A couple of weeks ago, I was one of the delegates at Storage Field Day 25 in San Francisco, CA. We started the event with a session from CyberSense. I assumed this would be a nice easy, kickback session to start the event with. Boy was I wrong; their session really showed me how horrible ransomware attackers can be to victim companies.
Don’t get me wrong; I understand how ransomware works and what we need to do to prevent it, but the insidious methods that ransomware can take, especially when performing a targeted attack against a company that their solution scans for, just take everything to the next level. In a nutshell, the CyberSense product mounts a snapshot taken by your storage array and then scans through that snapshot, looking for either ransomware that is waiting to execute or files that have already been encrypted with ransomware.
The people that write ransomware are pretty horrible (we all know this), but they have found various ways to avoid detection. This includes things like, instead of encrypting all the files as fast as possible, they use an approach where they slowly encrypt all the files so that by the time you notice the problem, a large portion of the files of encrypted, and this will hopefully allow the ransomware to run without being detected by any of your traditional scanning tools. Another approach ransomware attackers have found is to encrypt the files without changing the file size. This way, the files are rendered useless, all while avoiding any detection, which is looking for all the files (or a portion of the files at the company) all getting bigger at once.
Another technique that ransomware attackers will use against SQL Server databases is instead of just encrypting the entire database file (which, given the size of the database files, could take quite a while), they will instead detect that they are database files, and the ransomware will encrypt just the data within the data page, leaving the header of the data page intact that the SQL Server can read the page as normal. Granted, SQL won’t be able to read the value of the page, but depending on which pages were encrypted, it may not take many of them to be encrypted and render the database useless to the company unless the ransom is paid.
The CyberSense product presented to us can detect all of these attack vectors and many others as well. Seeing all the things that it can find and the fact that they often find infected files when doing evals at companies that the company didn’t know were infected made for a VERY frightening presentation.