Research showing the exponential rate at which a single ransomware program can infect and encrypt hundreds and even thousands of files in just a matter of minutes has highlighted the need for immediate system attack detection and response according to ransomware and data protection, provider, ProLion.
Research by data monitoring and analytics software developer Splunk found that ten major ransomware strains were able to encrypt 100,000 files in time periods ranging from within four minutes to three and a half hours. The median ransomware variant encrypted nearly 100,000 files totalling 53.93GB in forty-two minutes and fifty-two seconds.
“When responding to ransomware, time is of the essence,” said Steve Arlin, VP of Sales for the UK, Americas and APAC at ProLion, the provider of active ransomware and data protection solutions.
“We often see this with our customers – for example, in Q1 of this year, a client of ours in Germany suffered a ransomware attack in the early hours of a Sunday morning. Our CryptoSpike solution took less than ten seconds to detect and stop the attack: the attackers only had time to encrypt less than 100 files before CryptoSpike successfully removed their access. It only took our client’s storage administrator a few mouse clicks to fully restore all the files damaged in the attempted attack.”
The source of the ransomware attack was an infected user profile, which CryptoSpike automatically traced and immediately quarantined. The targeted company was already following recommended best practice of using only locally stored user accounts for its staff versus network-based domain user accounts. As a result, the attackers were unable to restore access to the files they initially reached and encrypted in their attack.
Steve continued, “The timing of the incident in the early hours of a Sunday morning demonstrates how cybercriminals can launch an attack from anywhere in the world, at any time – day or night, during the week or at weekends. Every organisation that takes the threat of ransomware seriously must therefore have intelligent, automated, always-on ransomware counter measures in place.”
The attackers used an unknown new file suffix for the encrypted files, which CryptoSpike immediately added to its global blocklist of new and existing filename extensions as a measure to help prevent future attacks that follow the same pattern from taking place.
“Once an attacker gains entry, ransomware can spread at an astonishing rate: a single ransomware program can infect and encrypt hundreds and even thousands of files in a matter of minutes,” Steve explained. “When the attack ends, each infected file needs to be carefully restored using the most recent back-up, which is a costly, resource- and time-consuming process.”
“The expense and significant disruption along with the reputational damage caused by a ransomware attack makes it more essential than ever for organisations to continually monitor for the tell-tale signs in order to identify as early as possible the start of an infection and then shut it down,” he concluded.
CryptoSpike is ProLion’s best-in-class security and data governance solution for the data centre that eliminates system downtime and data loss risks within ONTAP environments. Today it provides data insights for 450+ customers across retail, finance, telecoms, healthcare and manufacturing.
Read the latest edition of PCR’s monthly magazine here: