There are many products on the market today that are focused on preventing a ransomware attack: firewalls to stop viruses from entering, scans that detect unusual activity and signatures of common malware, and more. These pre-attack products are critical in supporting a cyber resiliency strategy; however, what happens when these solutions fail and an attack is successful? How does an organization detect, diagnose and recover quickly?
This is where CyberSense fits into the tech stack. CyberSense is a software option available with Dell PowerProtect Cyber Recovery. CyberSense is a post-attack product that is focused on data resiliency and does not replace the ransomware prevention approaches of the pre-attack products. Rather, it is a last line of defense that helps determine what data has been corrupted, and what backups are good in order to facilitate a clean and rapid recovery when prevention fails. This is especially important as new, more sophisticated variants are deployed.
A new variant, BianLian, appeared on VirusTotal in August 2022. This new variant utilizes the Google Go programming language for portability across OS platforms, so the ransomware authors only need to write the ransomware once and can then run it on Windows, Linux, Solaris, etc. allowing them to get to market quickly across a range of targets. The BianLian variant encrypts inside a file and adds a new file extension. For encryption, the malware divides the file content into small chunks is a method to evade detection by Anti-Virus products. Read more here.
What BianLian shows us is that the community of bad actors are getting smarter, using advanced technology and outsmarting existing and traditional security tools. There are several approaches that are becoming less effective against these new variants.
Many data protection vendors have added signature-based scanning tools to their backups to find known malware. Signature-based scanning has some value with backup data during restoration, such as scanning for known malware with a known signature to avoid restore the malware after an attack. The question to ask here is if the malware was not detected using the current signature watchlist in production, then why do you think you will have any success in scanning your backups with these same signatures?
New variants, including BianLian, are being designed to evade signature-based approaches. A simple change in the encryption algorithm will change the signature of any variant. This is why signatures must be updated on a continual basis, a never-ending and less successful battle.
Metadata Analysis and Data Thresholds
The use of concepts such as metadata analysis and data thresholds have also become commonplace for backup software vendors, but they can be easily outsmarted by bad actors using more advanced approaches. Examples of metadata analysis includes scanning for extensions known to be used when data is corrupted. In the case of BianLian this will be a new extension that may not be known by the scanner and will be passed over. These scanners will need to be frequently updated to support the latest variants, which are continually changing to evade this simple approach.
In addition to metadata, the use of threshold analysis can be performed to determine if the number of files created or modified daily is outside the norm. If so, this will trigger an alert.
In addition, file entropy, looks to see if the modified files show increases in entropy which would represent possible encryption. BianLian is taking a more stealth approach to circumvent this approach. BianLian is performing intermittent encryption, not full file encryption, inside the file to avoid detection. This is purposely done to evade these lightweight analysis tools that are looking for obvious thresholds or changes in metadata properties or entire file encryption.
The CyberSense Approach
CyberSense takes a fundamentally different approach to detecting corruption due to ransomware that is not easily circumvented by bad actors who are deploying more advanced techniques. Without any updates, CyberSense detected the BianLian variant when it appeared on the VirusTotal website.
CyberSense looks for unusual patterns of behavior based on analysis of file and database content. This includes metadata properties which are a limited set of statistics that are available, something other vendors have implemented, however, CyberSense goes deeper and looks at hundreds of content statistics across the entire set of files and databases contained in each backup, which no other vendor is performing.
With the volumes of advanced metadata and content analytics, fed to machine learning that has been trained on all the common approaches that are utilized to corrupt data, a new and advanced variant such as BianLian is easily detected. Others need to update their software to detect new variants. CyberSense is designed to be smarter and more advanced so that with no updates to the analytics or machine learning is needed to detect a new variant like BianLian.
Relying on techniques that constantly need to be updated and modified to support new variants is a thing of the past. Content based analysis of files and databases combined with advanced machine learning is the only way forward to deliver confidence that data is protected from the most sophisticated cyberthreats.