the tools you need to best meet your organization’s Recovery Time Objectives (RTOs). You can respond quickly in order to instantly access your backup recovery point (RPO) and revert your network to its pre-attack position. This process lets you render the ransomware virtually powerless.

Ransomware attacks have been ferocious. If you haven’t been attacked yet, it’s not a matter of if, but when you will have to deal with this disaster. Be prepared with an exhaustive line of defense at your endpoints, on your network, and within your backups.