Ransomware threats evolving to attack backup programmes
Mon, 16th Jul 2018

Security experts today are seeing signs of growing competition between ransomware distributors.

Attackers are starting to probe previously unreached countries, where users may not be prepared for fighting ransomware and where competition among criminals is lower.

Ransomware-as-a-Service is becoming more and more popular, with amateur cybercriminals trying to earn easy money.

Ransomware attacking backup files

The traditional defence against ransomware is having a disaster recovery solution in place, as users can restore their machines to the most recent backup copy before the attack.

This is leading modern cyber criminals to also attack and delete backup programmes and files to remove this as an option for their victims.

One of the few solutions in the market that has taken this into account is the Acronis Disaster Recovery Cloud.

The solution includes Acronis Active Protection, a robust self-defence mechanism that prevents any process in the system other than Acronis software from modifying backup files.

Acronis Australia and New Zealand general manager Neil Morarji says, “Ransomware puts everyone's data at risk.

“With Acronis' cyber protection solutions, including Acronis Disaster Recovery Cloud, we're making ransomware a less viable tool for cyber criminals.”

Better than signature-based threat detection

At the heart of Acronis Active Protection lies a heuristic approach to malware detection that is much more advanced than the traditional, signature-based approach.

While one signature can detect only one sample, heuristic analysis can detect multiple or even hundreds of samples of files that belong to one so-called family (usually similar in behaviour or patterns of actions).

The behavioural heuristics are a chain of actions (file system events, to be precise) done by a program that is then compared with a chain of events in a database of malicious behaviour patterns.

Acronis Active Protection checks any suspicious processes that it detects against the whitelist and blacklist.

Potential ransomware is stopped and placed into the blacklist, which prevents it from starting again on the next reboot.

This is important because the user does not have to repeat the process of blocking the ransomware all over again the next time they start the machine.
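The behavioural heuristic described above, as an added example that is not Acronis code: file-system events are grouped per process, each process's chain of actions is compared against a small database of malicious patterns, and the verdict is gated by a whitelist and a persistent blacklist. The event log, process names, pattern database and the "two files" threshold are all constructed for the illustration; a real product would key its blacklist on the executable's hash rather than its name.

```python
"""Behaviour-based ransomware detection over a stream of file-system events.

Added illustration, not Acronis code. Events are (pid, process_name, action, path).
"""
from collections import defaultdict

# Constructed sample event log. Process 202 opens a file, writes an
# encrypted copy and deletes the original, over and over; process 404 does
# the same sequence once, as an editor saving through a temp file would.
SAMPLE_EVENTS = [
    (101, "winword.exe", "open", "C:/Users/a/report.docx"),
    (101, "winword.exe", "write", "C:/Users/a/report.docx"),
    (202, "svchst.exe", "open", "C:/Users/a/photos/1.jpg"),
    (202, "svchst.exe", "create", "C:/Users/a/photos/1.jpg.locked"),
    (202, "svchst.exe", "delete", "C:/Users/a/photos/1.jpg"),
    (202, "svchst.exe", "open", "C:/Users/a/photos/2.jpg"),
    (202, "svchst.exe", "create", "C:/Users/a/photos/2.jpg.locked"),
    (202, "svchst.exe", "delete", "C:/Users/a/photos/2.jpg"),
    (202, "svchst.exe", "create", "C:/Users/a/photos/README_DECRYPT.txt"),
    (303, "backup_agent.exe", "open", "C:/Users/a/photos/3.jpg"),
    (303, "backup_agent.exe", "create", "D:/backups/3.jpg.bak"),
    (404, "notepad.exe", "open", "C:/Users/a/notes.txt"),
    (404, "notepad.exe", "create", "C:/Users/a/notes.txt.tmp"),
    (404, "notepad.exe", "delete", "C:/Users/a/notes.txt"),
]

# Constructed "database of malicious behaviour patterns": each entry is a
# contiguous chain of file-system actions typical of one ransomware family.
PATTERNS = {
    "encrypt-copy-then-delete-original": ["open", "create", "delete"],
}

# Constructed whitelist: processes that legitimately rewrite many files.
WHITELIST = {"backup_agent.exe"}


def count_pattern(actions, pattern):
    """Count non-overlapping contiguous occurrences of `pattern` in `actions`."""
    n, m = len(actions), len(pattern)
    count = i = 0
    while i + m <= n:
        if actions[i:i + m] == pattern:
            count += 1
            i += m
        else:
            i += 1
    return count


def analyse(events, blacklist, whitelist=WHITELIST, threshold=2):
    """Return {process_name: verdict}; processes that match a pattern at least
    `threshold` times are stopped and added to `blacklist` (mutated in place).
    The threshold keeps a single open/create/delete, as an editor's save does,
    from being treated as ransomware."""
    per_process = defaultdict(list)
    names = {}
    for pid, name, action, _path in events:
        per_process[pid].append(action)
        names[pid] = name

    verdicts = {}
    for pid, actions in per_process.items():
        name = names[pid]
        if name in blacklist:
            verdicts[name] = "blocked (blacklisted)"      # never allowed to run again
        elif name in whitelist:
            verdicts[name] = "allowed (whitelisted)"
        else:
            matched = [p for p, seq in PATTERNS.items()
                       if count_pattern(actions, seq) >= threshold]
            if matched:
                blacklist.add(name)                        # persists across reboots
                verdicts[name] = "stopped: " + ", ".join(matched)
            else:
                verdicts[name] = "allowed"
    return verdicts


if __name__ == "__main__":
    persistent_blacklist = set()
    for proc, verdict in analyse(SAMPLE_EVENTS, persistent_blacklist).items():
        print(f"{proc:18} {verdict}")
    # Second run (the "next reboot"): the stopped process is blocked outright.
    print(analyse(SAMPLE_EVENTS, persistent_blacklist)["svchst.exe"])
```

The verifier-facing point is the threshold: the heuristic fires on a repeated chain, not on a single occurrence, which is what keeps ordinary save-to-temp-and-rename behaviour off the blacklist.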

Laying the bait

The Acronis Active Protection feature includes specially crafted honeypots used to find and disarm ransomware.

Like a bee is drawn to honey, ransomware is often looking for certain types of files.

If these types of files are placed into controlled directories, you can catch and isolate the ransomware.

Because these directories are controlled by Acronis Active Protection, the infection can't spread.

Users won't see these files because they are hidden in the system and take up very little space on a hard drive, so this additional layer of security doesn't create any inconvenience.
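The decoy-file idea from this section, as an added example that is not Acronis code: a few small, hidden decoy files are planted with random content, their hashes recorded, and a later check reports any decoy that has been modified or has disappeared, which is the signal a controlled directory gives when something is encrypting or renaming files. The decoy names, their 64-byte size and the dot-prefix "hidden" convention are assumptions for the illustration (on Windows a file is hidden by attribute, not by name), and the tampering in `demo()` is simulated by the script itself.

```python
"""Decoy (honeypot) files for ransomware detection.

Added illustration, not Acronis code: plant hidden decoys, record their
hashes, and report any decoy that was changed or removed.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path

# Constructed decoy names: look like tempting user documents, dot-prefixed so
# they stay out of sight in a directory listing on POSIX systems.
DECOY_NAMES = [".~lock.budget.xlsx", ".~tmp.family.jpg", ".~cache.notes.docx"]
DECOY_SIZE = 64  # bytes; decoys should cost the user practically no disk space


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path) -> dict:
    """Write the decoys under `root` and return {path: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        decoy = root / name
        decoy.write_bytes(secrets.token_bytes(DECOY_SIZE))  # random, so any rewrite changes the hash
        baseline[str(decoy)] = sha256_of(decoy)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return [(path, 'modified' | 'missing')] for every decoy that no longer
    matches the baseline. Any entry here means a process touched files it had
    no business touching; a legitimate user never sees these files."""
    tampered = []
    for path, digest in baseline.items():
        decoy = Path(path)
        if not decoy.exists():
            tampered.append((path, "missing"))      # renamed away or deleted
        elif sha256_of(decoy) != digest:
            tampered.append((path, "modified"))     # encrypted in place
    return tampered


def demo() -> list:
    """Plant decoys in a temporary directory, simulate two kinds of tampering,
    and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        assert check_decoys(baseline) == []          # untouched decoys are silent

        # Simulated tampering (done by this script, not by malware):
        first = root / DECOY_NAMES[0]
        first.write_bytes(b"\x00" * DECOY_SIZE)      # "encrypted" in place
        second = root / DECOY_NAMES[1]
        second.rename(second.with_name(second.name + ".locked"))  # renamed with a suffix

        return check_decoys(baseline)


if __name__ == "__main__":
    for path, what in demo():
        print(f"{what:8} {path}")
```

In a deployment the check would run from a file-system watcher on the decoy directory rather than on demand, and the process responsible for the change would be the one stopped; the hash comparison shown here is what makes the decoy a reliable tripwire regardless of how the file was altered.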

Machine learning integration

Machine learning brings Acronis Active Protection to a whole new level, especially when it comes to zero-day threats.

It creates a model of legitimate processes, so even if bad actors find a new vulnerability or way to infiltrate the system, it will detect the ransomware's processes and put a stop to them.

Acronis machine learning infrastructure is built so that new anonymised user data will be uploaded regularly for analysis.

Machine learning not only raises the detection rate but also reduces potential false positives, as it acts as a second authority alongside the heuristics when making the final decision.

Security experts, the FBI and other organisations agree that ransomware attacks will continue to take place more frequently, especially in corporate and small business environments.

As such, organisations need to ensure that they're equipped to handle such threats because it's only a matter of time before they're attacked.

Acronis Disaster Recovery Cloud enables businesses to recover from attacks with minimum downtime, ensuring business continuity.