SUMMARY
High data change rates can be a leading indicator of ransomware or other malicious activity. Unitrends software monitors for this proactively using predictive analytics and reports this information to users for action.
ISSUE
Ransomware as a threat continues to grow. A few of the more alarming facts:
- Almost 50% of businesses have been attacked with Ransomware. [Source: Osterman Research]
- There has been a 600% increase in Ransomware variants since December 2015. [Source: Proofpoint]
- More than 4000 Ransomware attacks have occurred every day since the beginning of 2016. [Source: Computer Crime and Intellectual Property Section (CCIPS)]
- The number of phishing emails containing Ransomware grew to 97.25% during Q3-2016. This is up from 92% in Q1-2016. [Source: PhishMe 2016 Q3 Malware Review]
How Ransomware Works:
Ransomware is computer malware that installs covertly on a victim's device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim's data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim's data, until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[1] The ransomware may also encrypt the computer's Master File Table (MFT)[2][3] or the entire hard drive.[4] Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files[5] since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.
From <https://en.wikipedia.org/wiki/Ransomware>
RESOLUTION
Unitrends response:
Unitrends has developed a unique approach to counter the malware threat:
- Predictive-analytics-based proactive detection: Unitrends appliances protect on-premises physical and virtual workloads and provide local and cloud-based continuity. As backups are performed by Unitrends appliances, the predictive analytics engine analyzes the data stream and uses a probabilistic method to identify anomalies that match the behavior a system would present if infected with ransomware. A notification is sent to IT administrators alerting them to check the affected system(s) for malware. This proactive detection capability applies to both physical asset and virtual asset backups. The predictive analytics engine uses various heuristics to detect aberrant behavior; change rate is one of those factors.
New HTML5 Interface
- Click CONFIGURE from the Main Menu on the left.
- In the Appliances tab section, select the appliance.
- Click the Edit button above.
- Click on the Advanced tab.
- At the bottom, click the General Configuration button.
- Navigate to the ProactiveDetection section and adjust threshold_percentage_compared_to_avg_change (default=500):
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
The higher the number, the less sensitive the predictive analytics engine is to outlier patterns.
The system compares the average amount of unique data in the asset's backups against the amount of unique data in the asset's most recent backup. The average amount of unique data is assessed only after a number of backups have accumulated, allowing a baseline to be identified. An alert is generated when the most recent backup contains five times more unique data than the average (assuming the default value of 500). To lessen the sensitivity, increase this value to 600 to alert only when six times the average unique data is detected.
If specific VMware, Hyper-V or Xen virtual machines or physical machines must be excluded from proactive detection, add a comma-separated list of their case-sensitive names to the respective fields in the [ProactiveDetection] section of master.ini, or via the UI steps listed above:
[ProactiveDetection]
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
exclusion_list_of_vmware_vm_names=
exclusion_list_of_hyperv_vm_names=
exclusion_list_of_xen_vm_names=
exclusion_list_of_node_names=
*When excluding protected assets by name, the name must be listed exactly as it is seen in the ransomware alert. If the protected asset name has spaces, those spaces should be included in the name. For example, if there are two VMware VMs named "File Server" and "SQL Server" to be excluded, follow this example exclusion: "exclusion_list_of_vmware_vm_names=File Server,SQL Server". Note: Do not add additional spaces before or after the comma within the exclusion list.
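As an added illustration of the change-rate threshold and the exclusion-list rules described above (not Unitrends' own code; the real engine applies further heuristics the article does not detail), the check in Python. The sample [ProactiveDetection] fragment, the MIN_BASELINE_BACKUPS count and the use of ">=" for "five times more than" are assumptions made for this example:

```python
import configparser
from statistics import mean

# Constructed master.ini fragment in the layout shown in the article (sample values).
SAMPLE_INI = """[ProactiveDetection]
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
exclusion_list_of_vmware_vm_names=File Server,SQL Server
exclusion_list_of_hyperv_vm_names=
exclusion_list_of_xen_vm_names=
exclusion_list_of_node_names=
"""

# Assumption: the article says a baseline needs "a number of backups" but gives no count.
MIN_BASELINE_BACKUPS = 3


def load_config(ini_text):
    """Parse the [ProactiveDetection] section into a threshold and per-type exclusion lists."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["ProactiveDetection"]
    exclusions = {
        key: [name for name in sec[key].split(",") if name]  # case-sensitive, inner spaces kept
        for key in sec if key.startswith("exclusion_list_of_")
    }
    return {"threshold_pct": int(sec["threshold_percentage_compared_to_avg_change"]),
            "exclusions": exclusions}


def is_excluded(cfg, exclusion_key, asset_name):
    """Exact (case-sensitive) match against the list for this asset type."""
    return asset_name in cfg["exclusions"][exclusion_key]


def check_change_rate(cfg, exclusion_key, asset_name, unique_data_history):
    """Return (alert, percent_of_average) for an asset's backups, oldest to newest.

    The last entry is the most recent backup; earlier entries form the baseline average.
    """
    if is_excluded(cfg, exclusion_key, asset_name):
        return False, None
    baseline, latest = unique_data_history[:-1], unique_data_history[-1]
    if len(baseline) < MIN_BASELINE_BACKUPS:
        return False, None  # not enough history to establish a baseline yet
    avg = mean(baseline)
    if avg == 0:
        return latest > 0, None  # assumption: any change after an all-zero baseline is reported
    pct_of_avg = latest / avg * 100
    # Assumption: threshold 500 means the latest backup has >= 5x the average unique data.
    return pct_of_avg >= cfg["threshold_pct"], pct_of_avg
```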