Following the recent ransomware attacks that used the WannaCrypt0r (WannaCry) malware, spread with the leaked, NSA-developed EternalBlue exploit for the SMBv1 vulnerability that Microsoft had patched in MS17-010, there was plenty of advice that backup, backup, backup was the best mitigation. Data backups are, of course, an important part of any business continuity strategy. However, what happens when your backups are also encrypted by ransomware? There are variants in the wild that target shared network drives, and variants that encrypt the folders watched by a cloud backup desktop sync client so that the encrypted copies are dutifully synced up to the cloud as well. There are variants that do not declare themselves and post their ransom demand until they have been quietly encrypting backups in the background for a few weeks, making recovery without coughing up even harder. All of this suggests that maybe a new backup strategy is required.
A relevant press release arrived from Acronis today regarding its business-oriented Acronis Backup software, the latest version of which (12.5) now includes 'Acronis Active Protection' amongst other things. This is something I've been using here for a while, but as a feature of the Acronis True Image 'New Generation' product. The New Generation premium version that includes it (along with 1TB of online storage for one PC and unlimited mobile devices) doesn't come cheap at $99 per year: costly in comparison to the likes of CrashPlan, and positively exorbitant if measured against the free Macrium Reflect backup software. Nor is it exactly lightweight, requiring half a gigabyte of disk space to install. During installation you have to accept the EULA which, in effect, says that Acronis isn't responsible for any data loss. That doesn't exactly fill you with confidence, although 'because lawyers' applies, I guess.
So what does this Active Protection bring to the backup party? As far as I can tell, it is a behavioural monitor rather than a signature scanner: a heuristics engine watches file activity on the machine, all files, all of the time, and it sits in the system tray, from where it can be configured. What it's looking for is a process making unauthorised attempts to encrypt data, excluding any processes you have told it to ignore. If it spots something, a prompt pops up showing the name of the encrypting process and the files that have been hit, and you can either 'block' or 'trust' that process. If you choose block, any files the malware had already encrypted before it was caught are restored.
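To make the behavioural idea concrete, here is an added toy model of the approach described above. It is not Acronis's code (the vendor's engine is not public) and every detail is an assumption for the illustration: the Shannon-entropy threshold, the "three distinct files" trigger, the process names, the paths and the file contents are all constructed. It watches file-write events, scores the bytes being written, keeps a pre-write shadow copy, raises an alert once one untrusted process has overwritten several files with ciphertext-like data, and rolls the files back when the user picks 'block'.

```python
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WriteEvent:
    process: str   # image name of the process doing the write
    path: str      # file being overwritten
    data: bytes    # bytes about to hit the disk


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0). Documents and text sit around
    4 to 5; ciphertext and well-compressed output approach 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class ActiveProtectionHeuristic:
    """Toy behavioural monitor: alerts once an untrusted process has written
    high-entropy data over min_files distinct files, and keeps a shadow copy
    of each file taken before its first suspicious write so it can be restored."""

    def __init__(self, trusted=(), entropy_threshold=7.5, min_files=3):
        self.trusted = set(trusted)            # processes allowed to encrypt
        self.blocked = set()                   # processes the user blocked
        self.entropy_threshold = entropy_threshold  # assumed cut-off
        self.min_files = min_files             # assumed trigger count
        self.suspect_files = defaultdict(set)  # process -> high-entropy paths
        self.shadow = {}                       # path -> bytes before the write

    def observe(self, ev: WriteEvent, on_disk: bytes) -> str:
        """Judge one write. Returns 'blocked', 'trusted', 'allow' or 'alert'."""
        if ev.process in self.blocked:
            return "blocked"
        if ev.process in self.trusted:
            return "trusted"
        if not any(ev.path in s for s in self.suspect_files.values()):
            self.shadow[ev.path] = on_disk     # last known-good content
        if shannon_entropy(ev.data) < self.entropy_threshold:
            return "allow"
        self.suspect_files[ev.process].add(ev.path)
        if len(self.suspect_files[ev.process]) >= self.min_files:
            return "alert"
        return "allow"  # one or two high-entropy writes could be a legit zip

    def block(self, process: str) -> dict:
        """User chose 'block': refuse future writes, hand back the originals."""
        self.blocked.add(process)
        return {p: self.shadow[p] for p in self.suspect_files.pop(process, set())}

    def trust(self, process: str) -> None:
        """User chose 'trust': forget the suspicion and stop prompting."""
        self.trusted.add(process)
        self.suspect_files.pop(process, None)


def pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode) so the
    constructed scenario gives the same entropy on every run."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


DOCS = "C:/Users/dave/Documents/"  # constructed paths for the scenario


def simulate() -> dict:
    """Constructed scenario: a word processor saving text, a trusted archiver
    writing compressed output, and an unknown process overwriting three
    documents with ciphertext. Returns the verdicts and the restore outcome."""
    disk = {
        DOCS + "q1.docx": b"Quarterly revenue report, first draft. " * 100,
        DOCS + "q2.docx": b"Quarterly revenue report, second draft. " * 100,
        DOCS + "q3.docx": b"Quarterly revenue report, third draft. " * 100,
        DOCS + "notes.txt": b"Call the bank on Monday.\n" * 50,
    }
    originals = dict(disk)
    guard = ActiveProtectionHeuristic(trusted={"7z.exe"})
    events = [
        WriteEvent("WINWORD.EXE", DOCS + "notes.txt", b"Call the bank on Tuesday.\n" * 50),
        WriteEvent("7z.exe", DOCS + "backup.7z", pseudo_ciphertext(b"archive")),
        WriteEvent("svchost32.exe", DOCS + "q1.docx", pseudo_ciphertext(b"k1")),
        WriteEvent("svchost32.exe", DOCS + "q2.docx", pseudo_ciphertext(b"k2")),
        WriteEvent("svchost32.exe", DOCS + "q3.docx", pseudo_ciphertext(b"k3")),
    ]
    verdicts = []
    for ev in events:
        verdict = guard.observe(ev, disk.get(ev.path, b""))
        verdicts.append((ev.process, verdict))
        if verdict in ("allow", "trusted"):
            disk[ev.path] = ev.data                # the write goes through
        elif verdict == "alert":                   # the user picks 'block'
            disk.update(guard.block(ev.process))   # roll back encrypted files
    # A further attempt by the blocked process is refused outright.
    post_block = guard.observe(
        WriteEvent("svchost32.exe", DOCS + "notes.txt", pseudo_ciphertext(b"k4")),
        disk[DOCS + "notes.txt"])
    docs = [DOCS + n for n in ("q1.docx", "q2.docx", "q3.docx")]
    return {
        "verdicts": verdicts,
        "restored_ok": all(disk[p] == originals[p] for p in docs),
        "notes_updated": disk[DOCS + "notes.txt"] == events[0].data,
        "post_block": post_block,
    }


if __name__ == "__main__":
    for process, verdict in simulate()["verdicts"]:
        print(f"{process:14s} {verdict}")
```

Two design points worth noting. The first two ciphertext writes are allowed, because a single high-entropy write is exactly what a user zipping a folder or saving a JPEG looks like; the alert only fires on the pattern of one process doing it to several files, which is why a shadow copy has to be taken before the damage is confirmed rather than after. And the 'trust' path is the weak spot of any prompt-driven design: a user who clicks trust on a process they do not recognise has whitelisted the ransomware, so the prompt needs to show the process name and the hit files prominently, as the real product does.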
I've tested this whole detection and restore process, and it does actually seem to work as intended. I'm not alone in putting it to the test: here in the UK an independent testing lab called MRG Effitas has published a report comparing how well various backup solutions protect endpoints from ransomware compromise. The report goes as far as to state that "the ability to protect the machine from being encrypted entirely and the prospect of restoring the PC and user files after the infection was the most important testing metric in this comparative assessment." The Acronis option with Active Protection was the only one, out of the eight market-leading products tested, that offered protection against all 10 ransomware strains thrown at them.
To be honest though, I'm not the greatest fan of the Acronis software UI, especially when it comes to the restore functionality rather than the backup. I find it somewhat tedious when I only want to restore a particular file or folder. That said, it's pretty easy to use when restoring the whole hard drive data shebang.
Obviously, not getting infected in the first place is the best mitigation against being held to ransom, and that means implementing a solid patch management plan (the fix that closed the hole EternalBlue used had been available for two months before WannaCrypt0r hit), having resilient endpoint protection and educating users against unsafe practices. Whatever backup software you use, keep at least one copy somewhere the endpoint cannot write to, offline or versioned, because a backup that a compromised machine can overwrite is a backup ransomware can encrypt. Yet, because it watches for encryption behaviour across the entire device rather than trying to recognise the attacking malware itself, Active Protection should hopefully stand up well to new ransomware variants as they are released into the wild. Only time will tell; I learned long ago not to underestimate the innovative ingenuity of coders in the criminal space. One thing's for sure though: we've all got to realise that just because you've backed something up doesn't mean it will automatically save the day should ransomware strike. To paraphrase the Daleks: mitigate, mitigate, mitigate...