August 17, 2021
The “Power of Two” for Combating Ransomware
When it comes to ransomware, the news headlines are inescapable. There are daily reports of organizations being held hostage for exorbitant sums of money. According to a recent Gartner report “By 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth.”
Additionally, the Verizon 2021 Data Breach Investigations Report shows servers are the #1 asset under attack. Given that servers (or virtual machines running Windows Server) are where a majority of business-critical applications run, organizations can effectively be paralyzed from ransomware attacks.
Managed service providers (MSPs) are challenged with finding a comprehensive approach to protecting their clients from ransomware attacks. From 24/7 real-time monitoring to mitigation and recovery, the burden rests with the MSP.
Datto is solely focused on providing MSPs with best-in-class solutions, which is why the combination of Datto RMM with real-time ransomware detection and mitigation and Datto BCDR recovery deliver the “Power of Two” for combating ransomware. This combination addresses four steps to successfully combat this ever-present cyber threat.
- Alert
- Isolate
- Mitigate
- Recover
While there is no foolproof way to prevent a ransomware attack, you can reduce the impact and quickly recover. That said, let’s discuss the four steps to address a ransomware attack and recover from it.
Step 1: Alert
Ransomware attacks can go undetected unless you have a sentinel on watch 24/7. By the time an end-user reports something suspicious such as files being inaccessible or a pop-up with a ransomware note, it is too late.
What do you look for? Generally, real-time ransomware monitoring and detection solutions monitor for the existence of crypto-ransomware by using behavioral analysis of files and will then send an alert when a device is infected. File analysis includes looking for everything from known file extensions like .crypt, an increase in the frequency of file renames and deletion activity, measuring entropy, and many other modification events. But it doesn’t stop there - to ensure a server isn’t being attacked and infected with ransomware, the launch of new processes within Windows should be monitored, such as events at startup.
Additionally, an increase in network traffic or unusual system-to-system connections can signify that a ransomware attack is active or about to begin. One way attackers exploit Windows systems is to target single-sign-on (SSO). When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), Active Directory (AD), or elsewhere. When an administrator logs into Windows Server, their password credentials are left behind. Attackers capture the password hash and use it to pass through to other systems on the network. This technique is referred to as pass-the-hash (PtH).
Datto’s RMM provides 24/7 monitoring of all endpoints, including Windows Servers. It looks for anomalies and immediately sends an alert when it finds possible ransomware activity. Since Datto RMM is collectively monitoring all computers, it can quickly become aware of ransomware attacks.
Step 2: Isolate
As soon as a ransomware attack is detected, it’s essential to isolate the affected server to contain the attack before it spreads. PtH attacks quickly spread from one device to another on the network and often occur outside standard business hours, faster than on-call technicians and NOCs can respond.
Datto RMM ransomware detection will isolate devices infected with ransomware and ensure it cannot spread to other network devices while retaining remote control access to the impacted devices via the RMM console. This step is important for supporting DFIR activities (Digital Forensics and Incident Response), giving engineers and SOC teams more time to collect evidence and carry out the next steps for your mitigation & recovery efforts.
Cloud-based interface for Datto RMM to isolate an infected device
Step 3: Mitigate
In addition to isolating the affected device, killing the ransomware process is another important step to potentially save further data from being encrypted and isolate the spread.
Mitigation itself encompasses many steps other than isolating the device and attempting to kill the ransomware process. For example, setting the BIOS clock back before the ransomware expiration window is up can delay the expiration deadline. Determining when the ransomware infection started will also be important for determining how far to go back when restoring from backups. Lastly, there are resources like the No More Ransomware organization that provide decryption tools for some known ransomware.
Datto RMM ransomware will attempt to kill the ransomware process while automatically isolating the affected device from the network. Unlike solutions that isolate the device, making it inaccessible, technicians can still access the impacted device via the RMM console to investigate and mitigate the attack.
Cloud-based Datto RMM showing a ransomware alert
Step 4: Recover
Once the server or virtual machine has been isolated, the system must be recovered to the most recent recovery point, meaning the latest unaffected backup.
The amount of data infected by the attack will decide the level of recovery. Generally, one of five types of recoveries will be utilized.
- System image-level restore
- Local instant virtualization
- Bare Metal Restore
- File-level recovery
- Cloud-based recovery
Cloud-based Recovery launchpad for Datto SIRIS BCDR
Conclusion
To win the war on ransomware, MSPs need a toolkit that not only provides 24/7 monitoring but the ability to mitigate its further spread and recover the affected systems. Datto delivers the “Power of Two” with Datto RMM real-time ransomware monitoring and mitigation combined with Datto BCDR for reliable, fast recovery.
