NetApp Ransomware Protection

Ransomware Protection: Detection, Recovery, and Prevention

What is Ransomware Protection?

Ransomware is a type of malware that infects a computing device, encrypts the user’s sensitive data, and demands a ransom in exchange for releasing the data. Ransomware has become a multi-billion-dollar business for cybercriminals, and ransomware attacks are becoming widespread, more sophisticated, and more damaging. Therefore, organizations of all sizes are making ransomware protection a top priority of their cybersecurity program.

Ransomware protection is an organizational process that can help prevent ransomware incidents and reduce the impact of a ransomware attack if one occurs. Ransomware protection and ransomware readiness allow organizations to proactively prepare for the ransomware threat instead of being caught off guard. This can prevent the business disruption, reputational damage, compliance risk and legal liability that result from a successful ransomware attack.

Ransomware Types

There are two primary types of ransomware:

  • Locker ransomware blocks the user’s device, allowing the user to interact only with a ransom notice that explains what they must do to unlock it. Generally, this type of ransomware does not destroy data, and so is less dangerous.
  • Crypto ransomware encrypts critical data and demands a ransom to unlock it. This type of ransomware often adds a deadline after which the user’s data will be destroyed if the ransom is not paid. In many cases, the data is not unlocked even if the ransom is paid.

The Challenge of Ransomware Detection

Ransomware attacks are difficult to detect, and must be detected in real time to prevent damage. Cybercriminals use social engineering techniques or security vulnerabilities to deploy ransomware. Ransomware uses strong encryption algorithms to encrypt sensitive data. When a computer or other endpoint is infected, ransomware spreads throughout the network and runs so quickly that a manual response is impossible. In most cases, the target organization only discovers the infection after ransomware has encrypted data and is demanding payment.

In order to effectively detect ransomware, an organization must have automated tools capable of identifying the ransomware malware itself, and detecting unusual encryption activity as soon as it occurs anywhere on the network.

Ransomware Detection Techniques

Detection By Signature

Signature-based detection is a simple, commonly used method of detecting malware. This is the primary method used by traditional antivirus. A malware signature includes details like:

  • File hashes
  • Domain names and IP addresses a process communicates with
  • Recognizable traffic or attack patterns

Signature-based detection engines maintain a frequently updated database of malware signatures. When scanning a file system, the engine compares each file against the known signatures and, if there is a match, flags the file as malware.

This type of detection is becoming less effective against many types of threats, ransomware included. Malware is becoming evasive, with each ransomware campaign using slightly different files and command-and-control servers to throw off signature-based detection. Signature-based detection is also useless against zero-day ransomware, as well as fileless attacks that run exclusively in system memory.

Detection By Behavior

Behavioral detection is a more sophisticated approach to detecting ransomware. It aims to identify activities on a device that look like ransomware, even if they do not meet a known malware signature.

Behavioral detection of ransomware is comparatively straightforward, because ransomware behaves very differently from ordinary processes running on a computer system. In particular, at the encryption stage, ransomware opens a large number of files in rapid succession, reads them, encrypts them (a computationally intensive step), and overwrites them in place with the encrypted versions. By monitoring file access patterns and encryption activity on a device, an anti-ransomware tool can identify an attack in progress and block it.
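The read-encrypt-overwrite loop described above is the signal a behavioral detector keys on. The following is an added illustration, not code from NetApp or from any product the page describes: it consumes a constructed stream of file events (the event format, process names, thresholds and sample data are all assumptions made for the example), counts how many files a single process has overwritten in place with high-entropy content inside a sliding time window, and raises one alert per offending process. A legitimate archiver that reads many files but writes one compressed file to a new path, and a document editor that rewrites a file with plain text, are included to show why both conditions (in-place overwrite of a file the process read, and near-random content) are required.

```python
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileEvent:
    """One file-system event as a monitoring agent might report it (assumed format)."""
    ts: float      # seconds since monitoring started
    pid: int
    proc: str
    op: str        # "read" or "write"
    path: str
    data: bytes    # content written (empty for reads)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext or compressed data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class RansomwareBehaviorDetector:
    """Flags a process that reads files and overwrites them in place with
    high-entropy content at a high rate: the read-encrypt-overwrite loop."""

    def __init__(self, window_s: float = 5.0, min_files: int = 20, min_entropy: float = 7.0):
        self.window_s = window_s          # sliding window length (assumed threshold)
        self.min_files = min_files        # overwrites within the window that trigger an alert
        self.min_entropy = min_entropy    # bits/byte above which content looks encrypted
        self.read_paths = defaultdict(set)    # pid -> paths the process has read
        self.overwrites = defaultdict(deque)  # pid -> timestamps of suspicious overwrites
        self.flagged = set()                  # pids already alerted on

    def observe(self, ev: FileEvent) -> Optional[dict]:
        if ev.op == "read":
            self.read_paths[ev.pid].add(ev.path)
            return None
        if ev.op != "write" or ev.pid in self.flagged:
            return None
        # Only in-place overwrites of files the same process read count; a new
        # archive written elsewhere is high-entropy but not destructive.
        if ev.path not in self.read_paths[ev.pid]:
            return None
        if shannon_entropy(ev.data) < self.min_entropy:
            return None
        q = self.overwrites[ev.pid]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= self.min_files:
            self.flagged.add(ev.pid)
            return {"pid": ev.pid, "proc": ev.proc, "files": len(q), "ts": ev.ts}
        return None


def run_detector(events: list) -> list:
    """Feed events in time order and collect the alerts raised."""
    det = RansomwareBehaviorDetector()
    return [a for a in map(det.observe, sorted(events, key=lambda e: e.ts)) if a]


def build_sample_events() -> list:
    """Constructed sample: one editor, one archiver and one encrypting process."""
    rng = random.Random(7)
    high_entropy = bytes(rng.getrandbits(8) for _ in range(2048))   # stands in for ciphertext
    plain = b"Quarterly revenue figures and commentary for the board.\n" * 40
    events = []
    # Benign: document editor reads one file and rewrites it with plain text.
    events.append(FileEvent(1.0, 1001, "editor", "read", "/data/report.docx", b""))
    events.append(FileEvent(1.5, 1001, "editor", "write", "/data/report.docx", plain))
    # Benign: archiver reads many files, writes one compressed file to a NEW path.
    for i in range(30):
        events.append(FileEvent(2.0 + i * 0.01, 1002, "archiver", "read", f"/data/doc{i}.txt", b""))
    events.append(FileEvent(2.5, 1002, "archiver", "write", "/backup/docs.zip", high_entropy))
    # Malicious (constructed): reads each file and overwrites it in place within ~2 s.
    for i in range(25):
        t = 10.0 + i * 0.08
        events.append(FileEvent(t, 4242, "updater.exe", "read", f"/data/doc{i}.txt", b""))
        events.append(FileEvent(t + 0.01, 4242, "updater.exe", "write", f"/data/doc{i}.txt", high_entropy))
    return events


if __name__ == "__main__":
    for alert in run_detector(build_sample_events()):
        print(f"ALERT pid={alert['pid']} proc={alert['proc']} "
              f"overwrote {alert['files']} files by t={alert['ts']:.2f}s")
```

A real agent would source events from a kernel file-system hook or audit log rather than a list, and would respond to the alert by suspending the process and snapshotting the volume; the thresholds here are placeholders that need tuning per workload, since backup agents and disk-encryption tools can produce similar patterns.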

Detection By Abnormal Traffic

Abnormal traffic detection can complement behavioral analysis by identifying unusual network traffic that can indicate ransomware.

Early ransomware strains did not make much use of the network. However, modern ransomware uses a double-extortion model, in which the ransomware first exfiltrates data from the target device, and only then encrypts it. Monitoring network traffic can reveal anomalous traffic that indicates ransomware is transmitting sensitive data outside the organization.

Even if traffic is concealed using benign protocols, for example DNS tunneling, the volume of data transferred can provide a clue that something unusual is taking place. This makes it possible to detect the activity and trace it back to ransomware deployed on the device.
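The volume clue mentioned above can be turned into a concrete check over DNS query logs. What follows is an added example, not NetApp code or any product's detection logic: it parses a constructed log format (timestamp, client IP, query name, query type; all sample values are made up, including the domain names), aggregates per client and registered domain the number of queries, the bytes carried in the labels to the left of the registered domain, and the fraction of unique label prefixes, and reports pairs where a large volume of mostly unique prefixes has been sent. The two-label "registered domain" rule and the thresholds are simplifications assumed for the example.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DomainStats:
    queries: int = 0
    payload_bytes: int = 0                      # bytes in labels left of the registered domain
    prefixes: set = field(default_factory=set)  # distinct label prefixes seen


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Production code should consult the Public Suffix List.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    # Assumed log format: "<timestamp> <client_ip> <qname> <qtype>"
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype


def analyze_dns_log(lines, min_payload_bytes: int = 4096, min_unique_ratio: float = 0.9) -> list:
    """Return (client, domain) pairs whose query names carry an unusual volume of unique data."""
    stats = defaultdict(DomainStats)
    for line in lines:
        _, client, qname, _ = parse_line(line)
        dom = registered_domain(qname)
        prefix = qname[: -len(dom)].rstrip(".") if qname != dom else ""
        s = stats[(client, dom)]
        s.queries += 1
        s.payload_bytes += len(prefix)
        s.prefixes.add(prefix)
    findings = []
    for (client, dom), s in stats.items():
        unique_ratio = len(s.prefixes) / s.queries
        # Ordinary lookups repeat the same few names; encoded data does not.
        if s.payload_bytes >= min_payload_bytes and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": dom,
                "queries": s.queries,
                "payload_bytes": s.payload_bytes,
                "unique_ratio": unique_ratio,
                "avg_prefix_len": s.payload_bytes / s.queries,
            })
    return findings


def build_sample_log() -> list:
    """Constructed log: ordinary lookups, a few unique internal hostnames, and one noisy domain."""
    lines, t = [], 0

    def stamp() -> str:
        nonlocal t
        t += 1
        return f"2024-05-01T10:{t // 60:02d}:{t % 60:02d}Z"

    for _ in range(40):                        # repeated lookups of one public site
        lines.append(f"{stamp()} 10.0.0.5 www.example.com A")
    for i in range(5):                         # unique names but tiny volume: not flagged
        lines.append(f"{stamp()} 10.0.0.9 host-{i:04d}.internal.corp A")
    for i in range(150):                       # long, never-repeating labels under one domain
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:50]
        lines.append(f"{stamp()} 10.0.0.23 {label}.tunnel.example TXT")
    return lines


if __name__ == "__main__":
    for f in analyze_dns_log(build_sample_log()):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['payload_bytes']} bytes, unique ratio {f['unique_ratio']:.2f}")
```

In practice the aggregation would run over a rolling window on resolver logs, and a finding would be correlated with the file-activity alerts from the endpoint before isolating the host, since some CDNs and telemetry services also generate unique-looking names at lower volume.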

Ransomware Recovery Best Practices

Here are a few best practices you can use to successfully recover from a ransomware attack.

Perform Frequent Backups of Critical Data

Most ransomware attacks are designed to prevent victims from accessing sensitive information until the ransom is paid. Backups can reduce this risk. If ransomware encrypts your data, restoring from a backup can quickly bring back access without paying the ransom.

However, if ransomware reaches your backups and encrypts them as well, they will be ineffective. Store your backups in a location that is not accessible from the network—either detach them from the network, store them off site or copy them to an external device.

It is important to realize that when you restore from backup, you could still face the same vulnerabilities the attacker originally exploited. Ensure that you identify and fix the root cause of the incident to prevent the attack from recurring.

Decrypt Data

In some cases, you may be able to decrypt data encrypted by ransomware. Decryption keys are available for many common ransomware types. If possible, decrypt existing data to avoid data loss, without having to pay the ransom. Decryption must be performed in a secure environment—if ransomware cannot be disabled, data must be moved to an isolated location and decrypted there.

Prioritize Recovery

As you recover systems from a ransomware attack, plan the recovery according to business priorities. You should have a prioritized list of applications according to importance to specific lines of business. Ensure that basic infrastructure services like DNS, DHCP, and authentication are the first to be recovered, otherwise other systems you recover may not function properly.
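The ordering rule above (infrastructure first, then applications by business priority, never a system before the services it depends on) can be encoded as a small planner. This is an added example, not a NetApp tool: the service names, dependencies and priority numbers are constructed for illustration. It performs a topological sort of the dependency graph, breaking ties between ready services by the business priority you assign, and refuses to produce a plan if the dependencies form a cycle or reference an unknown service.

```python
from __future__ import annotations

import heapq
from dataclasses import dataclass, field


@dataclass
class Service:
    priority: int                               # 0 = core infrastructure; higher = less urgent
    deps: list = field(default_factory=list)    # services that must be up before this one


def recovery_order(services: dict) -> list:
    """Kahn's algorithm with a priority heap: every service appears after its
    dependencies, and among ready services the lowest priority number goes first."""
    indegree = {name: 0 for name in services}
    dependents = {name: [] for name in services}
    for name, svc in services.items():
        for dep in svc.deps:
            if dep not in services:
                raise ValueError(f"{name} depends on unknown service {dep!r}")
            indegree[name] += 1
            dependents[dep].append(name)
    ready = [(services[n].priority, n) for n in services if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (services[child].priority, child))
    if len(order) != len(services):
        stuck = sorted(n for n in services if n not in order)
        raise ValueError(f"dependency cycle among: {stuck}")
    return order


def sample_services() -> dict:
    """Constructed estate: core infrastructure, an ERP line of business, and lower-priority apps."""
    return {
        "dns": Service(priority=0),
        "dhcp": Service(priority=0),
        "auth": Service(priority=0, deps=["dns"]),
        "erp-db": Service(priority=1, deps=["dns", "auth"]),
        "erp-app": Service(priority=1, deps=["erp-db", "auth"]),
        "file-server": Service(priority=2, deps=["auth", "dhcp"]),
        "intranet": Service(priority=3, deps=["auth"]),
    }


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(sample_services()), start=1):
        print(f"{step}. restore {name}")
```

The priority values would normally come from the business impact analysis that produced the prioritized application list, and the dependency edges from a CMDB or service catalogue; keeping the planner strict about cycles and unknown names catches runbook errors before an incident rather than during one.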

Use Automation for Large Scale Recovery

Automated ransomware recovery tools, whether provided by vendors or developed in-house, can significantly speed up recovery time. Consider automation for large-scale recovery scenarios such as:

  • Recover network attached storage (NAS) systems with dozens or hundreds of shares
  • Restore complete virtual environments with hundreds or thousands of virtual machines (VMs)
  • Recover a database server with multiple databases, or a database cluster
  • Restore a set of files from multiple servers at or near the same point in time

Educate Employees

A common attack vector for ransomware is social engineering. Employees can easily fall for a phishing attack and be tricked into clicking a malicious URL, opening a malicious attachment, or downloading and executing malware.

Security awareness training can give employees practical advice on how to avoid social engineering, and can also explain the impact to the organization if an attack occurs. Training should not be one-off—provide regular, brief awareness sessions to ensure employees internalize the message, and to provide updated instructions.

Security awareness should focus on topics like use of strong passwords, protection of credentials and avoiding password sharing, always verifying email senders and web domains, learning the signs of phishing messages, and never clicking a link or downloading an attachment from a suspicious or unknown sender.

In addition, create a ransomware incident response plan that specifies how the organization will respond to and recover from a ransomware attack, and ensure all employees understand their role in the plan.

Don't Depend Solely on Backups

Backups were once thought to be a complete solution to ransomware. This is no longer the case, because modern ransomware uses double extortion techniques, transferring the data to the attacker before encrypting it. This means that even if you successfully restore the encrypted data from backup, your organization is still at risk because the attacker could publish or make other illicit use of your data.

Backups are still an important defensive mechanism, but should be one of multiple defense layers. Use a defense-in-depth model to ensure that ransomware attackers face several obstacles as they approach your organization, and at least one of these can stop the attack.

How To Protect Backups from Ransomware

Although backups are not sufficient to protect against ransomware, they are a critical part of any defensive program. Follow these best practices to protect your backups against ransomware:

  • Ensure you have an offline backup—ransomware can encrypt anything that is connected to the infected system. If there is a network path from an infected device to a backup server, ransomware might be able to access and encrypt the backup server. This means it is critical to keep an offline backup of your files, in a location that is disconnected from the corporate network.
  • Use immutable storage—modern storage devices offer Write-Once-Read-Many (WORM) capabilities. This makes it possible to store data as immutable objects in a storage bucket, locking it to prevent any modification. This ensures backup files stay unchanged, and prevents files encrypted by ransomware from being backed up automatically, overwriting the original data.
  • Deploy endpoint protection—modern endpoint protection solutions have built-in ransomware protection, including behavioral analysis that can identify ransomware-like processes and stop them in real time. They can also automatically isolate infected devices from the network to prevent ransomware from spreading. Deploying endpoint protection on all endpoints, and especially on backup servers, can be highly effective against ransomware.

NetApp Ransomware Protection Solution

NetApp Ransomware Protection is a comprehensive set of data-centric capabilities that allows you to protect your data estate with a Zero Trust approach from the inside out. It enables you to map and classify your data, detect abnormal user activity, manage access, and avoid costly downtime using rapid backup and restore. IT teams can apply these advanced defense mechanisms to strengthen cyber resiliency and make sure the most critical data stays protected.


Learn More About Ransomware Protection

There’s a lot more to learn about Ransomware Protection. To continue your research, take a look at the rest of our blogs on this topic:

Ransomware Detection: Techniques and Best Practices

Ransomware detection techniques help anti-ransomware solutions to identify ransomware infections. Learn about common ransomware detection techniques, what are the early warning signs of a ransomware program, and how to protect your organization.

Read more: Ransomware Detection: Techniques and Best Practices

NetApp Ransomware Protection: A Complete Set of Data-Focused Protective Capabilities

It’s essential to protect against ransomware, but not all solutions offer a well-rounded set of capabilities that are right for your needs. NetApp Ransomware Protection offers a complete solution that helps you with a number of tasks meant to secure your data, such as detecting abnormal user activity and managing access, classifying your data, and preventing downtime with rapid backup and restore. How does it work? Find out more in this blog.

Read more in NetApp Ransomware Protection: A Complete Set of Data-Focused Protective Capabilities

Cyberstorage: Data-Oriented Security Designed for Ransomware Protection

Cyberstorage is a data-centric approach to using the zero trust security model in storage systems. It provides more effective protection against ransomware attacks by giving IT teams more control over data. Read more about its benefits and applications in this blog.

Read more in Cyberstorage: Data-Oriented Security Designed for Ransomware Protection

5 Common Types of Ransomware Attack: Top Security Tips for IT Teams

Ransomware is usually financially motivated and comes in different forms, all of which have characteristics in common. Generally, they’ll all provide a threat to your IT system and also demand payment by displaying a message. Find out more about the most common types of ransomware attacks and get tips on how to prevent them in this blog.

Read more in 5 Common Types of Ransomware Attack: Top Security Tips for IT Teams

Organization Security: Who’s Responsible for Keeping IT Safe?

As organizations grow and threats become harder to predict, it’s becoming more difficult to determine where the responsibility for organization security standards lies. In truth, everyone is responsible for organization security. How can organizations delegate responsibility and ensure everyone is aligned with security goals? Find out in this blog post.

Read more in Organization Security: Who’s Responsible for Keeping IT Safe?

Data Security Capabilities Every IT Leader Needs To Know

An organization’s data security dictates how it protects its digital information throughout its entire lifecycle. There are various data security techniques an organization can put in place in order to accomplish this. In this blog, learn more about the different types of data security and how data is managed and monitored.

Read more in Data Security Capabilities Every IT Leader Needs To Know

Semion Mazor, Product Marketing Manager