Tag Archives: Ransomware

GandCrab ransomware adds NSA tools for faster spreading

With version 4, GandCrab ransomware has undergone a major overhaul, adding an NSA exploit to help spread and targeting a larger set of systems.

The updated GandCrab ransomware was first discovered earlier this month, but researchers are just now learning the extent of the changes. The code structure of the GandCrab ransomware was completely rewritten. And, according to Kevin Beaumont, a security architect based in the U.K., the malware now uses the EternalBlue National Security Agency (NSA) exploit to target SMB vulnerabilities and spread faster.

“It no longer needs a C2 server (it can operate in airgapped environments, for example) and it now spreads via an SMB exploit – including on XP and Windows Server 2003 (along with modern operating systems),” Beaumont wrote in a blog post. “As far as I’m aware, this is the first ransomware true worm which spreads to XP and 2003 – you may remember much press coverage and speculation about WannaCry and XP, but the reality was the NSA SMB exploit (EternalBlue.exe) never worked against XP targets out of the box.”

Joie Salvio, senior threat researcher at Fortinet, based in Sunnyvale, Calif., found the GandCrab ransomware was being spread to targets via spam email and malicious WordPress sites and noted another major change to the code.

“The biggest change, however, is the switch from using RSA-2048 to the much faster Salsa20 stream cipher to encrypt data, which had also been used by the Petya ransomware in the past,” Salvio wrote in the analysis. “Furthermore, it has done away with connecting to its C2 server before it can encrypt its victims’ file, which means it is now able to encrypt users that are not connected to the Internet.”

However, the GandCrab ransomware appears to specifically target users in Russian-speaking regions. Fortinet found the malware checks the system for use of the Russian keyboard layout before it continues with the infection.

Despite the overhaul of the GandCrab ransomware and the expanded set of systems being targeted, Beaumont and Salvio both said basic cyber hygiene should be enough to protect users from attack. This includes installing the EternalBlue patch released by Microsoft, keeping antivirus up to date and disabling SMB version 1 altogether, advice that has been repeated by various outlets, including US-CERT, since the initial WannaCry attacks began.

Ransomware outbreak threat calls for backup and DR strategy

The ransomware outbreak threat may be subsiding somewhat, but IT managers continue to shore up their defenses. Backup and disaster recovery is a key area of emphasis.

For much of 2017, the WannaCry and NotPetya ransomware outbreaks dominated cybercrime headlines. A new report from antimalware vendor Malwarebytes said ransomware detections last year increased 90% among businesses. But by the end of 2017, the “development of new ransomware families grew stale,” as cybercriminals shifted their focus to other forms of malware, such as banker Trojans that steal financial information, according to the report, “Cybercrime Tactics and Techniques: 2017 State of Malware.”

That said, organizations are looking to bolster their ransomware outbreak protections. Front-end measures often include antivirus software, firewalls and content scanners that can intercept email attachments that appear questionable.

IT departments, however, are also looking to strengthen back-end protections that can help them recover from ransomware attacks that lock up data via encryption. Here, the emphasis is on disaster recovery strategies that let a business restore its data from a backup copy. But even here, there are risks: IT managers must ensure the backups they make are actually usable and consider how long a data restore will take in the event of an emergency.

Another level of security

The city of Milpitas, Calif., already has a number of security measures in place to defend itself from a ransomware outbreak. On the front end, the municipal government employs email filtering, spam filtering and email attachment scanning. On the back end, the city uses BackupAssist, a Windows server backup and recovery software offering for SMBs. A remote disaster recovery site provides an additional line of defense.

The city earlier this month said it layered on another element to its backup and recovery defense. Mike Luu, information services director for the city of Milpitas, said the city activated CryptoSafeGuard, a BackupAssist feature the vendor recently added to its product.

CryptoSafeGuard, according to the company, prevents infected files from being backed up and also prevents backups from becoming encrypted. Some ransomware attacks have succeeded in encrypting both an organization’s production and backup data.

“It’s just another method of trying to protect against [Ransomware],” Luu said of CryptoSafeGuard.

Luu said switching on CryptoSafeGuard was a simple matter of ticking a box on BackupAssist’s user interface. “It came along for the ride at no additional cost,” he added.

BackupAssist offers CryptoSafeGuard as part of the vendor’s BackupCare subscription package. Troy Vertigan, digital sales and marketing manager at BackupAssist, said 30% of the vendor’s customers running the latest versions of BackupAssist have activated CryptoSafeGuard since it became available in September 2017.

When backups fail

Backup plans can fall through when ransomware hits. TenCate, a maker of composite materials and armor based in the Netherlands, found that out a few years ago during the CryptoLocker ransomware outbreak. Malware entered the company’s U.S. operations through a manufacturing facility and made its way to the file server, recalled Jayme Williams, senior systems engineer at TenCate. Data ended up encrypted from the shop floor to the front office.

When TenCate attempted a data restore from Linear Tape-Open standard tape backups, the backup software the company used wasn’t able to catalog the LTO tapes — a necessary step for recovering files. Williams said some data had been copied off to disk media, but that backup tier was also unreadable. He contacted a data recovery service, which was able to extract the data from the disks.

The company’s disk-based backups weren’t frequent, so some of the data had become stale. The recovered data, however, provided a framework for rebuilding what was lost. It took two weeks to make data accessible again; even then, it wasn’t an ideal data restore because of the age of the recovered data.

One of the key lessons learned from the CryptoLocker experience was that TenCate’s security had been lacking, which is why the ransomware infection was able to penetrate as far as it did, Williams noted. In response, company managers have signed off on tighter security.

The other lesson: Backup and disaster recovery are different things.

“Backup is not resilience,” Williams said.

That realization put TenCate on the path toward new approaches. Initially, the company, which is a VMware shop, considered the virtualization vendor’s Site Recovery Manager. But the company’s IT services partner recommended a cloud-based backup and disaster recovery offering from Zerto. The vendor replicates data from an organization’s on-site data stores to the cloud.

One factor in favor of Zerto was simplicity. Zerto helped TenCate set up a proof of concept (POC) in about 30 minutes to demonstrate replication and failover. When Williams received permission to purchase the replication service, TenCate was able to take the POC into production without reinstallation.

When a second ransomware outbreak struck TenCate, the updated security and disaster recovery system thwarted the attack. The company’s virtual machines (VMs) were shielded within Zerto’s Virtual Protection Groups and journaling technique, which Williams described as “the TiVo of the VM.” The Zerto journal lets administrators roll back a VM to a point in time before the ransomware hit — a matter of seconds, according to Williams.

Time is a critical consideration in devising a ransomware mitigation strategy, noted Michael Suby, Stratecast vice president of research at Frost & Sullivan.

An overly lengthy data restore process leaves organizations vulnerable to ransomware demands, he said. A besieged organization may capitulate and pay the fee if a drawn-out recovery time would result in a greater loss of revenue or threaten lives, as in the case of an attack against a hospital.

“Companies can still be exploited if the time to revert to those backup files is excessive,” Suby explained. “It’s not just having backup files. We have to have them readily accessible.”

Cryptomining, ransomware are top malware in 2017

Cryptomining (using tools to hijack a user’s CPU to mine cryptocurrency), ransomware and mobile malware continued to plague enterprises in 2017, according to a top malware report issued by Check Point Software Technologies Ltd.

The report, which investigated the top security issues facing enterprises in the last half of the year, said 20% of organizations were infected by cryptomining malware that in some cases can diminish CPU processing by more than half.

Check Point, based in San Carlos, Calif., also said in its top malware report that attack vectors shifted during the last half of the year, with infections based on the Simple Mail Transfer Protocol eclipsing those on HTTP. The increase — from 55% during the first half of 2017 to 62% after July — reflected the number of skilled hackers targeting vulnerabilities in documents, particularly Microsoft Office.

Mobile attacks, meanwhile, became more nefarious. The Check Point top malware study found that enterprises are now becoming vulnerable to threats either launched from mobile devices or delivered through mobile malware such as Switcher.

“The second half of 2017 has seen cryptominers take the world by storm to become a favorite monetizing attack vector,” said Maya Horowitz, Check Point’s threat intelligence group manager, in a statement. “While this is not an entirely new malware type, the increasing popularity and value of cryptocurrency has led to a significant increase in the distribution of crypto-mining malware. It’s clear that there is still a lot that organizations need to do to fully protect themselves against attacks.”

Check Point based its second-half top malware report on its ThreatCloud intelligence service, which holds more than 250 million addresses analyzed for bot discovery and 11 million malware signatures.

Broadcom releases SDK for ASICs

Broadcom Ltd. issued an open source software development kit, or SDK, to enable developers to customize their use of Tomahawk switch silicon in their operations.

The first version of the kit, dubbed SDKLT, is based on the BCM56960 Tomahawk switch, used within top-of-rack switches and fabric designs. The open source code is downloadable from GitHub, with the associated logical table APIs available through an Apache 2.0 license, Broadcom said.

The SDKLT uses a logical table approach to simplify how developers add features to the switch silicon. All device physical resources, such as media access control address tables, Layer 3 route tables and other functions, are presented within logical tables instead of proprietary function calls, Broadcom said.

“The SDKLT brings a fresh, state-of-the-art software development approach to the broader community of network software developers where they can now fully and directly control and monitor the rich switch feature set optimized for SDN and cloud use cases,” said Ram Velaga, Broadcom’s senior vice president and general manager of switching products, in a statement.

Broadcom’s move follows a similar initiative by Barefoot Networks, which in 2016 released Tofino, a family of switches that can be customized through P4, an open source consortium with more than 60 members.

F5 launches training for app development

F5 Networks has introduced a new training program aimed at speeding up the time it now takes for enterprises to ramp up new applications and services.

The initiative, called Super-NetOps, is focused on enabling engineers and developers to deliver applications through a service model rather than a traditional, ticket-driven approach, Seattle-based F5 said.

By standardizing critical application services and building them through automated toolchains, F5 said, applications can go live within minutes.

“Super-NetOps will help network operations professionals build on their decades of experience deploying, managing, maintaining, and securing applications and equip them to deliver the automation and agility needed by DevOps teams,” said Kara Sprague, F5’s senior vice president and general manager, in a statement.

The online course, which is free, will debut with two modules covering DevOps methodologies and the concepts of automation, orchestration and infrastructure as code. Future modules will include training about agile methodologies, application language frameworks and how to deploy third-party automation toolchains.

Data protection news 2017: Security issues make headlines

Backup and data security became intertwined in 2017.

WannaCry ransomware and Amazon Simple Storage Service (S3) bucket leaks highlighted data protection news, forcing users and vendors to find new ways to protect data. Other data protection news showed shifts in technology and corporate strategy, such as two old-school backup vendors rolling out converged appliances, a billion-dollar-plus private equity transaction and a maturing vendor’s decision to split its CEO job in two.

WannaCry shines a light on ransomware, data recovery

The WannaCry attack that hit more than 100,000 organizations in 150 countries in May brought ransomware into the public consciousness, and it also highlighted the need for proper data protection. As a result, backup vendors now routinely include features designed to help combat ransomware attacks.

That hasn’t stopped the attacks, though. Experts noted that ransomware attacks have become stealthier, and protection against ransomware is now more complicated. That means recovering data from such attacks is getting trickier.

News about WannaCry continued right until the end of the year, as well, when the White House in December officially blamed the North Korean government for the attacks.

Cybersecurity experts expose leaky Amazon S3 buckets

Reports surfaced that corporations, small companies and government agencies have left terabytes of corporate and top-secret data exposed on the internet via misconfigured Amazon S3 storage buckets. Experts claim data was left vulnerable to hacking because access control lists were configured for public access, so any user with an Amazon account could get to the data simply by guessing the name of the bucket.

The list of firms affected by the data protection news included telecommunications giant Verizon, Dow Jones, consulting firm Accenture, World Wrestling Entertainment and U.S. government contractor Booz Allen Hamilton. Many in the IT industry blame end users for failing to click on the proper restricted access level on the buckets, but the publicity still prompted Amazon to build in new features to mitigate the cloud storage security problem.

Amazon added new S3 default encryption that mandates all objects in the bucket must be stored in an encrypted form. The vendor also added permission checks that display a prominent indicator next to each Amazon S3 bucket that is publicly accessible.

Still, reports of more sensitive data left exposed in unsecured storage buckets continued. In November, cybersecurity firm UpGuard reported it was able to access data in storage buckets belonging to the United States Army Intelligence and Security Command and the U.S. Central Command and Pacific Command.

Dell EMC, Commvault converge backup

Relative backup newcomers Cohesity and Rubrik had a great impact on data protection news in 2017, as stalwarts Dell EMC and Commvault moved down the converged backup path the upstarts have taken.

The Dell EMC Integrated Data Protection Appliance (IDPA) launched at Dell EMC World in May. The purpose-built, preintegrated system converges storage, software, search and analytics in one appliance, providing data protection across applications and platforms with a native, cloud-tiering capability for long-term retention. IDPA includes Data Domain data deduplication technology.

Commvault answered with its HyperScale appliance that puts the vendor’s HyperScale software on a scale-out storage system. The branded Commvault appliance marks a new direction for the vendor, which previously only sold software. Commvault has also partnered with Cisco, which rebrands HyperScale as ScaleProtect on the Cisco Unified Computing System.

Barracuda becomes a private affair

In a deal that best represents data protection acquisitions in 2017, equity giant Thoma Bravo spent $1.6 billion to acquire publicly held Barracuda Networks and take it private. Barracuda is best known for its security products, but has steadily expanded its backup and disaster recovery platforms in recent years.

The Bravo-Barracuda data protection news highlighted a 2017 trend in the field’s acquisitions. Datto and Spanning also went the private-equity route during the year. Vista Equity Partners acquired Datto and merged it with Autotask, and Dell EMC sold off cloud-to-cloud backup pioneer Spanning to Insight Venture Partners.

Veeam tag-teams CEO role

Veeam Software has grown up so much it now takes two chief executives to run the company. Veeam split its CEO job in 2017, naming Peter McKay and founder Andrei Baronov co-CEOs. Baronov started Veeam in 2006 along with Ratmir Timashev, who served as CEO until 2016 and remains on its board. McKay came to Veeam in 2016 as COO and president.

The division of power calls for McKay to head Veeam’s “go-to-market,” finance and human resources functions, while Baronov handles research and development, market strategy and product management. William Largent, who held the CEO job for 11 months, is now chairman of Veeam’s finance and compensation committees.

CyberSight RansomStopper

Your antivirus or security suite really ought to protect you against ransomware, along with all other kinds of malware. There might be an occasional slipup with a never-before-seen attack, but those unknowns rapidly become known. Unfortunately, ex post facto removal of ransomware still leaves your files encrypted. That’s why you may want to add a ransomware protection utility to your arsenal. The free CyberSight RansomStopper stopped real-world ransomware in testing, but can have a problem with ransomware that only runs at boot time.

Similar Products

RansomStopper is quite similar to Cybereason RansomFree, Trend Micro RansomBuster, and Malwarebytes Anti-Ransomware Beta. All four are free, and all detect ransomware based on its behavior. Since they rely on behavior, it doesn’t matter whether the ransomware is an old, known quantity or a just-created zero-day attack. Like RansomFree, RansomStopper uses bait files as part of its detection methodology. However, RansomStopper hides its bait files from the user.

Getting Started

Installation went quickly in my testing. After the download, I completed the process by entering my first and last name and email address. Once I responded to the confirmation email, the product was up and running.

The product’s simple main window reports that “You are protected from ransomware.” Buttons across the bottom let you view security alerts, processes RansomStopper has blocked, and processes you’ve chosen to allow. Another button lets you check for updates, if you didn’t select automatic updates during installation. Simple!

CyberSight also offers a business edition. Added features include email alerts, centralized administration, and detailed reports. The business edition costs $29.99 for a single license, though the price drops to as low as $10 per seat with volume licensing.

Ransomware Protection

When RansomStopper detects a ransomware attack, it terminates the offending process and pops up a warning in the notification area. Clicking the warning lets you see what file caused the problem. There’s an option to remove programs from the blocked processes list—along with a warning that doing so is a bad idea.

Waiting to detect ransomware behavior can sometimes mean that the ransomware encrypts a few files before termination. When I tested Malwarebytes, it did lose a few files this way. Check Point ZoneAlarm Anti-Ransomware actively recovers any encrypted files. In my testing, it did so for every ransomware sample. ZoneAlarm’s only error was one instance of reporting failure when it had actually succeeded.

For a quick sanity check, I launched a simple fake ransomware program that I wrote myself. All it does is look for text files in and below the Documents folder and encrypt them. It uses a simple, reversible cipher, so a second run restores the files. RansomStopper caught it and prevented its chicanery. So far so good.

Caution, Live Ransomware

The only sure way to test behavior-based ransomware protection is by using live ransomware. I do this very cautiously, isolating my virtual machine test system from any shared folders and from the internet.

This test can be harrowing if the anti-ransomware product fails its detection, but my RansomStopper test went smoothly. Like ZoneAlarm and Malwarebytes, RansomStopper caught all the samples, and I didn’t find any files encrypted before behavioral detection kicked in. Cybereason RansomFree did pretty well, but it missed one.

I also test using KnowBe4’s RanSim, a utility that simulates 10 types of ransomware attack. Success in this test is useful information, but failure can simply mean that the behavior-based detection correctly determined that the simulations are not real ransomware. Like RansomFree, RansomStopper ignored the simulations.

Boot-Time Danger

Keeping under the radar is a big deal for ransomware. When possible, it does its dirty deeds silently, only coming forward with its ransom demand after encrypting your files. Having administrator privileges makes ransomware’s job easier, but getting to that point typically requires permission from the user. There are workarounds to get those privileges silently. These include arranging to piggyback on the Winlogon process at boot time, or setting a scheduled task for boot time. Typically, the ransomware just arranges to launch at boot and then forces a reboot, without performing any encryption tasks.

I mention this because I discovered that ransomware can encrypt files at boot time before RansomStopper kicks in. My own fake encryption program managed that feat. It encrypted all text files in and below the Documents folder, including RansomStopper’s bait text file. (Yes, that file is in a folder that RansomStopper actively hides, but I have my methods…)

I reverted the virtual machine and tried again, this time setting a real-world ransomware sample to launch at startup. It encrypted my files and displayed its ransom note before RansomStopper loaded. From my CyberSight contact I learned that they’re “testing several solutions” for this problem, and that an update in the next few weeks should take care of it. I’ll update this review when a solution becomes available.

RansomFree runs as a service, so it’s active before any regular process. When I performed the same test, setting a real-world ransomware sample to launch at startup, RansomFree caught it. Malwarebytes also passed this test. RansomBuster detected the boot-time attack and recovered the affected files.

To further explore this problem, I obtained a sample of the Petya ransomware that caused trouble earlier this year. This particular strain crashes the system and then simulates boot-time repair by CHKDSK. What it’s actually doing is encrypting your hard drive. Malwarebytes, RansomFree, and RansomBuster all failed to prevent this attack. RansomStopper caught it before it could cause the system crash—impressive! To be fair to the others, this one is not a typical file encryptor ransomware. Rather, it locks the entire system by encrypting the hard drive.

Querying my contacts, I did learn that boot-time ransomware attacks, including Petya, are becoming less common. Even so, I’m adding this test to my repertoire.

Other Techniques

Behavior-based detection, when implemented properly, is an excellent way to fight ransomware. However, it’s not the only way. Trend Micro RansomBuster and Bitdefender Antivirus Plus are among those that foil ransomware by controlling file access. They prevent untrusted programs from making any change to files in protected folders. If an untrusted program tries to modify your files, you get a notification. Typically, you get the option to add the unknown program to the trusted list. That can be handy if the blocked program was your new text or photo editor. Panda Internet Security goes even farther, preventing untrusted programs from even reading data from protected files.

Ransomware crooks need to take care that they’ll be able to decrypt files when the victim pays up. Encrypting files more than once could interfere with recovery, so most include a marker of some kind to prevent a second attack. Bitdefender Anti-Ransomware leverages that technique to fool specific ransomware families into thinking they’ve already attacked you. Note, though, that this technique can’t do a thing about brand-new ransomware types.

When Webroot SecureAnywhere AntiVirus encounters an unknown process, it starts journaling all activity by that process, and sending data to the cloud for analysis. If the process proves to be malware, Webroot rolls back everything it did, even rolling back ransomware activity. ZoneAlarm and RansomBuster have their own methods for recovering files. When the anti-ransomware component of Acronis True Image kills off a ransomware attack, it can restore encrypted files from its own secure backup if necessary.

Give It a Try

CyberSight RansomStopper detected and blocked all my real-world ransomware samples without losing any files. It also detected my simple hand-coded ransomware simulator. And it blocked an attack by Petya, where several competing products failed.

RansomStopper did exhibit a vulnerability to ransomware that only runs at boot time, but my sources say this type of attack is becoming less common, and CyberSight is working on a solution. Other free products had their own problems. RansomFree missed one real-world sample, and Malwarebytes let another sample encrypt a few files before its detection kicked in. RansomBuster fared worse, missing half the samples completely (though its Folder Shield component protected most files).

Check Point ZoneAlarm Anti-Ransomware remains our Editors’ Choice for dedicated ransomware protection. It’s not free, but at $2.99 per month it’s also not terribly expensive. If that still seems too steep, give the three free utilities a try, and see which one you like best.

CloudBerry backups feature protection from ransomware

CloudBerry backups are hopping aboard the ransomware protection train, with the ability to detect encryption changes along the way.

The latest update to CloudBerry’s flagship product, CloudBerry Backup, protects a customer’s file-level backups when it discovers ransomware. The product prevents existing CloudBerry backups from being overwritten until an administrator confirms whether there is an issue.

Statistics show that ransomware attacks are still prevalent. Requested payment amounts to release encrypted files are also trending up.

“Customers are looking for any type of protection they can get,” said David Gugick, vice president of product management at CloudBerry Lab, which is based in New York City. “You don’t want ransomware to find your backup files.”

Some ransomware, though, is smart enough to encrypt backups. CloudBerry’s off-site cloud backup helps customers follow the 3-2-1 rule of backup, Gugick said. Organizations should have three copies of data on two different media, with one copy off site.

In addition, some ransomware is smart enough to exist on a user’s system without making its presence known right away.

When a customer enables ransomware protection in CloudBerry Backup 5.8, the vendor performs the initial backup and analyzes the bit structure of each file to determine if any files are encrypted. During subsequent backups, CloudBerry compares the original byte structure to the current byte structure, which enables the identification of newly encrypted files.

The customer’s backup plan continues, but CloudBerry prevents existing backups from deletion regardless of retention policies, according to the vendor. Customers can go back to a point in time before the attack and restore from protected CloudBerry backups.
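As an added illustration of the comparison described above (not CloudBerry’s own code; the entropy cutoff, the minimum file size and the sample files are all constructed for the demo), a per-file byte profile taken at the previous backup run is compared with the one taken now, files that crossed from ordinary content into ciphertext-like bytes are flagged, and retention-driven deletion is held while an administrator reviews:

```python
"""Backup-side ransomware check: compare a per-file byte profile from the
previous backup run with the current one and flag files that turned from
ordinary content into ciphertext-like bytes. Added example, not CloudBerry's
code; thresholds and the sample files below are constructed for the demo."""
import hashlib
import math
from collections import Counter

# Assumed cutoffs (not from the article). Text, source and office XML sit
# well below 7.2 bits/byte; ciphertext and good compression sit near 8.0.
ENCRYPTED_ENTROPY = 7.2
MIN_SIZE = 256  # entropy estimates on tiny files are noisy, so skip them


def byte_entropy(data):
    """Shannon entropy of the byte histogram, from 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def profile(files):
    """Profile stored with a backup run: path -> (size, entropy)."""
    return {path: (len(data), byte_entropy(data)) for path, data in files.items()}


def newly_encrypted(baseline, current):
    """Return paths that look freshly encrypted since the baseline run:
    either the same path crossed from ordinary to ciphertext-like, or a new
    ciphertext-like file appeared where a baseline file with the same name
    prefix (report.txt -> report.txt.locked) has disappeared. Files that were
    already high-entropy in the baseline (JPEGs, archives) are ignored,
    which is exactly what a fixed threshold alone would get wrong."""
    flagged = []
    for path, (size, entropy) in current.items():
        if size < MIN_SIZE or entropy < ENCRYPTED_ENTROPY:
            continue
        previous = baseline.get(path)
        if previous is not None:
            if previous[1] < ENCRYPTED_ENTROPY:
                flagged.append(path)
            continue
        # New path: suspicious only if it shadows a baseline file that is gone.
        for old in baseline:
            if path.startswith(old) and old not in current:
                flagged.append(path)
                break
    return sorted(flagged)


def backup_decision(baseline, current):
    """The behaviour the article describes: the backup continues, but
    retention-driven deletion of earlier backups is held pending review."""
    flagged = newly_encrypted(baseline, current)
    return {"continue_backup": True, "hold_retention": bool(flagged), "flagged": flagged}


# --- constructed sample data -------------------------------------------------
def _pseudo_random(label, n):
    """Deterministic SHA-256 counter stream, used only to fabricate
    ciphertext-like and already-compressed-looking bytes for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def _scramble(data, label):
    """XOR with a pseudo-random stream: stands in for encrypted output."""
    return bytes(a ^ b for a, b in zip(data, _pseudo_random(label, len(data))))


REPORT = b"Quarterly figures: revenue up, costs flat. Action items follow.\n" * 40
NOTES = b"todo: call vendor about renewal\n" * 40
PHOTO = _pseudo_random(b"photo", 4096)  # stands in for a JPEG: high entropy from day one

BASELINE_FILES = {"docs/report.txt": REPORT, "docs/notes.txt": NOTES, "docs/photo.jpg": PHOTO}
CURRENT_FILES = {
    "docs/report.txt": _scramble(REPORT, b"k1"),       # encrypted in place
    "docs/notes.txt.locked": _scramble(NOTES, b"k2"),  # renamed and encrypted
    "docs/photo.jpg": PHOTO,                           # untouched media, not flagged
}

if __name__ == "__main__":
    print(backup_decision(profile(BASELINE_FILES), profile(CURRENT_FILES)))
```

The baseline comparison is what keeps media and archives that were high-entropy from the first backup out of the alert list; a single threshold on the current run alone would flag them every time.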

Gugick cautioned that a ransomware protection strategy should be comprehensive and also include user education and security patches.

“Customers should not rely exclusively on backup and disaster recovery,” Gugick said. “This is just a piece of the protection puzzle.”

Waking up from the ransomware ‘nightmare’

Lori Hardtke, president of ByteWize Inc., which provides IT support for small businesses, said one of her clients got hit with a ransomware attack on a server earlier this year, before this new protection feature launched.

“It was the worst nightmare I ever went through,” Hardtke said.

However, the organization restored from CloudBerry backups and didn’t lose any data.

Hardtke recently downloaded the latest CloudBerry Backup software and engaged the ransomware feature, essentially by just checking a box. She welcomed the capability as “another layer of protection.”

Hardtke uses CloudBerry for file-level backups of Windows environments, primarily desktops. Her business, based in Scottsdale, Ariz., has roughly 50 clients across the United States. CloudBerry backs up 5.5 TB of data, mainly QuickBooks and standard documents, such as Word files and PDFs.

ByteWize uses Google Cloud Platform as the back end for its storage. CloudBerry does not provide storage; it only handles backup and disaster recovery, which keeps costs low compared to its competition, Gugick said. The majority of customers use Amazon Web Services, but CloudBerry supports more than 30 cloud storage vendors, including Google, Microsoft Azure, Backblaze B2, Oracle and Wasabi.

ByteWize switched to CloudBerry in September 2015 after about five years with Jungle Disk backup. Hardtke said she was looking for more innovation and less cost, and she found both with CloudBerry backups. She said she appreciates the steady flow of upgrades with significant enhancements.

One enhancement Hardtke likes is the ability to do image-based backups. She said it would be helpful to retrieve files out of an image, like she can with Veeam Software, which she also uses to protect data.

[Figure: CloudBerry's ransomware detection. CloudBerry Backup informs the user when it detects possible ransomware.]

What else is new?

The ransomware protection is currently only designed for file-level backup, but Gugick said CloudBerry is planning support for images in a future release.

Other new features in CloudBerry Backup 5.8, which became generally available two weeks ago, include protection for Microsoft Hyper-V 2016 and support for VMware changed block tracking.

CloudBerry has two main backup offerings that support Windows, macOS and Linux. CloudBerry Backup for small businesses and consumers starts at $29.99 for the desktop edition and $119.99 for the server edition, and it features perpetual licenses. CloudBerry Managed Backup for managed service providers and larger businesses offers subscription licensing and starts at $5 per month, per server or desktop for file-level backup and $6 per month, per server or desktop for image-based backup.

CloudBerry backups protect more than 210 PB of data, Gugick said. The vendor claims about 43,000 CloudBerry Backup customers and 4,500 active CloudBerry Managed Backup customers.

Data protection trends: Ransomware, M&A deals dominate news

From the constant threat of ransomware attacks to looking ahead to the European Union’s General Data Protection Regulation, backup vendors had a lot to tackle in 2017. And there was even a lot of movement among vendors themselves, with several big names making acquisitions to gain footholds in important markets.

Here we run down the year’s top data protection trends and news.

Ransomware protection gains strength

The ransomware epidemic is not slowing down. While ransomware has been out there for some time now, it made international headlines in May when the WannaCry strain hit roughly 300,000 machines in 150 countries within a few days. Other strains have made big news and caused problems for organizations of all sizes this year. Statistics vary, but many organizations say ransomware attacks are on the rise.

While WannaCry didn’t end up pulling in as much ransom as the attackers likely anticipated, that attack and others had organizations scrambling and making data protection a top focus. Often, backup and recovery is the only way out after ransomware hits. And that focus was evident with backup vendors as well, as data protection trends in this area included adding ransomware-specific features.

  • Acronis built a new version of its Active Protection technology — integrated into Acronis True Image backup software — that uses machine learning to help prevent ransomware from corrupting data. It attempts to detect suspicious application behavior before files are encrypted. Active Protection is available in Acronis Backup software.
  • BackupAssist launched CryptoSafeGuard, part of its data protection software for SMBs, which works alongside existing antimalware software. It scans source files for suspicious changes that can indicate ransomware, then sends alerts and blocks backup jobs from running so the encrypted files do not overwrite good backups.
  • Druva built ransomware monitoring and detection tools into its InSync endpoint data protection software. The software flags unusual activity occurring to data and helps identify the last good snapshot to recover the entire data set or individual files.
  • Unitrends Recovery Series physical appliances and Unitrends Backup virtual appliances use predictive analytics to determine the probability that ransomware exists in an environment. The vendor alerts customers when it detects ransomware, so they can immediately restore from the last legitimate recovery point.

Mergers and acquisitions aplenty

The 2017 data protection market saw a large amount of merger and acquisition activity, particularly in the second half of the year. Cloud backup provider Carbonite was especially busy.

Here are several major moves from the past year:

  • Security and data protection vendor Barracuda is going private, following its purchase in November by equity firm Thoma Bravo for $1.6 billion.
  • Vista Equity Partners in October acquired data protection vendor Datto and will merge it with IT management provider Autotask, in a play to bring several technologies under one roof for SMBs, including backup and disaster recovery, professional services automation and networking continuity. Earlier in the year, Datto bought cloud-based networking provider Open Mesh.
  • Carbonite purchased Datacastle’s endpoint backup in August, which gives the growing cloud backup vendor better scalability and a bigger play in the SMB market. That same month, Code42 announced it is shutting down its consumer cloud backup product in 2018 to focus on other sectors and referring consumers to Carbonite. Earlier in the year, Carbonite bought Double-Take Software to improve its high-availability technology.
  • Peak 10 closed on a $1.675 billion acquisition of ViaWest in August. The combined cloud services provider plans to offer a data protection suite that includes storage, backup and replication.
  • Axcient, which provides cloud-based disaster recovery and data protection, and EFolder, which offers cloud business continuity, cloud file sync and cloud-to-cloud backup, announced in July that they are merging.
  • Data protection vendor Arcserve in July acquired Zetta and its cloud backup and disaster recovery, following its purchase earlier in the year of FastArchiver for on-premises or public cloud emails.

The convergence and hyper-convergence of data protection

As vendors like Cohesity and Rubrik continue to lead the converged secondary storage market, backup going hyper-converged is one of the top data protection trends of 2017. Several vendors this year launched backup for hyper-converged products, with at least one data protection product focused solely on the Nutanix Acropolis Hypervisor (AHV).

The Unitrends Recovery Series backup appliances and Unitrends Backup virtual appliances feature integration for AHV. The vendor also protects all hypervisors that run on Nutanix and supports VMware, Hyper-V and Citrix XenServer hypervisors. Veeam, Commvault and Rubrik are among the other data protection vendors that recently launched or will launch backup for AHV.

Comtrade Software in June launched its HYCU dedicated to AHV backup. The vendor later in the year updated its product with increased support for Nutanix storage and backup management features.

Commvault went to a place it didn’t originally plan on going: the hardware market. The vendor launched its first scale-out integrated hardware appliance for data protection as it attempts to compete with Rubrik and Cohesity, as well as traditional backup vendors. The HyperScale platform is part of Commvault’s product strategy to build out its data services with software-defined storage and convergence. Converged secondary storage — one of the data protection trends that continues to grow — handles such nonprimary tasks as backup, archiving, test and development, and disaster recovery.

Ready or not, here comes GDPR

Companies are scrambling to ensure compliance with the European Union’s General Data Protection Regulation, which goes into effect in May 2018 and covers the personal data of people in the EU, wherever that data is processed, as well as data stored within the union. It consists of 99 articles, including the right to erasure, under which individuals can require organizations to delete their personal data.

But the rule requiring companies to notify the supervisory authority of a data breach within 72 hours of becoming aware of it, and affected individuals without undue delay, struck a chord this year via the Equifax breach. The company discovered it in July and reported it publicly in September. Companies not in compliance with GDPR face fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Surveys routinely show that companies are not adequately prepared for GDPR. Some vendors, though, are trying to help aid compliance. For example, Veritas’ Integrated Classification Engine uses machine learning to identify sensitive and personal data.

Data protection trends take on storage growth

Tape storage got a capacity bump with the release of LTO-8. The latest version, launched two years after LTO-7 hit the market, features 32 TB of compressed capacity per tape, sustained data transfer rates of up to 1,180 MBps for compressed data, uncompressed capacity of 12.8 TB and an uncompressed transfer rate of 472 MBps. Tape is seen as a safe, offline backup in the face of cyberattacks such as ransomware. Plus, the massive capacity can help with long-term retention of huge data sets that continue to grow.

“No business measures data storage in terabytes anymore,” analyst Jon Toigo wrote in a November SearchDataBackup article. “… So LTO-8, with its 32 TB capacity, seems to be just what the doctor ordered for companies most likely to make big use of tape technology: cloudies and data-intensive verticals, such as healthcare, surveillance, research labs, and oil and gas. These firms are putting tape back to use in an old, secondary storage role.”

What’s old has become new again.

Scarab ransomware joins with Necurs botnet for faster spread

Researchers saw a surge of activity as the Scarab ransomware spread quickly through a botnet-driven email campaign that sent millions of messages in a matter of hours, but updates since that initial wave have been lacking.

Ben Gibney and Roland Dela Paz, security researcher and senior security researcher, respectively, for Forcepoint Security Labs LLC, based in Dublin, reported a surge in the volume of Scarab ransomware emails being blocked by security systems on Nov. 23. According to the researchers, more than 12.5 million emails were captured between 07:00 and 12:00 UTC, and the current campaign of Scarab ransomware used emails that looked like scanned documents, similar to “Locky ransomware campaigns distributed via Necurs.”

The Scarab ransomware was first seen in the wild in June, but the recent resurgence has been credited to the malware being spread via the Necurs botnet. Necurs was first discovered by cybersecurity vendors in 2012, and the botnet has grown steadily since that time. The Necurs botnet was previously used to spread the Dridex banking malware and Locky ransomware, though the botnet’s activity decreased sharply following a series of raids and arrests of suspect hackers in Russia last year.

“By employing the services of larger botnets such as Necurs, smaller ransomware players such as the actors behind Scarab are able to run a massive campaign with a global reach,” Gibney and Dela Paz wrote in a blog post. “It remains a question whether this is a temporary campaign, as was the case with Jaff, or if we will see Scarab increase in prominence through Necurs-driven campaigns.”

It is still unclear if the campaign was temporary or not as Forcepoint has not released any updates to its initial figures since the post on the 23rd and the company has not responded to requests for more data as of the time of this article.

Andy Norton, director of threat intelligence at Lastline, said the Necurs botnet can be a dangerous delivery system, but as yet it has only been seen propagating ransomware.

“Necurs is so popular to push malware and ransomware because it contains lots of concealment technology like the use of packers to evade static analysis, and lots of evasion technology to avoid being discovered by behavioral malware analysis platforms,” Norton told SearchSecurity. “It is able to survive inside an enterprise security environment, making it successful as a platform for delivering other subsequent malicious payloads.”

Bad Rabbit ransomware data recovery may be possible

Two different security research firms uncovered important information about the Bad Rabbit ransomware attacks, including the motives and a possible way to recover data without paying.

A threat research team from FireEye found a connection between the Bad Rabbit ransomware and “Backswing,” which FireEye described as a “malicious JavaScript profiling framework.” According to the researchers, Backswing has been seen in use in the wild since September 2016 and recently some sites harboring the framework were redirecting to Bad Rabbit distribution URLs.

“Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the Bad Rabbit ‘flash update’ dropper),” FireEye researchers wrote. “The distribution of sites compromised with Backswing suggest a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of Backswing instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting Backswing do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests.”

Researchers added that using Backswing to gather information on targets and the growing number of malicious websites containing the framework could point to “a considerable footprint the actors could leverage in future attacks.”

Bad Rabbit ransomware recovery

Meanwhile, researchers from Kaspersky Lab discovered flaws in the Bad Rabbit ransomware that could give victims a chance to recover encrypted data without paying the ransom.

The Kaspersky team wrote in a blog post that early reports that the Bad Rabbit ransomware leaked the encryption key were false, but the team did find a flaw in the code: the malware doesn’t wipe the generated password from memory, leaving a slim chance of extracting it from the running process before it terminates.

However, the team also detailed an easier way to potentially recover files.

“We have discovered that Bad Rabbit does not delete shadow copies after encrypting the victim’s files,” Kaspersky researchers wrote. “It means that if the shadow copies had been enabled prior to infection and if the full disk encryption did not occur for some reason, then the victim can restore the original versions of the encrypted files by the means of the standard Windows mechanism or 3rd-party utilities.”
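The shadow copy route Kaspersky describes is worth spelling out as a procedure, because it is the same check an incident responder runs against any ransomware that forgets (or fails) to delete Volume Shadow Copies. The PowerShell below is an added example written for this page, not code from Kaspersky or from the Bad Rabbit analysis. It assumes an elevated session on the affected Windows host after the machine has been isolated and the malicious process stopped; the volume letter, the directory to recover, the destination path and the infection timestamp are placeholders to adjust.

```powershell
# Added example (not from the original article): find VSS shadow copies that
# predate a ransomware infection and copy the original files out of one.
# Assumes: elevated PowerShell on the infected host; $pathToRecover, $restoreRoot
# and $infectionTime are placeholders (hypothetical values), not real case data.

$volumeLetter  = 'C:'
$pathToRecover = 'Users\alice\Documents'     # relative to the volume root (assumed)
$restoreRoot   = 'D:\recovered'              # destination on a clean volume (assumed)
$infectionTime = Get-Date '2017-10-24 11:00' # start of the infection window (assumed)

# 1. Resolve the drive letter to its volume GUID path; Win32_ShadowCopy refers to
#    volumes by that path, not by letter.
$vol = Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter -eq $volumeLetter }
if (-not $vol) { throw "Volume $volumeLetter not found" }

# 2. Enumerate shadow copies for that volume, oldest first. An empty result means
#    either VSS was never enabled or the malware deleted the snapshots
#    (Bad Rabbit did not; many other families run 'vssadmin delete shadows /all').
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $vol.DeviceID } |
    Sort-Object InstallDate
if (-not $shadows) { throw "No shadow copies for $volumeLetter; VSS recovery is not possible" }
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize

# 3. Pick the newest snapshot taken BEFORE the infection window. A snapshot taken
#    after encryption started would contain the encrypted files.
$snap = $shadows | Where-Object { $_.InstallDate -lt $infectionTime } | Select-Object -Last 1
if (-not $snap) { throw "No shadow copy predates $infectionTime" }

# 4. Expose the snapshot via a directory symlink. The shadow device path only
#    works with the trailing backslash, and .NET file APIs do not accept the
#    \\?\GLOBALROOT prefix, so cmd.exe's mklink is used for the link.
$link = Join-Path $env:SystemDrive 'vss_snapshot'
if (Test-Path -LiteralPath $link) { cmd /c rmdir "$link" | Out-Null }
cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null

# 5. Copy the pre-infection files to a clean location. Copying out rather than
#    restoring in place preserves the encrypted originals as evidence.
$src = Join-Path $link $pathToRecover
$dst = Join-Path $restoreRoot $pathToRecover
New-Item -ItemType Directory -Force -Path $dst | Out-Null
robocopy "$src" "$dst" /E /COPY:DAT /R:1 /W:1 | Out-Null

# 6. Remove the link; rmdir on a symlink removes only the link, the snapshot stays.
cmd /c rmdir "$link" | Out-Null
Write-Host "Restored $pathToRecover from shadow copy $($snap.ID) taken $($snap.InstallDate) to $restoreRoot"
```

A quick `vssadmin list shadows` from an elevated prompt gives the same inventory as step 2 and is the first thing to try on a freshly isolated machine. Note the caveat in Kaspersky's statement: this only helps when the file-level encryption ran but the full-disk stage did not, since once the disk-level encryption has completed there is no readable NTFS volume, and therefore no shadow copies, to mount.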