August 17, 2021

The “Power of Two” for Combating Ransomware

By John Maxwell

When it comes to ransomware, the news headlines are inescapable. There are daily reports of organizations being held hostage for exorbitant sums of money. According to a recent Gartner report “By 2025, at least 75% of IT organizations will face one or more attacks, as free-rein researchers document a dramatic increase in ransomware attacks during 2020, pointing to sevenfold or higher rates of growth.”

Additionally, the Verizon 2021 Data Breach Investigations Report shows that servers are the #1 asset under attack. Given that servers (or virtual machines running Windows Server) are where the majority of business-critical applications run, a ransomware attack on them can effectively paralyze an organization.

Managed service providers (MSPs) are challenged with finding a comprehensive approach to protecting their clients from ransomware attacks. From 24/7 real-time monitoring to mitigation and recovery, the burden rests with the MSP.

Datto is solely focused on providing MSPs with best-in-class solutions, which is why the combination of Datto RMM, with its real-time ransomware detection and mitigation, and Datto BCDR recovery delivers the “Power of Two” for combating ransomware. This combination addresses four steps to successfully combat this ever-present cyber threat.

  1. Alert
  2. Isolate
  3. Mitigate
  4. Recover

While there is no foolproof way to prevent a ransomware attack, you can reduce the impact and quickly recover. With that in mind, let’s discuss the four steps to address a ransomware attack and recover from it.

Step 1: Alert

Ransomware attacks can go undetected unless you have a sentinel on watch 24/7. By the time an end-user reports something suspicious such as files being inaccessible or a pop-up with a ransomware note, it is too late.

What do you look for? Generally, real-time ransomware monitoring and detection solutions look for crypto-ransomware by applying behavioral analysis to file activity and then send an alert when a device is infected. File analysis includes looking for everything from known ransomware file extensions like .crypt, to an increase in the frequency of file renames and deletions, to rising file entropy (encrypted content looks random, unlike documents), and many other modification events. But it doesn’t stop there: to ensure a server isn’t being attacked and infected with ransomware, the launch of new processes within Windows should also be monitored, including processes that start at boot.

Additionally, an increase in network traffic or unusual system-to-system connections can signify that a ransomware attack is active or about to begin. One way attackers exploit Windows systems is to target single sign-on (SSO). When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), Active Directory (AD), or elsewhere. When an administrator logs into a Windows Server, a hash of their credentials is left behind on that system. Attackers capture the password hash and use it to authenticate to other systems on the network without ever knowing the password itself. This technique is referred to as pass-the-hash (PtH).
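To make the file-behavior signals above concrete, here is an added example of the kind of heuristics a detector applies to a stream of file events: known ransomware extensions on rename, a burst of renames and deletes by one process inside a sliding time window, and high Shannon entropy in written data. This is illustrative code written for this article, not Datto RMM’s detection engine; the thresholds, the extension list, the event dictionary format, and the sample telemetry (including the process name `unknown.exe`) are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict, deque

# Thresholds and extension list are constructed for this example; a real
# product tunes them from fleet-wide telemetry rather than fixed constants.
SUSPICIOUS_EXTENSIONS = {".crypt", ".locked", ".encrypted"}
ENTROPY_THRESHOLD = 7.2          # bits per byte; encrypted output approaches 8.0
BURST_WINDOW_SECONDS = 10.0      # sliding window for counting renames/deletes
BURST_THRESHOLD = 20             # renames + deletes by one process inside the window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_extension(path: str) -> str:
    """Lower-cased final extension of a path, or "" when the file name has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


class RansomwareHeuristics:
    """Stateful per-process analysis of file events (write / rename / delete)."""

    def __init__(self):
        # process name -> timestamps of its recent rename/delete events
        self._recent = defaultdict(deque)

    def observe(self, event: dict) -> list:
        """Return a list of (alert_kind, process, path) tuples for one event.

        Assumed event keys: ts (seconds), process, op in {"write", "rename", "delete"},
        path (the target path for renames) and data (bytes, for writes only).
        """
        alerts = []
        proc, op, path, ts = event["process"], event["op"], event["path"], event["ts"]

        if op == "write":
            ent = shannon_entropy(event.get("data", b""))
            if ent >= ENTROPY_THRESHOLD:
                alerts.append(("high-entropy-write", proc, path))

        if op in ("rename", "delete"):
            if op == "rename" and file_extension(path) in SUSPICIOUS_EXTENSIONS:
                alerts.append(("suspicious-extension", proc, path))
            window = self._recent[proc]
            window.append(ts)
            # drop timestamps that fell out of the sliding window
            while window and ts - window[0] > BURST_WINDOW_SECONDS:
                window.popleft()
            # fire once when the threshold is crossed, not on every later event
            if len(window) == BURST_THRESHOLD:
                alerts.append(("rename-burst", proc, path))
        return alerts


def scan(events: list) -> list:
    """Feed events through the heuristics in time order and collect all alerts."""
    detector = RansomwareHeuristics()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(detector.observe(ev))
    return alerts


def sample_events() -> list:
    """Constructed telemetry: a benign word processor and a process acting like a cryptor."""
    events = [
        {"ts": 0.0, "process": "winword.exe", "op": "write",
         "path": "C:/Users/alice/Documents/q3-report.docx",
         "data": b"Quarterly report: revenue grew in all regions. " * 40},
        {"ts": 1.0, "process": "winword.exe", "op": "rename",
         "path": "C:/Users/alice/Documents/q3-report-final.docx"},
    ]
    # a uniform byte distribution has exactly 8.0 bits/byte, mimicking ciphertext
    ciphertext_like = bytes(range(256)) * 8
    for i in range(25):
        t = 5.0 + i * 0.2
        events.append({"ts": t, "process": "unknown.exe", "op": "write",
                       "path": f"D:/Shares/finance/invoice-{i}.pdf", "data": ciphertext_like})
        events.append({"ts": t + 0.1, "process": "unknown.exe", "op": "rename",
                       "path": f"D:/Shares/finance/invoice-{i}.pdf.crypt"})
    return events


if __name__ == "__main__":
    for kind, proc, path in scan(sample_events()):
        print(f"{kind:22} {proc:12} {path}")
```

On the sample data the word processor produces no alerts, while the second process trips all three heuristics: every encrypted write is flagged for entropy, every rename to `.crypt` is flagged by extension, and the burst alert fires exactly once, when the twentieth rename lands inside the ten-second window. Firing the burst alert only at the crossing point is a deliberate choice: an alert per event would flood the console during the very activity the operator needs to act on.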

Datto’s RMM provides 24/7 monitoring of all endpoints, including Windows Servers. It looks for anomalies and immediately sends an alert when it finds possible ransomware activity. Since Datto RMM is collectively monitoring all computers, it can quickly become aware of ransomware attacks.

Step 2: Isolate

As soon as a ransomware attack is detected, it’s essential to isolate the affected server to contain the attack before it spreads. PtH attacks quickly spread from one device to another on the network and often occur outside standard business hours, faster than on-call technicians and NOCs can respond.

Datto RMM ransomware detection will isolate devices infected with ransomware and ensure it cannot spread to other network devices, while retaining remote control access to the impacted devices via the RMM console. This step is important for supporting DFIR (Digital Forensics and Incident Response) activities, giving engineers and SOC teams more time to collect evidence and carry out the next steps in your mitigation and recovery efforts.

(Image: Cloud-based interface for Datto RMM to isolate an infected device)
