17 October 2018  —  Acronis

A Guide to Ransomware and How Acronis Active Protection Can Help

Acronis True Image
formerly Acronis Cyber Protect Home Office

In this article we discuss:

Acronis
Ransomware
  • Ransomware: what it is, and why it is so dangerous
  • How to protect against ransomware
  • How Acronis Active Protection can help
  • A breakdown of a ransomware attack and defense

Ransomware: What It Is, and Why It Is So Dangerous

Ransomware is one of the most pervasive and costly forms of malware afflicting businesses and consumers today. The term describes a broad family of hostile computer viruses that infiltrate computer servers, PCs, laptops, tablets, smartphones, and other computerized devices like ATMs and airline check-in kiosks. Rather than stealing valuable information from the device, ransomware aims to deny users access to the files and data stored on it. The simpler “blocker” form presents a screen that prevents users from accessing the computer’s desktop. The more sophisticated and destructive “encryption” form of ransomware goes much further: it encrypts (mathematically scrambles) the user’s files. Both types present a screen instructing the user to pay an online ransom to an untraceable recipient, for which the attacker promises to unlock the system.   Ransomware-wielding criminals rely on user fear and ignorance to extort payment, increasing the pressure on victims to pay quickly with tactics like a running countdown timer that specifies an approaching payment deadline of days or hours. If the user pays up, the attacker will provide the mathematical key that can be used to unscramble the files, or instructions on how to remove the blocker.   The volume and sophistication of ransomware attacks has risen steadily over the past few years, becoming one of the most pervasive and expensive online criminal threats in history. The US FBI estimated that ransomware gangsters extorted over $1B from victims in 2016, and that figure is expected to even triple or quintuple by the end of 2017. Many users first became aware of the threat after the notorious WannaCry ransomware outbreak of May, 2017, which afflicted hundreds of thousands of systems, spreading to 150 countries in a matter of a few hours.   As subsequent waves of attacks have demonstrated, the ransomware problem is only going to get worse. Organized criminal gangs have mimicked the business and technology models of the legitimate software-as-a-service industry, making it increasingly easy for low-skilled operators to get into the business of distributing and profiting from ransomware. The likelihood that you, your family, your business, or someone you know will become a victim of ransomware grows by the day. Users need to educate themselves on the ransomware threat, and learn how to take steps to defend themselves against it.

How Acronis Active Protection Stops Ransomware

One proven technology to protect against ransomware attacks is Acronis Active Protection, a built-in feature of two popular backup programs: Acronis Cyber Backup (for businesses) and Acronis True Image (for consumers). Acronis Active Protection constantly monitors the user’s system, looking for suspicious behaviors typical of ransomware, like an unfamiliar process suddenly trying to rename and encrypt a series of files. With the help of artificial intelligence and machine learning, Active Protection quickly identifies ransomware-like behaviors, halts the process that is attempting them, and notifies the user of the apparently malicious activity. Based on the user’s response (“That is a legitimate action – allow it” or “No, that activity is suspicious – block it”), Active Protection either lets the process resume execution, or halts the process and automatically repairs any files it has damaged by restoring them from a backup copy.

Pattern Recognition

Active Protection uses AI-based pattern recognition to identify suspicious behaviors common to ransomware attacks. Machine learning further evolves that understanding of attack behaviors over time, as criminals attempt new tactics to thwart user defenses. This provides an important additional layer of protection on top of traditional anti-virus products, which use known segments of code (“signatures”) in malware to identify threats. The weakness of anti-virus programs is that they are incapable of recognizing brand-new threats whose signatures aren’t yet widely known.   To describe this another way: anti-virus programs detect ransomware threats based on what they look like. Active Protection detects ransomware threats based on their behavior, which allows it to spot brand-new variants that haven’t yet been added to an anti-virus program’s signature database.   Active Protection also maintains a whitelist of programs that the user has identified as okay, preventing them from being unintentionally blocked when those programs are used to perform operations that could be mistaken for ransomware activity, like legitimate renaming or encryption of files. Ransomware attacks that have been detected and blocked are automatically added to a blacklist, so subsequent attacks by the same version of ransomware will be prevented from executing at all.

Quick Recovery of Lost Files

The quick detection and termination of a ransomware attack is important. The faster the threat is shut down, the less time it has to destroy files by encrypting them. Restoring any ransomware-encrypted files is a useful technique, but its effectiveness depends on how frequently you perform backups. You might be able to restore a ransomware-encrypted file, but only to the version you backed up a few days or a week ago.   Active Protection complements Acronis Cyber Backup and Acronis True Image by restoring damaged files from one of several locations: in memory, on a local disk, on an external drive, a drive on the user’s local network, a drive in a remote location, or in cloud data storage. In many cases, a damaged file can be instantly restored from a local cache on the user’s system.   This ability to not only detect and terminate attacks, but also to quickly recover any damaged files, is unique to Active Protection. Many products sold as anti-ransomware can stop attacks, but not help the user recover from any damage that occurred prior to attack detection. Others can assist in post-attack recovery, but only of smaller files.  Active Protection detects and terminates ransomware attacks, then quickly and automatically restores any damaged files regardless of their size.

