
    The Ransomware Warning System in Your Backup Server

    By AutoBackup365.com | January 10, 2022 | Updated: November 5, 2022

    Posey’s Tips & Tricks
    Backups aren’t just the last line of defense against ransomware. If you know the signs, your backups can also help you stop a ransomware attack that is currently in progress.
    One of the biggest things keeping IT pros awake at night is the ever-present threat of ransomware.
    It’s often said that backups are the last line of defense against ransomware, but your backup system can also help alert you to a ransomware infection that is currently in progress — if you know the subtle signs to look for.
    Consider what happens when a ransomware infection occurs. Obviously, every ransomware variant is different, but let’s examine the anatomy of a ransomware infection in general terms. When a ransomware infection is unleashed, the first thing the infection usually does is begin looking for data to encrypt. In doing so, the ransomware may attack an organization’s file storage, databases, cloud storage or any number of data repositories (depending on what the ransomware is designed to do).
    Next, the ransomware begins to encrypt the data it has identified. At this point, the organization might notice big spikes in disk activity and some corresponding network traffic spikes. Some users may discover that they are unable to access some of their data. However, the ransomware infection might still be undetected at this point.
    Based on my own experiences, ransomware does not usually display a message demanding a ransom until after all of the target data has been encrypted. This is presumably because the ransomware author does not want the attack to be stopped before the ransomware has the opportunity to do as much damage as possible. Because of this, a ransomware attack can go on for a considerable amount of time before a ransom demand is ever made.
    There are some telltale signs that a ransomware attack is in progress, with some of the best indicators coming from your backup. This is especially true if you are using a continuous data protection (CDP) backup solution.
    Some backup products on the market are designed to actively scan for ransomware. If you are lucky enough to be using a backup solution that includes native ransomware protection, it should be able to alert you to the attack. But for the sake of this discussion, let’s assume your organization is using a run-of-the-mill CDP solution without ransomware-prevention features. What would be the signs that a ransomware attack is occurring?
    To keep things simple, let’s pretend that ransomware attacks a network file server, and the file server’s data is being protected by a CDP-based backup solution. For this example, let’s also assume that the ransomware is not directly attacking the backups.
    As I previously noted, ransomware will generally wait until the encryption process completes before displaying a ransom demand. In the case of a file server that contains a lot of files, this could take a while.
    The backup software will treat the encryption process as file modifications. Remember, the backup software cannot differentiate between files that are being maliciously encrypted and any other type of benign write operation. The backup software only knows that files have been modified and therefore need to be backed up.
    CDP backup solutions generally take an “incremental forever” approach to backups, meaning they only back up data that has been newly created or modified since the most recent backup cycle. Since recovery points are usually created every few minutes, backups tend to be small. When a ransomware infection occurs, however, large numbers of files are modified in a relatively short span of time. This means you may see a major spike in the volume of data being backed up. It’s even possible that your backup solution can’t keep up with all of the data modifications.
    Therefore, the No. 1 sign of a ransomware attack (from a backup perspective) is a major and otherwise unexplainable spike in activity.
    But this isn’t the only sign that a ransomware attack may be in progress. Another is backup target storage being consumed far more rapidly than normal. There are two reasons why this happens. The first is that CDP backups generally protect data at the storage block level. Normally, when a file is modified (through normal processes, not ransomware), only a handful of storage blocks are actually changed. The backup software only has to back up the changed blocks. However, in the case of a ransomware infection, there is a good chance that all of a file’s blocks are going to be modified, meaning a large number of blocks have to be backed up and stored.
    The second reason ransomware causes backup target storage to be quickly consumed is that ransomware-related encryption tends to break deduplication. Files that previously contained a lot of similar storage blocks and could therefore be deduplicated might have almost nothing in common with one another after being altered by ransomware. If that happens, far more storage will be required in order to accommodate the data.
    Incidentally, if you are using data deduplication on your file server, a ransomware attack may undermine deduplication there, as well, causing the amount of space required to accommodate the data to drastically increase.
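
The three signs described above (a spike in backed-up volume, whole files' worth of changed blocks, and a collapse in deduplication) can be checked for each recovery point. This is an added example, not code from the original article or from any backup product; the record fields, sample values and thresholds are constructed assumptions, since real CDP products expose these metrics under their own names.

```python
from statistics import median

# Constructed sample: one record per CDP recovery point (5-minute cycle).
# Fields: (label, bytes backed up, mean fraction of each file's blocks changed,
#          dedup ratio achieved on the new data). All values are made up.
SAMPLE_POINTS = [
    ("09:00", 120e6, 0.04, 3.1), ("09:05", 95e6, 0.05, 3.0),
    ("09:10", 140e6, 0.03, 3.2), ("09:15", 110e6, 0.06, 2.9),
    ("09:20", 130e6, 0.04, 3.1), ("09:25", 105e6, 0.05, 3.0),
    ("09:30", 900e6, 0.07, 2.8),   # busy cycle: many files edited, few blocks each
    ("09:35", 4.2e9, 0.97, 1.05),  # mass rewrite of whole files
    ("09:40", 5.1e9, 0.99, 1.02),
]

def robust_z(value, history):
    """Distance from the median in MAD units; resists earlier outliers."""
    med = median(history)
    mad = median(abs(h - med) for h in history) or 1.0
    return (value - med) / (1.4826 * mad)

def score_points(points, window=6, z_limit=6.0, block_limit=0.8, dedup_drop=0.5):
    """Return [(label, [signals])] for points showing the article's signs."""
    alerts = []
    for i in range(window, len(points)):
        label, size, block_frac, dedup = points[i]
        past = points[i - window:i]          # rolling baseline of recent cycles
        signals = []
        if robust_z(size, [p[1] for p in past]) > z_limit:
            signals.append("volume_spike")          # far more data than usual
        if block_frac > block_limit:
            signals.append("whole_file_rewrite")    # nearly every block changed
        if dedup < dedup_drop * median(p[3] for p in past):
            signals.append("dedup_collapse")        # new data no longer deduplicates
        if signals:
            alerts.append((label, signals))
    return alerts

def high_confidence(alerts, min_signals=2):
    """Recovery points where several independent signs agree."""
    return [label for label, sig in alerts if len(sig) >= min_signals]

if __name__ == "__main__":
    for label, sig in score_points(SAMPLE_POINTS):
        print(label, ", ".join(sig))
```

Requiring two or more signals to agree keeps a busy but benign cycle (09:30 in the sample) from raising a high-confidence alert while still flagging the mass rewrite at 09:35 and 09:40.
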
    About the Author
    Brien Posey is a 20-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country’s largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric
