Since October, Datto has been conducting testing designed to quickly detect ransomware in backup data sets. Here’s why: Ransomware has become a major threat to individuals and businesses over the past few years, and the cyber extortionists behind these attacks operate with increasing sophistication. SMBs can be particularly vulnerable to attacks and are more likely to pay a ransom to get their data back than large businesses.
In many cases, these attacks are conducted by large criminal organisations using wide-reaching botnets to spread malware via phishing campaigns. Victims are tricked into downloading an e-mail attachment or clicking a link using some form of social engineering. Fake email messages might appear to be a note from a friend or colleague asking a user to check out an attached file. Or, email might come from a trusted institution (such as a bank) asking you to perform a routine task. Sometimes, ransomware uses scare tactics such as claiming that the computer has been used for illegal activities to coerce victims. When the malware is executed, it encrypts files and demands a ransom to unlock them.
Antivirus software is obviously essential, but on its own it isn’t enough. Many attacks still get through. So, a proper ransomware protection strategy also requires employee education and backup. It’s also critical to keep applications patched and up to date to minimise vulnerabilities. Education, antivirus, and patch management can help you avoid attacks to begin with. Backup allows you to recover if those measures fail.
Also, many people assume that ransomware only locks the files on a single device. While this was the case in the early days, today’s ransomware is designed to spread itself out across entire networks. So, the sooner that you can detect the attacks that do slip by security measures the better. Recovering files for a single machine is obviously much easier than recovering files for infected machines across an entire network—stopping the infection at Patient Zero, if you will.
Two test types
Backup presents an opportunity for early detection, because each time a backup is performed, it can be compared against previous backups to look for changes. Not all ransomware operates the same way, but there are a number of common themes. For example, ransomware always encrypts user documents and directories (e.g., photos, files stored in “My Documents” folder, etc. It also encrypts “work” related files (e.g., docx, xlsx, etc). Also, ransomware is constantly changing to avoid detection, which is why antivirus software is not always capable of blocking the malware. Antivirus software relies on a virus signature database that must be constantly updated. Since Datto is not an antivirus provider and does not maintain such a database, testing focused on detecting known ransomware characteristics.
Our team devised two types of tests to identify these characteristics. Both were designed to run fast enough to keep up with frequent backups, rely only on information captured in snapshots, and not boot the box or risk further infection. The first, known as file upheaval testing, looks for whether files have changed between backups. For example, about 80 per cent of the ransomware tested changed file names when encrypting files. Upheaval testing designed to look for batches of changes to files that could indicate that ransomware is present. The remaining 20 per cent of ransomware tested did not change file names when encrypting data. The second type of test, known as entropy testing, looks for specific conditions that indicate that files have been encrypted. All files, including images, have some degree of organisation and structure. Encrypted data, however, is completely randomised. High levels of entropy in backup data can also indicate the presence of ransomware.
Based on the information gathered during the months of ransomware testing, we were able to develop a new ransomware detection feature. When ransomware is detected, an alert is sent allowing businesses and other users to diagnose the issue and restore data quickly to a point in time before the infection. There is a growing trend to develop similar technologies that are capable of combating the ransomware epidemic via backups. This is vital for those occasions when ransomware gets through firewalls and antivirus protections.
Unfortunately, the popularity of ransomware among cyber criminals does not appear to be waning. Recently, Datto surveyed more than 1,000 IT service providers located across the world about the current state of ransomware and found that a staggering 97 per cent of respondents said ransomware attacks on small businesses are becoming more frequent, a trend that will continue over the next two years. The survey found that 91 per cent of respondents reported their clients were victimised by ransomware; 40 per cent of whom had experienced six or more attacks in the last year. Nine out of ten IT service providers reported ransomware attacks among their small business customers. The number one cause of ransomware infection? Almost half, 46 per cent of respondents said that phishing emails were to blame. The survey found that the average ransom requested was typically between £400 and £1,600 but ten per cent of respondents reported the ransom average to be greater than £4,000.
However, the ransom is just a fraction of the losses businesses can incur from a ransomware attack. The downtime following the attack can be crippling. According to the survey, 63 per cent of respondents mentioned that a ransomware attack led to business-threatening downtime. Finally, there is a disconnect between IT service providers and their small business customers when it comes how they perceive the threat of ransomware. The majority of IT service providers are “highly concerned” about ransomware but indicated that their customers are generally not, likely due to lack of awareness.
The most important lesson we learned from infecting ourselves with ransomware is that early detection matters. This allows IT professionals to:
• remotely diagnose the extent of damage
• contain and minimise infection
• identify ‘last good’ backup quickly
• differentially update production machines to restore known good versions of compromised files
If an infection is addressed before it spreads to other systems, recovery is considerably faster. For IT service providers, early detection reduces the time and effort required to perform complex recoveries of data and applications and allows them to better serve their customers.
Robert Gibbons, chief technology officer, Datto
Image Credit: WK1003Mike / Shutterstock