Posey's Tips & Tricks
The Ransomware Warning System in Your Backup Server
Backups aren't just the last line of defense against ransomware. If you know the signs, your backups can also help you stop a ransomware attack that is currently in progress.
One of the biggest things keeping IT pros awake at night is the ever-present threat of ransomware.
It's often said that backups are the last line of defense against ransomware, but your backup system can also help alert you to a ransomware infection that is currently in progress -- if you know the subtle signs to look for.
Consider what happens when a ransomware infection occurs. Obviously, every ransomware variant is different, but let's examine the anatomy of a ransomware infection in general terms. When a ransomware infection is unleashed, the first thing the infection usually does is begin looking for data to encrypt. In doing so, the ransomware may attack an organization's file storage, databases, cloud storage or any number of data repositories (depending on what the ransomware is designed to do).
Next, the ransomware begins to encrypt the data it has identified. At this point, the organization might notice big spikes in disk activity and some corresponding network traffic spikes. Some users may discover that they are unable to access some of their data. However, the ransomware infection might still be undetected at this point.
Based on my own experiences, ransomware does not usually display a message demanding a ransom until after all of the target data has been encrypted. This is presumably because the ransomware author does not want the attack to be stopped before the ransomware has the opportunity to do as much damage as possible. Because of this, a ransomware attack can go on for a considerable amount of time before a ransom demand is ever made.
There are some telltale signs that a ransomware attack is in progress, with some of the best indicators coming from your backup. This is especially true if you are using a continuous data protection (CDP) backup solution.
Some backup products on the market are designed to actively scan for ransomware. If you are lucky enough to be using a backup solution that includes native ransomware protection, it should be able to alert you to the attack. But for the sake of this discussion, let's assume your organization is using a run-of-the-mill CDP solution without ransomware-prevention features. What would be the signs that a ransomware attack is occurring?
To keep things simple, let's pretend that ransomware attacks a network file server, and the file server's data is being protected by a CDP-based backup solution. For this example, let's also assume that the ransomware is not directly attacking the backups.
As I previously noted, ransomware will generally wait until the encryption process completes before displaying a ransom demand. In the case of a file server that contains a lot of files, this could take a while.
The backup software will treat the encryption process as file modifications. Remember, the backup software cannot differentiate between files that are being maliciously encrypted and any other type of benign write operation. The backup software only knows that files have been modified and therefore need to be backed up.
CDP backup solutions generally take an "incremental forever" approach to backups, meaning they only back up data that has been newly created or modified since the most recent backup cycle. Since recovery points are usually created every few minutes, backups tend to be small. When a ransomware infection occurs, however, large numbers of files are modified in a relatively short span of time. This means you may see a major spike in the volume of data being backed up. It's even possible that your backup solution can't keep up with all of the data modifications.
Therefore, the No. 1 sign of a ransomware attack (from a backup perspective) is a major and otherwise unexplainable spike in activity.
But this isn't the only sign that a ransomware attack may be in progress. Another is backup target storage being consumed far more rapidly than normal. There are two reasons why this happens. The first is that CDP backups generally protect data at the storage block level. Normally, when a file is modified (through normal processes, not ransomware), only a handful of storage blocks are actually changed. The backup software only has to back up the changed blocks. However, in the case of a ransomware infection, there is a good chance that all of a file's blocks are going to be modified, meaning a large number of blocks have to be backed up and stored.
The second reason ransomware causes backup target storage to be quickly consumed is that ransomware-related encryption tends to break deduplication. Files that previously contained a lot of similar storage blocks and could therefore be deduplicated might have almost nothing in common with one another after being altered by ransomware. If that happens, far more storage will be required in order to accommodate the data.
Incidentally, if you are using data deduplication on your file server, a ransomware attack may undermine deduplication there, as well, causing the amount of space required to accommodate the data to drastically increase.
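The three backup-side signals above (a spike in backed-up volume, whole-file rewrites instead of a handful of changed blocks, and deduplication no longer finding anything to share) can be turned into a simple check. The example below is added here and is not from the column or any backup product; it assumes the backup software can export, per recovery point, the number of modified files, changed blocks and blocks actually stored after deduplication, and the log format and thresholds are constructed for the illustration.

```python
from statistics import median
# Constructed CDP recovery-point log (sample data, not from any real backup product).
# Fields per line: timestamp, files_modified, changed_blocks, unique_blocks_stored;
# unique_blocks_stored / changed_blocks approaches 1.0 when dedup finds nothing to share.
SAMPLE_LOG = """\
2024-01-08T09:00,40,220,70
2024-01-08T09:05,35,190,60
2024-01-08T09:10,52,300,95
2024-01-08T09:15,38,210,65
2024-01-08T09:20,45,260,80
2024-01-08T09:25,41,230,75
2024-01-08T09:30,600,9000,2100
2024-01-08T09:35,1200,48000,47200
2024-01-08T09:40,1100,45000,44500
"""
BASELINE_WINDOW = 6       # previous recovery points that define "normal"
VOLUME_MULTIPLIER = 10    # changed blocks this cycle vs. baseline median
BLOCKS_PER_FILE_MULT = 5  # blocks changed per modified file vs. baseline median
DEDUP_LOSS = 0.9          # stored/changed above this means dedup no longer helps

def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, files, changed, stored = line.split(",")
        records.append({"ts": ts, "files": int(files),
                        "changed": int(changed), "stored": int(stored)})
    return records

def detect_encryption_bursts(records, window=BASELINE_WINDOW):
    """Return (timestamp, reasons) for recovery points that look like mass encryption."""
    alerts = []
    for i in range(window, len(records)):
        base, cur = records[i - window:i], records[i]
        base_changed = median(r["changed"] for r in base)
        base_bpf = median(r["changed"] / max(r["files"], 1) for r in base)
        reasons = []
        if cur["changed"] > VOLUME_MULTIPLIER * base_changed:
            reasons.append("backup volume spike")
        if cur["changed"] / max(cur["files"], 1) > BLOCKS_PER_FILE_MULT * base_bpf:
            reasons.append("whole-file rewrites")
        if cur["changed"] and cur["stored"] / cur["changed"] > DEDUP_LOSS:
            reasons.append("dedup collapse")
        # A volume spike alone can be a legitimate bulk job (the 09:30 line);
        # alert only when a second signal corroborates it.
        if "backup volume spike" in reasons and len(reasons) >= 2:
            alerts.append((cur["ts"], reasons))
    return alerts
```

In the sample data the 09:30 point is a large but well-deduplicated batch of changes and is left alone, while the two later points trip all three signals.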
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.