Ransomware – A Short Intro

Ransomware is a type of malware that encrypts the data on a victim's computer or server and demands payment before the data is decrypted and access is returned to the victim. The malware specifically targets important files such as documents, images and spreadsheets.

The motive for ransomware attacks is usually monetary. The victim is usually notified that an attack has occurred and is given instructions for how to recover from it. Payment is often demanded in a virtual currency, such as bitcoin, so that the cybercriminal's identity is not revealed.

The hard part is that many attackers don't send the decryption keys even after the payment has been made, which is why prevention is so critical.

There are many ways to help protect against ransomware; most of the measures below are used in combination.

  • Endpoint protection with malware and ransomware add-ons
  • Next-generation firewalls with client isolation
  • DNS protection with URL lookups
  • Installing the latest patches for software and operating systems
  • Application whitelisting, and so on

But even with the above security features in place, there are plenty of cases where the ransomware leverages zero-day vulnerabilities and ends up infecting computers and corporate data.

In such scenarios, the last resort is the backups that a company maintains. These backups can be used to restore the corrupted data back to an earlier clean state.

The scary part is that in recent months ransomware has first targeted the backup data and then production, so companies have nothing to fall back to and end up negotiating with the attackers on their terms.

This is why we need the 3-2-1 lifesaver rule for backups:

  1. Have at least 3 copies of your data
  2. Utilize two different media formats
  3. Have one of the copies offsite or in an air-gapped/protected vault

Three copies of your data means that one copy is the original data supported by two separate backup copies.   

Your data should reside on two separate media, such as a network share and SSD storage on some type of storage array. It can also be traditional tape media, which seems like legacy today but is portable enough to take offsite to a secure location such as a separate site used by your organization.

A possible solution that satisfies both conditions, two media types and a remote location, is to use the snapshotting feature of your SAN infrastructure. By snapshotting your data at regular intervals throughout the day to an identical environment at a disaster recovery location, you can easily recover from an attack on a virtual host server or VM.

But what if the ransomware is able to reach the DR site as well? How can the data there be protected?

This can be achieved using products like the Dell Cyber Recovery Vault. 

Dell Cyber Recovery Vault 

The Cyber Recovery vault offers multiple layers of protection to provide resilience against cyber attacks, even from an insider threat. It moves critical data away from the attack surface, physically isolating it within a protected part of the data center.

CyberSense is fully integrated with the Dell EMC Cyber Recovery solution for ransomware protection. Dell EMC leverages the backup workflow to copy and secure critical business records in an isolated vault using backup software such as NetWorker and Avamar.

Once data is replicated to the vault, CyberSense scans the backup image and generates analytics, without the need for the original backup software in the vault. The analytics look inside the files and databases to uncover unusual behavior that is indicative of a cyberattack. This includes file corruption, encryption of files or pages in a database, and deletions and creations.

The resulting statistics are then analyzed using machine learning algorithms that have been trained on the latest ransomware threats to make a deterministic decision on whether the data has been attacked. If an attack has occurred and data has been corrupted, CyberSense delivers forensic tools to find the corrupt files, report on the user account that caused the corruption so that the account can be locked, and report on the application that made the changes to the file. With these forensic tools you can diagnose and recover from a ransomware attack and replace corrupted files with the last good copy.
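To illustrate the kind of check such backup analytics perform, here is an added example that is not Dell's or CyberSense's code: it compares a backup image against the last known-good image, looks inside each file for signs of encryption (a destroyed file header for binary formats, near-random byte entropy for text formats), counts deletions and creations, and flags the snapshot when the corrupted fraction crosses a threshold. The in-memory path-to-bytes dictionaries, the entropy limit and the attack ratio are assumptions chosen for the example.

```python
import hashlib
import math
import os

# Real file signatures for a few document types the text says ransomware targets.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".png": b"\x89PNG"}
TEXT_EXTS = {".txt", ".csv", ".xml", ".sql", ".json"}
ENTROPY_LIMIT = 7.0   # assumed: plain text is ~4-5 bits/byte, ciphertext ~7.8
ATTACK_RATIO = 0.25   # assumed: flag the image if this share of files looks encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; 8.0 means perfectly uniform (random-looking)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: str, data: bytes) -> bool:
    """Binary formats must keep their header; text formats must keep low entropy."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    if ext in TEXT_EXTS:
        return shannon_entropy(data) > ENTROPY_LIMIT
    return False  # unknown type: no opinion

def scan_snapshot(last_good: dict, current: dict) -> dict:
    """Compare two backup images (path -> bytes) and report ransomware indicators."""
    created = sorted(set(current) - set(last_good))
    deleted = sorted(set(last_good) - set(current))
    corrupted = sorted(p for p, d in current.items() if looks_encrypted(p, d))
    ratio = len(corrupted) / max(len(current), 1)
    return {"created": created, "deleted": deleted, "corrupted": corrupted,
            "attack": ratio >= ATTACK_RATIO}

def fake_ciphertext(seed: str, blocks: int = 32) -> bytes:
    """Constructed stand-in for encrypted output: a deterministic SHA-256 chain."""
    out, h = b"", seed.encode()
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out += h
    return out

# Constructed sample images: the last good copy, and a later copy after an attack.
LAST_GOOD = {
    "finance/q3.xlsx": b"PK\x03\x04" + b"sheet data " * 40,
    "legal/contract.pdf": b"%PDF-1.7 " + b"clause " * 60,
    "ops/notes.txt": b"rotate tapes on monday; verify the offsite copy\n" * 20,
    "ops/runbook.txt": b"restore order: vault copy, then DR, then prod\n" * 20,
}
CURRENT = {
    "finance/q3.xlsx": fake_ciphertext("q3"),           # header destroyed
    "legal/contract.pdf": fake_ciphertext("contract"),  # header destroyed
    "ops/notes.txt": fake_ciphertext("notes"),          # text turned to noise
    "ops/runbook.txt": LAST_GOOD["ops/runbook.txt"],    # not yet touched
    "README_RESTORE.txt": b"your files have been encrypted\n",  # new file
}

if __name__ == "__main__":
    print(scan_snapshot(LAST_GOOD, CURRENT))
```

Running the scan on the constructed images reports three corrupted files, one created file and an `attack` verdict of `True`, while comparing the last good image against itself reports no attack.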

Together these solutions provide a secure and powerful defense against ransomware attacks. If an attack does get past the real-time defenses and corrupts files or databases, CyberSense can detect it quickly, and within a backup cycle the last good copy of the data can be retrieved.

This enables business operations to continue without interruption and cyberattacks to be thwarted quickly and painlessly.