Defense of Backup Files

Using backup files to recover from a ransomware attack is a useful and recommended defensive technique. Having learned of this tactic, many malware developers now create ransomware that looks for and attempts to encrypt the user’s backup files as well. Acronis defeats this tactic by applying Active Protection defenses to backup files as well as other files. Attacks on backup files stored offsite (for example, in Acronis Cloud Storage) are further protected two ways: by in-transit and at-rest encryption, and by restricting access to cloud backup files only to Acronis-authorized processes.

Integration of Anti-Ransomware and Backup Functions

The inclusion of Acronis Active Protection in Acronis Cyber Backup and Acronis True Image provides a distinct advantage over separately deployed anti-malware and backup products. No combination of standalone products can deliver the kind of highly-automated detection, termination and recovery from ransomware attacks that the Acronis does with tightly-integrated backup and anti-ransomware protection.

How to Protect Your Computer from Ransomware: A Demonstration of Acronis Active Protection

This demonstration shows the sequence of events in a typical ransomware attack, in which an unwary user clicks on a link or opens an attachment in what looks like a legitimate email from a familiar sender. In fact, it is a “phishing” email is from an online criminal, crafted to lull the user into trusting the email. Clicking the link or opening the attachment does not yield the expected spreadsheet or amusing GIF, but instead infects the user’s system with a ransomware virus. Some ransomware versions (like the notorious WannaCry virus) include worm technology that helps them automatically spread to every other system they can find on the user’s local Ethernet or Wi-Fi network.   In the above video clip, the user receives a legitimate-looking email that offers tantalizing information on forthcoming episodes of a popular TV show. The intrigued user downloads and opens the email attachment, which actually turns out to contain  WannaCry ransomware. The virus encrypts the user’s files, making them totally inaccessible, then displays a ransom note with a countdown timer, demanding a $300 payment in the untraceable online currency Bitcoin before the timer runs out. The user faces a choice: pay the faceless criminal quickly, or lose access to their files forever. (Law enforcement officials and security experts generally do not recommend paying the ransom: 20% of victims who pay up never receive the promised key.)   The demonstration goes on to show what happens when the same user opens the same infected attachment, but this time has Acronis Active Protection. Active Protection spots the file-renaming and encryption activity as malicious and stops the process immediately. It then automatically restores the files that were encrypted prior to its detection of the attack. The clip goes on to explain how Active Detection’s allow/block decisions able to evolve over time via machine learning, and are further refined with whitelists and blacklists.   An anti-virus program may be able to detect and block some ransomware attacks, but versions that are already well-known enough that the AV vendor has created a signature for them, and then only if the user has recently updated their system’s AV signature database. Malware criminals are constantly evolving their ransomware to elude signature-based detection. This makes anti-virus useful to defend against known ransomware attacks, but no help at all with brand-new ones.   A better solution is to restore the encrypted files from backup, but this means potentially losing any new files that have been created and any work that has been done since the last backup was completed, which can be hours’, days’, or weeks’ worth of files.   The Active Protection included in Acronis Cyber Backup and Acronis True Image is a better solution, combining the ability to detect and block ransomware attacks, including previously unknown versions, with the ability to instantly restore any files damaged prior to attack detection. Its ability to identify and stop ransomware based on its behavior, not its signature, is a huge defensive advantage vs. anti-virus systems. Its integrated ability to automatically recover damaged files from backup makes it a better solution to pure anti-malware solutions. No other product combines ransomware defenses with backup in a single, integrated, automated package.   The amount and value of the data stored on your systems will only increase over time. The criminal industry that develops and distributes ransomware is hugely profitable already, and will only increase the volume and sophistication of its attacks over time. There are many basic steps to improve your chances of avoiding a ransomware attack:

  1. Use an anti-virus program and frequently refresh its signature database.
  2. Keep your operating system and applications up-to-date as well, so that when vendors discover vulnerabilities in their products, you get the software patches that close them. For example, WannaCry carved its worldwide path of destruction in part by exploiting a known weakness in Windows that many users hadn’t bothered to fix with a timely Windows Update.
  3. Be wary of phishing emails, and encourage your family, friends and colleagues to be cautious about clicking on links or opening attachments in emails from sources they don’t absolutely trust.

If you really want to gain the upper hand on ransomware bad guys, you need Acronis Cyber Backup or Acronis True Image with Active Protection, the only integrated solution for detecting, terminating, and automatically recovering from ransomware attacks.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.