Protection against ransomware takes flight with canary files

As ransomware attackers get smarter, it's important for data protection systems to step up their game. Canary files and infection detection are a good start.

There is a common thread in the way backup vendors advise customers to respond to ransomware: "Simply roll back to the moment in time before the infection occurred; you will be back in operation in seconds." The gap is in knowing the exact moment in time when the infection occurred.

Ransomware is now trying to extend the gap between infection and detection to maximize revenue. Rather than showing its hand immediately, a typical infection aims to stay around for a while, slowly wreaking havoc. One tool to use for protection against ransomware is a canary file that rapidly informs users if an attack has infiltrated the network.

The evolution of attacks and protection against ransomware

Early ransomware encrypted everything as fast as possible, trying to do as much damage as possible before anyone could react. Applications stopped working almost immediately, but the rapid attack made it relatively easy to detect the point of infection, usually an unpatched desktop.

Smart businesses taught their employees to respond by powering down their PCs to reduce the spread of the infection. Backup vendors and their customers became adept at responding to these infections. Many virtualization-aware backups have the ability to revert to a recent backup point. These virtual machine rollback restores are extremely fast and roll back entire VMs rather than restoring individual files. Many organizations can eradicate ransomware infections within a few minutes of detection. Quick detection and rollback eliminated the need to pay the ransom. Naturally, ransomware authors took notice and started to change the way their ransomware worked.

Attacks have become stealthier, and protection against ransomware is now more complicated. An attack might start by encrypting only the backup files it can find and then move to compressed files. The aim is to encrypt as much as possible, for as long as possible, before the program is detected. If it takes a while for a user to notice that valuable files are encrypted, it makes the decision to roll back harder. For example, if we roll complete VMs back an hour, we effectively lose all productivity during the rolled-back period. If we have to roll VMs back a week, then we have a much bigger problem. It may be necessary to identify every infected file and restore only those files. The discovery and selective restore process can be very slow and is often manual.

It may come down to a choice between losing a week's worth of work by rolling back or waiting most of a week for the right files to be restored. In such a scenario, it may be more attractive to pay the ransom than to lose a week's worth of work. The longer the ransomware can remain undetected in your environment, the higher the chance that you will pay the ransom.

Canary file option: Quick infection detection

One way to combat this delaying pattern is to detect infection as fast as possible. Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Canary files are like a canary in a coal mine: a sacrificial test to indicate a hazard. Canary files and files on canary shares are files that look desirable for ransomware to infect, but are not valuable to the business. The files and shares exist solely to give a quick indication of a ransomware infection.

At a basic level, the files and shares are mixed with live files and shares. Then the antimalware software watches the canary files. A small number of canary files is much easier to track than watching every file on every share in the entire organization. Normal users and processes will never touch the canary files. Any change to a canary file means a high chance of malware. A change to the file update timestamp, file size, file name or file checksum means the file has been tampered with.
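The four indicators listed above (update timestamp, size, name and checksum) map onto a baseline-and-compare check. The Python below is an added example, not code from the article or from any antimalware product; the decoy file names and the tampering performed in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record the attributes the article names: timestamp, size, checksum."""
    st = path.stat()
    return {"mtime_ns": st.st_mtime_ns, "size": st.st_size,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def build_baseline(canaries: list[Path]) -> dict:
    """Snapshot each canary keyed by full path, so a rename shows up as missing."""
    return {str(p): fingerprint(p) for p in canaries}


def check_canaries(baseline: dict) -> list[tuple[str, str]]:
    """Return (path, reason) for every canary that no longer matches its baseline."""
    alerts = []
    for name, expected in baseline.items():
        path = Path(name)
        if not path.is_file():
            alerts.append((name, "missing_or_renamed"))
            continue
        current = fingerprint(path)
        for field in ("size", "sha256", "mtime_ns"):
            if current[field] != expected[field]:
                alerts.append((name, f"{field}_changed"))
    return alerts


def demo() -> list[tuple[str, str]]:
    """Constructed sample: three decoy files, two of them tampered with."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    files = [root / n for n in ("payroll_2023.xlsx", "passwords.docx", "backup.zip")]
    for f in files:
        f.write_bytes(b"decoy content, no business value\n")
    baseline = build_baseline(files)
    # Constructed tampering: one file rewritten in place, one renamed.
    files[0].write_bytes(os.urandom(64))
    files[1].rename(root / "passwords.docx.locked")
    return check_canaries(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"ALERT {reason}: {path}")
```

This covers write-side tampering only; detecting reads of a canary requires file-access audit events from the operating system or file server rather than a periodic comparison.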

Because these files are never accessed by real users, any access, including reads, is a threat. Canary shares would even be triggered by a file scan action since users do not normally connect to them. As soon as there is suspicious access to the canary, the detection system can swing into active mode and start quarantining systems. With rapid detection, rolling back entire VMs to restore has far less impact.

A more sophisticated canary system would also make its own changes to the canary files. Just as ransomware developers were forced to become stealthier in their actions, they will now have to ramp up their awareness of canaries. A lot of files with the same file creation and last access date would be a red flag, so a canary system that looks more like real user access will be more effective. Some files should be updated periodically, new files should be created, and file access date stamps should differ across shares and files.

Having a set of canary files with very tightly controlled access patterns makes it much easier to detect anomalous behavior. And canary files are not limited to protection against ransomware, as they can be applied to other malware and intrusion detection.
