Ransomware is a type of malware that encrypts a victim's data, blocking access until a ransom is paid. There are multiple varieties of ransomware; however, they all share the same extortion-oriented goal: a demand for payment in a digital currency, like bitcoin. Digital currencies are preferred because they are hard to track, making it difficult to find and prosecute the perpetrators. A common feature of recent ransomware attacks is the inclusion of a countdown timer. These timers badger the victim to pay before time runs out, or else the ransomware will permanently delete the data. One example of ransomware that uses such a timer is Jigsaw. Once Jigsaw infects a computer, it demands payment and starts deleting files (in groups) over the next 72 hours, until they are all gone. For added incentive (or terror), Jigsaw deletes 1,000 files if any attempt is made to disrupt the deletion process, including rebooting the computer.
Reported ransomware attacks grew over 365% in 2019. A typical attack is carried out by tricking an end-user into clicking on a legitimate-looking file from a website or an e-mail attachment. Generally, for a virus or other security threat to work, it needs root (or similar administrative) access to the computer. Ransomware, however, does not require this authority, as it only encrypts the data of the user who opened the attachment. Since ransomware does not require elevated access, and security software often sees the activity as normal user behaviour, it is almost impossible to stop every infection. The best plan is to prevent as much as you can and have a plan for recovery.

### Prevention First – Patch, Update, and Educate

The first tip to prevent ransomware attacks is to keep your operating system and application software updated and patched. This might sound obvious, but endpoints (such as a laptop or desktop computer) are not as sophisticated as servers in how they are run and maintained. Further, an end-user computer will typically run a multitude of applications from different vendors. To overcome the patching dilemma, Microsoft has created built-in tools to help administrators and end-users manage patches. There are also third-party management tools (typically used by IT departments) to enforce policy around software application versioning. Those third-party tools may also block undesirable software, like ransomware, through application whitelisting, which only allows approved applications to run.
IT policy management tooling is a godsend in protecting end-users' computers, but it requires a fair bit of management overhead. For example, when a new patch comes out, the application must be whitelisted separately each time – a burden when managing hundreds of applications and patches to make sure your users can perform their jobs.

All said, neither end-users self-updating applications nor updates driven through IT policy management tools is enough. Application updates must be partnered with good, up-to-date antivirus (AV) software.

Last, but not least, is the importance of education. End-user training is required to help users determine which emails not to open, and how to identify malicious senders and suspicious attachments. Training all end-users in an organization reduces the risk of downloading malware.

### Endpoint Detection and Response (EDR)

Bad actors are getting better at hiding their attacks, making them harder to detect. They are also finding ways around antivirus detection software, which leaves the AV software silent even while an attack is under way. This is where Endpoint Detection and Response (EDR) can help. The goal of EDR is to look for bad behavior and alert the end-user (or administrator).
Earlier warning of an infection leaves more time to respond and stop the spread – and, better yet, pinpoints the exact timestamp of infection, so that the exact recovery point is known.

Endpoint Detection and Response operates via two key principles: continuous monitoring and immediate response.

FYI: both principles are managed via the Infrascale Cloud Backup (ICB) product.

Continuous monitoring implies looking at new or changing files on a continuous basis. When integrated with backup software, anomaly detection happens during the scan of files that determines which must be backed up for the first time (new) and which have changed since the last backup (modified). In either case, anomaly detection occurs when non-typical backup activity is found, based on a statistical analysis of backup history. This approach relies on tracking the new and modified file count between backup sessions. If a file has been moved, renamed, or newly created, the system identifies it as a "new" file. A file is considered "modified" when its content has changed since the last backup but its path and name are the same.

Example: Assume there are typically 10 new files per backup (known from history analysis), and the backup software is cognizant of that "norm". In the case of a ransomware attack, many precious files could be encrypted and renamed almost instantly. With hundreds, or even thousands, of files changing on your computer, the "new" file threshold, as compared to the "norm", will be triggered.

Infrascale Cloud Backup provides anomaly detection for new files. Further, to make the technology trustworthy and prevent false positive alarms, ICB accounts for probable backup irregularities by adding weights to the time intervals between backups.
Additionally, ICB considers the number of observed backups – there must be at least five prior, successful backups – before it will positively detect a backup anomaly.

Continuous monitoring isn't only about new files – it must also cover existing files. Thus, as ICB scans for file changes, it scans files for signatures associated with ransomware! With this option enabled, each backup session includes scanning that compares new and changed files against a list of file types (and patterns) associated with ransomware. The ransomware definitions used for this activity are updated on a daily basis to ensure Infrascale customers are protected against new strains of malware as they are discovered.

Immediate Response. In the scenarios above (detecting the velocity of new or changing files, or detecting signatures of ransomware), the ICB software throws a red flag and generates warning notifications: "The attributes of this file indicate that there may be ransomware on this computer." This red flag exists to prompt administrative action in real time. Warnings are presented to administrators as:

### Enabling Ransomware Detection in Infrascale Cloud Backup

Enabling ransomware detection in Infrascale Cloud Backup is as easy as one, two, three.

The administrator must:

After that, the settings are automatically applied to all backups of all users.

In the case of a ransomware event, a warning is registered in the Infrascale monitoring system. This warning is also forwarded to the admin, if email reports are enabled on the same Monitoring Settings page described above.

The administrator can configure the sensitivity of anomaly detection by setting the threshold at which warnings are triggered. The smaller the threshold, the more sensitive the system is and the more readily it sends warnings.
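As an added illustration (not Infrascale's own code; ICB's scoring is not published on this page), the following Python sketches the two continuous-monitoring checks described above: a velocity check of the new-file count against a weighted backup history, with the five-prior-backups rule and a configurable sensitivity threshold, plus a scan of new or changed file names against ransomware definitions. The per-24h interval weighting, the standard-deviation threshold and the sample patterns are assumptions made for the example.

```python
import math
import statistics
from fnmatch import fnmatch

# Constructed sample definitions (placeholders, not Infrascale's real list):
# name patterns typical of encrypted files and dropped ransom notes.
RANSOMWARE_PATTERNS = ["*.locked", "*.crypt", "*decrypt*instructions*.txt"]
MIN_HISTORY = 5  # at least five prior successful backups before judging

def new_file_rate(new_files, hours_since_previous):
    """Per-24h rate: a backup run after a long gap is not mistaken for a burst
    (our reading of ICB 'adding weights to the intervals between backups')."""
    return new_files * 24.0 / max(hours_since_previous, 1.0)

def velocity_anomaly(history, new_files, hours_since_previous, threshold=3.0):
    """history: (new_files, hours_since_previous) per prior successful backup.
    Returns (is_anomaly, limit); no verdict below MIN_HISTORY sessions.
    threshold is in standard deviations (smaller = more sensitive); the
    Poisson floor sqrt(mean) stops a flat history from flagging any change."""
    if len(history) < MIN_HISTORY:
        return False, None
    rates = [new_file_rate(n, h) for n, h in history]
    mean, sd = statistics.fmean(rates), statistics.pstdev(rates)
    limit = mean + threshold * max(sd, math.sqrt(mean))
    return new_file_rate(new_files, hours_since_previous) > limit, limit

def signature_hits(changed_paths, patterns=RANSOMWARE_PATTERNS):
    """Compare each new or modified file name against the definitions."""
    return [p for p in changed_paths
            if any(fnmatch(p.lower(), pat) for pat in patterns)]

def check_session(history, new_files, hours_since_previous, changed_paths,
                  threshold=3.0):
    """Run both continuous-monitoring checks on one backup session and
    return the warnings an administrator would be shown."""
    warnings = []
    anomalous, limit = velocity_anomaly(history, new_files,
                                        hours_since_previous, threshold)
    if anomalous:
        warnings.append(f"{new_files} new files in one session exceeds the "
                        f"norm (limit {limit:.1f} per 24h)")
    for path in signature_hits(changed_paths):
        warnings.append(f"{path}: the attributes of this file indicate that "
                        "there may be ransomware on this computer")
    return warnings

if __name__ == "__main__":
    history = [(10, 24), (12, 24), (9, 24), (11, 24), (10, 24)]  # constructed
    print(check_session(history, 11, 24, ["docs/report.docx"]))  # []
    print(check_session(history, 640, 24, ["docs/report.docx.locked"]))
```

With the constructed history of about 10 new files per daily backup, the limit works out to roughly 20 new files per 24 hours, so a session with 640 new files (or one whose names match a definition) raises a warning while an ordinary day does not.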
Higher thresholds allow more significant deviations from the standard before a warning is triggered.

### Ransomware is a Virus; Like a Virus, Re-infections Happen Unless You Take Precaution

What should you do when you get hit by ransomware? The easiest way to recover is to have a ZTI (Zero Touch Infrastructure) in place. The goal of a ZTI is to avoid having to reinstall the OS and applications on every infected computer. With Infrascale, this is accomplished with the Bare Metal Recovery option to image the endpoints, allowing administrators to boot up and recover the endpoint from a known-good backup dated from before the attack.

Businesses often pay the ransom to get the decryption key without talking to an IT professional first. After paying the ransom, the business may indeed receive the decryption key. However, thirty days later the infection re-emerges and re-encrypts the data, with the arrival of a new ransom demand. Victims must make sure the ransomware is completely removed, or they remain in a continuous infection cycle. Bare Metal Recovery (BMR) is a great tool, but it is only effective when the copy is "offline" – not reachable, itself, by the ransomware. Further, since many ISPs cut Internet connectivity to prevent the spread of an infection, the administrative team will need a local copy – hopefully one that is not always connected to your PC (and therefore also infected).
This can be accomplished with an external hard drive hooked up to a system once a week for the BMR backups, plus a standard file backup process for the daily file updates. With Infrascale Cloud Backup there is no need to worry about your backups being infected. ICB uses an agent to push the data to the cloud. Because this agent communicates through an SDK, not a file share, the backup is air-gapped from the original. This means the ransomware has no way to access the data in the Infrascale cloud! The punchline: no need to cut the Internet, no need for separate backup technologies, and no need for a separate hard drive.

### Always, Always, Always Verify That Your Backup and Recovery is Working

The last topics to cover are reporting and testing the solution. Reporting is essential, so that you absolutely know the solution is backing up what you want, and when you want it backed up. This ensures the data is available for a recovery. Infrascale Cloud Backup offers many reporting options that can be configured per partner, customer, or end-user. Infrascale has also integrated with third-party vendors like ConnectWise and Autotask for monitoring. Lastly, Infrascale also offers a public API, enabling you to integrate the reporting right into your systems. The options are there – so implement at least one to verify that backups are running.