Ransomware is the “new” disaster with which every data center, regardless of location, needs to be concerned. IT must take steps to protect the organization’s data, and even its brand from ransomware. A successful defense against ransomware requires user training and tighter security to limit the number of successful attacks. Eventually though some attacks will get through and backup is the safety net of choice when recovering from that attack. The problem is that backups themselves may become corrupted and they may backup the instigator of the attack, which upon restore, starts the encryption attack all over again.
Basic Ransomware Protection
Ransomware, generally, attempts to encrypt every file it encounters. Backup solutions need to provide organizations with the ability to protect a wide variety of files from attack rapidly, including database files and unstructured data. These backups need to occur throughout the day. Block level incremental backups are a must, so that repeated backup jobs can execute with minimal impact on network and server resources.
Once an attack has made it through security measures, it can rapidly infect hundreds of thousands of files. Identifying which files are infected and recovering just those files is a time consuming process. The backup solution needs to provide rapid recovery by either intelligently replacing infected files only or providing an instant recovery feature that enables the organization to live mount a volume, eliminating data movement altogether.
Advanced Ransomware Protection
Most backup solutions stop at the basic levels of protection, which are features that help with ransomware protection but were not specifically designed to deal with the ransomware epidemic. Ransomware will often attack backup files and snapshots, either as part of their haphazard walk through the mounted file systems or as intentional aspect of their design.
Ransomware designers are fully aware that backup is the defense mechanism that most organizations will use to protect themselves from a ransomware attack. In the past, they’ve counted on the lack of consistently successful backups to make it worthwhile for the organization to pay the ransom. Now though they are taking steps to make sure that they render even an organization’s successful backups useless by using an attack loop.
A ransomware attacker creates a typical attack loop by silently placing into the file system, executable code that does not execute immediately. Instead, it waits for a specific date for the code to activate. As a result, the malware code is backed up repeatedly. Then when the activation date arrives, it begins encrypting files. When IT resorts to its backup to recover from the attack, it keeps restoring the ransomware executable, which then starts encrypting files again. The organization ends up in an endless loop of encryption, which eventually forces them to pay the ransom.
Asigra Version 14 – Ending Ransomware Attack Loops
Asigra recently announced version 14 of its software, Cloud Backup Evolved. The new release provides improvements in a variety of areas including a new responsive management console and leverages RestFul APIs to simplify and automate the data protection process. It also includes specific GDPR protection and compliance enhancements as well as improving instant recovery and protection for Office 365 Groups.
Most notable in the new release though is Asigra’s efforts in protecting against Ransomware Attack Loops. Asigra has provided basic ransomware protection for a long time, but this release allows them to provide advanced protection features as well. It provides a zero-day attack loop protection by using bi-directional malware detection, zero-day exploit protection, variable repository naming, and two-factor authentication, creating a massive, full defensive wall against cyber-attacks.
Asigra version 14’s bi-directional malware detection performs realtime scans of files during backup and restoration to isolate malicious code. It uses a signatureless technology and does not require a database of known malware to identify unauthorized code. The variable repository naming creates a “moving target” which prevents malware from identifying and deleting backup copies of data. Finally, it also requires two-factor authentication to delete backup data from the repositories.
Ransomware is a real problem for IT and malware authors are getting more creative everyday in how to best infect the organization’s data permanently. Attack Loops and specific attempts to delete backup data are the two latest examples. The efforts taken by Asigra in version 14 may represent the most significant in the industry thus far in the battle against ransomware. It sets a new standard in not only protecting itself from the ransomware attack it also takes steps to insure that it is backing up and restoring “clean” data.