In this article we discuss:
- Ransomware: what it is, and why it is so dangerous
- How to protect against ransomware
- How Acronis Active Protection can help
- A breakdown of a ransomware attack and defense
Ransomware: What It Is, and Why It Is So Dangerous
Ransomware is one of the most pervasive and costly forms of malware afflicting businesses and
consumers today. The term describes a broad family of hostile computer viruses that
infiltrate computer servers, PCs, laptops, tablets, smartphones, and other computerized
devices like ATMs and airline check-in kiosks. Rather than stealing valuable information
from the device, ransomware aims to deny users access to the files and data stored on it.
The simpler “blocker” form presents a screen that prevents users from accessing the
computer’s desktop. The more sophisticated and destructive “encryption” form of ransomware
goes much further: it encrypts (mathematically scrambles) the user’s files. Both types
present a screen instructing the user to pay an online ransom to an untraceable recipient,
for which the attacker promises to unlock the system.
Ransomware-wielding criminals rely on user fear and ignorance to extort payment,
increasing the pressure on victims to pay quickly with tactics like a running countdown
timer that specifies an approaching payment deadline of days or hours. If the user pays
up, the attacker will provide the mathematical key that can be used to unscramble the
files, or instructions on how to remove the blocker.
The volume and sophistication of ransomware attacks have risen steadily over the past few
years, making ransomware one of the most pervasive and expensive online criminal threats in
history. The US FBI estimated that ransomware gangsters extorted over $1B from victims in
2016, and that figure is expected to triple or even quintuple by the end of 2017. Many
users first became aware of the threat after the notorious WannaCry ransomware outbreak of
May 2017, which afflicted hundreds of thousands of systems, spreading to 150 countries in
a matter of a few hours.
As subsequent waves of attacks have demonstrated, the ransomware problem is only going to
get worse. Organized criminal gangs have mimicked the business and technology models of
the legitimate software-as-a-service industry, making it increasingly easy for low-skilled
operators to get into the business of distributing and profiting from ransomware. The
likelihood that you, your family, your business, or someone you know will become a victim
of ransomware grows by the day. Users need to educate themselves on the ransomware threat,
and learn how to take steps to defend themselves against it.
How Acronis Active Protection Stops Ransomware
One proven technology to protect against ransomware attacks is Acronis Active Protection, a built-in feature of two popular backup programs: Acronis Backup (for businesses) and Acronis True Image (for consumers). Acronis Active Protection constantly monitors the user’s system, looking for suspicious behaviors typical of ransomware, like an unfamiliar process suddenly trying to rename and encrypt a series of files. With the help of artificial intelligence and machine learning, Active Protection quickly identifies ransomware-like behaviors, halts the process that is attempting them, and notifies the user of the apparently malicious activity. Based on the user’s response (“That is a legitimate action – allow it” or “No, that activity is suspicious – block it”), Active Protection either lets the process resume execution, or halts the process and automatically repairs any files it has damaged by restoring them from a backup copy.
Pattern Recognition
Active Protection uses AI-based pattern recognition to identify suspicious behaviors
common to ransomware attacks. Machine learning further evolves that understanding of
attack behaviors over time, as criminals attempt new tactics to thwart user defenses. This
provides an important additional layer of protection on top of traditional anti-virus
products, which use known segments of code (“signatures”) in malware to identify threats.
The weakness of anti-virus programs is that they are incapable of recognizing brand-new
threats whose signatures aren’t yet widely known.
To describe this another way: anti-virus programs detect ransomware threats based on what
they look like. Active Protection detects ransomware threats based on their behavior,
which allows it to spot brand-new variants that haven’t yet been added to an anti-virus
program’s signature database.
Active Protection also maintains a whitelist of programs that the user has identified as
okay, preventing them from being unintentionally blocked when those programs are used to
perform operations that could be mistaken for ransomware activity, like legitimate
renaming or encryption of files. Ransomware attacks that have been detected and blocked
are automatically added to a blacklist, so subsequent attacks by the same version of
ransomware will be prevented from executing at all.
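A toy version of the behavior-based check described above, added here as an illustration; it is not Acronis code, and the entropy cutoff, burst size, time window, process names and sample data are assumptions. It flags a process that renames files and rewrites them as high-entropy (encrypted-looking) data several times in a short window, honors a list of user-approved programs, and remembers offenders.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

ENTROPY_MIN = 7.2   # bits/byte; ciphertext approaches 8.0 (assumed cutoff)
BURST = 3           # suspicious writes that trigger a block (assumed)
WINDOW = 10.0       # sliding window in seconds (assumed)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class BehaviorMonitor:
    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)    # programs the user approved
        self.blocklist = set()             # programs already caught
        self.hits = defaultdict(deque)     # process -> times of suspicious writes

    def observe(self, ts, process, renamed, before, after):
        """Return 'allow' or 'block' for one file-write event."""
        if process in self.blocklist:
            return "block"
        if process in self.allowlist:
            return "allow"
        # Suspicious: file renamed and content went from low to high entropy.
        if renamed and entropy(before) < ENTROPY_MIN <= entropy(after):
            q = self.hits[process]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop hits outside the window
                q.popleft()
            if len(q) >= BURST:
                self.blocklist.add(process)
                return "block"
        return "allow"

# Constructed sample data: a plain-text document and a ciphertext-like blob.
PLAIN = b"Quarterly report draft. " * 200
SCRAMBLED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

def run_demo():
    mon = BehaviorMonitor(allowlist={"archiver.exe"})
    events = [(t, "unknown.exe", True, PLAIN, SCRAMBLED) for t in range(4)]
    events += [(t, "archiver.exe", True, PLAIN, SCRAMBLED) for t in range(4, 8)]
    events.append((8, "editor.exe", False, PLAIN, PLAIN + b"new paragraph"))
    return [(p, mon.observe(t, p, r, b, a)) for t, p, r, b, a in events]

if __name__ == "__main__":
    for process, verdict in run_demo():
        print(process, verdict)
```

The unknown process is blocked on its third suspicious write and on every write after that, while the approved archiver performing the same operations is left alone; no signature of the offending program is consulted at any point.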
Quick Recovery of Lost Files
The quick detection and termination of a ransomware attack is important. The faster the
threat is shut down, the less time it has to destroy files by encrypting them. Restoring
any ransomware-encrypted files is a useful technique, but its effectiveness depends on how
frequently you perform backups. You might be able to restore a ransomware-encrypted file,
but only to the version you backed up a few days or a week ago.
Active Protection complements Acronis Backup and Acronis True Image by restoring damaged
files from one of several locations: in memory, on a local disk, on an external drive, a
drive on the user’s local network, a drive in a remote location, or in cloud data storage. In many
cases, a damaged file can be instantly restored from a local cache on the user’s
system.
This ability to not only detect and terminate attacks, but also to quickly recover any
damaged files, is unique to Active Protection. Many products sold as anti-ransomware can
stop attacks, but not help the user recover from any damage that occurred prior to attack
detection. Others can assist in post-attack recovery, but only of smaller files. Active
Protection detects and terminates ransomware attacks, then quickly and automatically
restores any damaged files regardless of their size.
Defense of Backup Files
Using backup files to recover from a ransomware attack is a useful and recommended defensive technique. Having learned of this tactic, many malware developers now create ransomware that looks for and attempts to encrypt the user’s backup files too. Acronis defeats this tactic by applying Active Protection defenses to backup files as well as other files. Backup files stored offsite (for example, in Acronis Cloud Storage) are further protected against attack in two ways: by in-transit and at-rest encryption, and by restricting access to cloud backup files to Acronis-authorized processes only.
Integration of Anti-Ransomware and Backup Functions
The inclusion of Acronis Active Protection in Acronis Backup and Acronis True Image provides a distinct advantage over separately deployed anti-malware and backup products. No combination of standalone products can deliver the kind of highly automated detection, termination and recovery from ransomware attacks that Acronis does with tightly integrated backup and anti-ransomware protection.
How to Protect Your Computer from Ransomware: A Demonstration of Acronis Active Protection
This demonstration shows the sequence of events in a typical ransomware attack, in which
an unwary user clicks on a link or opens an attachment in what looks like a legitimate
email from a familiar sender. In fact, it is a “phishing” email from an online
criminal, crafted to lull the user into trusting the email. Clicking the link or opening
the attachment does not yield the expected spreadsheet or amusing GIF, but instead infects
the user’s system with a ransomware virus. Some ransomware versions (like the notorious
WannaCry virus) include worm technology that helps them automatically spread to every
other system they can find on the user’s local Ethernet or Wi-Fi network.
In the above video clip, the user receives a legitimate-looking email that offers
tantalizing information on forthcoming episodes of a popular TV show. The intrigued user
downloads and opens the email attachment, which actually turns out to contain WannaCry
ransomware. The virus encrypts the user’s files, making them totally inaccessible, then
displays a ransom note with a countdown timer, demanding a $300 payment in the untraceable
online currency Bitcoin before the timer runs out. The user faces a choice: pay the
faceless criminal quickly, or lose access to their files forever. (Law enforcement
officials and security experts generally do not recommend paying the ransom: 20% of
victims who pay up never receive the promised key.)
The demonstration goes on to show what happens when the same user opens the same infected
attachment, but this time has Acronis Active Protection. Active Protection spots the
file-renaming and encryption activity as malicious and stops the process immediately. It
then automatically restores the files that were encrypted prior to its detection of the
attack. The clip goes on to explain how Active Protection’s allow/block decisions are able to
evolve over time via machine learning, and are further refined with whitelists and
blacklists.
An anti-virus program may be able to detect and block some ransomware attacks, but only
versions that are already well-known enough that the AV vendor has created a signature for
them, and then only if the user has recently updated their system’s AV signature database.
Malware criminals are constantly evolving their ransomware to elude signature-based
detection. This makes anti-virus useful to defend against known ransomware attacks, but no
help at all with brand-new ones.
A better solution is to restore the encrypted files from backup, but this means
potentially losing any new files that have been created and any work that has been done
since the last backup was completed, which can be hours’, days’, or weeks’ worth of
files.
The Active Protection included in Acronis Backup and Acronis True Image is a better
solution, combining the ability to detect and block ransomware attacks, including
previously unknown versions, with the ability to instantly restore any files damaged prior
to attack detection. Its ability to identify and stop ransomware based on its behavior,
not its signature, is a huge defensive advantage vs. anti-virus systems. Its integrated
ability to automatically recover damaged files from backup makes it a better solution than
pure anti-malware solutions. No other product combines ransomware defenses with backup in
a single, integrated, automated package.
The amount and value of the data stored on your systems will only increase over time. The
criminal industry that develops and distributes ransomware is hugely profitable already,
and will only increase the volume and sophistication of its attacks over time. There are
many basic steps to improve your chances of avoiding a ransomware attack:
- Use an anti-virus program and frequently refresh its signature database.
- Keep your operating system and applications up-to-date as well, so that when vendors discover vulnerabilities in their products, you get the software patches that close them. For example, WannaCry carved its worldwide path of destruction in part by exploiting a known weakness in Windows that many users hadn’t bothered to fix with a timely Windows Update.
- Be wary of phishing emails, and encourage your family, friends and colleagues to be cautious about clicking on links or opening attachments in emails from sources they don’t absolutely trust.
If you really want to gain the upper hand on ransomware bad guys, you need Acronis Backup or Acronis True Image with Active Protection, the only integrated solution for detecting, terminating, and automatically recovering from ransomware attacks.