
Steps to a foolproof strategy for ransomware protection and ending cyber extortion


Dale Shulmistra

Data Protection Specialist @ Invenio IT


Ransomware Protection

In today’s digital landscape, small and medium-sized businesses (SMBs) have become increasingly savvy about the growing cyber threats that can potentially disrupt their operations. Acknowledging the critical importance of safeguarding their sensitive data, SMBs are proactively dedicating resources and making strategic investments in state-of-the-art network and cloud security solutions. By outsmarting hackers and malicious actors, these forward-thinking businesses are ensuring the integrity and confidentiality of their valuable information, giving their customers and partners the peace of mind they rightfully deserve.

“We’re seeing many businesses take more steps to protect themselves against threat actors,” said Chris McKie, VP of Product Marketing for Security and Networking Solutions at Kaseya. “Whether they’re investing in new security products or utilizing multiple security frameworks, most SMBs realize the very real threat that ransomware poses for their business, and they’re doing what they can to keep themselves safe.”

For the SMB, Datto’s ransomware protection is a game-changer for BCDR because it uses a multi-layered approach to detect infections and restore compromised data.

What makes this protection unique from other BCDR solutions is that it’s built right into the backup system. Each new backup is automatically scanned for ransomware. If an infection has occurred, Datto offers innovative recovery options on the SIRIS and ALTO that allow you to rapidly restore the files back to normal faster than traditional methods.

In this post, we break down how Datto ransomware protection works and why it’s essential for today’s organizations.

What to Know about Ransomware

To understand why Datto ransomware protection is so vital, it’s important to have a basic understanding of how ransomware works and why it’s such a dangerous threat.

Ransomware is a form of malware that holds your data hostage. After infecting your machine, ransomware works quickly to encrypt files across your entire network. A message typically alerts users that the data has been locked, and it provides instructions for how to get it back—for a price (usually an untraceable cryptocurrency payment).

Ransomware destroys businesses. It has brought down even the world’s largest companies by disabling systems on a global scale. Recovery can take months and cost millions of dollars in downtime alone. Smaller businesses are sometimes shuttered permanently.

Datto Overview

Founded in 2007 by Austin McChord, Datto has grown substantially over the last decade. Headquartered in Norwalk, Connecticut, the company reshaped the backup industry by developing its own data backup devices, which eventually evolved into the SIRIS flagship product.

Quick facts about ransomware:

  • Cybercriminals use ransomware to extort money from their victims, which include organizations of all sizes.
  • Sometimes the attacks are random, sometimes they are targeted. Hackers are increasingly going after businesses—hospitals, schools, government agencies and small to large companies—with the hope of extorting larger payouts.
  • Vulnerable companies are often willing to pay the ransom, believing it’s the only way to get their valuable data back. But paying the ransom doesn’t guarantee you’ll receive the decryption keys that were promised. Some hackers are perfectly content to lock up your data, take your money and throw away the key.

An estimated 93% of phishing emails now contain malicious links or attachments leading to a ransomware attack. Researchers at IBM also found that 40% of all spam emails are attempts to deliver ransomware. These emails are the questionable “invoices,” “payslips,” “receipts,” unknown PDFs and Word docs that you’ve probably seen in your inbox or spam folder.

Increasingly, ransomware is also infecting systems by other means beyond email. The infamous WannaCry and NotPetya ransomware attacks of 2017 revealed how newer ransomware variants can exploit Windows vulnerabilities to take control of computers, quietly spread the malware and attack companies worldwide—without a user ever touching a phishing email.

All of this underscores why it’s essential for today’s businesses to be able to aggressively prevent ransomware, quickly mitigate infections and rapidly restore lost data.


That’s where Datto ransomware protection comes into play …

Datto Ransomware Protection, Built into Backup

Datto’s backup solutions have been helping businesses recover from ransomware attacks and other disasters for years. As we explain further below, Datto’s near-instant recovery options enable businesses to quickly “undo” an infection by restoring a recent backup. But also, in 2016 the company introduced a new layer to its Datto ransomware protection that goes even further to stop an attack in its tracks.

Datto BCDR solutions feature ransomware detection built-in, so that infections are identified and resolved at the earliest signs of an attack.

Here’s how it works:

  • Datto’s backup devices detect and identify a ransomware attack automatically. Each new backup is automatically scanned for signs of infection, such as mass file changes and other recognizable ransomware behavior.
  • Administrators are notified immediately of a suspected infection. This enables them to see exactly when and where the attack has been detected, so they can quickly roll back to healthy data.
  • Because of Datto’s high backup frequency capabilities (as often as every five minutes), this detection can happen even if users haven’t yet received the attacker’s ominous “YOUR FILES ARE ENCRYPTED” message on their screens.

How much of a difference does it make if the backup system can detect an infection?

A lot.

By identifying an attack at the onset, Datto curbs the attack, shortens downtime and reduces the business impact. An unmitigated ransomware attack can quickly move across a network, infecting every connected PC or server that it can access. Detecting an infection at the first sign of an attack prevents that spread from occurring and limits the attack to the first infected devices. This allows the company to continue operating without flinching (and save a ton of money in the process).

How Does the Detection Work?

Datto has programmed its systems to look for irregular patterns that wouldn’t ordinarily be caused by a user or application. It does this by keeping an eye out for changes in specific file types.

Here are some example actions that, if performed rapidly and simultaneously, would raise a red flag to the Datto device:

  • File content is being rapidly overwritten by random data
  • File types commonly targeted by ransomware are being overwritten
  • The original “modified” time stamps are being preserved, even though the file content is being overwritten

Upon detecting this behavior, the Datto device alerts the administrator of a likely ransomware infection.

Is it possible that these actions could be caused by a benign user or application? Sure, false positives can happen, but it’s better to be safe than sorry. Also, Datto says it’s fine-tuning its algorithm to further reduce the chances of a false alarm. Additionally, if needed, Datto gives you the option to disable detection for any protected agent (though you should only do this as a last resort).
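To make the three signals above concrete, here is an added example that is not Datto’s code (the page does not publish Datto’s detection logic). It compares two consecutive backups of a file share, held in memory as constructed sample data, and flags the pattern described: many targeted file types rewritten with random-looking content while their modified timestamps stay put. The extension list, entropy thresholds, alerting rule and sample files are all assumptions made for the example.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

# Assumed list of file types commonly hit by ransomware; Datto's real list is not on the page.
TARGETED_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".accdb", ".bak"}
# Assumed thresholds in bits per byte: encrypted or compressed data approaches 8.0,
# while documents, text and most database files sit well below 7.5.
HIGH_ENTROPY = 7.5
ENTROPY_JUMP = 1.0
# Assumed alerting rule: this many encrypted-looking files, or this fraction of the
# targeted files, changing within a single backup interval.
MIN_HITS = 5
MIN_FRACTION = 0.25


@dataclass(frozen=True)
class FileState:
    content: bytes
    mtime: float  # modified timestamp as recorded by the file system


@dataclass
class Verdict:
    likely_ransomware: bool
    encrypted_like: list     # targeted files overwritten with random-looking data
    mtime_preserved: list    # subset whose modified time did not move despite new content
    targeted_total: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ext_of(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def compare_backups(before: dict, after: dict) -> Verdict:
    """Compare two consecutive backups (path -> FileState) for ransomware-like change."""
    encrypted_like, mtime_preserved = [], []
    targeted_total = sum(1 for p in after if ext_of(p) in TARGETED_EXT)
    for path, new in after.items():
        old = before.get(path)
        if old is None or old.content == new.content or ext_of(path) not in TARGETED_EXT:
            continue  # new file, unchanged file, or a type ransomware rarely bothers with
        e_old, e_new = shannon_entropy(old.content), shannon_entropy(new.content)
        # Signals 1 and 2: a targeted file whose content became random-looking
        if e_new >= HIGH_ENTROPY and e_new - e_old >= ENTROPY_JUMP:
            encrypted_like.append(path)
            # Signal 3: content replaced but the modified timestamp kept
            if new.mtime == old.mtime:
                mtime_preserved.append(path)
    hits = len(encrypted_like)
    suspicious = hits >= MIN_HITS or (bool(targeted_total) and hits / targeted_total >= MIN_FRACTION)
    # Users and office applications do not rewrite a file while keeping its old mtime,
    # so even a small cluster of those is treated as a hit (assumed rule).
    if len(mtime_preserved) >= 2:
        suspicious = True
    return Verdict(suspicious, encrypted_like, mtime_preserved, targeted_total)


def build_samples():
    """Constructed sample backups: a clean share, a benign edit, and a mass overwrite."""
    rng = random.Random(1234)
    workbook = b"Quarterly sales figures for the northeast region.\n" * 60
    clean = {f"share/finance/report{i}.xlsx": FileState(workbook, 1_700_000_000.0 + i)
             for i in range(12)}
    clean["share/readme.txt"] = FileState(b"internal finance share\n", 1_700_000_000.0)

    # Benign: one user saves a change to one workbook; its mtime moves forward.
    benign = dict(clean)
    benign["share/finance/report3.xlsx"] = FileState(workbook + b"Updated totals.\n",
                                                     1_700_100_000.0)

    # Ransomware-like: every workbook replaced by random bytes with its mtime kept,
    # plus a new note dropped in the folder (constructed stand-in, no real payload).
    encrypted = dict(clean)
    for path, state in clean.items():
        if ext_of(path) in TARGETED_EXT:
            encrypted[path] = FileState(rng.randbytes(4096), state.mtime)
    encrypted["share/finance/README_DECRYPT.txt"] = FileState(b"constructed note\n",
                                                              1_700_100_000.0)
    return clean, benign, encrypted


def demo() -> tuple:
    clean, benign, encrypted = build_samples()
    return compare_backups(clean, benign), compare_backups(clean, encrypted)
```

The benign edit changes one file, leaves its entropy low and moves its timestamp forward, so it produces no hits; the mass overwrite trips all three signals on every workbook. The false-positive concern raised above shows up in the thresholds: a user zipping a whole folder also produces high-entropy files, which is why the rule requires a cluster of hits (or preserved timestamps) rather than a single one.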

Additional Layers of Datto Ransomware Protection

What happens if an infection has already encrypted a wide swath of files and folders? Datto has a solution for this too.

First, remember that all data backups are inherently a form of ransomware protection. By backing up your data, you have an effective failsafe that you can leverage if an attack occurs. No ransom payment needed. Simply restore a recovery point from before the attack occurred, which will restore files back to normal and remove the infection.

But keep in mind that not all backups are made equal. Datto is unique in that backups can be performed as often as every five minutes if needed, significantly limiting the risk of major data loss. Additionally, Datto’s Inverse Chain Technology creates backups that are far more resilient and dependable than traditional incremental backups. Incremental rebuilds are slow and prone to failure. In contrast, each new Datto backup is stored in a fully constructed state with no dependency on a chain, which eliminates the risky rebuild process entirely.
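The dependency problem with incremental chains is easier to see in code. The following is an added toy model, not Datto’s implementation and not a description of how Inverse Chain Technology works internally: it builds the same three backup cycles twice, once as a full backup plus a chain of increments and once as independent recovery points that share unchanged content by reference, then corrupts the second cycle in both and tries to restore each point. Every name here is made up for the example.

```python
from dataclasses import dataclass
from typing import Optional


class CorruptBackup(Exception):
    """Raised when a recovery point cannot be reconstructed."""


# --- Traditional incremental chain: point N = full backup + increments 1..N ---

@dataclass
class Increment:
    changes: dict          # path -> new content, or None when the file was deleted
    corrupt: bool = False  # constructed flag standing in for an unreadable increment


def restore_incremental(full: dict, chain: list, point: int) -> dict:
    """Rebuild recovery point `point` by replaying every increment up to it."""
    state = dict(full)
    for i, inc in enumerate(chain[:point], start=1):
        if inc.corrupt:
            raise CorruptBackup(f"increment {i} unreadable; every point from {i} on is lost")
        for path, content in inc.changes.items():
            if content is None:
                state.pop(path, None)
            else:
                state[path] = content
    return state


# --- Chain-free points: each recovery point is a complete map of the volume. Unchanged
# content is shared by reference rather than copied, so the points stay cheap, but no
# point needs any other point to be readable. ---

@dataclass
class RecoveryPoint:
    files: dict            # path -> content, shared with older points where unchanged
    corrupt: bool = False


def take_point(previous: Optional[RecoveryPoint], changes: dict) -> RecoveryPoint:
    files = dict(previous.files) if previous else {}
    for path, content in changes.items():
        if content is None:
            files.pop(path, None)
        else:
            files[path] = content
    return RecoveryPoint(files)


def restore_independent(points: list, point: int) -> dict:
    rp = points[point - 1]
    if rp.corrupt:
        raise CorruptBackup(f"point {point} unreadable; other points are unaffected")
    return dict(rp.files)


def demo() -> dict:
    """Same three backup cycles built both ways, with the second backup corrupted."""
    full = {"a.docx": "a-v1", "b.xlsx": "b-v1"}
    cycles = [{"b.xlsx": "b-v2"}, {"c.pdf": "c-v1"}, {"a.docx": "a-v2", "b.xlsx": None}]

    chain = [Increment(c) for c in cycles]
    chain[1].corrupt = True

    points, prev = [], RecoveryPoint(dict(full))
    for c in cycles:
        prev = take_point(prev, c)
        points.append(prev)
    points[1].corrupt = True

    results = {}
    for n in (1, 2, 3):
        for name, fn in (("incremental", lambda n: restore_incremental(full, chain, n)),
                         ("independent", lambda n: restore_independent(points, n))):
            try:
                results[(name, n)] = fn(n)
            except CorruptBackup as exc:
                results[(name, n)] = str(exc)
    return results
```

With one damaged cycle, the chain loses that point and every point after it, because each restore has to replay through the broken link; the independent points lose only the damaged one, and the newest clean point (the one you want after a ransomware event) is still restorable.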

Not only that, Datto SIRIS and ALTO offer a unique restore method called Rapid Rollback that is specifically designed to accelerate recovery after events like ransomware …

Rapid Rollback: A Faster Ransomware Recovery

Datto’s Rapid Rollback is a data restore option that allows you to quickly recover data that has been compromised in a ransomware attack. The process is similar to a bare metal restore, except that it allows you to restore only the compromised data without reformatting or re-partitioning the target hardware.

Rapid Rollback works by identifying major unwanted changes between two recovery points, such as files that have been encrypted by ransomware. With a few clicks, you can restore those files back to their clean state, without needing to restore the entire machine. This dramatically speeds up the recovery time, which is critical for overcoming a ransomware attack.

Beyond ransomware, Rapid Rollback can also be used in other situations involving widespread file changes, such as those caused by failed OS updates or software installations.
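The mechanism described in this section, restoring only what changed between a clean recovery point and the damaged volume, can be illustrated with a small script. This is an added example and not Datto’s Rapid Rollback code; it works on two ordinary directories built in a temporary folder (one standing in for the clean recovery point, one for the live machine), hashes every file on both sides, and copies back only the files that were modified or deleted. The directory layout, file contents and the simulated damage are all constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): _digest(p) for p in root.rglob("*") if p.is_file()}


def plan_rollback(clean_point: Path, live: Path) -> dict:
    """Diff the clean recovery point against the live volume.

    'modified' and 'missing' are restored from the clean point. 'added' files exist
    only on the live side (a ransom note, but also any legitimate new work), so they
    are listed for review rather than deleted automatically (design choice, not Datto's).
    """
    clean_idx, live_idx = _index(clean_point), _index(live)
    return {
        "modified": sorted(p for p in clean_idx if p in live_idx and clean_idx[p] != live_idx[p]),
        "missing": sorted(p for p in clean_idx if p not in live_idx),
        "added": sorted(p for p in live_idx if p not in clean_idx),
        "unchanged": sorted(p for p in clean_idx if live_idx.get(p) == clean_idx[p]),
    }


def apply_rollback(clean_point: Path, live: Path, plan: dict) -> int:
    """Copy only the modified and missing files back; everything else on the live
    volume is left untouched. Returns the number of files restored."""
    restored = 0
    for rel in plan["modified"] + plan["missing"]:
        dst = live / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean_point / rel, dst)  # copy2 also carries over the timestamps
        restored += 1
    return restored


def demo() -> tuple:
    """Constructed scenario: four files backed up, then two overwritten, one deleted
    and a note dropped on the live volume. Returns (plan, restored count, live contents)."""
    base = Path(tempfile.mkdtemp(prefix="rollback_demo_"))
    clean, live = base / "recovery_point", base / "live"
    originals = {
        "docs/a.docx": b"contract text",
        "docs/b.xlsx": b"ledger",
        "docs/c.pdf": b"invoice",
        "notes/todo.txt": b"buy milk",
    }
    for root in (clean, live):
        for rel, data in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Simulated damage on the live side only (arbitrary bytes, not real encryption)
    (live / "docs/a.docx").write_bytes(b"\x8f\x13\xa0junk")
    (live / "docs/b.xlsx").write_bytes(b"\x00\xffjunk")
    (live / "docs/c.pdf").unlink()
    (live / "docs/HOW_TO_RECOVER.txt").write_bytes(b"constructed note")

    plan = plan_rollback(clean, live)
    restored = apply_rollback(clean, live, plan)
    after = {rel: (live / rel).read_bytes() for rel in originals}
    shutil.rmtree(base)
    return plan, restored, after
```

Hashing both sides is what keeps the restore narrow: the untouched to-do file is never rewritten, and the script reports the note that appeared on the live side instead of silently deleting it, since a file that is absent from the recovery point may simply be newer than the recovery point.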

Ransomware-Resistant Backups & Cloud

Not surprisingly, attackers are developing new strains of ransomware that are specifically designed to go after a company’s backups. By destroying the backups, they give victims no other choice but to pay the ransom.

But this is another area where Datto’s ransomware protection is a step ahead.

In addition to the built-in ransomware detection and fast recovery options mentioned above, Datto’s backups are inherently ransomware resistant in a few ways:

  • ZFS snapshots: Datto creates backups with ZFS-based snapshot files that cannot be corrupted by ransomware. In addition to making backup storage more efficient, ZFS is inherently immune to file-level encryption because the snapshots take place at the block level.
  • Immutable cloud: Datto uses its own immutable cloud, which is built with multiple security layers to protect data. All data is encrypted at rest in the cloud and (optionally) on the local backup device. A post-backup ransomware scan is completed (in addition to automatic testing via Advanced Backup Verification) before the backup is replicated to Datto’s cloud using AES-256 encryption.

Case Study

All it took was one click. During an otherwise normal afternoon in 2016, an employee at a New Jersey beverage distributor opened an email, and the company’s recently installed Datto ransomware protection solution got its first major test.

The email was a phishing scam. Cleverly disguised as a legitimate message, the email contained links to a website embedded with malicious code. When the employee clicked on it, he inadvertently exposed the company’s computer systems to a nasty strain of ransomware.

The impact was felt immediately. The ransomware encrypted all of the company’s shared resources, including important financial files. It also locked them out of the back-office application that runs their operation. The business was dead in the water.

As the exclusive U.S. bottler for a popular soda sold in 32 states, the distributor faced a huge problem. They couldn’t access their inventory, accounts payable information or order records. Their entire operation, from the back office to the warehouse, was at a standstill.

Thankfully, the company was already using a Datto SIRIS to back up its data. And since SIRIS takes snapshots of the distributor’s data every 15 minutes, all they had to do was choose a recovery point from before the infection occurred. The distributor worked with its IT provider to identify the exact time of the attack, then rolled back to the clean data. The recovery took only a matter of minutes. Within an hour, the distributor was back up and running again, like nothing had happened. This is just one example of how Datto ransomware protection—built right into its data backup devices—is literally saving companies from one of the worst forms of malware today.

Ways to Prevent Ransomware

We’ve established the ways in which Datto can help to detect infections and recover from an attack. But combating ransomware also requires effective prevention strategies.

Three crucial measures for preventing an attack from disrupting your operations are: Education, Anti-Malware Software and Network Access Controls.

Here’s what each should look like at your organization:

  • Education: Since most ransomware attacks still arise out of malicious emails, it’s important to train employees on safe Internet usage. First, they should understand the seriousness of the risks as well as you do: one seemingly harmless click could cripple the entire business. But also, users should be taught what to look for: how to spot a phishing email, when to trust an unknown sender, which websites and links to avoid and so on. By educating your workforce on the dangers of malware, you can significantly reduce the chances of a successful attack.
  • Anti-Malware: Anti-malware and anti-virus software remain a crucial line of defense against ransomware. Many ransomware variants use known forms of malware to infect computer systems. As long as you’re using a good anti-malware solution that is being updated regularly, then you’ll be able to fend off a lot of potential attacks. Keep in mind, however, that not all forms of ransomware are detected by anti-malware.
  • Network Access Controls: The spread of a ransomware infection is often limited by the user’s folder access. In other words, if a user only has access to a few essential folders, rather than entire directories, then the ransomware can only go so far. This is why it’s a good idea to use access controls and network share permissions to limit each user to only the folders they absolutely need. By doing this across the organization, you can greatly reduce the scale of an attack when a machine has been infected.

Even the most aggressive preventative measures won’t guarantee you’ll be able to avoid an attack. This is why it’s critical to have a dependable system for business continuity and disaster recovery (BCDR).

Ransomware Isn’t Going Away

Back in 2017, pharmaceutical giant Merck was one of the many companies hit by the NotPetya ransomware attack. The impact was bigger than many knew at the time. Months after the attack, the company revealed it still hadn’t fully recovered. The attack disrupted its manufacturing operations worldwide, as well as its research and sales operations. The company eventually filed a $1.4 billion lawsuit against its insurance company, which wasn’t settled until 2022. From the lawsuit, the full scale of damages became clear: the ransomware caused “$135 million in lost revenue, $175 in remediation costs to bring systems back online, and $870 million to remediate disruption and encrypted files and improve security and acquire new equipment.”

Cybersecurity company Malwarebytes has also warned that ransomware hits nearly a third of all small-to-medium businesses in a year’s time. And among those, one in five has to stop operations completely.

Don’t expect these numbers to improve anytime soon. Ransomware continues to evolve, and recent attacks show that the malware is getting more sophisticated and more destructive. Businesses of all sizes need to be more proactive about implementing sound business continuity strategies and technologies that will protect them from an attack.

Conclusion

According to Datto, 96% of ransomware victims lose access to their data for more than a day. That’s simply not acceptable. For companies whose data is essential to their operations, this level of downtime can devastate the business.

Datto’s suite of data-protection technologies ensures that you can always get your files back after a ransomware attack. With the ability to detect infections, rapidly restore data and instantly virtualize your protected machines, you can forget about the risk of downtime from ransomware.

Frequently Asked Questions (FAQ)

1) What is Datto Ransomware Protection?

Datto Ransomware Protection refers to several features on Datto’s backup solutions that help businesses safeguard their data from ransomware. These features include automatic ransomware detection during the backup process, Rapid Rollback data recovery, ransomware-resistant ZFS snapshots and immutable cloud storage.

2) How does Datto protect against ransomware?

Datto protects against ransomware by automatically scanning each new backup for signs of a ransomware infection. If an infection has occurred, administrators can use Datto’s Rapid Rollback to quickly identify and restore only the affected data, without needing to reimage the entire machine.

3) What is the best protection method for a ransomware attack?

Routine data backups are the most important form of protection against ransomware. While there are several methods of preventing ransomware, including anti-malware software and strong email spam filters, data backups are the only way to ensure you can restore your data if an attack occurs.

Learn More

For more information on how your company can stay protected from ransomware and other disasters, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email success@invenioIT.com or request a free Datto demo today.
