How Unitrends helps detect and recover from a ransomware attack - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>High data change rates can be a leading indicator of ransomware or other malicious activity. Unitrends software monitors for this proactively using predictive analytics and reports this information to users for action.</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <h1 data-id="ransomware-as-a-threat-continues-to-grow-a-few-of-the-more-alarming-facts">Ransomware as a threat continues to grow. A few of the more alarming facts:</h1> <ul><li> Almost 50% of businesses have been attacked with ransomware. [Source: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.malwarebytes.com%2Fsurveys%2Fransomware%2F%3FaliId%3D13242065" rel="noopener nofollow">Osterman Research</a>] </li> <li> There has been a 600% increase in ransomware variants since December 2015. [Source: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.proofpoint.com%2Fsites%2Fdefault%2Ffiles%2Fquarterly_threat_summary_apr-jun_2016.pdf" rel="noopener nofollow">Proofpoint</a>] </li> <li> More than 4000 ransomware attacks have occurred every day since the beginning of 2016. [Source: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.justice.gov%2Fcriminal-ccips%2Ffile%2F872771%2Fdownload" rel="noopener nofollow">Computer Crime and Intellectual Property Section (CCIPS)</a>] </li> <li> The number of phishing emails containing ransomware grew to 97.25% during Q3-2016, up from 92% in Q1-2016. 
[Source: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fphishme.com%2Fransomware-delivered-97-phishing-emails-end-q3-2016-supporting-booming-cybercrime-industry%2F" rel="noopener nofollow">PhishMe 2016 Q3 Malware Review</a>] </li> </ul><h1 data-id="how-ransomware-works"><u>How Ransomware Works:</u></h1> <p>Ransomware is computer <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FMalware" rel="noopener nofollow">malware</a> that installs covertly on a victim's device (e.g., computer, smartphone, wearable device) and that either mounts the cryptoviral extortion attack from <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCryptovirology" rel="noopener nofollow">cryptovirology</a> that holds the victim's data hostage, or mounts a cryptovirology leakware attack that threatens to publish the victim's data, until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, and <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FScareware" rel="noopener nofollow">display a message</a> requesting payment to unlock it. 
More advanced malware <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FEncryption" rel="noopener nofollow">encrypts</a> the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.<a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware%23cite_note-1" rel="noopener nofollow">[1]</a> The ransomware may also encrypt the computer's <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FMaster_File_Table" rel="noopener nofollow">Master File Table</a> (MFT)<a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware%23cite_note-schofield-2" rel="noopener nofollow">[2]</a><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware%23cite_note-3" rel="noopener nofollow">[3]</a> or the entire hard drive.<a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware%23cite_note-4" rel="noopener nofollow">[4]</a> Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files<a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware%23cite_note-5" rel="noopener nofollow">[5]</a> since it is <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FComputational_complexity_theory%23Intractability" rel="noopener nofollow">intractable</a> to decrypt the files without the decryption <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FKey_%28cryptography%29" rel="noopener nofollow">key</a>. 
Ransomware attacks are typically carried out using a <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FTrojan_horse_%28computing%29" rel="noopener nofollow">Trojan</a> that has a payload disguised as a legitimate file.</p> <h1 data-id="from-https-en-wikipedia-org-wiki-ransomware">From <<a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FRansomware" rel="noopener nofollow">https://en.wikipedia.org/wiki/Ransomware</a>> </h1> <h2 data-id="resolution"><strong>RESOLUTION</strong></h2> <h1 data-id="unitrends-response"><u>Unitrends response:</u></h1> <h2 data-id="unitrends-has-developed-a-unique-approach-to-counter-the-malware-threat">Unitrends has developed a unique approach to counter the malware threat: </h2> <ul><li> <strong>Predictive analytics based proactive detection</strong>: Unitrends appliances protect on-premises physical and virtual workloads and provide local and cloud-based continuity. As backups run on a Unitrends appliance, the predictive analytics engine analyzes the data stream and applies a probabilistic method to flag anomalies that match the behaviour a system would present if it were infected with ransomware. A notification is sent to IT administrators, alerting them to check the affected system(s) for malware. This proactive detection applies to both physical asset and virtual asset backups. 
The predictive analytics engine uses several heuristics to detect aberrant behaviour; the data change rate is one of those factors. </li> </ul><div>If the engine is judged too aggressive in its detection, its sensitivity can be reduced to minimize false positives: </div> <h2 data-id="new-html5-interface"><strong>New HTML5 Interface</strong></h2> <ul><li>Click <strong>CONFIGURE</strong> from the Main Menu on the left.</li> <li>In the <strong>Appliances</strong> tab, <em>select the appliance</em>.</li> <li>Click the <strong>Edit</strong> button above.</li> <li>Click the <strong>Advanced</strong> tab.</li> <li>At the bottom, click the <strong>General Configuration</strong> button.</li> <li>Navigate to the <strong>ProactiveDetection</strong> section and adjust <strong>threshold_percentage_compared_to_avg_change</strong> (default=500):</li> </ul><div><img src="https://us.v-cdn.net/6032361/uploads/migrated/CIU0XO555HBQ/eid-ka83r000000k9vc-feoid-00n40000003czoj-refid-0em3r000000ybdp." alt="User-added image" width="500" height="380" class="embedImage-img importedEmbed-img"></img></div> <pre class="code codeBlock" spellcheck="false" tabindex="0">last_time_window_hours=24
<strong>threshold_percentage_compared_to_avg_change=500</strong></pre> <p>The higher the number, the less sensitive the predictive analytics engine is to <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAnomaly_detection" rel="noopener nofollow">outlier patterns</a>.</p> <p>The system compares the average amount of unique data seen in the asset's earlier backups against the amount of unique data in the asset's most recent backup. The average is established only after a number of backups have accumulated, so that a baseline can be identified. An alert is generated when the most recent backup contains more than five times the average amount of unique data (assuming the default value of 500). To lessen the sensitivity, increase this value to 600 so that an alert is raised only when six times the average unique data is detected.</p> <p>If specific VMware or Hyper-V virtual machines or physical machines must be excluded from proactive detection, add a comma-separated list of the case-sensitive names of those assets to the respective fields in the [ProactiveDetection] section of master.ini, or via the UI steps listed above:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">[ProactiveDetection]
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
<strong>exclusion_list_of_vmware_vm_names=
exclusion_list_of_hyperv_vm_names=
exclusion_list_of_xen_vm_names=
exclusion_list_of_node_names=</strong></pre> <p>*When excluding protected assets by name, the name must be listed exactly as it appears in the ransomware alert. If the protected asset name has spaces, those spaces must be included in the name. For example, to exclude two VMware VMs named "File Server" and "SQL Server", use: "<strong>exclusion_list_of_vmware_vm_names=File Server,SQL Server</strong>". <strong>Note: Do not add additional spaces before or after the comma within the exclusion list.</strong></p> </article> </main>
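<p>The following is an added example, not Unitrends' own code: it models the change-rate rule and the exclusion-list parsing described above (threshold_percentage_compared_to_avg_change as a percentage of the earlier-backup average; comma-separated, case-sensitive names with spaces kept). The master.ini fragment and backup history are constructed, and the number of backups that form the baseline (BASELINE_BACKUPS) is an assumption, since the article does not state it.</p>

```python
"""Added example (not Unitrends' own code) modelling the change-rate check and
exclusion-list parsing described above. Assumption: BASELINE_BACKUPS backups
form the baseline before comparison starts; the article gives no real number."""
import configparser
from statistics import mean

# Constructed master.ini fragment; other sections of the real file are omitted.
MASTER_INI = """[ProactiveDetection]
last_time_window_hours=24
threshold_percentage_compared_to_avg_change=500
exclusion_list_of_vmware_vm_names=File Server,SQL Server
exclusion_list_of_hyperv_vm_names=
exclusion_list_of_xen_vm_names=
exclusion_list_of_node_names=
"""
EXCLUSION_KEYS = ("exclusion_list_of_vmware_vm_names", "exclusion_list_of_hyperv_vm_names",
                  "exclusion_list_of_xen_vm_names", "exclusion_list_of_node_names")
BASELINE_BACKUPS = 3  # assumption, see module docstring


def load_settings(ini_text):
    """Return (threshold_pct, excluded_names) parsed from master.ini-style text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["ProactiveDetection"]
    excluded = set()
    for key in EXCLUSION_KEYS:
        # Only the comma separates names; they are case-sensitive and keep their
        # spaces, so nothing is stripped ("File Server, SQL Server" would not match).
        excluded.update(name for name in sec.get(key, "").split(",") if name)
    return int(sec["threshold_percentage_compared_to_avg_change"]), excluded


def scan_backups(asset, unique_gb, threshold_pct, excluded):
    """Replay an asset's backups (unique data per backup, in GB) and return the
    indices that alert: unique data above threshold_pct/100 x the earlier average."""
    if asset in excluded:
        return []
    alerts = []
    for i in range(BASELINE_BACKUPS, len(unique_gb)):
        if unique_gb[i] > mean(unique_gb[:i]) * threshold_pct / 100:
            alerts.append(i)
    return alerts


if __name__ == "__main__":
    pct, excl = load_settings(MASTER_INI)
    history = [10.0, 12.0, 11.0, 13.0, 70.0, 12.0]  # constructed: encryption burst at index 4
    print(scan_backups("Mail Server", history, pct, excl))  # [4]
    print(scan_backups("File Server", history, pct, excl))  # [] (excluded by name)
```

Raising the threshold to 700 in the same history makes the burst at index 4 fall below 7x the average, which is the "less sensitive" effect the tuning step describes.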