It is possible to identify and stop ransomware in its tracks. It’s also possible to recover from the damage that ransomware attacks cause. Doing so requires a multi-level approach: intrusion detection systems, ransomware detection systems, and a backup and recovery system to clean up after an attack.
Prior to ransomware, attacks fell into three broad categories: mischief, vandalism, and corporate espionage. Mischief attacks were the kind that you see in the movie Wargames, where some hacker is hacking for the sake of hacking and doesn’t do any real damage. (Except accidentally start a global thermonuclear war.) Vandalism attacks can be more damaging, as they are often done by those who wish to do the company harm, such as a vigilante group like Anonymous. And, of course, corporate espionage can do a lot of damage, for example in instances where your company’s secrets are available to your competitors.
What all of these earlier attacks had in common was that they required some level of hacking knowledge. Another thing they had in common is that there was usually no financial motive, with the exception of large corporations hacking other large corporations. Today’s ransomware attacks are different in both respects. First, there are ransomware-as-a-service operations that you can pay to do the hacking for you, and they require no hacking ability whatsoever. Ten minutes and some Bitcoin are all you need to begin deploying ransomware. Second, you can easily extract money from random strangers using these ransomware systems and anonymous payment systems like Bitcoin. The result is that the number of these attacks will only increase.
The first line of defense should be an intrusion detection system, but these often don’t detect ransomware because it is brought into the environment on a laptop or a thumb drive. A recent study showed that 54 percent of drives dropped in a college parking lot were inserted into a system behind the college’s firewall. The first such insertion happened within six minutes. In other words, the “intrusion” is done via sneakernet. Intrusion detection systems are therefore adapting their methodologies and looking within as well.
The last line of defense against the ransomware system is a good backup system. As long as you have a solidly protected copy of your data, there should never be a need to even consider paying a ransomware demand. Wipe the infected systems and restore the infected files. Done.
But what about detecting the ransomware as it is happening? Acronis claims to do that with the Active Protection feature of Acronis Backup 12.5. The idea is that its backup agent is already loaded on any system being backed up, so it can watch and detect activity at the system level. It can detect things such as the number of files being modified or deleted, and it can stop the ransomware in its tracks: it halts any further changes and notifies the system administrator. It caches affected files before they are overwritten, so they can simply be put back in place once the ransomware has been identified and removed. An independent test of this feature declared it to be much better than its competitors at identifying and stopping malware.
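To make the behavioural approach described above concrete, here is an added illustration (not Acronis code, and not taken from the article): a toy monitor that counts distinct files each process modifies or deletes inside a sliding window, halts a process that crosses a threshold, and caches each file’s pre-change content so it can be restored. The window length, threshold, process IDs, paths and the event stream are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed value for the example)
THRESHOLD = 20        # distinct files changed by one process within the window

class ActivityMonitor:
    """Tracks modify/delete events per process, halts a process whose change
    rate looks like bulk encryption, and caches each file's pre-change content."""
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # pid -> (ts, path) events in window
        self.halted = set()                # pids whose further changes are blocked
        self.cache = {}                    # path -> content before its first change
        self.alerts = []                   # (ts, pid) notifications for the admin

    def observe(self, ts, pid, action, path, content_before=b""):
        if pid in self.halted:
            return "blocked"               # a halted process may not touch files
        if action not in ("modify", "delete"):
            return "allowed"               # reads and creates are not counted
        self.cache.setdefault(path, content_before)  # keep original for restore
        q = self.recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()                    # drop events older than the window
        if len({p for _, p in q}) >= self.threshold:
            self.halted.add(pid)
            self.alerts.append((ts, pid))
            return "halted"
        return "allowed"

    def restore(self, paths):
        """Return the cached pre-change content for the given paths."""
        return {p: self.cache[p] for p in paths if p in self.cache}

def sample_events():
    """Constructed event stream: a user editing a few documents slowly, then a
    process (pid 4242) rewriting 30 files within six seconds."""
    ev = [(t * 15, 1001, "modify", f"docs/report{t}.docx", b"draft") for t in range(4)]
    ev += [(100 + i * 0.2, 4242, "modify", f"docs/file{i}.xlsx", b"plain")
           for i in range(30)]
    return ev

def run(events, monitor=None):
    """Replay events through a monitor; returns the monitor and per-event verdicts."""
    m = monitor or ActivityMonitor()
    verdicts = [m.observe(*e) for e in events]
    return m, verdicts
```

Tune the window and threshold to the host’s normal workload; a build server or a mail client legitimately touches many files quickly, so a real product also weighs signals such as entropy of written data and file-extension changes.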
Acronis Backup 12.5 added over a dozen other new features, including staging and replication to multiple destinations, Startup Recovery Manager for easily restoring Windows PCs, user-based scheduling of backups, and individual Exchange mailbox backup. The Advanced Edition adds features such as administrative roles, automation of bare-metal recovery, and an interesting feature called Acronis Notary. The idea is that it certifies that particular backups have not changed during their entire chain of custody by leveraging a blockchain.
We have not heard the last of ransomware, and every IT management product is going to have to come to the defense of your data. Backup software is going to be resident on every machine being backed up, so it makes sense to add ransomware detection and prevention to its feature set. Acronis offers some of the widest protection in the industry, allowing you to protect just about anything that’s deployed anywhere, and protect it to just about any storage. Adding a solid ransomware protection feature just makes sense.