
Christopher Rogers at Zerto, a Hewlett Packard Enterprise company, explains the importance of rethinking data security with business resilience in mind
Ransomware attacks happen fast, with the average data set being impacted and encrypted within an hour. However, despite the speed at which cyber-criminals work, Mandiant Inc., a Google Cloud firm, found it takes organisations an average of seven days to detect ransomware – at which point the damage has already been done.
This detection disconnect means that organisations are constantly one step behind hackers. And this subsequently puts them on the back foot when it comes to rebuilding their critical applications from backups (assuming that these backups themselves were not compromised during the attack).
To limit this downtime and expedite a rapid recovery, enterprises will need solutions that can detect encryption as it happens. In doing so, they can recover in seconds with the best-in-class recovery time objectives (RTO) and recovery point objectives (RPO) possible.
Capable of crippling an organisation’s operations for hours, days or longer, ransomware attacks are proliferating at an industrial scale and evolving quickly thanks to the rise of ransomware-as-a-service (RaaS) platforms.
According to Statista, in 2023 over 72 percent of businesses were affected by ransomware. Of greater concern is the potential downtime following a ransomware incident: the average time to get back up and running was 22 days and, for some organisations, full recovery takes months to achieve.
In the current climate, these recovery timeframes simply aren’t acceptable for organisations that need to maintain operational integrity in line with mandated regulatory requirements. Adding to this, the rapidly changing nature of the threat landscape means that no operating system or hypervisor is safe. Last year, Cheerscrypt and Black Basta targeted virtual machines, with the latter specifically targeting Linux hosts.
Traditionally, organisations have utilised advanced detection tools on a secondary copy of data taken directly from their production environment. However, this approach introduces considerable detection delays and makes it challenging to identify the exact point at which an attack attempted to modify critical system files.
These backup copies may only be taken once or twice a day after which it can take hours to scan the volumes of data involved. Meanwhile, during these backup and scanning windows, the malicious code will already be spreading. Once detected, IT teams will undergo the resource-intensive task of pinpointing an acceptable RPO/RTO from which to sanitise and restore the environment. All of which adds up to an extended recovery window that can run into days or weeks.
As a consequence, organisations need to be able to pinpoint and stop would-be ransomware at the earliest stages of encryption, which means undertaking encryption detection in real time.
Rather than deploying detection capabilities on periodic backups that are taken hours apart, organisations that undertake real-time and continuous detection at the point at which data is written will be able to identify an attack immediately and alert incident response teams. This means that mitigation and recovery can begin much sooner.
Today’s agentless real-time ransomware detection solutions are able to automatically identify encryption activities that pass a specific behavioural threshold, providing organisations with the fastest possible ransomware warning. In addition to detecting unusual encryption behaviours in real time as writes stream in, these solutions can also provide granular reports on every activity, down to the number of blocks encrypted.
This enables teams to use tagged recovery checkpoints to identify and verify when an attack likely began so that affected data can be immediately restored to its clean state from seconds prior to the attack.
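To make the mechanism concrete, here is an added illustration (not Zerto's or HPE's code, and not from the original article) of the approach described above: each write is scored as it streams in, a sustained run of ciphertext-like writes raises an alert that records the first suspect write and the number of blocks flagged, and the latest recovery checkpoint taken before that write is reported as the clean restore point. The entropy threshold, window size, alert ratio and the constructed write stream are all assumptions chosen for the demo.

```python
import math
import random
from collections import Counter, deque
from dataclasses import dataclass
from typing import Optional

ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext (and compressed data) sit close to 8.0
WINDOW = 20              # recent writes examined per decision
ALERT_RATIO = 0.6        # share of high-entropy writes in the window that raises an alert


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte of the block; random-looking data approaches 8.0."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


@dataclass
class Alert:
    first_suspect_seq: int           # first high-entropy write in the triggering window
    encrypted_blocks: int            # blocks flagged when the alert fired
    clean_checkpoint: Optional[int]  # latest checkpoint that precedes first_suspect_seq


class WriteMonitor:
    """Scores writes as they stream in. One high-entropy write (a zip file, say) is
    not an alert; a sustained run of them within the window is."""

    def __init__(self) -> None:
        self.window: deque = deque(maxlen=WINDOW)  # (seq, is_high_entropy)
        self.encrypted_blocks = 0
        self.checkpoints: list[int] = []  # checkpoint N captures every write with seq < N
        self.alert: Optional[Alert] = None

    def checkpoint(self, seq: int) -> None:
        self.checkpoints.append(seq)

    def observe(self, seq: int, block: bytes) -> Optional[Alert]:
        high = shannon_entropy(block) > ENTROPY_THRESHOLD
        self.window.append((seq, high))
        self.encrypted_blocks += int(high)
        if self.alert is None and len(self.window) == WINDOW:
            hits = [s for s, h in self.window if h]
            if len(hits) >= ALERT_RATIO * WINDOW:
                clean = max((c for c in self.checkpoints if c <= hits[0]), default=None)
                self.alert = Alert(hits[0], self.encrypted_blocks, clean)
        return self.alert


def run_demo() -> WriteMonitor:
    """Constructed stream: 30 plaintext record writes, then 30 ciphertext-like writes."""
    rng, mon = random.Random(7), WriteMonitor()
    for seq in range(60):
        if seq % 10 == 0:
            mon.checkpoint(seq)  # assumed policy: tag a recovery checkpoint every 10 writes
        block = (b"INVOICE 2024 customer record " * 150)[:4096] if seq < 30 else rng.randbytes(4096)
        mon.observe(seq, block)
    return mon
```

In the demo the alert fires at the 12th ciphertext-like write, names write 30 as the first suspect and checkpoint 30 as the clean restore point, while the counter keeps tallying flagged blocks for the granular report.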
The benefits of this form of early warning system are significant. The ability to detect encryption sooner means organisations will be able to reduce the blast radius of a ransomware attack and minimise data loss. Meanwhile, the granular reporting these real-time monitoring and detection solutions generate enables organisations to get their data back into production – in minutes, not days.
According to the IDC State of Ransomware and Disaster Recovery Preparedness report, 61% of disaster recovery responses last year were triggered by ransomware. This makes ransomware the number one disaster threat causing downtime and data loss that is impacting organisations today.
With resilience and continuous availability now a top priority for business leaders everywhere, organisations that rely solely on periodic backup solutions are putting their operations – and reputations – at risk.
With real-time encryption detection in play, however, organisations will be able to identify and confront potential ransomware attacks in their early stages, significantly reducing their recovery windows as a result. Armed with these capabilities, they can avoid becoming victims of delayed ransomware detection and elevate their operational resilience.
Christopher Rogers is Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise company
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543