Recovering from CryptoLocker, CryptoWall and other Ransomware attacks with DataGravity Data-Aware Protection

As I referenced in a previous post, I have the opportunity to meet with many people in the course of a normal workday, from many different companies across many different industries. Over the last several months, one trend I have been seeing in these conversations is the amount of pain that ransomware is causing. It is very common, extremely disruptive to businesses of all sizes, and can be quite costly to recover from.

Ransomware – CryptoLocker and CryptoWall

There are many variants of this type of ransomware, but two of the most common are CryptoLocker and CryptoWall. When activated, this malware encrypts all of the data it has access to on your computer, including network files and directories. Once encrypted, the only way to get your data back, if you don't have good recovery options, is to pay a ransom to obtain the key needed to decrypt the files. If you do not pay, usually within a set period of time, your files are not recoverable and are therefore lost. These types of ransomware are distributed through a variety of tactics, including spam emails with malicious links or attachments, installation by other malware already on the system, and downloads from suspicious websites.

Impacting Productivity of IT Teams and Organizations

The impact of ransomware on IT organizations is significant. Identifying and recovering files that have been encrypted can require a significant investment of time and effort, as well as lost productivity for both IT staff and those affected by the virus. This often requires quarantining the infected laptop or desktop from the company network, coordinating with the infected user to determine which files have been encrypted, pulling backups from disk archives or tape, and confirming that the proper files have been restored. Oftentimes, because of the required manpower and effort, the situation is resolved by simply paying the ransom to restore the affected files, despite the natural reluctance to do so.

Attached network shares can be particularly problematic, as ransomware will often not only encrypt files owned by the laptop user, but also attack any and all files to which the user has read/write access, escalating the attack to all attached share drives and extending the impact from one individual user to the organization overall. Shared drives are often distributed across many of the organization's servers, which can further complicate recovery from ransomware. By consolidating networked file services within the organization onto a centralized data-aware storage platform, the challenges and impacts of ransomware attacks can be mitigated.

DataGravity Discovery Series – Search, Identify, and Restore

The DataGravity Discovery Series offers unique capabilities that are particularly useful in recovering from ransomware attacks. These capabilities extend not only to files and directories stored on DataGravity network shares, but also to data within virtual machines stored on the DataGravity system. Capabilities include keyword and faceted search, activity tracking and filtering, and instant file- and directory-level restores.

Keyword and Faceted Search

It is common for ransomware to create files within an affected system that outline instructions for paying the ransom, explain what happened to your data, and sometimes list all of the files that have been encrypted. These files typically have the word 'decrypt' in their name or within the body of the file itself. Common names for these files in the case of CryptoWall are DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.URL, and DECRYPT_INSTRUCTION.HTML. These files are placed in each folder in which files were encrypted, and also on the Windows desktop.

DataGravity Search allows an affected user, or an IT administrator with access to their network share, to quickly identify all of the places in which these files exist. Because the DataGravity Discovery Series Search can match a keyword either in a file name or within the contents of a file, an appropriate search term for finding this information is DECRYPT.

Search for all Files with the keyword ‘Decrypt’ either in the file name or within the content of the file

Once the files are found and the scope of the impact identified, the preview capability of the Discovery Series can be used to confirm that the file is in fact a ransom note left by the malware.

Preview the Ransom instructions placed on the share by malware

By looking at the properties and activity timeline of the INSTRUCTION file itself, DataGravity can identify the time, operation, and user who created the file. By identifying the user who created and owns these instructional breadcrumb files, we have identified the infected user. In addition, this activity timeline can be used to determine all of the places on the network share, or within the virtual machine, where files were updated by this particular user over a period of time, without the need to perform an intensive scan of all subdirectories and files.

Identify the Owner of the File and the Location that was infected, and the time of the infection

Activity timeline of the file, showing the user who was infected, the time of infection, and the directory of infected files.

Activity Tracking/Identification

Utilizing the information obtained with the Search functionality of DataGravity, we can identify all of the files and folders that were impacted by using the Activity Timeline on the share or virtual machine. By drilling into this timeline and filtering on the date and user, we now have an export of all of the files that need to be recovered. In many cases, as part of the encryption process, the malware will first make a copy of each file, encrypt the copy, and then delete the original. This is the process that CryptoWall uses, and therefore we can make use of either the 'Deleted' items view in DataGravity, or filter on the delete operation by user.
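The three steps just described (search for the DECRYPT note, identify the user who created it, then filter the timeline by that user, the delete operation and a time window) as an added example, not DataGravity's own code or export format: it runs over a small constructed activity log whose CSV layout, account names, paths and '.locked' suffix are all assumptions.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of a share's activity timeline (time, user, operation, path).
# The CSV layout and the ".locked" suffix are assumptions for this example,
# not DataGravity's export format or a real ransomware extension.
ACTIVITY_LOG = """\
time,user,operation,path
2015-06-01T09:00:12,alice,create,/finance/Q2/budget.xlsx
2015-06-01T10:14:03,bob,create,/finance/Q2/DECRYPT_INSTRUCTION.TXT
2015-06-01T10:14:04,bob,create,/finance/Q2/budget.xlsx.locked
2015-06-01T10:14:05,bob,delete,/finance/Q2/budget.xlsx
2015-06-01T10:14:09,bob,create,/hr/DECRYPT_INSTRUCTION.HTML
2015-06-01T10:14:10,bob,create,/hr/policy.docx.locked
2015-06-01T10:14:11,bob,delete,/hr/policy.docx
2015-06-01T11:30:00,alice,delete,/finance/old_notes.txt
2015-06-02T12:00:00,bob,delete,/hr/draft.docx
"""

def parse_log(text):
    """Parse the CSV timeline; 'time' becomes a datetime."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def find_ransom_notes(rows, keyword="decrypt"):
    """Search step: files created with the keyword in their name."""
    return [r for r in rows if r["operation"] == "create"
            and keyword in r["path"].rsplit("/", 1)[-1].lower()]

def identify_infected_user(notes):
    """The account that wrote the notes, and when the first one appeared."""
    user = Counter(n["user"] for n in notes).most_common(1)[0][0]
    first = min(n["time"] for n in notes if n["user"] == user)
    return user, first

def restore_list(rows, user, start, window=timedelta(hours=1)):
    """Timeline filter: originals deleted by the infected user inside the
    window after the first note. These are the paths to restore from a
    pre-infection DiscoveryPoint; other users' deletes are left alone."""
    end = start + window
    return sorted(r["path"] for r in rows
                  if r["user"] == user and r["operation"] == "delete"
                  and start <= r["time"] <= end)
```

The one-hour window is a tunable assumption; in practice it is bounded by the time of the first note and the time the infected machine was quarantined.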

Filtering and Exporting all Directories & Files infected by ransomware by User, Operation, & Date.

File & Directory Level Restores

To restore encrypted files to a non-encrypted state, the Discovery Series relies on a unique data protection and recovery capability called DiscoveryPoints. DiscoveryPoints are catalogued, space-optimized versions of all of your files and VMs, located on a fault-isolated set of disks contained within the array. This is important for a number of reasons: it prevents your DiscoveryPoints from being susceptible to encryption or infection (from ransomware or any other virus), it provides a simple, quick restore path for all of your directories and files, and restoration of files can be performed by the file owner, i.e., the end user, or by their IT administrator.

Restore of all files without having to pay the ransom to decrypt them.

Summary:

As with any type of virus or malware, the best solution is prevention. It is imperative that everyone within the organization abide by safe computing practices by only opening and reading information from trusted sources and web pages, and, equally important, that IT organizations consistently deploy and run up-to-date versions of anti-virus software.

Unfortunately, despite these best practices, with the number of ransomware variants that have surfaced and the different attack tactics being used, infection is on the rise within organizations. By leveraging the search, activity identification, and recovery capabilities of the DataGravity Discovery Series data-aware storage platform, IT administrators and their business users have practical options other than paying the ransom.