Ransomware attacks are on the rise and have become one of the top security threats for organizations. Unlike other types of cyber-attacks, where the goal may be data destruction or data exfiltration, ransomware attacks are unique in that the damage is meant to be reversible: after paying the ransom, the victim should be able to decrypt the data.
Typical ransomware attacks start from similar attack channels, such as misconfigured or unpatched systems, accidentally downloaded attachments from malicious or phishing web sites, and more. After infiltrating the internal systems, the perpetrator discovers files and connected resources (e.g., file shares) to find targets for encryption. Finally, when the real attack starts, they quickly encrypt as many files as possible to maximize the impact of the attack. However, because the data must be encrypted, this process is much slower than malware that simply deletes data.
Ransomware Protection
Similar to defense against other cyber threats, multiple layers of security measures are needed, including strong passwords, MFA, regular patching, vulnerability assessments, intrusion detection, real-time anti-virus, endpoint protection, and more. In addition, data backup is one of the most important aspects of this, since ransomware attacks mainly target…well, data.
Microsoft 365 has some degree of built-in protection against ransomware. It mainly uses versioning, the recycle bin, or preservation libraries as ways to recover older clean data after files have been encrypted by ransomware.
Cloud Backup extends the protection against ransomware with full-fidelity, immutable backups and much longer retention periods than the Microsoft 365 native options. This is also one of the main reasons customers use our services as insurance against ransomware.
As mentioned above, a ransomware attack takes longer to finish because of the need to encrypt data. If it can be detected early, customers have a chance to start incident response sooner and reduce the scope of the impact. Ransomware Attack Detection functionality has now been added to our Cloud Backup product, including:
Early Event Detection: A function that uses machine learning algorithms to detect unusual activities as well as potential ransomware attack events. Admins can also be notified when such events are detected.
Quick Investigation: Ransomware attacks are serious security incidents. The IT and security teams need to investigate the incident as soon as possible to understand the impact and formulate a plan to remediate the risk. Cloud Backup provides top-down charts and reports that help admins quickly drill into the areas in question and nail down the impacted scope, which can greatly shorten investigation and restore times.
Faster Restore From a Good Backup: After incident investigation is performed, users can then move to the remediation phase to restore data from a good backup. Cloud Backup provides easy-to-follow guidance with hints about the time range to restore from, which helps with faster and more precise recovery from backup data.
How Ransomware Attack Detection Works
Ransomware attack events have some unique behavior characteristics related to unusual activities and file encryption.
Anomaly Behavior Analysis
In each backup job, Cloud Backup has the intelligence to perform incremental backups (e.g., of new files, modifications, and deletions). Machine learning algorithms are used to monitor the change patterns to detect anomalies. Once unusual activities are detected, Cloud Backup records them and surfaces them to administrators for visibility.
Unusual activities may not necessarily mean security issues. They may happen from time to time in real life, such as during migration projects or when users reorganize or clean up their content. However, visibility about this would still be very helpful for admins in identifying potentially risky situations.
File Encryption Detection
On top of the machine learning anomaly detection results, advanced heuristic analysis algorithms are also applied to various factors related to the files, so that Cloud Backup can more accurately determine whether the files involved are the result of a ransomware attack.
One thing worth noting is that both Anomaly Detection and File Encryption Detection are based on machine learning and statistical analysis of the information already passed through Cloud Backup. No interpretation of the data is involved, so there’s no impact on privacy during the analysis.
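As an added illustration of the two checks described above (not AvePoint's code, and not a description of how Cloud Backup actually implements them), here is a toy detector run over constructed backup-job change records: a change-volume anomaly check against a baseline of earlier jobs, followed by an encryption heuristic over the changed files. The z-score threshold, the byte-entropy floor and the "file gained a new extension" rule are my assumptions; the post does not say which factors its heuristics use.

```python
import math
import statistics
from collections import Counter
from random import Random

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_anomalous_volume(history, current, z_threshold=3.0):
    """Baseline = change counts of earlier jobs; flag a job whose count is
    more than z_threshold standard deviations above the mean (assumed rule)."""
    if len(history) < 2:
        return False
    mean, sd = statistics.mean(history), statistics.pstdev(history)
    if sd == 0:
        return current > mean
    return (current - mean) / sd > z_threshold

def looks_encrypted(change, entropy_floor=7.0):
    """Assumed heuristic: a modified file whose new bytes are near-random
    and whose name gained a new extension (e.g. .docx -> .docx.locked)."""
    renamed = change["new_path"] != change["path"]
    return shannon_entropy(change["content"]) >= entropy_floor and renamed

def analyze_job(history, changes, encrypted_ratio=0.5):
    """Combine both signals for one backup job: volume anomaly first, then
    the encryption heuristic over each changed file."""
    anomalous = is_anomalous_volume(history, len(changes))
    encrypted = [c["new_path"] for c in changes if looks_encrypted(c)]
    ratio = len(encrypted) / len(changes) if changes else 0.0
    return {
        "anomalous_volume": anomalous,
        "encrypted_files": encrypted,
        "ransomware_suspected": anomalous and ratio >= encrypted_ratio,
    }

# Constructed sample data: eight earlier jobs' change counts as the baseline,
# a normal editing job, and a job that looks like a mass-encryption event.
HISTORY = [12, 15, 9, 14, 11, 13, 10, 12]
_rng = Random(7)
_random_bytes = bytes(_rng.getrandbits(8) for _ in range(2048))
_text = b"Quarterly report: revenue grew 4%, costs held flat. " * 40
NORMAL_JOB = [{"path": f"docs/r{i}.docx", "new_path": f"docs/r{i}.docx", "content": _text} for i in range(13)]
ATTACK_JOB = [{"path": f"docs/r{i}.docx", "new_path": f"docs/r{i}.docx.locked", "content": _random_bytes} for i in range(40)]
```

Calling analyze_job(HISTORY, NORMAL_JOB) returns no flags, while analyze_job(HISTORY, ATTACK_JOB) flags both the volume anomaly and all 40 files as encrypted.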
As mentioned before, the most common scenarios involve end users, where the damage may seep into Microsoft 365 via OneDrive sync. Cloud Backup’s ransomware detection will start with the OneDrive data source and later expand to other data sources.
Closing Thoughts
With its long-term immutable backup data, machine learning-based anomaly and ransomware attack detection, and easy-to-follow UI reporting and navigation, Cloud Backup is one of the most important tools for customers to defend against ransomware attacks and ensure business continuity. Experience the power of Cloud Backup yourself with a free demo!
George Wang brings more than 20 years of experience in software architecture and design – focusing on data protection, disaster recovery, archiving, database, storage, and large-scale distributed enterprise application systems – to his role as Chief Architect at AvePoint. George designed and created AvePoint’s award-winning platform recovery, replication, and storage management products as well as NetApp SnapManager for SharePoint, which features deep integration with AvePoint’s DocAve Software Platform. George holds a Master’s Degree in Electrical Engineering from Tsinghua University and currently resides in New Jersey.