0

Following the recent ransomware attacks that leveraged the WannaCrypt0r malware and NSA-developed EternalBlue vulnerability exploit, there was plenty of advice that backup, backup, backup was the best mitigation. Data backups are, of course, an important part of any business continuity strategy. However, what happens when your backups are also encrypted by ransomware? There are variants out there, in the wild, that will target shared network drives, that will use cloud backup desktop sync clients to encrypt that data as well. There are variants that will not declare themselves and post the ransom demands until they have been successfully encrypting backups in the background for a few weeks and thus making it even harder to recover from the attack without coughing up. All of these things suggest that maybe a new backup strategy is required.

A relevant press release arrived from Acronis today regarding the business-oriented Acronis Backup software; the latest version of which (12.5) now includes 'Acronis Active Protection' amongst other things. This is something that I've been using here for a while now, but as a feature of the Acronis True Image 'new generation' product. The new generation premium version that includes it (along with 1Tb of online storage for one PC and unlimited mobile devices) doesn't come cheap at $99 per year, costly in comparison to the likes of CrashPlan and positively exorbitant if measured against the free Macrium Reflect backup software. Nor is it exactly lightweight, requiring half a gig of space to install. During the installation process you have to sign the EULA which, in effect, says that Acronis isn't responsible for any data loss. Something that I feel doesn't exactly fill you with confidence, although 'because lawyers' does apply I guess.

So what is this Active Protection that it brings to the backup party? As far as I can tell, it works by applying a heuristics engine to monitor your files. That's all files, all of the time; find it in your system tray from where it can be configured. What it's looking for are any unauthorized attempts to encrypt any data, excluding those that you have told it to ignore. If it spots anything then a user prompt pops up that displays the name of the encrypting process and the files that have been hit. The user can then either 'block' or 'trust' that process. Any files that had already been encrypted by the malware can then be restored if you select block.

I've tested this whole detection and restore process, and it does actually seem to work as intended. I'm not alone in putting it to the test, and here in the UK an independent testing lab called MRG Effitas has published a report comparing how well various backup solutions protect endpoints from ransomware compromise.

To be honest though, I'm not the greatest fan of the Acronis software UI, and this is especially the case when it comes to the restore functionality rather than the backup. I find it to be somewhat tedious when only wishing to restore a particular file or folder. That said, it's pretty easy to use when restoring the whole hard drive data shebang. The report goes as far as to state that "the ability to protect the machine from being encrypted entirely and the prospect of restoring the PC and user files after the infection was the most important testing metric in this comparative assessment." The Acronis option with Advanced Protection was the only one, out of the eight market leading products tested, that offered protection against the 10 ransomware strains thrown at them.

Obviously, not getting infected in the first place is the best mitigation against being held to ransom. And that means implementing a solid patch management plan, having resilient endpoint protection and educating users against unsafe practices. Yet, as it's looking at individual file encryption processes across the entire device rather than trying to spot the attacking malware itself, Active Protection should hopefully stand up well to new ransomware variants as they are released into the wild. Only time will tell. I've learned long ago not to underestimate the innovative ingenuity of coders in the criminal space. One things for sure though, we've all got to realise that just because you've backed something up that doesn't mean it will automatically save the day should ransomware strike. To paraphrase the Daleks: mitigate, mitigate, mitigate...

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

5
Contributors
7
Replies
49
Views
4 Months
Discussion Span
Last Post by Josh Ross
0

Great article. It is also nice to know the possible options from your standard every day copy and past to a different hard drive solutions.

0

Is there any permanent solution for eleminating ransomware?

We all just talk about saving our data and information.

0

That's like asking if you can eliminate malware, of which ransomware is just one variant. You can reduce the risk of infection, but you cannot eliminate it unless you write everything down on bits of paper and throw the computers into the skip...

0

Everything on the internet is vulnerable, you can't "eliminate" it completely. As Happygeek mentioned, you can reduce the risk of infection. The best way is either avoid the internet (which is not an option nowadays) or use a lot of common sense, awareness and general knowledge about how malware industry works to increase protection.

0

educating users against unsafe practices.

This might be beyond the scope of your article, but how does Randsomware work? Most of us have been educated at least to the point where we know to scan any executables that we download for KNOWN malware, to try to spot the difference between an OS popup versus a software popup, to use Limited Accounts instead of Admin accounts for day to day use, to adjust our browser settings regarding permissiveness and authorization for running scripts, etc., etc., all the normal stuff that applies to avoiding viruses. Is Randsomware any different from any other malware? Could a script-kiddy do it or does it require detailed knowledge and skill?

Basically, is this anything new or different that should change a computer user's behavior to change in order to prevent this? Everyone should already be using their computer(s) assuming bad guys everywhere are trying to exploit any possible chink in the armor.

Edited by AssertNull

0

That is the problem, people are still not assuming and are not aware. You would be surprised. The number of individuals that do not know that emails can contain malicious links and not all email files is necessarily legitimate, is quite high. New vectors of attacks are always emerging. Elaborate social engineering, ads (Plenty of users still do not know about adblock and similar technologies), bundled malware, scam and phishing approaches. And while the fact itself doesn't change, the way they do it changes, and we are not creating enough attention.

By the way, you say "All the normal stuff", but what you mentioned only 20 maybe 25% people are aware of. The amount of user compared to amount of education and awareness that we have, is proportionally low

Edited by Josh Ross

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.