Ransomware Detection is Not Enough

This week we’re happy to have Frank Jablonski, Vice President, Global Product Marketing and Communications at Acronis offer his thoughts on the WannaCry ransomware attack, and how partners can effectively respond to the security needs of their customers in light of the media attention from this high profile attack. Talk to AVANT to add Acronis and other security solutions to your portfolio. – Lily Weibel, AVANT Marketing

The recent worldwide WannaCry ransomware attacks brought unprecedented attention to the fastest-growing malware threat of the 21st century. For the first time, ransomware became the focus of newspaper headlines, lead stories on cable network news programs, and security briefings to political and business leaders. Educating your customers on complex data protection issues is never easy, but the scale and destruction of WannaCry has served up an opportunity to do so with vivid examples of crippled transportation systems, hospitals, public safety departments and government agencies still fresh in their minds. As an AVANT partner, you can help guide your customers at this critical moment when they finally understand the urgency of the ransomware threat. Acronis is here to help.

When the WannaCry attack brought down hundreds of thousands of computers in 150 countries, it woke up the world to a new reality. Cybercriminals have gotten much more dangerous, building payloads around exploits for operating-system and application vulnerabilities, some of them newly discovered and not yet publicly disclosed. Their distribution methods have also gotten much more effective, from the commonplace but very large-scale phishing campaigns run by Ransomware-as-a-Service operators to fast-propagating worms. WannaCry's worm component spread across networks using the SMBv1 exploit known as EternalBlue, which was developed by the US National Security Agency, stolen from it, and published by the Shadow Brokers group a month before the attack. Notably, Microsoft had already patched the underlying vulnerability (MS17-010) in March 2017, two months earlier; the machines that fell were unpatched or running unsupported versions of Windows.

This new tide of cyberattacks puts businesses in jeopardy, threatens to destroy the personal data of countless individual consumers, and even puts lives at risk when the targets are healthcare, government and critical infrastructure. To respond, public officials and corporate leaders must start investing in comprehensive data protection and defenses against ransomware intrusions.

Vendors of IT security and data protection products have come up with a broad range of responses to the ransomware epidemic. A variety of techniques are employed in detection: signature matching against known threats (the endpoint anti-virus approach), sandboxing (placing unknown apps into virtual environments to observe what they do before allowing them to run on production servers and workstations), and behavioral analysis (monitoring live apps for malicious behavior). Ransomware developers are keenly aware of these defense measures and constantly iterate their products to evade them. For instance, repacking and code obfuscation produce variants that no existing signature matches, while dormancy techniques (delaying the payload, or checking for a virtual environment before detonating) let a sample sit quietly through a sandbox analysis. In this ongoing arms race, the criminals always have first-mover advantage.

Few data protection measures move beyond ransomware detection to include ransomware termination. Many of the approaches that do are expensive, resource-intensive, and complex to deploy and manage. And very little coming out of the IT security industry aids in recovery from the damage of a ransomware attack once it has begun.
A disciplined backup regimen with diverse storage media and locations (the 3-2-1 rule of backup: three copies of the data, on two different media, with one copy off-site) remains the best last line of defense against ransomware. But backup alone does not protect anything created or changed since the last backup ran. If you last backed up yesterday, every change made since then is lost for good when ransomware strikes: ransomware generally uses strong encryption that cannot be brute-forced, so the only way back is a copy made before the attack. Paying the ransom is a bad bet: roughly one in five users who pay never receive the promised decryptor. A critical advantage of Acronis Backup 12.5 with Active Protection, in addition to ransomware detection and attack termination, is its ability to recover any and all files damaged in a ransomware attack, without limitations such as a fixed cache size that some backup solutions suffer.

Acronis Ransomware Protection Solution
Acronis Active Protection is an advanced anti-ransomware detection, termination and mitigation technology that actively protects all of the data on your computers and servers—documents, data of all types, and your Acronis Backup files. Introduced in our consumer data protection product Acronis True Image in January 2017, it is now part of Acronis Backup 12.5 Standard and Advanced Editions and will be added to Acronis Backup Cloud imminently.

Acronis Active Protection uses heuristic analysis to identify patterns of actions on data files on a computer, creating an ever-evolving understanding of which behaviors are safe / ordinary and which are suspicious / potentially malicious. This not only enables it to detect and terminate established ransomware families, but also variants whose techniques aren’t yet widely known, or that prey on unknown vulnerabilities (zero-day exploits) and thus can evade the signature-matching approach of traditional anti-virus products.

This intelligent, self-learning approach not only lets Acronis Active Protection defend against unknown threats (a necessity in an environment where cybercriminals are constantly developing new techniques to evade security defenses) but also lets it reduce false positives: the misidentification of legitimate processes, such as archivers or encryption tools, that rename and encrypt files in bulk (both common symptoms of a ransomware attack). Active Protection complements this active classification of good versus malicious processes by maintaining an application whitelist that removes known legitimate processes from suspicion.

By maintaining a cascade of file backups – local cache, local storage, and cloud storage – Acronis Backup with Active Protection is able to nearly instantaneously restore any files damaged in a ransomware attack before it was detected and terminated. This is a unique capability: no competing anti-ransomware product can detect an attack, stop it, and clean up any damage in its aftermath. Only Acronis Active Protection detects and stops ransomware attacks, then restores any damaged files, regardless of their size. Its heuristic, self-learning approach further enables it to defend against two insidious ransomware techniques:

  • Attacks on local and Cloud Backups
  • The currently-theoretical but widely-expected advent of attacks that do not encrypt files, but instead make small, hard-to-detect changes in files that could be harmful to the user (e.g., changes in legal or financial documents) and thus provide the basis of extortion.
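The behavioral detection, whitelisting, termination and rollback-from-cache described in the paragraphs above, shown as an added example. This is illustrative code written for this page, not Acronis code, and it does not represent how Active Protection is implemented: the file events, process names, paths, entropy threshold (7.0 bits per byte), three-file trigger and whitelist entries are all constructed assumptions. It replays a constructed stream of file operations the way a filter driver would see them, scores each process, exempts whitelisted ones, "terminates" the offender once it has hit three files and restores every file that process wrote from a copy taken just before that process first touched it, so an edit a legitimate program made earlier survives the rollback.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass

HIGH_ENTROPY = 7.0       # bits/byte; office documents sit well below this (assumed threshold)
SUSPICIOUS_FILES = 3     # distinct files hit before acting; a single odd write stays quiet
WHITELIST = {"7z.exe", "backup-agent.exe"}   # assumed-legitimate archivers/encryptors

def shannon_entropy(data: bytes) -> float:
    # bits of entropy per byte; ciphertext and compressed data approach 8
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pseudo_random(seed: str, n: int) -> bytes:
    # deterministic high-entropy bytes standing in for ciphertext (constructed data)
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

@dataclass
class Event:
    pid: int
    proc: str
    op: str          # "write" or "rename"
    path: str
    arg: object      # new content (bytes) for write, new path (str) for rename

class Monitor:
    def __init__(self, files: dict):
        self.files = dict(files)           # live filesystem: path -> bytes
        self.cache = {}                    # (pid, path) -> content before that pid first wrote it
        self.touched = defaultdict(list)   # pid -> paths it wrote
        self.renames = defaultdict(list)   # pid -> [(old, new), ...]
        self.flagged = defaultdict(set)    # pid -> paths with suspicious operations
        self.killed = set()
        self.alerts = []

    def handle(self, ev: Event) -> None:
        if ev.pid in self.killed:
            return                         # terminated process: its I/O is dropped
        suspicious = False
        if ev.op == "write":
            key = (ev.pid, ev.path)
            if key not in self.cache:      # snapshot once, before this pid's first write to the file
                self.cache[key] = self.files.get(ev.path)
                self.touched[ev.pid].append(ev.path)
            self.files[ev.path] = ev.arg
            # writing ciphertext-like bytes is a tell once it repeats across many files
            suspicious = shannon_entropy(ev.arg) >= HIGH_ENTROPY
        elif ev.op == "rename" and ev.path in self.files:
            new = ev.arg
            self.files[new] = self.files.pop(ev.path)
            self.renames[ev.pid].append((ev.path, new))
            # appending a new extension (report.docx -> report.docx.locked) is a classic tell
            suspicious = new.startswith(ev.path + ".")
        if suspicious and ev.proc not in WHITELIST:
            self.flagged[ev.pid].add(ev.path)
            if len(self.flagged[ev.pid]) >= SUSPICIOUS_FILES:
                self.terminate_and_restore(ev.pid, ev.proc)

    def terminate_and_restore(self, pid: int, proc: str) -> None:
        self.killed.add(pid)
        # undo renames newest-first, then put back each written file's pre-write content
        # (assumes the usual encrypt-in-place-then-rename order)
        for old, new in reversed(self.renames[pid]):
            self.files[old] = self.files.pop(new)
        for path in self.touched[pid]:
            original = self.cache[(pid, path)]
            if original is None:           # created by the attacker: remove it
                self.files.pop(path, None)
            else:
                self.files[path] = original
        self.alerts.append(f"killed {proc} (pid {pid}); restored {len(self.touched[pid])} file(s)")

def build_scenario():
    # constructed sample: five documents, a Word edit, a whitelisted archiver, then ransomware
    docs = {f"C:/Users/alice/Documents/report{i}.docx":
            (f"Quarterly report {i}: revenue, costs, headcount by region.\n" * 40).encode()
            for i in range(5)}
    first = "C:/Users/alice/Documents/report0.docx"
    edited = docs[first] + b"Edited by Alice on Monday.\n"
    events = [Event(1001, "winword.exe", "write", first, edited)]   # benign low-entropy overwrite
    for n in range(1, 4):                                           # whitelisted high-entropy volumes
        events.append(Event(1002, "7z.exe", "write", f"C:/Users/alice/backup.7z.{n:03d}",
                            pseudo_random(f"vol{n}", 2048)))
    for path in docs:                                               # encrypt in place, then rename
        events.append(Event(4242, "ransom.exe", "write", path, pseudo_random(path, 2048)))
        events.append(Event(4242, "ransom.exe", "rename", path, path + ".locked"))
    return docs, edited, events

def run_scenario() -> Monitor:
    docs, _, events = build_scenario()
    mon = Monitor(docs)
    for ev in events:
        mon.handle(ev)
    return mon
```

Calling run_scenario() returns the monitor: its alerts list holds one entry for ransom.exe, report0.docx carries Word's edit rather than the stale original, reports 1 and 2 are back to their pre-attack content, no .locked files remain, and the 7z.exe volumes were left alone because their process was whitelisted. Two caveats a practitioner would want: a whitelist keyed on a process name is trivially spoofed, so real products key on the signed binary or its hash; and the entropy-plus-count heuristic is evaded by slow encryption, by encrypting only part of each file, or by staying under the file count, which is why the cache-based rollback matters more than any one detection rule, and why that cache itself must be guarded from the attacker, as the first bullet above notes.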

The Lessons of the May 2017 WannaCry Ransomware Attack
What did we learn from the massive May 2017 ransomware incident? The world finally began to recognize how many millions of computers are at risk from malware attacks, and how quickly a business can be brought to a grinding halt by ransomware. Businesses and consumers with the foresight to schedule and maintain a disciplined backup strategy were able to recover with relatively little damage. The rest were left counting the high costs of a sophisticated new malware attack, and wondering when the next one would hit.

They won’t have to wait long. New variants of the WannaCry ransomware worm are already wreaking havoc in the wild. Cybercriminals are making billions in profits in the ransomware business, and reinvesting those ill-gotten gains in R&D to uncover novel ways to infect computers, defeat security measures, and extort cash from their victims. In this new reality, backup remains the only reliable way to recover from a ransomware attack. But ordinary backup by itself is not enough. Smart users will seek data protection technology that goes beyond detection and recovery, looking for solutions that detect and extinguish ransomware, defend backup copies against malware damage, and instantly restore files damaged in an attack. That solution exists today: Acronis Backup 12.5 with Active Protection.