Published on September 03, 2020 | By Infrascale
Preparing for a Ransomware Attack: Prevention & Detection
What is Ransomware?
Ransomware is a type of malware that encrypts a victim’s data, blocking access until a ransom is paid. There are multiple varieties of ransomware; however, they all share the same extortion-oriented goal: a demand for payment in a digital currency, like bitcoin. Digital currencies are preferred because they are hard to track, making it difficult to find and prosecute the perpetrators. A common feature of recent ransomware attacks is the inclusion of a countdown timer. These timers badger the victim to pay before time runs out, or else the ransomware will permanently delete the data. One example of ransomware that uses such a timer is Jigsaw ransomware. Once Jigsaw infects a computer, it demands payment and starts deleting files (in groups) over the next 72 hours, until they are all gone. For added incentive (or terror), Jigsaw ransomware will delete 1,000 files if attempts are made to disrupt the deletion process, including trying to reboot the computer.
Typical Vectors of Ransomware Infection
Reported ransomware attacks grew over 365% in 2019. A typical attack is carried out by tricking an end-user into clicking on a legitimate-looking file from a website or an e-mail attachment. Generally, for a virus or other security threat to work, it needs root (or similar administrative) access to the computer. However, ransomware does not require this authority, as it only encrypts the data of the user who opened the attachment. Since ransomware does not require elevated access, and security software often sees its activity as normal user activity, it is almost impossible to stop every infection. The best plan is to prevent as much as you can and have a plan for recovery.
Prevention First – Patch, Update, and Educate
The first tip to prevent ransomware attacks is to keep your operating system and application software updated and patched. This might sound obvious, but endpoints (like a laptop or desktop computer) are not as tightly controlled as servers. Further, an end-user computer will typically run a multitude of applications from different vendors. To overcome the patching dilemma, Microsoft has created built-in tools to help administrators and end-users manage patches. There are also third-party management tools (typically used by IT departments) to enforce policy around software application versioning. Those third-party tools may also block undesirable software, like ransomware, through application whitelisting, which only allows approved applications to run. IT policy management tooling is a godsend in protecting end-users’ computers, but it requires a fair bit of management overhead. For example, when a new patch comes out, the application must be whitelisted separately each time – a burden when managing hundreds of applications and patches to make sure your users can perform their jobs.
All said, neither end-users self-updating applications nor updates driven through IT policy management tools are enough. Application updates must be partnered with good, up-to-date antivirus (AV) software.
Last, but not least, is the importance of education. End-users need training to determine which emails not to open, and how to identify malicious senders and suspicious attachments. Training all end-users in an organization reduces the risk of downloading malware.
Endpoint Detection and Response (EDR)
Bad actors are getting better at hiding their attacks, making them harder to detect. They are also finding ways around antivirus detection software, which leaves the AV software silent even while an attack is under way. This is where Endpoint Detection and Response (EDR) can help. The goal of EDR is to look for bad behavior and alert the end-user (or administrator). Earlier warning of an infection leaves more time to stop its spread and, better yet, pinpoints the exact timestamp of infection so that the exact recovery point is known.
Endpoint Detection and Response operates via two key principles:
- Continuous monitoring / anomaly detection for new and changing files
- Immediate response to a detected threat
FYI: both principles are managed via the Infrascale Cloud Backup (ICB) product.
Continuous monitoring implies looking at either new or changing files on a continuous basis. When integrated with backup software, anomaly detection happens during the scanning of files to ascertain which must be backed up for the first time (new) or to capture files that have changed since the last backup. In either case, an anomaly is detected when non-typical backup activity is found, based on a statistical analysis of backup history. This approach relies on tracking the new and modified file counts between backup sessions. If a file has been moved, renamed, or newly created, the system identifies it as a “new” file. A file is considered “modified” when its content has changed since the last backup, but its path and name are the same.
Example: Assume there are typically 10 new files per backup (known from history analysis) – and the backup software is cognizant of that “norm”. In the case of a potential ransomware attack, many precious files could be instantly encrypted and renamed. As a result of hundreds, or even thousands, of files being changed on your computer, the “new” file threshold, as compared to the “norm”, will be triggered.
Infrascale Cloud Backup provides anomaly detection for new files. Further, in order to make the technology trustworthy and prevent false-positive alarms, ICB accounts for probable backup irregularities by adding weights to the time intervals between backups. Additionally, ICB considers the number of observed backups – there should be at least five prior, successful backups – before it will positively flag a backup anomaly.
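As an added illustration of the norm-versus-threshold logic described above (example code written for this page, not Infrascale’s implementation): a detector that weights each backup interval by its length, refuses a verdict until five intervals of successful history exist, and treats the warning threshold as a number of standard deviations above the norm. The per-day rate weighting and the Poisson-style noise floor are assumptions about how such a scheme can be built; the sample history is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_HISTORY = 5  # page: at least five prior successful backups before alerting

@dataclass(frozen=True)
class Session:
    finished: datetime
    new_files: int      # moved, renamed or newly created since the last backup
    changed_files: int  # same path and name, different content
    succeeded: bool = True

def _days(later, earlier):
    return max((later - earlier).total_seconds() / 86400, 1 / 24)

def check_session(history, current, field="new_files", threshold=3.0):
    """Return (is_anomaly, observed_rate, norm_rate, allowed_rate)."""
    ok = [s for s in history if s.succeeded]  # a failed run just widens the gap
    # Assumption for the page's interval weighting: per-day rates, weighted by
    # interval length, so a week offline is not mistaken for an attack burst.
    rates, weights = [], []
    for prev, cur in zip(ok, ok[1:]):
        d = _days(cur.finished, prev.finished)
        rates.append(getattr(cur, field) / d)
        weights.append(d)
    if len(rates) < MIN_HISTORY:
        return False, None, None, None  # too little history to trust a verdict
    total = sum(weights)
    norm = sum(r * w for r, w in zip(rates, weights)) / total
    var = sum(w * (r - norm) ** 2 for r, w in zip(rates, weights)) / total
    std = max(var ** 0.5, norm ** 0.5, 1.0)  # Poisson-style noise floor
    observed = getattr(current, field) / _days(current.finished, ok[-1].finished)
    allowed = norm + threshold * std  # smaller threshold = more sensitive
    return observed > allowed, observed, norm, allowed

def demo():
    """Constructed history: one backup a day with about ten new files each."""
    t0 = datetime(2020, 9, 1, 2, 0)
    history = [Session(t0 + timedelta(days=i), n, 3)
               for i, n in enumerate([10, 9, 11, 10, 12, 8, 10])]
    day7, mild = t0 + timedelta(days=7), 18  # 18 new files: a bump, not a burst
    return {
        "burst": check_session(history, Session(day7, 800, 3))[0],
        "catchup": check_session(history, Session(t0 + timedelta(days=13), 70, 3))[0],
        "strict": check_session(history, Session(day7, mild, 3), threshold=1.0)[0],
        "lenient": check_session(history, Session(day7, mild, 3))[0],
        "allowed": round(check_session(history, Session(day7, mild, 3))[3], 2),
    }
```

The “catchup” case shows why the interval weighting matters: 70 new files after a week away is the same ten-per-day rate as the norm, while the same count arriving in one day would be flagged.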
Continuous monitoring isn’t only about new files – it must also cover existing files. Thus, as ICB scans for file changes, it also scans files for signatures associated with ransomware. With this option enabled, each backup session includes scanning to compare new and changed files against the list of file types (and patterns) associated with ransomware. The ransomware definitions used for this activity are updated on a daily basis to ensure Infrascale customers are protected against new strains of malware as they are discovered.
Immediate Response. In the scenarios above (detecting velocity of new or changing files – or detecting signatures of ransomware), the ICB software throws a red flag and generates warning notifications: “The attributes of this file indicate that there may be ransomware on this computer.” This red flag exists to prompt administrative action in real-time. Warnings are presented to administrators as:
- Available for real-time consumption in the Infrascale API/SDK,
- Alerts to users on the Infrascale Dashboard, and
- Alerts in email – via the backup report (if enabled)
Enabling Ransomware Detection in Infrascale Cloud Backup
Enabling ransomware detection in Infrascale Cloud Backup is as easy as one, two, three.
The administrator must:
- Log in to the Infrascale Dashboard and navigate to the Settings > Monitoring page
- Check the box next to one or more of the available options:
  - Enable anomaly detection for New Files
  - Enable anomaly detection for Changed Files
  - Scan backups for files associated with ransomware
- Save the changes
After that, the settings will be automatically applied to all the backups of all the users.
In the case of a ransomware event, a warning will be registered in the Infrascale monitoring system. This warning is also forwarded to the admin, if email reports are enabled on the same Monitoring Settings page described above.
The administrator can configure the sensitivity of anomaly detection by setting the threshold at which warnings are triggered. The smaller the threshold, the more readily the system sends warnings. Higher thresholds allow more significant deviations from the norm before a warning is triggered.
Ransomware is a Virus; Like a Virus, Re-infections Happen Unless You Take Precautions
What should you do when you get hit by ransomware? The easiest way to recover is to have a ZTI (Zero Touch Infrastructure) in place. The goal of a ZTI is to avoid having to reinstall the OS and apps on all of the infected computers. With Infrascale, this is accomplished with the Bare Metal Recovery option to image the endpoints – allowing administrators to boot up and recover the endpoint from a known-good backup dated from before the attack.
Businesses often pay the ransom to get the decryption key without talking to an IT professional first. After paying the ransom, the business may indeed have the decryption key. However, thirty days later the infection re-emerges and re-encrypts – with the arrival of a new ransom demand. Victims must completely remove the ransomware, or they remain in a continuous infection cycle. Bare Metal Recovery (BMR) is a great tool, but it is only effective when the copy is “offline” – not reachable, itself, by the ransomware. Further, since many ISPs cut Internet connectivity to prevent the spread of an infection, the administrative team will need a local copy – hopefully, one that is not always connected to your PC (and therefore also infected). This can be accomplished with an external hard drive hooked up to a system once a week for the BMR backups – and a standard file backup process for the daily file updates. With Infrascale Cloud Backup there is no need to worry about your backups being infected. ICB uses an agent to push the data to the cloud. By using this agent – which communicates via an SDK, not a file share – the backup is air-gapped from the original. This means that the ransomware has no way to access the data in the Infrascale cloud! The punchline: no need for cutting the internet, no need for separate backup technologies, nor a separate hard drive.
Always, Always, Always Verify That Your Backup and Recovery is Working
The last topics to cover are reporting and testing the solution. Reporting is essential, so you absolutely know the solution is backing up what you want, when you want it backed up. This ensures the data is available for a recovery. Infrascale Cloud Backup offers many reporting options that can be configured per partner, customer, or end-user. Infrascale has also integrated with third-party vendors like ConnectWise and Autotask for monitoring. Lastly, Infrascale also offers a public API, enabling you to integrate the reporting right into your systems. The options are there – so implement at least one to verify backups are running.
However, monitoring and reporting only tell an administrator when an event has already occurred. A complete, well-rounded, and operational ransomware detection solution also requires testing the recovery plan and systems. Testing is probably the most overlooked part of having a good recovery plan, as people rarely do it. Once a month, you should test your monitoring, backups, AND RECOVERY to ensure that when the day comes, you are prepared for a ransomware attack.