Top Conversations in Ransomware

Posted 30 July 2017 3:46 PM by Gregg Ogden



Usually after a big incident, such as the 'WannaCry' ransomware attack, there’s a huge spike in awareness and a thirst for information about detection, prevention and recovery. But then the interest quickly subsides. Well, this time, we got hit with yet another global ransomware attack in the form of an old malware strain – Petya.

This latest event will certainly keep concern high within the industry, which is driving even more interest in data protection. In fact, for us at Commvault, not only did we have a tremendous response to our “How to Protect against Ransomware” webinar, but we continue to get questions from clients and those within the industry. Commvault has the ransomware answer.

In our webinar, I spoke with two data protection experts from Commvault about the real risk of ransomware. We went on to discuss common techniques for stopping and mitigating the damage caused by ransomware, and what Commvault can do to make sure this doesn’t happen to you.

In response to all the questions, I’ve put together a few of the most frequently asked questions and answers, so please enjoy!

Are there detection mechanisms within the Commvault software to alert admins of an attempted attack?

Yes, there are multiple mechanisms built into the Commvault software solution.

  1. Honeypot trap: Our software monitors files that we’ve specifically placed in the system and alerts you if any of them has changed. These files should never change, as they are there only to act as a honeypot for ransomware or malware detection.
  2. System monitoring: We also monitor file system activity and issue alerts using our system monitoring.
  3. In addition, we can precisely track the percentage change in data during backup; this is the most efficient way to alert the administrator when something (like malware) has changed a large amount of data.
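
An illustration of the honeypot and change-percentage checks listed above, as an added example that is not Commvault's code: it compares the file manifests of two backup runs. The decoy path, the 30% threshold and the sample files are constructed assumptions.

```python
import hashlib

# Hypothetical decoy file that no legitimate process should ever touch.
CANARIES = {"/data/.000_do_not_touch.docx"}

def manifest(files):
    """Map each path to the SHA-256 of its contents (one backup run)."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def compare(prev, curr, canaries, threshold_pct=30.0):
    """Compare two manifests; return (alerts, percent of prior files changed)."""
    alerts = []
    for p in sorted(canaries):
        if p not in curr:
            alerts.append(f"canary missing: {p}")
        elif prev.get(p) != curr[p]:
            alerts.append(f"canary modified: {p}")
    # A file counts as changed if it was modified or has disappeared
    # (ransomware often renames files); newly created files are ignored.
    tracked = [p for p in prev if p not in canaries]
    changed = [p for p in tracked if curr.get(p) != prev[p]]
    pct = 100.0 * len(changed) / len(tracked) if tracked else 0.0
    if pct >= threshold_pct:
        alerts.append(f"change rate {pct:.1f}% >= {threshold_pct:.1f}%")
    return alerts, pct

def sample_runs():
    """Constructed data: a baseline, a normal day, and a mass-rewrite day."""
    base = {f"/data/report_{i}.txt": f"quarter {i}".encode() for i in range(10)}
    base["/data/.000_do_not_touch.docx"] = b"decoy"
    normal = dict(base)
    normal["/data/report_0.txt"] = b"quarter 0 rev2"      # one routine edit
    hit = {p + ".locked": b"\x8f" * 16 for p in base}     # all renamed and rewritten
    return manifest(base), manifest(normal), manifest(hit)

if __name__ == "__main__":
    base, normal, hit = sample_runs()
    print(compare(base, normal, CANARIES))
    print(compare(base, hit, CANARIES))
```

The two signals are complementary: the decoy check fires on the first touched file, while the change-rate check catches bulk modification even when the decoy is skipped.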

How can we protect backup from ransomware? Also, can cloud backup be compromised by ransomware? How secure is cloud backup provided by a different vendor?

The Commvault Data Platform was specifically designed to ensure that only Commvault services have the security rights to write to or modify our disk targets. A ransomware attack would have to be focused on breaching Commvault specifically and then have to find a way to modify and encrypt any data under our control. These secure options are turned on automatically for new customers, or as an option to be enabled if you’ve upgraded. Our cloud integration (storing of the cloud encryption and customer keys) with our software also protects data stored in the cloud from ransomware attacks, which makes the use of cloud storage a secure offsite option. Because many vendors do not leverage the same levels of security that we provide, both in how data is written/read and accessible, this can leave their backup data vulnerable to attacks both on-premises and in the cloud.

What version of Commvault do we need to enable ransomware protection?

Version 11, Service Pack 6 and above. Ransomware detection techniques are a default feature from SP 8 on. No need to turn them on if you have upgraded to v11 and SP8! If you are currently using a version below this level, you’ll want to turn on the option to prevent external applications from accessing Commvault Disk Target. See our documentation on how to set this up.

Do you have to encrypt your data on disk to be protected against ransomware, or is selecting the option "to prevent external applications from accessing Commvault Disk Target" enough?

The "Prevent external applications from accessing Commvault Disk Target" option is designed to protect you from ransomware and malware attacks. Encryption of the data will ensure it sits at rest in a secure state. Encryption will also help with some forms of malware, but the general best practice is to ensure your disk targets are protected from external attacks.

Does the "Enabling Ransomware Protection on MediaAgents" option protect the mountpaths (dedupe store) from any writes or changes from processes other than Commvault's?

Yes, we do prevent signed binaries that are not Commvault’s from accessing our disk target. There are details here.

Can Commvault backups become encrypted and held ransom?

No, as long as you have turned on the option to prevent external applications from accessing Commvault Disk Target. Cloud and tape targets are safe and should not need any additional protection.

How can we secure the backup data in cloud? Seems that Commvault ransomware protection can only help to protect disk library?

Authentication is required to access cloud targets, and these are stored securely in the Commvault database. These authentication measures ensure that your data is safe, as it would take a physical device attack for the servers running the cloud to impact your data.

Does the protection that secures disks also work on VMs?

Yes it does! Once we protect the backup images they are all secured by our data platform.

If ransomware attacks the CommServe (the central management system) and destroys access to the software, is there still a way to recover?

Yes. You can still fall back on our DR (data recovery) strategy to recover the CommServe database and then restore backups.

What’s the impact on performance from turning on ransomware protection?

No impact. We only trap file open calls in the driver and it’s only a pass-through driver. This does not affect backup performance.

So there you have it, the top questions from our webinar. If you are interested in a more prescriptive approach for how your organization should be prepared if a massive ransomware attack gets through your defenses, check out our upcoming webinar on Aug. 2.

If you have a specific question regarding Commvault, ransomware or data protection in general, please feel free to email me at gogden@commvault.com. I have access to some of the best minds in the business who are more than happy to help me answer your questions!
