Elisha Riedlinger, COO at NeuShield
Next Generation Ransomware Recovery
The FBI says ransomware is the fastest growing cyberthreat they track, with more than 4,000 ransomware attacks every day. Their advice is simple: take steps to prevent ransomware attacks in the first place, and create a rock-solid plan to recover from attacks should they occur.
The first step is relatively easy: most organizations deploy endpoint protection and train staff to recognize phishing. The second step, recovering from a ransomware attack, is where organizations struggle. Once ransomware bypasses the existing security measures and encrypts data, recovery can be extremely time consuming and costly, even with a backup.
Thus, we see that endpoint security and backup products are very important, but they do not fully protect against ransomware. What organizations need is a solution that is simple to manage and deploy and that offers nearly instantaneous recovery.
In this article we will talk about endpoint security software and backup software, how they work, what their weaknesses are and how NeuShield can fill these gaps.
Endpoint Security Software
We will start by discussing endpoint security products. There are three main techniques that security products use to protect a device from ransomware. Some products use only one of these techniques, while others combine more than one. Let's discuss each technique in turn.
1. Detecting and blocking
Many products attempt to protect against ransomware through detection. Some use signatures, while others use machine learning, heuristics, or other means. Detecting and blocking is the typical way that antivirus software works, and it is effective against known ransomware. However, undetected ransomware cannot be blocked by these solutions. To make matters worse, ransomware authors routinely check their ransomware against services like VirusTotal to ensure that it is not detected. Relying on detection alone is not an adequate way to protect a device from ransomware.
2. Rollback and backup techniques
Some anti-ransomware solutions will create a backup of files to another location on disk before they are modified so that once the ransomware is detected they can roll these files back to a pre-encrypted state.
Rollback solutions may use Microsoft's Volume Shadow Copy Service (VSS) or homegrown technologies. Backing up files and rolling them back works reasonably well for detected ransomware; however, there are several problems with this approach.
- First, most rollback solutions limit how much data they store for rollback. Therefore, if a machine were hit with ransomware and all of its data were ransomed, they would only be able to roll back part of the data.
- Secondly, many security products will only allow rollback once the ransomware is detected. If the ransomware remains undetected, they cannot restore any of the data.
- Another problem with rollback is slow recovery. Rollback requires each file to be restored (copied) back one-by-one. If a lot of data was affected by the ransomware, rolling it back can take many hours, assuming the anti-ransomware program can even store enough data to roll these files back.
- When it comes to performance, backing up files also doubles the disk activity (I/O), because each file that is modified must first be copied one-by-one. This causes a significant performance hit.
- Additionally, many ransomware programs will start out by attempting to delete all backups before encrypting the original file. In this case there may be no way to recover since the backup has been destroyed.
- Finally, we see ransomware programs, such as NotPetya and Shamoon, that will do full disk encryption or simply wipe the disk of all data. For these cases backing up the files will not help since the disk itself is overwritten.
As we can see, rollback solutions have many limitations: slow recovery time when a lot of data is ransomed, rolling back files only for detected threats, and being unable to recover from disk lockers (ransomware that encrypts the entire disk). These limitations reduce the usefulness of rollback in cases where the ransomware goes undetected or an attacker is remotely accessing your computers.
3. Protecting specified folders
Another approach that some anti-ransomware solutions take is to block write access for unknown programs and only allow access to approved applications. This way ransomware is blocked from encrypting files in protected folders.
At first glance this sounds like a good approach. However, enabling a feature like this can be problematic, since it is difficult for users to figure out which applications need to be approved. In managed environments this can cause continuous complaints from users when various third-party applications stop working because they cannot access the protected data.
A potentially worse problem is that every approved application becomes a way in for ransomware, which can simply use those approved applications to encrypt data. For example, there are ransomware programs that use Microsoft Word macros to encrypt files. In addition, this approach does not help against ransomware that encrypts or wipes the full disk.
Backup Software
Like endpoint security, backup is an important component, but it has limitations with regard to ransomware. For backup software we will talk about two main categories: traditional backup software and cloud-based backups, of which the most common are cloud drives. Let's discuss each of these in turn.
1. Traditional Backup
Traditional backup is still an obvious choice to make sure your files are fully backed up. But there are several reasons that backups fall short when it comes to ransomware:
- Ransomware now targets backups, destroying the backup files before encrypting an organization’s data.
- Recovery from backups is far from guaranteed. Some sources show that recovery from backups fails as much as 50 percent of the time.
- Backing up is difficult. The backup process is labor-intensive and slows networks to a crawl while it runs.
2. Cloud Drives
To solve this last problem, new cloud offerings are emerging. Dropbox, Google Cloud and OneDrive all work to effortlessly replicate your files to the cloud. These solutions take the labor out of protecting your data, but they are still susceptible to ransomware.
The problem is that ransomware alters your files (by encrypting them). Services like Dropbox are set up to instantly recognize when a file has changed and to replicate it to the cloud right away. By the time an organization realizes it has been hit by ransomware, it may well find that some (or possibly ALL) of its valuable files are encrypted in the cloud as well.
NeuShield: A different way
What organizations really need to ensure a smooth recovery from ransomware attacks is a solution that is as simple and easy as cloud storage, yet provides instant, reliable recovery from ransomware attacks. And that is precisely what NeuShield’s new Data Sentinel delivers.
NeuShield Data Sentinel takes a completely different approach by creating a protective shield between your files and applications. When ransomware or any other application tries to make changes, the original files stay intact, allowing users to revert any unwanted change that has been made.
While other products create backup copies of your files, which can dramatically increase disk usage and cause significant performance overhead, NeuShield's revolutionary technology preserves the original file without requiring a backup. This allows Data Sentinel to protect files with virtually no additional disk activity (I/O).
When it comes to recovery time, NeuShield offers virtually instant recovery because it does not need to copy or restore files back to the disk. All that is needed is for the changes on the overlay to be deleted and the original file is back.
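The contrast drawn in this section (copy-before-write rollback with a bounded cache versus an overlay that leaves the original untouched and is reverted by discarding changes) is easiest to see in a small model. The following is an added example written for this article, not NeuShield's code and not a description of how Data Sentinel is implemented internally; the classes `BackupRollback` and `OverlayStore`, the `compare` helper, the XOR "scramble" standing in for encryption, the cache limit and the sample files are all constructed for illustration. It models in memory what the text describes: the rollback cache fills up and can only restore part of the data, every protected write costs an extra copy, while the overlay restores everything with no copying at all.

```python
"""Toy model of two ransomware-recovery strategies (added example, not product code).

BackupRollback : copy-before-write with a bounded rollback cache, as the
                 rollback products above do. Every protected write costs an
                 extra copy, and once the cache is full originals are lost.
OverlayStore   : an overlay in front of the original data. Writes land in the
                 overlay, reads merge overlay over base, and reverting is just
                 discarding overlay entries; the base is never copied or touched.
"""
from dataclasses import dataclass, field


@dataclass
class BackupRollback:
    files: dict                     # path -> current bytes on "disk"
    cache_limit: int                # how many bytes of originals we may keep
    cache: dict = field(default_factory=dict)  # path -> original bytes
    cache_bytes: int = 0
    extra_io: int = 0               # bytes copied purely for protection/recovery

    def write(self, path, data):
        original = self.files.get(path)
        if original is not None and path not in self.cache:
            if self.cache_bytes + len(original) <= self.cache_limit:
                self.cache[path] = original          # the pre-write copy
                self.cache_bytes += len(original)
                self.extra_io += len(original)
            # else: cache is full, the original is gone once overwritten
        self.files[path] = data

    def rollback(self):
        """Copy every cached original back, file by file."""
        for path, original in self.cache.items():
            self.files[path] = original
            self.extra_io += len(original)
        restored = len(self.cache)
        self.cache.clear()
        self.cache_bytes = 0
        return restored


@dataclass
class OverlayStore:
    base: dict                      # original files, never modified by write()
    overlay: dict = field(default_factory=dict)

    def read(self, path):
        return self.overlay[path] if path in self.overlay else self.base.get(path)

    def write(self, path, data):
        self.overlay[path] = data   # no copy of the original is ever made

    def commit(self, path):
        """Accept a wanted change by moving it into the base."""
        if path in self.overlay:
            self.base[path] = self.overlay.pop(path)

    def revert(self, path=None):
        """Discard unwanted changes; nothing is copied back."""
        if path is None:
            count = len(self.overlay)
            self.overlay.clear()
            return count
        return 1 if self.overlay.pop(path, None) is not None else 0


def scramble(data, key=0x5A):
    """Stand-in for encryption in the simulation: XOR every byte with a constant."""
    return bytes(b ^ key for b in data)


def mass_overwrite(write, read, paths):
    """Simulate a process rewriting every file it can reach."""
    for path in paths:
        write(path, scramble(read(path)))


def compare(files, cache_limit):
    """Run the same overwrite against both models and report what each recovers."""
    backup = BackupRollback(dict(files), cache_limit)
    overlay = OverlayStore(dict(files))
    paths = list(files)
    mass_overwrite(backup.write, backup.files.get, paths)
    mass_overwrite(overlay.write, overlay.read, paths)
    return {
        "backup_files_restored": backup.rollback(),
        "backup_files_intact": sum(backup.files[p] == files[p] for p in paths),
        "backup_extra_io": backup.extra_io,
        "overlay_files_restored": overlay.revert(),
        "overlay_files_intact": sum(overlay.read(p) == files[p] for p in paths),
        "overlay_extra_io": 0,      # writes went to the overlay; no copies were made
    }


# Constructed sample data: 1,400 bytes across three files, cache holds only 900.
SAMPLE_FILES = {"a.txt": b"A" * 500, "b.txt": b"B" * 400, "c.txt": b"C" * 500}
SAMPLE_CACHE_LIMIT = 900

if __name__ == "__main__":
    for key, value in compare(SAMPLE_FILES, SAMPLE_CACHE_LIMIT).items():
        print(f"{key}: {value}")
```

With the constructed inputs the rollback model caches `a.txt` and `b.txt`, runs out of room for `c.txt`, and so restores two of three files after spending 1,800 bytes of extra I/O (900 copied out, 900 copied back); the overlay model restores all three with zero extra I/O, because recovery is deleting overlay entries rather than copying data. The `commit` method shows the other half of the idea: a wanted change is kept by promoting it into the base, so ordinary editing still works.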
In addition, the boot portion (MBR) of your drive is monitored to prevent aggressive types of ransomware from overwriting the boot record and leaving the device unable to boot. NeuShield also monitors and blocks raw disk access to prevent wipers and malicious ransomware programs from destroying or encrypting the data on your hard drive.
With NeuShield a corporation's key data is protected, allowing it to recover quickly from both external and insider threats.