How Ransomware Detection Works

May 24, 2017

How Ransomware Detection Works

By Henry Washburn

The global WannaCry ransomware infection has brought to light the different attack vectors that are out in the world today. Unlike many types of ransomware, the WannaCry variant was not distributed via phishing emails. Instead, the malware exploited an SMB security hole in versions of Windows older than Windows 10.

The Department of Homeland Security has stated that the number one way to protect against ransomware is to have a recovery solution in place. We took that a step further and thought, “Datto backs up over 65,000 businesses, over 4.2 million backups a day… how can we help partners in the fight against ransomware with that kind of historical data?” The answer was Ransomware Detection.

Datto has the unique ability to review snapshots of data over time so we took it upon ourselves to create a process to test each and every backup for potential ransomware infections, to notify IT service providers when there is a potential threat on the network and which restore points are not infected.

To figure out what to look for, we had to infect ourselves with ransomware...a lot! We also had to make sure that we had healthy backups of the servers first, obviously. Then, we started comparing the differences between the healthy backups and encrypted backups and came up with three general tests to detect ransomware.

After two months in a HIGHLY segregated network in our offices with a number of variants, we found that most versions of ransomware work remarkably similar.

The Tests:

  1. File Upheaval: Datto will test the backup to see if there was a large number of file name changes.  When ransomware encrypts data it would change a file from a .doc to .doc.WCRY or other odd file extensions. We’ve seen that there were files in a location and with the latest backup those files are gone. While not being gone we cannot find them anymore because they are illicitly encrypted.

  2. How similar is the data: This test uses file entropy where we seek to find out how dense, and therefore random, a concatenation of files are. While user encrypted files are fairly similar to a ransomware-encrypted file, sampling over a larger portion of the system the likelihood of returning a truly random sample is low.

  3. Date comparison: We also attempt to find any files that have a different Master File Table date compared to their last modify time and then run another entropy test on the concatenated version of those files. Again if there is a high enough randomization then there is a high likelihood that the production machine has ransomware.

We have found that 0.285 percent of machines protected by Datto have triggered an infection alert, that equates to about 2,100 businesses over the course of six months. That’s just a subset of the entire threat of ransomware, and it is difficult to say how large the infection rate is worldwide.

We have not found a single partner trigger the Ransomware Detection alert due to WannaCry. This is a testament to the fact that our partners proactively monitor and manage their customers’ environments to be certain that production machines are up to date.

You can find out more information on the tests that Datto uses to detect ransomware on backups by watching the recorded webinar: We Infected Ourselves with Ransomware.

It is important to educate users on how to prevent malicious attacks and also threat protection in depth on your business network, ransomware can and will affect businesses, so you need a plan to restore. Find out what data is clean from encryption and then restore back to production, quickly. There will be more information on how to restore, stay tuned. Remember, if you or someone you know gets ransomware, contact your local FBI field office.

Relevant Articles

Subscribe to the Blog