#1 Does this protection use backups or hidden files?
Naive ransomware protection uses backup or hidden files as core to their protection. The one relies on the attacker not deleting backups, to “roll back” the encryption. Guess what – the attackers automatically look for and delete or encrypt the backups. Hidden files are designed to “trap” the attacker. Guess what – the attackers just avoid the obvious traps, to encrypt your system. Ransomware Rewind does not use backups or caches, and leverages deep operating system behavioral detection, analysis, and novel response techniques to protect systems.
#2 What is the resource consumption of this protection?
Ever felt like your business operations had to compete with your security tools for memory or computing power? You aren’t alone. Machines that are already heavily worked for important business operations, without memory to spare, are also the machines targeted for extortion. Heavily loaded servers, usually due for a hardware and software upgrade, are usually heavily involved in ransomware attacks. Ransomware Rewind consumes minimal resources, and is readily deployed to over-taxed servers running many business applications. Typically, our software consumes less than 10 MB of RAM, and less than 1% of CPU.
#3 Does this protection automatically protect USB sticks or new servers?
No company has full visibility to every possible file source for ransomware attackers to encrypt or steal, especially not in real-time. Your protection needs to automatically find and protect resources which appear in your network, whether that is a local USB drive, a server share on your network, or a cloud resource. Have your vendor walk you through what would happen when ransomware infects a few employee laptops, then starts remotely encrypting a server that does not have the same protection on it. Ransomware Rewind continuously scans for new systems to automatically protect, and does so in a manner which is agnostic to the location and operating system of the remote device.
#4 Does this protection reliably defend against new ransomware which doesn’t have signatures yet?
One of the biggest challenges with ransomware is that you, the potential victim, cannot wait for detection programs to “catch up” to last month’s attacks. The attackers know they can stay one step ahead of traditional signature based detection, so always tweak their tools to evade detection. Asking if the detection is signature based, or behavior based, is a great place to start. From there, you can decide whether this is the right tool for your security program. It may be, just not for ransomware! Ransomware Rewind, for exactly the signature-evasion-detection challenge, is fully behavior driven.
#5 Does this protection prevent file loss, or does it start to work after I’ve lost a certain number of files?
This is a big of a rhetorical question, but would you rather have no file loss or downtime, or would you like your ransomware protection to start off after you’ve lost up to 20% of your files? The answer, of course, is no downtime, no lost revenue, and no file loss. This question directly relates to behavioral-based detection of ransomware activities. Ransomware Rewind performs behavior-based detection and response, but does so before files are encrypted. The shocking norm for behavior-based ransomware protection is for the products to watch you start losing enough files to raise the alarm. Make sure you ask if the ransomware analytics start before or after encryption starts. It should be an easy question to answer.
#6 What protections are in place, whether with this tool or others, to prevent corruption of files under attack while stopping the attack?
The manner in which ransomware is killed is really important. Ransomware normally will open as many files at once for encryption as it can handle, then start encrypting. A file that is halfway through being encrypted, but the encryption program suddenly stops, is a corrupt file. That file is now almost certainly unrecoverable, even after paying a ransom. That means that your ransomware protection is likely corrupting files after it starts protecting your files, if it detects the ransomware behavior. Ransomware Rewind takes special care to not corrupt files that are partially encrypted. In a typical scenario, our tool is actually fast enough now to not have any files encrypted at all, but safeguards are in place to ensure that files are not corrupted if encryption has begun. Make sure to ask your vendors what mechanisms are in place to prevent corrupt files. The answer should be easy. If it involves the word “backup” or “cache,” that means the vendor is relying on the attacker not deleting nor encrypting the backup. Keep digging deeper to get a better understanding of what they have.
#7 Is this protection fully automated without false positives, or does it require me to respond to the alerts during the 300 files-per-second-per-infection encryption?
Every second, for every infection, up to 300 files are being encrypted in a ransomware attack. It is normal to have dozens of infections fire at once, meaning thousands, tens of thousands, or even more files are being encrypted per second. Responding manually is not going to work well if you all are in the same building; imagine how much more impossible it would be when computers span multiple locations. Automated response MUST be key to any solution brought forward, to react quickly enough to matter. Remember that, a split second lack of automation in response, can equal weeks of lost revenue, or never getting the file back. Ransomware Rewind is designed, from the ground up, to provide decisive, authoritative, automated response at the speed of the attack. Ask your vendor about their false positives, and about what level of automation they include.