Combating small ransomware attacks  

Ransomware attacks are so destructive that it’s easy to assume that all of them are large-scale in nature. However, this isn’t always the case, and ransomware gangs can do incredible amounts of damage with relatively small amounts of data. For example, an analysis carried out by Zerto of 116 globally diverse ransomware attacks spanning 43 different ransomware variants uncovered a median dataset size of just 183.5 GB.

When considered alongside a study carried out by Splunk, which says the average ransomware can encrypt a gigabyte of data in 47.7 seconds, the typical encryption detonation process for 183.5 GB of data would take nearly two and a half hours: That’s not very long at all.

But why is this important? The major problem this kind of scenario creates is that a typical nightly backup process is just too slow, and waiting for it to run would mean the ransomware would easily have time to encrypt the entire dataset between 12 and 24 hours before backup could be used to help. Any organization finding itself in this situation would be compromised before it even had the chance to react, underlining one of the main reasons why ransomware has become such a successful cybercrime strategy.

The headline numbers continue to paint an alarming picture, with one report estimating that ransomware payments hit a record high of $1.1 billion in 2023 in a “major escalation in the frequency, scope and volume of attacks.” This activity has been driven by a variety of factors, including attacks that use zero-day vulnerabilities and the proliferation of the Ransomware-as-a-Service ‘business model’.

Real-time threat detection

So, where does that leave organizations that find themselves in the ransomware crosshairs? It’s very important to understand that they are far from helpless, particularly because resilience and recovery tools have been improving across the board to help put potential victims of ransomware on the front foot. While there are many solutions out there that can significantly improve detection and mitigation performance, it’s also clear that many attacks are still succeeding despite the best efforts of software vendors and security teams.

This means that recovery solutions remain a critical component of any ransomware-focused security and data protection strategy. The challenge here, however, is that organizations can struggle to identify which datasets to restore, which of their recovery points are likely to have remained unencrypted and which have not.

Unfortunately, the potential recovery issues don't end there. For example, legacy approaches to identifying clean recovery points aren’t agile enough to cope with the sheer pace of change in the threat ecosystem. This is because many work by scanning backup data, which is already hours old and, in the context of modern ransomware attacks, is already out of date (notwithstanding the amount of extra time the scanning process takes). In other situations, organizations are tied to specific bolt-on or third-party tools provided by their security vendor, which can result in similar problems.

Ideally, ransomware detection should occur at the same time data is written in order to close the blind spot that many current recovery strategies suffer from. By doing so, organizations can implement real-time encryption detection that continuously monitors their environment for any indicators of a developing attack.

Instead of reacting to a ransomware incident that is already causing significant disruption, security teams can act on alerts that appear almost instantaneously as anomalous activity occurs. This changes the entire basis on which mitigation and recovery strategies can operate, not least because the process of defeating an attack can start much sooner compared to a reliance on backups.

This process can be further enhanced by the use of real-time threat analysis and behavioral analysis techniques that help automate the detection of ransomware at the earliest stages of detonation. The net result is that organizations are able to focus on immediate incident investigation and response so they can focus on a Recovery Point Objective that is a matter of seconds before the attack was initiated. As such, a real-time approach also minimizes data loss and helps ensure that the operational disruption that is synonymous with ransomware can be avoided.

These capabilities are particularly important when dealing with the relatively small amounts of data that are encrypted in many of today’s ransomware attacks. This can play a major role in giving organizations and their security teams the confidence to operate without serious interruption in today’s challenging digital environment.

Image credit: AndreyPopov/depositphotos.com

Kevin Cole is director, product and technical marketing, data protection at Zerto, a Hewlett Packard Enterprise company