Ransomware has one fatal flaw. Organizations that know how to exploit this flaw can almost eliminate this cyber-attack from their list of concerns. Ironically, the flaw is found in the very action it takes to hold organizations hostage: it encrypts data. Three steps are required to encrypt data; a file is read, its bits are reordered, and it is written to disk. Detecting and stopping one of these steps lets organizations eliminate ransomware, or at least minimize the threat.
Identifying a Ransomware Attack
Detecting malware activity is key. Data protection vendors need to provide the ability to monitor for the read, reorder, and write activity. Essentially, what they are looking for is the ability to identify a user or device that is modifying dozens of files per minute. If a solution can see that pattern, then the data protection software can alert and even take action. A key requirement, though, is that it can monitor all the various points of entry (laptops, desktops, devices and servers). Identification can’t be limited to monitoring software sitting on a file server and waiting for the attack to reach it.
Preventing the Attack
Anytime a ransomware strain achieves a level of success, the experts are quick to blame IT for not updating servers to the latest service pack. That’s a cheap shot.
In a large data center there may be hundreds of servers whose patch level must be confirmed. There may also be devices in place with network access that the organization does not own. And if the organization has a hundred servers, it probably has more than 1,000 users with laptops and smartphones. Making sure those are all up to date is a herculean task.
Certainly IT should make best efforts to get everything up to date, but it’s understandable why something might slip through. A ransomware package will probably, eventually, slip through even the best of defenses. That breach is where identification fits in.
Identification can be a service or application that runs on every device, laptop or desktop and looks for suspicious activity, like a single user changing attributes on dozens of files in a short period of time. The next step is to take action and suspend or remove the account or service to stop the attack.
Once the attack stops, IT will likely have to restore at least some of the files, maybe a few dozen. But a few dozen is better than a few hundred thousand. With proper integration the auditing component could send the change file list to the backup application to trigger an automatic restore of the impacted files.
Ransomware has only three moves: it opens a file, rearranges that file’s bits, and then writes the rearranged file to disk. Detecting these moves enables organizations to stop the ransomware attack, and integration with backup software allows them to recover quickly.
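The detection and response loop described above (watch for one principal modifying dozens of files in a short window, suspend that principal, and hand the change list to the backup application) can be sketched as a small rate-based detector. The following is an added example written for this page, not code from the article or from any vendor’s product. The tab-separated event format, the principal and host names, the paths, and the 10-files-in-60-seconds threshold are all constructed assumptions; a real deployment would feed it from the endpoint agent’s file-activity telemetry and tune the threshold to the environment.

```python
"""Rate-based detector for the ransomware read/reorder/write pattern.

Flags any principal (user or service account) that modifies at least
THRESHOLD distinct files inside a sliding WINDOW, then keeps collecting the
files that principal touches so the list can be handed to backup software
for a targeted restore. Added example; event format and names are assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # distinct files modified ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window
MODIFYING_ACTIONS = {"write", "rename", "delete"}  # reads alone never trigger

# Constructed sample log (assumed format): ISO-time, principal, host, action, path.
# "alice" edits three HR files over several minutes; "bob"'s account rewrites a
# dozen finance files in twelve seconds, which is the pattern we want to catch.
CONSTRUCTED_LOG = [
    "2024-05-01T09:00:00\talice\tws-01\tread\t/share/hr/policy.docx",
    "2024-05-01T09:00:05\talice\tws-01\twrite\t/share/hr/policy.docx",
    "2024-05-01T09:03:10\talice\tws-01\twrite\t/share/hr/onboarding.xlsx",
    "2024-05-01T09:07:30\talice\tws-01\twrite\t/share/hr/notes.txt",
] + [
    f"2024-05-01T09:10:{i:02d}\tbob\tws-07\twrite\t/share/finance/q{i % 4 + 1}-report-{i}.xlsx"
    for i in range(12)
] + [
    "2024-05-01T09:10:12\tbob\tws-07\trename\t/share/finance/q1-report-0.xlsx",
]


def parse_event(line):
    """Split one tab-separated event line into a dict with a parsed timestamp."""
    ts, principal, host, action, path = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "principal": principal,
            "host": host, "action": action, "path": path}


class BurstDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)   # principal -> deque of (ts, path) inside window
        self._touched = defaultdict(set)    # principal -> every file modified since alert
        self.alerts = {}                    # principal -> alert details (raised once)

    def observe(self, ev):
        """Feed one event; return an alert dict the first time a principal crosses the threshold."""
        if ev["action"] not in MODIFYING_ACTIONS:
            return None
        key = ev["principal"]
        if key in self.alerts:
            # Attack already flagged: keep building the change list for restore.
            self._touched[key].add(ev["path"])
            return None
        dq = self._recent[key]
        dq.append((ev["ts"], ev["path"]))
        while dq and ev["ts"] - dq[0][0] > self.window:
            dq.popleft()                    # evict events older than the window
        distinct = {p for _, p in dq}
        if len(distinct) >= self.threshold:
            self._touched[key] = set(distinct)
            self.alerts[key] = {"principal": key, "host": ev["host"],
                                "first_seen": dq[0][0], "last_seen": ev["ts"]}
            return self.alerts[key]
        return None

    def change_list(self, principal):
        """Sorted list of files the flagged principal modified (empty if never flagged)."""
        return sorted(self._touched.get(principal, ()))

    def restore_request(self, principal):
        """What the backup application needs: the paths and a point in time before the burst began."""
        alert = self.alerts[principal]
        return {"principal": principal, "host": alert["host"],
                "restore_to": alert["first_seen"].isoformat(),
                "paths": self.change_list(principal)}


def analyse(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the detector over raw log lines in timestamp order and return it."""
    det = BurstDetector(threshold, window)
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        alert = det.observe(ev)
        if alert:
            print(f"ALERT: suspend {alert['principal']} on {alert['host']} "
                  f"({alert['first_seen']} .. {alert['last_seen']})")
    return det


if __name__ == "__main__":
    d = analyse(CONSTRUCTED_LOG)
    for p in d.alerts:
        print(d.restore_request(p))
```

Two design points matter here. Reads are deliberately excluded from the count, because backup jobs, indexers and antivirus scanners read thousands of files without modifying them, and counting them would bury the signal. And the detector keeps recording the flagged principal’s writes after the alert, because the files touched between detection and suspension are exactly the "few dozen" that need restoring.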
To learn more about ransomware and, more importantly, how to protect your organization from it, sign up for our on-demand webinar, “15 Minute Ransomware Survival Guide”, and learn the three “P”s of ransomware survival.