Comprehensive data protection for all workloads
Post Reply
Blue407
Enthusiast
Posts: 99
Liked: 13 times
Joined: Apr 12, 2016 2:14 pm
Full Name: Paul Thomas
Contact:

Ransomeware detection idea

Post by Blue407 »

Morning All

I've been giving some thought to Ransomware of late, I feel in large enterprises, its only a matter of time before you get an infected PC and probably some network data.

Thinking about network shares, from what I inderstand, Ransomware will encrypt every single file it can access.
With regular backups every 2 hours, you would suddenly see a massive jump in the amout of data changed, could we set an alert for this?

I know it wouldn't stop infection, but it may help to know about it faster?
b.vanhaastrecht
Service Provider
Posts: 833
Liked: 154 times
Joined: Aug 26, 2013 7:46 am
Full Name: Bastiaan van Haastrecht
Location: The Netherlands
Contact:

Re: Ransomeware detection idea

Post by b.vanhaastrecht » 2 people like this post

I think an better place would be to monitor your file servers for "files open". As this amount would increase very rapidly when an encryptor hits an share. You could even write an session blockage if an set threshold is reached.

Also, file screening can help you in the prevention of randsomware: http://olivermarshall.net/using-file-sc ... ptolocker/
======================================================
Veeam ProPartner, Service Provider and a proud Veeam Legend
veremin
Product Manager
Posts: 20271
Liked: 2252 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Ransomeware detection idea

Post by veremin »

For now there is an alarm in Veeam ONE called "Possible ransomware activity" that gets triggered whenever there is abnormal increase in both CPU usage and datastore write rate. Might be a good place to start with. Thanks.
Delo123
Veteran
Posts: 361
Liked: 109 times
Joined: Dec 28, 2012 5:20 pm
Full Name: Guido Meijers
Contact:

Re: Ransomeware detection idea

Post by Delo123 »

the ransomware detected in veem ONE seems to be triggered (only?) by heavy write activity. We get alarms when saving bigger Excel files, doing Database backups, replay logs etc... After a while our guys tend to "ignore" these, for us we went with file screening on the fileservers and whitelisting all applications on the terminal servers together with av from Cylance. So far so good
Post Reply

Who is online

Users browsing this forum: Baidu [Spider], Semrush [Bot] and 175 guests