Early ransomware detection incorporated into your system recovery process.
When cybercriminals orchestrate a human led cyberattack, they may have spent months identifying and overcoming defences to maximise the impact of their attack. Early ransomware detection is therefore vital to ensure damage limitation. Regardless of whether their entry was through commodity malware, or the exploitation of an outdated or misconfigured web server, the ultimate end goal will be file encryption to hold vital operational data to ransom. Hackers will typically use asymmetric encryption. This is cryptography that uses a pair of keys to encrypt and decrypt a file. The public-private pair of keys is uniquely generated by the attacker for the victim, with the private key to decrypt the files stored on the attacker’s server. Human led attacks attempt to spread laterally within an organization’s infrastructure, and when the encryption payload is executed, files can be encrypted at an alarmingly fast rate. Rapid detection of anomalies in file structure and naming can provide the earliest warning of an active cyberattack and this capability has now been introduced into Cristie Software’s portfolio of system recovery and replication solutions.
Applying patented file analysis techniques to combat ransomware.
Detecting ransomware encryption patterns.
To be effective, ransomware must encrypt files, that means it must read file contents from disk and then write encrypted file contents to disk. The way this is done will vary, some ransomware payloads will write to a different file, and then delete the original file. Some will write into the original file, and possibly rename the file after it has been encrypted. Therefore, watching for mass deletes and renames is part of the process, but this is just the tip of the iceberg. The actual encryption process also varies with some payloads encrypting fragments of files while others may encrypt the entire file. File encryption is detected by calculating the entropy of a file. File entropy measures the randomness of the data in a file and is used to determine whether a file contains hidden data or suspicious scripts. The scale of randomness ranges from 0, not random, to 8, totally random, such as an encrypted file. Of course, any backup process that is using encryption and/or data compression will also exhibit these properties including the renaming of files with an extension such as ‘.bak’ plus a subsequent increase in file entropy. Any file anomaly detection algorithm must therefore be able to determine between suspicious and expected behaviours to avoid presenting false positive alerts. Typical ransomware attacks will display characteristics which can be detected by Cristie’s anomaly detection algorithms through comparison against known patterns. The detection process can be run following every system backup. File activity reports and graded alerts are then presented via a security dashboard within the Cristie Virtual Appliance (VA) user interface. Alerts can also be provided by email and recorded in event logs.
How quickly can ransomware encrypt your data?
Determining your safe recovery point following a ransomware attack.
Given the speed at which ransomware encryption can spread through an infected network, it is highly likely that system backups will contain malware encrypted files. This scenario would usually require an amount of cyber forensic investigation to determine the ‘last known clean’ copy of backup data that could provide a safe restore point. This can be a timely exercise resulting in extended downtime and potential loss of revenue. Cristie Software’s anomaly detection capability can help reduce this time since backup files can also be scanned for anomalies by comparison against multiple snapshots of previous backups which the VA can reference as part of normal operations.
Extending a holistic approach to cybersecurity.
Early ransomware detection - In summary.
Automating system recovery, replication and migration has been the core focus of the Cristie Software suite since inception driven by innovative techniques and the latest advances in computing. Adding ransomware detection is a natural extension of our disaster recovery functionality and something that our software tools are uniquely positioned to tackle. All major cloud and virtualization platforms can be supported as replication or recovery targets and specific extensions are available to enhance system recovery from backup solutions including Dell Technologies Avamar, Dell Technologies Networker, IBM Spectrum Protect, Cohesity DataProtect, and Rubrik Security Cloud. Visit the CloneManager® and System Recovery product pages or contact the Cristie Software team for more information regarding the Cristie Software suite of solutions for system recovery, replication, migration, and ransomware protection.
 
								 
															 
															 
															 
															