Return to Blog
August 17, 2021

The “Power of Two” for Combating Ransomware

By John Maxwell

When it comes to ransomware, the news headlines are inescapable. There are daily reports of organizations being held hostage for exorbitant sums of money. According to a recent Gartner report “By 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth.”

Additionally, the Verizon 2021 Data Breach Investigations Report shows servers are the #1 asset under attack. Given that servers (or virtual machines running Windows Server) are where a majority of business-critical applications run, organizations can effectively be paralyzed from ransomware attacks.

Managed service providers (MSPs) are challenged with finding a comprehensive approach to protecting their clients from ransomware attacks. From 24/7 real-time monitoring to mitigation and recovery, the burden rests with the MSP.

Datto is solely focused on providing MSPs with best-in-class solutions, which is why the combination of Datto RMM with real-time ransomware detection and mitigation and Datto BCDR recovery deliver the “Power of Two” for combating ransomware. This combination addresses four steps to successfully combat this ever-present cyber threat.

  1. Alert
  2. Isolate
  3. Mitigate
  4. Recover

While there is no foolproof way to prevent a ransomware attack, you can reduce the impact and quickly recover. That said, let’s discuss the four steps to address a ransomware attack and recover from it.

Step 1: Alert

Ransomware attacks can go undetected unless you have a sentinel on watch 24/7. By the time an end-user reports something suspicious such as files being inaccessible or a pop-up with a ransomware note, it is too late.

What do you look for? Generally, real-time ransomware monitoring and detection solutions monitor for the existence of crypto-ransomware by using behavioral analysis of files and will then send an alert when a device is infected. File analysis includes looking for everything from known file extensions like .crypt, an increase in the frequency of file renames and deletion activity, measuring entropy, and many other modification events. But it doesn’t stop there – to ensure a server isn’t being attacked and infected with ransomware, the launch of new processes within Windows should be monitored, such as events at startup.

Additionally, an increase in network traffic or unusual system-to-system connections can signify that a ransomware attack is active or about to begin. One way attackers exploit Windows systems is to target single-sign-on (SSO). When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), Active Directory (AD), or elsewhere. When an administrator logs into Windows Server, their password credentials are left behind. Attackers capture the password hash and use it to pass through to other systems on the network. This technique is referred to as pass-the-hash (PtH).

Datto’s RMM provides 24/7 monitoring of all endpoints, including Windows Servers. It looks for anomalies and immediately sends an alert when it finds possible ransomware activity. Since Datto RMM is collectively monitoring all computers, it can quickly become aware of ransomware attacks.

Step 2: Isolate

As soon as a ransomware attack is detected, it’s essential to isolate the affected server to contain the attack before it spreads. PtH attacks quickly spread from one device to another on the network and often occur outside standard business hours, faster than on-call technicians and NOCs can respond.

Datto RMM ransomware detection will isolate devices infected with ransomware and ensure it cannot spread to other network devices while retaining remote control access to the impacted devices via the RMM console. This step is important for supporting DFIR activities (Digital Forensics and Incident Response), giving engineers and SOC teams more time to collect evidence and carry out the next steps for your mitigation & recovery efforts.

Cloud-based interface for Datto RMM to isolate an infected device

Related

Autotask & Kaseya Quote Manager Q4 Product Innovation Update

General Manager, Kevin Sequeira, and Director of Product Marketing, Travis Brittain reviewed Q4`23 roadmap speaking about groundbreaking features and deeper integrations to streamline your IT team's daily operations. In addition, they explore the new Kaseya Quote Manager – the next evolution of Datto Commerce.

The MSP’s Guide to Business Continuity and Disaster Recovery on Azure

Cloud adoption is on the rise among small and medium-sized businesses (SMBs). Microsoft Azure is consistently attracting new SMB customers, which means managed service providers (MSPs) must be ready to protect Azure data and applications.

Suggested Next Reads

CyberSecurityToolkit

What Is Security Awareness Training?

As cyberthreats continue to evolve and increase in sophistication, the significance of security awareness training cannot be overstated. It has […]

April 03, 2024 | Chris McKie