Sneak Peek into Commvault’s Ransomware Detection and Cyber-attack Risk Mitigation Strategy

Posted 05/16/2017 by Kalyani Kallakuri

Does the thought of ransomware leave you feeling defeated before the fight has started? Does the chaos that follows a ransomware attack pull you away from your core business? At Commvault - writing on the heels of an extensive ransomware attack that has affected more than 75,000 systems in 150-plus countries and counting - we don't want our customers to be held for ransom. We decided to put our customers ahead of the technology curve by building ransomware detection into our data management platform.

If you're interested in learning how Commvault manages ransomware incidents as one component of an overall information management strategy, read on: we'll walk through our latest detection techniques and the business processes that go with them for risk mitigation.

Let's begin with a buzzword that has been in vogue lately - RaaS, or Ransomware-as-a-Service - a term many security companies now use. RaaS means that one set of criminals builds and operates the ransomware infrastructure (the malware, the payment portal, the key management) and rents it out to affiliates who lack the technical ability to do it themselves. The operators then take a commission on the money their affiliates extort from legitimate organizations and individuals.

The statistics don't lie. From 2014 to 2015, ransomware increased by 35 percent [1]. The FBI says the practice is on track to net the criminals behind it nearly $1 billion a year [2], and that's just in the U.S.

And the picture gets more complex when you combine the ransomware threat with the way organizations will be required to manage their data in the near future.

What do we mean by that? For starters, think about the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. GDPR raises the stakes of a ransomware incident because of its breach-notification mandate: a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it. Note that GDPR's definition of a breach covers loss of availability as well as disclosure, so files encrypted by ransomware can qualify even when no data leaves the network. Commvault believes that the Accountability and Data Governance clauses can be satisfied with a robust backup strategy that has eDiscovery built in. The capability to initiate remote wipes and secure disk erasure matters on both fronts: it lets you contain data on an endpoint threatened by ransomware, and it supports the erasure obligations that GDPR imposes.

Organizations are clearly looking for a single solution that covers, and goes beyond, today's piecemeal risk-mitigation tooling. The Commvault Data Protection suite, with its platform approach, is positioned as that single solution for data protection, eDiscovery, sensitive data search and compliance.

Commvault advocates a multi-pronged approach that includes four pillars:

  • An extensible platform for protection that aligns with the corporate strategy on cyber-attack risk mitigation
  • A method to prevent and detect infection
  • A solution to stop infection spread
  • A strategy for backup and recovery

The corporate strategy for information management should consist of a set of business processes that identify vulnerabilities in the organization's IT infrastructure and architecture, assess which data is critical, and know where that data is stored. The strategy applies data access security controls, monitors the effectiveness of the measures in place, and implements user education and training on responsible use of and access to sensitive or business-critical data.

The risk of malicious software entering the organization's network cannot be eliminated entirely, but it can be minimized to a large extent with a comprehensive security posture that includes, but is not limited to, traditional anti-virus software, browser hardening and firewall protection.

Commvault has made strides in the early detection of ransomware. The software can detect early signs of an infection and trigger alerts, so that organizations can act before their critical data is lost. Its capabilities include:

  • Detection is not limited to a single point of entry; it covers multiple endpoints such as laptops, desktops and servers
  • The software uses both behavioral and proprietary techniques to detect early signs of ransomware before the malware starts encrypting files
  • Alternate techniques can be layered on for additional coverage. For example, Commvault's System Monitoring can detect abnormal machine or file activity, such as a sudden increase in file reads, writes or deletes
  • Administrators have a comprehensive, configurable dashboard to monitor file activity across user groups
  • Configurable alerting can watch for anomalous events
  • Abnormal events can in turn trigger workflows that stop the malware from propagating across the network

The evolving nature of ransomware makes this a cat-and-mouse game. To improve its odds of evading detection, some ransomware does not encrypt every file in a single pass. Instead it encrypts a few files at a time, sleeps for a period, then encrypts a few more, so that its per-minute file activity never rises above the rate a simple threshold would catch. Commvault, with its proprietary heuristic algorithms, is designed to identify this pattern of behavior over longer windows and minimize data loss or corruption.
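The two patterns discussed above, a sudden spike in file writes and deletes and the slow "encrypt a few, sleep, repeat" profile, can both be expressed as sliding-window rules over a file-activity log. The following is an added example written for this article, not Commvault's code or its proprietary algorithm: it uses two windows (a short one that counts all modifying operations, and a long one that counts only writes whose content looks encrypted, judged by Shannon entropy) and runs them over a constructed log of three hosts. The host names, paths, thresholds and event format are all assumptions made for the example.

```python
"""Toy behavioural ransomware detector over a file-activity log.

Two rules, one per pattern described in the post:
  burst     - many modifying operations (write/rename/delete) from one host
              inside a short window: the "encrypt everything now" profile
  slow-burn - a lower rate of high-entropy writes that never trips the burst
              rule but accumulates over a longer window: the "encrypt a few,
              sleep, repeat" profile
Constructed example, not Commvault code; every event below is synthetic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class FileEvent:
    ts: int          # seconds since the start of the (constructed) log
    host: str
    op: str          # "write", "rename" or "delete"
    path: str
    entropy: float   # Shannon entropy in bits/byte of the bytes written; 0.0 if not a write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext or compressed data,
    typically 4-6 for office documents and source code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


MODIFYING_OPS = {"write", "rename", "delete"}


def detect(events, *, burst_window=60, burst_threshold=20,
           slow_window=3600, slow_threshold=15, entropy_floor=7.5):
    """Return [(ts, host, rule), ...] with at most one alert per host and rule.

    `events` must be sorted by ts. Thresholds are illustrative assumptions; in
    practice they are baselined per host from its normal activity.
    """
    burst = defaultdict(deque)   # host -> ts of modifying ops within burst_window
    slow = defaultdict(deque)    # host -> ts of high-entropy writes within slow_window
    fired = set()
    alerts = []

    def check(queue, ts, window, threshold, host, rule):
        queue.append(ts)
        while queue[0] <= ts - window:   # drop events that fell out of the window
            queue.popleft()
        if len(queue) >= threshold and (host, rule) not in fired:
            fired.add((host, rule))
            alerts.append((ts, host, rule))

    for ev in events:
        if ev.op in MODIFYING_OPS:
            check(burst[ev.host], ev.ts, burst_window, burst_threshold, ev.host, "burst")
        if ev.op == "write" and ev.entropy >= entropy_floor:
            check(slow[ev.host], ev.ts, slow_window, slow_threshold, ev.host, "slow-burn")
    return alerts


def sample_log():
    """Constructed log: one benign host and one host for each attack profile."""
    events = []
    # ws-finance: normal office work, a low-entropy document save every 10 minutes.
    for i in range(6):
        events.append(FileEvent(600 * i + 5, "ws-finance", "write", f"/docs/q2-{i}.docx", 4.6))
    # ws-hr: classic burst, 25 high-entropy overwrites in 25 seconds.
    for i in range(25):
        events.append(FileEvent(1200 + i, "ws-hr", "write", f"/share/hr/f{i}.xlsx.locked", 7.98))
    # ws-legal: slow-burn, 3 files encrypted then 5 minutes of sleep, six times over.
    for batch in range(6):
        for j in range(3):
            events.append(FileEvent(300 * batch + j, "ws-legal", "write",
                                    f"/share/legal/c{batch}-{j}.pdf", 7.95))
    events.sort(key=lambda e: e.ts)   # stable sort keeps same-second events in insertion order
    return events


if __name__ == "__main__":
    for ts, host, rule in detect(sample_log()):
        print(f"t+{ts:>5}s  {host:<11} {rule}")
```

On the constructed log, ws-legal never has more than three modifying operations in any 60-second window and so never trips the burst rule, but its fifteenth encrypted write lands inside the hour-long window and raises the slow-burn alert; ws-hr trips both rules, and ws-finance trips neither. The entropy floor is the weak point of such a heuristic: compressed or already-encrypted formats (archives, media files, encrypted containers) are legitimately near 8 bits/byte, so a production detector baselines the rate of high-entropy writes per host and user group rather than relying on a fixed threshold.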

In summary, with the GDPR rules taking effect in one year and the threat of ransomware growing, Commvault continues to innovate to keep our customers ahead of the curve.

[1] Symantec Internet Security Threat Report, Volume 21, April 2016

[2] Ransomware-as-a-Service: Yes It's a Thing