When it comes to ransomware, organizations are generally slotted into one of two categories: you’ve confronted a ransomware attack or you’re due for one. Global ransomware costs exceed $20 billion, with projections for triple-digit growth over the next decade. With huge successes, there’s no indication of attackers stopping anytime soon; new variants of the malware are created and deployed every day. One of the key defenses against bad actors is to fend off the potential consequences of their programs by detecting the attack the moment it materializes.
Detection techniques include monitoring for known ransomware file extensions. If these extensions show up in your file names, you’ve likely been attacked. Similarly, network administrators can monitor for an uptick in file renames. If large volumes of files are being renamed in a short period, the change was likely caused by ransomware. Additionally, machine learning and change-rate monitoring can heighten your capacity to detect ransomware by analyzing heuristic properties of data, such as rates of change and entropy (randomness), which can be indicators of ransomware threat conditions.
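As an added example (not part of the original post), the two simple signals described above, a watched-extension check and a rename-rate threshold, applied to a constructed batch of file-system events. The extension watchlist, event records and thresholds are all made-up illustrations, not vetted indicators.

```python
import os
from collections import deque

# Constructed watchlist of extensions to flag; an illustrative sample only.
# In practice this list comes from your own threat-intel feed.
WATCHED_EXTENSIONS = {".locked", ".encrypted", ".crypt"}

# Constructed file-system event records: (timestamp_seconds, action, path, new_path).
# new_path is None unless the action is a rename.
SAMPLE_EVENTS = [
    (0,   "write",  "/share/hr/policy.docx", None),
    (5,   "rename", "/share/hr/policy.docx", "/share/hr/policy.docx.locked"),
    (6,   "rename", "/share/hr/salaries.xlsx", "/share/hr/salaries.xlsx.locked"),
    (7,   "rename", "/share/fin/q1.xlsx", "/share/fin/q1.xlsx.locked"),
    (8,   "rename", "/share/fin/q2.xlsx", "/share/fin/q2.xlsx.locked"),
    (60,  "write",  "/share/fin/notes.txt", None),
    (400, "rename", "/share/eng/draft.md", "/share/eng/final.md"),
]

def has_watched_extension(path):
    """True when the file's final extension is on the watchlist."""
    return os.path.splitext(path)[1].lower() in WATCHED_EXTENSIONS

def peak_rename_rate(events, window_seconds):
    """Highest number of renames seen in any sliding window of window_seconds."""
    window = deque()
    peak = 0
    for ts, action, _old, _new in events:
        if action != "rename":
            continue
        window.append(ts)
        # Drop renames that fell out of the window ending at this event.
        while window and ts - window[0] >= window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak

def assess(events, window_seconds=10, rename_threshold=3):
    """Findings a monitor would raise for this batch of events.
    Either signal on its own is enough to alert; the rename-rate threshold
    is the tunable that trades false positives against detection delay."""
    hits = [new for _ts, action, _old, new in events
            if action == "rename" and new and has_watched_extension(new)]
    peak = peak_rename_rate(events, window_seconds)
    return {
        "watched_extension_hits": hits,
        "peak_rename_rate": peak,
        "alert": bool(hits) or peak >= rename_threshold,
    }
```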
IT professionals need to employ an all-out, multi-pronged approach of endpoint, network, server, and backup level detection to protect data. It is critical for an organization’s detection defense to be everywhere, local and remote for both physical and virtual machines. The use of predictive analytics to determine the probability that ransomware is operating on a server, workstation, or desktop computer may be the most powerful tool to monitor attacks. The program can alert administrators if ransomware conditions are discovered. When ransomware is detected, communicated and confirmed, it is easier to restore systems to the last valid recovery point.
While not new, IT pros also have to be wary of “sleeper” ransomware: malware that stealthily encrypts your data files with encryption you cannot undo. Victims are unaware of its presence until the ransom demand appears. Backups could fail because they may also contain the sleeper program. Even with backups, the period between infection and detection may leave blocks of data that are no longer accessible. However, if you can detect the attack as it occurs, you can spin up from your backup files, allowing you to safely and securely restore your system.
Antivirus programs are designed to run in the background and try to block attempts by ransomware to encrypt data. They monitor for text strings known to be related to ransomware. Using massive databases of digital signatures, these programs detect files that match known ransomware. However, this technique is ineffective against new or obscure strains of ransomware. Another problem, for the budget-conscious, is that this option requires IT departments to install a client on every network device. Additionally, some of the nastiest strains of ransomware will lock down file access without encrypting the victim’s data. Newer variants will attempt to disable defensive utilities such as antivirus software and VSS writers (impacting the ability to create backups) before detonating their payload and encrypting data. Antivirus programs that are designed to block encryption cannot deter variants of the malware that work without encryption.
While some of the anti-ransomware tools and antivirus-for-ransomware providers work diligently to uncover ransomware threats and defeat attacks, there are simply too many iterations for those programs to detect all these threats.
Another example of where even the best antivirus-for-ransomware programs come up short is with virtual machines (VMs). Even though they are designed to mimic physical appliances, VMs contain cues (files, processes, registry keys, etc.) that allow them to be identified by ransomware. Cybercriminals code with the intent of circumventing detection and attacking configuration files, executables, registry entries, etc. This coding provides covert access to the VMs and creates a gateway for ransomware pirates to attack. This capability is referred to as “Anti-Sandbox” or “Anti-VM,” and it lets the program avoid discovery by even the best anti-ransomware products. While these software programs claim to offer the best anti-ransomware tool, it is unrealistic to expect them to track and detect all the possible forms of attack.
Meanwhile, the bad actors are devising new ways to avoid discovery using worms, “drive-bys,” and other file-less attack methods that require no human action to execute. These forms of ransomware infect your system through vulnerabilities in various browser plugins, and despite the vendors’ best efforts, antivirus software is an ineffective tool for those who depend on it to find ransomware.
Unitrends Ransomware Detection
When backups are performed using Unitrends appliances, the predictive analytics engine analyzes the data stream and uses a probabilistic methodology to identify anomalies that match the activity a system would present if infected with ransomware. Change rate and entropy are two of the key factors in determining uncharacteristic variations in files. The detection function uses various heuristics to detect atypical behavior occurring in the data. The sensitivity of the predictive analytics monitoring can be adjusted if it is determined that the algorithms are too aggressive in their detection. This flexibility is designed to minimize false-positive alerts from the system.
Using machine learning, the program compares the average amount of unique data on the system against the amount of unique data in the most recent backup. By analyzing the changed blocks, the patent-pending program can effectively identify ransomware conditions. An alert is generated and sent to the organization’s IT team to signal that significantly more unique data than average has been detected and that the conditions are cues of a potential ransomware attack. After confirmation of an attack, IT pros can work quickly to isolate the infection, quarantine affected machines and restore to the most recent secure backup.
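The change-rate and entropy heuristic described in the two paragraphs above, worked through on constructed backup images as an added example; this is illustrative code, not Unitrends’ engine or its patent-pending algorithm. The 16-block “document share”, the routine edit, the random bytes standing in for ciphertext, the change-rate history and the 3-sigma sensitivity setting are all assumptions chosen for the illustration.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096  # large enough that ciphertext blocks can approach 8 bits/byte

def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def backup_profile(previous, current, entropy_floor=7.0):
    """Change rate between two backup images plus the share of changed blocks
    whose entropy looks like ciphertext (the two factors named in the text)."""
    prev = [previous[i:i + BLOCK_SIZE] for i in range(0, len(previous), BLOCK_SIZE)]
    cur = [current[i:i + BLOCK_SIZE] for i in range(0, len(current), BLOCK_SIZE)]
    changed = [b for i, b in enumerate(cur) if i >= len(prev) or prev[i] != b]
    change_rate = len(changed) / max(len(cur), 1)
    high = sum(1 for b in changed if shannon_entropy(b) >= entropy_floor)
    return change_rate, (high / len(changed) if changed else 0.0)

def ransomware_condition(history, change_rate, high_entropy_share, sensitivity=3.0):
    """Alert when the change rate sits `sensitivity` standard deviations above the
    historical mean AND most of the changed data looks encrypted. Raising
    sensitivity makes the detector less aggressive, the knob for cutting false positives."""
    mean = sum(history) / len(history)
    std = math.sqrt(sum((h - mean) ** 2 for h in history) / len(history)) or 0.01
    return change_rate > mean + sensitivity * std and high_entropy_share >= 0.5

# Constructed sample data: a 16-block "document share", a routine edit to one block,
# and the same share after encryption (seeded random bytes stand in for ciphertext).
_text = b"Quarterly revenue notes for the board; see attached spreadsheet.\n"
BASELINE = (_text * (16 * BLOCK_SIZE // len(_text) + 1))[:16 * BLOCK_SIZE]
ROUTINE_EDIT = BASELINE[:BLOCK_SIZE] + BASELINE[BLOCK_SIZE:2 * BLOCK_SIZE].upper() + BASELINE[2 * BLOCK_SIZE:]
_rng = random.Random(7)
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(len(BASELINE)))

# Constructed history of change rates observed across earlier clean backups.
CHANGE_HISTORY = [0.05, 0.10, 0.06, 0.08, 0.12]

def classify(previous, current, history=CHANGE_HISTORY, sensitivity=3.0):
    """Full pipeline: profile the new backup, then apply the anomaly rule."""
    rate, share = backup_profile(previous, current)
    return ransomware_condition(history, rate, share, sensitivity)
```

With the history above, the 3-sigma threshold works out to a change rate of roughly 16%, so the one-block edit passes quietly while the fully rewritten, high-entropy image trips the alert.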
An additional instrument to assist in the detection of ransomware is Unitrends Recovery Assurance. This feature provides automated backup testing and verification. It is designed to ensure that your backup data can restore your system as planned. A component of that testing includes the ability to run a security check for ransomware. Your backups only have value if you can use them for successful recovery. Recovery Assurance allows you to assess the viability of your backup and can be used to detect ransomware components that may disrupt your ability to recover.
At Unitrends, we’ve identified 5 forms of defense that, in combination, offer you the best anti-ransomware protection against malicious attacks.
Use backup! Follow the 3-2-1-1 rule: three copies of your data, two different types of media, one version stored off-site, and one copy that is immutable. It makes for an easy escape in the event you do get hit by ransomware.
Ransomware predominantly targets the more prevalent Windows OS. Consider a purpose-built appliance running on hardened Linux to resist attacks and secure your backup architecture.
You cannot recover from ransomware without a good backup, and making sure a backup is recoverable is often taken for granted. Regularly test your backups for ransomware and other issues that could impact a successful recovery. It’s critical to make certain your files, settings, applications and structured data are available for instant and successful disaster recovery.
Early ransomware detection means less data loss and downtime. Some backup systems are more intelligent than others. They use predictive analytics and machine learning to look for anomalies and conditions typical of ransomware attacks and alert administrators of abnormal fluctuations.
5. Instant Recovery
If you’ve effectively backed up your data and tested its recoverability, you will be ready to roll back your network to a safe restore point and avoid downtime and revenue loss.
This combination of solutions provides you with the most comprehensive anti-ransomware tool. It’s a program that safeguards your data and protects your job.
Detecting ransomware is a functionality built into the Unitrends backup and continuity solution. We apply adaptive and predictive analytics against backup data. The program assesses data change rates, gauges abnormalities, and quickly identifies and alerts users of ransomware conditions.
Early ransomware detection means faster recovery and gives you the tools you need to meet your organization’s Recovery Time Objectives (RTOs). You can respond quickly, access your most recent backup recovery point (meeting your Recovery Point Objectives, RPOs) and revert your network to its pre-attack state. This process lets you render the ransomware virtually powerless.
Ransomware attacks are ferocious. It’s not a matter of if, but when. Be prepared with an exhaustive line of defense at your endpoints, on your network and within your backups.