Matt Elvers, June 2023

Expert Advice: What’s the Missing Phase in your Anti-Ransomware Strategy   

Let’s talk ransomware strategies.

South Park has an episode where gnomes were stealing underwear. When confronted by humans as to why they were doing this, the answer was always the same. Phase I – Collect underwear, Phase III – Profit.  The running joke was, “What’s Phase II?” No one knew, they just kept going along with Phase I and hoping to get to Phase III.  

I see this same issue with ransomware strategies. Phase I – Detect the Ransomware, Phase III – Recover from Ransomware. This is not a great solution. Why? Because the most critical phase, Phase II, is being ignored. What is Phase II you ask? Well, unlike the underwear-stealing gnomes, we have an answer for that. Phase II is stopping the attack. That’s right, simple. Phase II – Stop the Ransomware. 

How can you move from Phase I to Phase III without completing Phase II? This is the biggest issue I see with most anti-ransomware solutions. Most can detect ransomware, but if these solutions do not STOP ransomware, how do we get to the recovery phase? A true anti-ransomware solution would not only alert you of an attack but would stop the attack. If the attack is not stopped, why would you start the recovery? If the recovery is complete, but the attack is still not mitigated, how do you give access back to the end users? This is all downtime and possible lost data because the attack was not STOPPED.   

I have seen many ransomware recovery solutions, but these are not preventing attacks. An anti-ransomware solution safeguards your critical data, so you don’t have to worry about costly downtime and recovery. 

When I think of Phase II, I think of ProLion’s CryptoSpike, which actively monitors your CIFS/NFS file shares/exports. When CryptoSpike sees a known ransomware extension (CryptoSpike analyzes more than 5,000 and that number is growing every day) it acts by taking away the attackers’ access to data. In the case of zero-day attacks or ransomware that doesn’t use an extension, CryptoSpike is watching every I/O, looking for a pattern of ransomware behavior. When CryptoSpike detects this unusual behavior, the solution once again takes away the attackers’ access to the data stopping the attack in its tracks. Plus, not only is the access taken away, but you are alerted to who and where this attack was launched. With Phases I and II complete, let’s move on to Phase III. 

Since you have stopped the attack quickly, there is no need to restore the entire environment. If you have a high-value product like CryptoSpike, you will be shown the exact files that were attacked and will be allowed to recover just those damaged files. This makes Phase III – Recover from Ransomware, a super short phase. I would rather recover a hundred or so files than the entire environment. This also makes validating the environment a minuscule task rather than a monumental one. 

There you have it, when evaluating your current or future anti-ransomware solution, make sure you have all the phases covered. Let’s review… 

Phase I – Detect the Ransomware 

Phase II – Stop the Ransomware 

Phase III – Recover from Ransomware 

Don’t let the “gnomes” ignore Phase II – Stop the Ransomware.  Don’t use or purchase a solution that is missing a phase. If you have all the phases covered, ransomware attacks become a minor annoyance rather than a career-ending event.   

For more information about CryptoSpike, email [email protected].

About the Author

Matt Elvers is the Technical Team Lead at ProLion, offering technical support and team management for the U.S. market. He has extensive experience in cybersecurity and storage architecture and has touched almost every aspect of the data center. From storage engineer to director of IT, Matt has worked at major companies including Lockheed Martin, Arrow Electronics, and Leidos. He is certified by Dell EMC, NetApp, and CompTIA Security+.  

About ProLion

ProLion offers powerful data protection solutions that safeguard critical storage and backup data, on-premises or in the cloud. From ransomware protection that detects threats in real time to data transparency, our industry-leading solutions ensure your storage system remains secure, compliant, manageable, and accessible around the clock.