How Unitrends helps detect and recover from a ransomware attack

SUMMARY

High data change rates can be a leading indicator of ransomware or other malicious activity. Unitrends software monitors for this proactively using predictive analytics and reports this information to users for action.

ISSUE

Ransomware as a threat continues to grow. A few of the more alarming facts:

How Ransomware Works:

Ransomware is computer malware that installs covertly on a victim's device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from cryptovirology that holds the victim's data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim's data, until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and display a message requesting payment to unlock it. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[1] The ransomware may also encrypt the computer's Master File Table (MFT)[2][3] or the entire hard drive.[4] Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files[5] since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.

From <https://en.wikipedia.org/wiki/Ransomware>

RESOLUTION

Unitrends response:

Unitrends has developed a unique approach to counter the malware threat:

  • Predictive analytics based proactive detection: Unitrends appliances protect on-premises physical and virtual workloads and provide local and cloud-based continuity. As backups run, the predictive analytics engine analyzes the data stream and uses a probabilistic method to identify anomalies that match the behavior a system presents when infected with ransomware. When an anomaly is found, a notification is sent to IT administrators alerting them to check the affected system(s) for malware. This proactive detection applies to both physical asset and virtual asset backups. The engine uses several heuristics to detect aberrant behavior; the data change rate is one of them.

If the engine proves too aggressive and produces false positives, its sensitivity can be reduced:

New HTML5 Interface

  • Click CONFIGURE from the Main Menu on the left.
  • In the Appliances tab, select the appliance.
  • Click the Edit button above.
  • Click on the Advanced tab.
  • At the bottom, click the General Configuration button.
  • Navigate to the [ProactiveDetection] section and adjust threshold_percentage_compared_to_avg_change (default 500):
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500

The higher the number, the less sensitive the predictive analytics engine is to outlier patterns.

The engine compares the average amount of unique data in the asset's backups against the amount of unique data in the asset's most recent backup. The average is established only after a number of backups have accumulated, so that a baseline exists. With the default value of 500, an alert is generated when the most recent backup contains five times the average amount of unique data. To reduce sensitivity, raise the value, for example to 600, so that an alert fires only when six times the average unique data is detected.

If specific VMware, Hyper-V or Xen virtual machines, or physical machines, must be excluded from proactive detection, add a comma-separated list of their case-sensitive names to the respective fields in the [ProactiveDetection] section of master.ini, or via the UI steps listed above:
[ProactiveDetection]
  last_time_window_hours=24
  threshold_percentage_compared_to_avg_change=500
  exclusion_list_of_vmware_vm_names=
  exclusion_list_of_hyperv_vm_names=
  exclusion_list_of_xen_vm_names=
  exclusion_list_of_node_names=
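The following is an added illustration of how the documented threshold and exclusion settings can be applied to a backup history; it is not Unitrends' own code and does not reproduce the appliance's probabilistic engine. It parses a constructed master.ini fragment with the keys shown above, compares each asset's newest backup against the average unique data of its earlier backups, and raises an alert when the ratio reaches threshold_percentage_compared_to_avg_change / 100. The time window is assumed to select which recent backups are evaluated, MIN_BASELINE_BACKUPS is an assumed minimum history before a baseline is trusted, and all asset names and byte counts are constructed sample data.

```python
"""Added illustration of the documented proactive-detection threshold; not Unitrends code."""
import configparser
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed master.ini fragment using the documented [ProactiveDetection] keys.
MASTER_INI = """\
[ProactiveDetection]
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
exclusion_list_of_vmware_vm_names=BuildBox01
exclusion_list_of_hyperv_vm_names=
exclusion_list_of_xen_vm_names=
exclusion_list_of_node_names=
"""

# Assumption: how many earlier backups are needed before a baseline is trusted.
MIN_BASELINE_BACKUPS = 3


@dataclass(frozen=True)
class Backup:
    asset: str          # case-sensitive VM or node name, as used in the exclusion lists
    platform: str       # "vmware", "hyperv", "xen" or "node" (physical machine)
    finished: datetime  # when the backup completed
    unique_bytes: int   # unique (new) data captured by this backup


def load_settings(ini_text: str) -> dict:
    """Parse the [ProactiveDetection] section into values the checker can use."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sect = cp["ProactiveDetection"]

    def names(key: str) -> set[str]:
        return {n.strip() for n in sect.get(key, "").split(",") if n.strip()}

    return {
        "window": timedelta(hours=sect.getint("last_time_window_hours")),
        # 500 -> 5.0: alert when the newest backup holds 5x the average unique data
        "ratio_threshold": sect.getint("threshold_percentage_compared_to_avg_change") / 100.0,
        "excluded": {
            "vmware": names("exclusion_list_of_vmware_vm_names"),
            "hyperv": names("exclusion_list_of_hyperv_vm_names"),
            "xen": names("exclusion_list_of_xen_vm_names"),
            "node": names("exclusion_list_of_node_names"),
        },
    }


def check_asset(history: list[Backup], settings: dict, now: datetime):
    """Compare the newest backup (if inside the time window) against the average
    unique data of all earlier backups. Returns an alert dict, or None."""
    history = sorted(history, key=lambda b: b.finished)
    latest = history[-1]
    if latest.asset in settings["excluded"].get(latest.platform, set()):
        return None                       # operator opted this asset out
    if latest.finished < now - settings["window"]:
        return None                       # nothing new to evaluate in the window
    baseline = history[:-1]
    if len(baseline) < MIN_BASELINE_BACKUPS:
        return None                       # not enough history for a baseline yet
    avg = sum(b.unique_bytes for b in baseline) / len(baseline)
    if avg == 0:
        return None                       # idle asset: the ratio would be undefined
    ratio = latest.unique_bytes / avg
    if ratio >= settings["ratio_threshold"]:
        return {"asset": latest.asset, "platform": latest.platform, "ratio": ratio,
                "avg_bytes": avg, "latest_bytes": latest.unique_bytes}
    return None


def run_detection(ini_text: str, backups: list[Backup], now: datetime) -> list[dict]:
    """Group backups by asset and return one alert per asset that trips the threshold."""
    settings = load_settings(ini_text)
    by_asset = defaultdict(list)
    for b in backups:
        by_asset[(b.asset, b.platform)].append(b)
    alerts = [a for hist in by_asset.values() if (a := check_asset(hist, settings, now))]
    return sorted(alerts, key=lambda a: a["ratio"], reverse=True)


NOW = datetime(2024, 3, 12, 6, 0)   # constructed "current time" after the nightly run
GB = 1_000_000_000


def sample_backups() -> list[Backup]:
    """Constructed history: six quiet nights, then one abnormal night."""
    out = []
    for day in range(6, 0, -1):
        t = NOW - timedelta(days=day)
        out += [Backup("fileserver01", "node", t, 2 * GB),
                Backup("BuildBox01", "vmware", t, 1 * GB),
                Backup("webvm02", "hyperv", t, 2 * GB)]
    recent = NOW - timedelta(hours=4)
    out += [Backup("fileserver01", "node", recent, 11 * GB),   # 5.5x average: alert
            Backup("BuildBox01", "vmware", recent, 20 * GB),   # excluded by name
            Backup("webvm02", "hyperv", recent, 4 * GB),       # 2x average: normal
            Backup("newdb01", "node", recent, 50 * GB)]        # no baseline yet
    return out


if __name__ == "__main__":
    for alert in run_detection(MASTER_INI, sample_backups(), NOW):
        print(f"ALERT {alert['asset']} ({alert['platform']}): "
              f"{alert['ratio']:.1f}x the average unique data; check for malware")
```

With the default of 500 only fileserver01 alerts (5.5x its average); raising the threshold to 600 silences that alert, and clearing the VMware exclusion list makes BuildBox01 (20x) alert as well, which is the trade-off the two settings above control.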
