Ransomware meets Backup – Cyber Attack Detection System

If they are used well, backup tools can play a key role in the battle against ransomware attacks. Contrary to popular opinion, they do not have to be limited to simply creating backup and recovering data.

This article will not only discuss the advanced functionalities of resource protection software in detecting threats, such as the monitoring of data processing. We will also ask the question of whether backup can be an effective solution when compared to antivirus software in the face of the ever-increasing number and sophistication of hacking attacks.

The evolution of ransomware

The first ransomware attacks took place in 2013. The criminals followed a simple plan: encrypt files and then demand a ransom for providing the decryptor. The model hasn’t changed much since then, and unfortunately is still effective. It is not without reason that cyberattacks are called the plague of the 21st century. In the meantime, ransomware gangs have introduced two key innovations. The first is that the attackers started to encrypt not only local data, but all network resources available to the logged on system user, including backup. Since last year, however, the majority of attackers have used dual tactics. In practice, this means that in addition to encrypting files, the criminals also threaten to publish the data seized. If the victim refuses to pay the ransom, the attackers publish part of or all of the information acquired.

According to DarkTracer data, to date 34 ransomware gangs have published data belonging to 2100 firms on the net. The most active among them in this regard was Maze (266 leaks), which has since ceased operations, and Sodinokibi / Revil (222 leaks). It is due to the possibility that sensitive company data may be published that it is considered that creating backup does not guarantee complete security. Interestingly, security experts have observed that some entrepreneurs are more worried about data leaks than about data being encrypted. Unfortunately, relying only on software that will block any attack, without regular data backup, is a much worse and highly risky solution. Learn more about how to protect your business from ransomware.

Data backup encryption is another matter. It is true that in theory this can easily be prevented by using offline data storage such as USB discs or tapes. However, this type of solution is rather outdated because backup is not carried out automatically at defined time intervals. It is also possible that the malicious software may activate at the moment when the data storage device for making backup is connected to the infected computer.

Is detecting hacker attacks fundamental?

Analysts predict that the coming years will see further escalation of hacking attacks. With the appearance of ransomware as a service software (RaaS), cyber criminals do not even need to be particularly cunning or have specialist knowledge. Oleg Skulkin from Group-IB, a cyber security firm, shared his observation on ZDNet that

partnership programmes make this type of attack more attractive for cyber criminals, and their huge popularity has made practically every firm a potential victim, irrespective of size or branch of industry.

So why would cyber criminals give up such as lucrative business?

Unfortunately, the forces for good do not have the strength to hold back the ransomware gangs’ offensive. According to Gartner, by 2025 at least 75% of IT departments will have to face up to one or more such incidents. Experts partly base their predictions on 2020 data, when there was a seven-fold increase in ransomware attacks. This state of affairs means that the people responsible for IT security should make a comprehensive assessment of their defensive fortifications in terms of their ability to counteract malicious ransomware software.

Responsibility for blocking and detecting attacks lies with antivirus software and EDR (Endpoint Detection and Response) systems. Every worthwhile antivirus software manufacturer offers such functionality as anti-malware and anti-ransomware, but their effectiveness leaves a lot to be desired. Antivirus software monitors text strings that are known to be linked to ransomware software.

Unfortunately, antivirus software is still based to a large degree on an updated virus signature database, while this technique is highly ineffective in the case of attacks carried out using new versions of malicious software. EDR provides a decidedly greater range of options in terms of detecting attacks, although using the tool can be a problem. While it does supply a great deal of valuable information, analysis of this data requires specialists in cyber security. As a result, EDR remains a product that is out of reach for smaller or even medium-sized firms. For good reason, there is a growing number of voices which say that part of the tasks related to detecting attacks can be shouldered by backup system suppliers. Lern more about how to reduce the damage caused by a ransomware attack.

The unknown and unappreciated side to backup tools

Ransomware attacks are targeted toward data, which is why backup platform security is of fundamental importance for data recovery. Manufacturers of backup tools are aware of this and are adding new functionality to help organisations in three areas:

  • detecting attacks
  • protecting backup systems
  • rapid data recovery after a cyber attack

While the last two are accepted without question, attack detection is not associated with backup tool functionality. The first line of defence against ransomware is early detection of suspicious activity. In the majority of organisations, this task is carried out, as mentioned earlier, by antivirus software protecting both company servers and employees’ laptops. Unfortunately, the increasing success rate of ransomware attacks puts into question the effectiveness of antivirus software. As a result, there is a need to use additional security measures.

Of course, backup systems cannot plug all the holes in security, but they can play a part in the security system. Malicious software detection by backup applications works in two ways. One of these is the detection of any anomalies that appear. The latest backup applications use algorithms based on artificial intelligence/machine learning to detect unusual input/output patterns. For example, this could be a change in the daily incremental backup size. Once the software detects an inconsistency, it sends an alert to the administrators. This information is valuable for two reasons: firstly, it warns the organisation about a possible attack, and secondly, it helps to identify the last known good backups during the recovery process.

The next method that is used to detect ransomware is scanning. After backup has been made, the copied data can be scanned using various tools to detect any malicious software. Importantly, this process does not affect the efficiency of production processes. The operation can also be carried out retroactively, on condition that the signatures for previously undetectable malicious software are available. In such a scenario, deep scanning can go back through existing backup data to determine whether the malware was identified in previous backup tasks, in order to isolate it and define when the attack began.

The functions described are not an ideal defence against ransomware attacks, and should not be seen as replacements for traditional scanning tools based on hosts. However, it is worth using them as they provide an additional layer of protection, which may help in early detection of attacks.

Pawel Maczka

text written by:

Pawel Maczka, CTO at Storware