Challenges

It’s estimated that a company is infected with ransomware every 40 seconds.

The malware, the best known examples of which include WannaCry and Petya, encrypts files. Affected companies are asked for a ransom. If ransomware is not detected very quickly, data can be lost.

Worst of all: Just one click by an employee is enough to infect the network.

It’s not only files on the local computer that are harmed, but also those on authorised network drives. So any customer that uses NetApp as NAS (Network Attached Storage), either CIFS or NFS, should have implemented protection against ransomware.

The flood of ransomware goes on. And some only notice when it’s too late.

Just a single click on a malicious link or e-mail attachment can install malware in the background which can run unnoticed for months. There is then a risk that, over time, the backup media will only be holding encrypted files, and the originals can no longer be restored.

Facts and figures from the Cybersecurity Insiders 2017 Ransomware Report

Companies and public institutions now regard ransomware attacks as the greatest cyber security risk.

75% of affected organisations experience 1-5 ransomware attacks per year.
25% experience more than 6 attacks.

For the business, this means: 41% downtime, 39% productivity loss, 30% data loss.

Interesting and useful links about Ransomware:
Europol - The Internet Organised Crime Threat Assessment (IOCTA) 2016

The solution: CryptoSpike combats digital blackmail in real time

CryptoSpike has been specifically designed for NetApp ONTAP storage systems.

In real time, every transaction in the NetApp storage is monitored for abnormalities relating to file endings or user behaviour.

Benefits at a glance

Easy to install via .ova image
Manage settings intuitively with CryptoSpike Manager
Every transaction in the NetApp storage is monitored in real time and affected users are immediately blocked
File endings, file names and user behaviours are all checked for anomalies
Bespoke monitoring strategies, in the future down to share level, customised to meet the needs of different departments
Immediate information on where the attack occurred and support for restoring the damaged files
Fast attack detection prevents continued encryption and, thus, lost data
The attack is nipped in the bud and blackmail attempts are curbed

How it works

You can easily install CryptoSpike and FPolicy Server as a software image (.ova).

Three aligned strategies are deployed to detect attacks:

White list includes all the file endings that are permitted in your company; they are automatically output from the storage when CryptoSpike is being installed.

Black list currently holds around 1800 known ransomware file endings or file names which are updated every day.

Learner is the second safety level and the vital component. It’s rare for current ransomware to change file names and endings, so encryption cannot be detected externally. The Learner therefore analyses patterns of user behaviour in your company, e.g. for read/write/open/close file operations. To do this, the last 50,000, e.g., transactions in the network are recorded and saved in the White Patterns list. There is also the Black Patterns list with behaviour patterns from current ransomware attacks.

Alarms: Real time blocks and fast restores

If an anomaly is detected in a transaction in real time, the system raises the alarm and blocks the employee concerned. The employee then only has read access.
CryptoSpike delivers the key information first: Which files are affected and where? You get details of the path and number of encrypted files.
Any user who is wrongly blocked can be unblocked with a click, and the patterns can be modified if necessary.
If a ransomware attack occurs, you can quickly analyse where malware is running. When the employee is unblocked after the cleanup, CryptoSpike supports the recovery process with an export list of the affected files, so that Snapshot can be used to quickly restore them.