Real-Life Ransomware Attacks and How GuardMode Helps to Mitigate the Damage
According to Statista reports, total enterprise data volume was estimated to increase significantly, rising from approximately 1 petabyte to 2.02 petabytes, which represents an average annual growth of 42.2% (Expected enterprise data volume by location 2022 | Statista ). It’s important to note that the majority of this data will be stored in internally managed data centers.
This is a lot of enterprise data. With the fast pace of cloud storage adoption, that is in some cases entirely transparent to the end user, we don’t even realize how much data we collect … and how much we have to protect.
Unfortunately, with the growing amount of data, and its importance, ransomware attacks continue to be a growing concern for businesses of all sizes. In recent years, the number of ransomware attacks has skyrocketed, causing significant damage to businesses and individuals alike. While traditional antivirus and anti-malware software can provide some level of protection, these solutions are often limited in their ability to detect early and track these types of attacks.
GuardMode is a solution that provides an additional layer of protection to a backup and recovery solution, specifically for ransomware and ransomware-like threat detection. GuardMode helps detect and alert administrators about suspicious activity in real-time, minimize the impact of an attack on the user’s data and systems, and help roll back just the affected data, without having to revert to a full point-in-time snapshot. In this blog post, we’ll explore two real-life examples of ransomware attacks and how GuardMode detects their abnormal behavior and then helps to mitigate and recovery from the damage.
WannaCry is one of the most famous ransomware attacks of all time. This strain of ransomware was discovered in May of 2017, and it quickly spread across the globe, infecting hundreds of thousands of computers in over 150 countries. The WannaCry attack used a vulnerability in Microsoft Windows to spread rapidly and infect systems. Reporter Connor Jones of ITPro points out in a recent article that many fail to realize that after 5 years, WannaCry’s ghost, still actively lurks on the ransomware landscape.
GuardMode, with its real-time monitoring’ and behavior-based detection techniques, as well as built-in decoy files deployment, is able to detect the abnormal file access patterns and unusual process execution associated with WannaCry. The software would then alert the backup admin and IT operations team immediately, allowing them to take action before the ransomware had the chance to encrypt their files.
With support for both Windows and Linux machines, GuardMode can detect suspicious patterns and ransomware-specific extensions on file shares. Repeated alerts trigger an automation that would lock down file-shares to read-only and would alert the IT and Security teams to take action immediately.
Furthermore, by integrating GuardMode with a backup and recovery solution such as Catalogic DPX, the orginazation gains an additional layer of recovery. Through the usage of a REST API and syslog, administrators get an option to automate on-demand snapshots or backups, and gain the ability to roll back just the affected data, given GuardMode is tracking all the encrypted files on the system.
Ryuk is another well-known strain of ransomware that has been responsible for significant damage in recent years. Ryuk is typically used in targeted attacks against large organizations, and it is known for its ability to cause substantial damage in a short amount of time. It’s important to remember that typically during a malware attack, the attackers map the network, identify critical systems and gather information about the target’s infrastructure, so later they can use techniques such as Remote Desktop Protocol (RDP) or Server Message Block (SMB) to move from one compromised system to another, escalating privileges and expanding their control over the network. Once the attackers have control over the target network, they run the Ryuk ransomware and encrypt files on the file shares, workstations, and servers. The ransomware will typically also delete shadow or backup copies of files and stop certain critical services.
With GuardMode in place, the software is able detect the abnormal behavior associated with Ryuk. With the ability to track file activity, GuardMode could be configured to detect new binaries being installed on systems where no installations should be performed. This allows IT admins to take action before the ransomware had the chance to encrypt their data. Additionally, as Ryuk is a rapid encryption ransomware, GuardMode can quickly detect typical thresholds being surpassed and send an alert allowing Administrators to take immediate action. Ryuk is known to place a RyukReadMe.txt file that contains detailed information about ransom payment – that is yet another thing that GuardMode is looking for to warn users as soon as possible. Furthermore, by integrating with a backup solution, GuardMode can make a copy of backup data available for recovery through a guided recovery mechanism, even if the ransomware was successful in encrypting files.
Ransomware attacks are a growing concern for businesses of all sizes, and traditional antivirus and anti-malware software can only do so much. Recent research from IBM (Cost of a data breach 2022) found that the average breach lifecycle takes 287 days, with organizations taking 212 days to initially detect a breach and 75 days to contain it. The same study revealed there was a 94.34% reduction in the average duration of ransomware attacks between 2019 and 2021, from over two months to just a little more than three days. Taking the above into account, it’s clear that with the advanced and more sophisticated ways of avoiding heuristic-based detection mechanisms, it’s more challenging to detect and block malicious software. GuardMode, with its real-time monitoring and behavior-based detection techniques, provides an additional layer of data protection that can do early detection and alert the administrator or other systems of these types of malware attacks.
By integrating GuardMode with a backup and recovery solution like Catalogic DPX, businesses can minimize the impact of a ransomware attack and ensure the rapid and precise recovery of their data. DPX offers an integrated web-based management console for GuardMode, allowing for easier configuration, maintenance, and alerting.
Contact us to learn more about GuardMode and how it can enhance your security posture and how can it seamlessly integrate with your existing infrastructure. We will demonstrate GuardMode in action, and help you integrate and fine-tune GuardMode to fully utilize its potential using your existing infrastructure.