It should come as no great surprise that ransomware is one of the scariest challenges for data protection people today. Black hats have figured out they can make more money faster by going after small and medium businesses than simply targeting individuals who can only afford to pay a few hundred dollars. Ransomware attacks against businesses are now becoming commonplace, and some businesses simply aren’t prepared for them.
Some companies may feel they are more prepared than others because they installed some type of antivirus or anti-malware product. While these types of products are essential and do help, many ransomware attacks are specifically designed to get around these products. They use sophisticated phishing techniques that borrow the user ID of an individual user to do their damage while appearing to be a normal user on the network.
One of the biggest challenges with ransomware in a business environment is what some call “infection magnification.” This refers to how malware products start with one infected computer and spread throughout the environment. It’s a bit like terrorism, in that you have to catch all attacks to be successful, and the ransomware only has to succeed with one user that has access to your LAN. Current ransomware packages know to seek out all directories, including NAS directories mounted to the infected computer. The ransomware will immediately encrypt all files the individual user has access to.
Some companies may feel they are protected because they automatically replicate their data via a File Sync and Share product, or to some other type of off-site cloud storage company. However, replication simply amplifies the infection by replicating the corruption to the cloud, and then back down to other users sharing the same folders.
There are also reports of companies losing their backup data because the backup server gets infected. This may simply be because the backup system backs up the infected files and doesn’t realize they are infected, or it may be that the backup server itself becomes infected and the backups become the target of the ransomware. This is the ultimate nightmare for someone running a Windows-based backup server with a network-mounted drive as their backup storage.
The BackupAssist Response to Ransomware
BackupAssist recently announced a new feature it calls CryptoSafeGuard that specifically looks for corruption in the source files and prevents corrupted files from being backed up. It can detect things like changes in file and directory structure, as many ransomware products change the name or extension of files as they encrypt them. It can also detect a file that should look like a Microsoft Word document but instead looks like something else. There are other properties it can use to notice that files have been attacked by ransomware.
Once the product detects a ransomware infection by noticing infected files in the backup, it will immediately alert the backup administrator via SMS and email, and then preserve the last good backup by blocking future backup jobs from running. This prevents known good backups from being overwritten. The fewer versions you tend to keep in your backups, which is good data management up to a point, the more important this feature is. For example, if you only keep two versions in your backup software (which is too few), two backup jobs can overwrite all good backups you have.
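As an added illustration of the two detection signals just described (extension changes, and content that no longer matches the file type) together with the decision to block further jobs, here is a small Python checker. It is not BackupAssist's code; the signature table, the entropy threshold and the sample files are constructed for this example.

```python
import math
import os
from collections import Counter
# Header signatures for a few common document types (constructed shortlist for this example).
SIGNATURES = {".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF-"}
# Plain-text types are legitimately low-entropy, so a near-random body is a strong signal there.
TEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, which is what encrypted output looks like."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_file(name: str, data: bytes) -> list:
    """Return the reasons a file looks ransomware-touched (empty list means it looks clean)."""
    reasons = []
    root, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(root)[1]
    # budget.xlsx.locked: a known document type with an unknown extension appended
    if ext not in SIGNATURES and inner_ext in SIGNATURES:
        reasons.append(f"double extension {inner_ext}{ext}")
    # invoice.pdf encrypted in place: the name says PDF but the first bytes do not
    expected = SIGNATURES.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"header mismatch for {ext}")
    # readme.txt whose body is near-random rather than text
    if ext in TEXT_EXTS and shannon_entropy(data) > 7.0:
        reasons.append(f"high entropy for {ext}")
    return reasons

def scan_source(files: dict) -> dict:
    """Map each suspicious file name to its reasons; clean files are omitted."""
    return {n: r for n, d in files.items() if (r := inspect_file(n, d))}

def should_block_backup(findings: dict, threshold: int = 1) -> bool:
    """Refuse to run the job once enough files look hit, so the last good backup survives."""
    return len(findings) >= threshold

# Constructed sample source tree: two clean files and three ransomware-style ones.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"\x00" * 20,
    "notes.txt": b"Meeting notes for Monday: review the Q3 budget.\n",
    "budget.xlsx.locked": bytes(range(256)),
    "invoice.pdf": bytes(range(256)),
    "readme.txt": bytes(range(256)) * 4,
}
if __name__ == "__main__":
    hits = scan_source(SAMPLE_FILES)
    print(hits, "-> block job" if should_block_backup(hits) else "-> run job")
```

The entropy check is deliberately limited to plain-text types, because compressed containers such as .docx and .zip are legitimately close to random and would otherwise produce false alarms.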
CryptoSafeGuard also protects backups that have already been stored by preventing unauthorized access to those files. Using a Windows device driver, the product prevents any unauthorized processes from deleting, changing, or encrypting BackupAssist backup data. It allows only the authorized process – the BackupAssist product itself – to write to those directories.
This two-pronged approach of protecting the backups themselves from an attack and checking the contents of the backups for evidence of compromised files in the environment is a solid approach. The first allows companies to use a Windows-based backup system without the risk of their backups being corrupted. The second ensures typical backup practices don’t end up erasing the protected copies once an infection happens. This new product, combined with a solid intrusion detection and prevention system, should help a company remain healthy in a world where many people wish it harm.