
CryptoSpike
Ransomware protection and access-transparency

Ransomware poses a serious threat!
In this article you will learn how to protect yourself against ransomware attacks with CryptoSpike.
5 Steps to help defend against Insider Threats
CryptoSpike not only helps protect against external cyber attacks and ransomware, but is also a strong defence against insider threats. Read our easy five-step guide to stopping insider threats here.
Challenges
It’s estimated that a company is infected with ransomware every 40 seconds.
The malware, the best-known examples of which include WannaCry and Petya, encrypts files. Affected companies are then asked for a ransom. If the ransomware is not detected very quickly, data can be lost.
Worst of all: Just one click by an employee is enough to infect the network.
It’s not only files on the local computer that are harmed, but also those on the network drives the user is authorised to access. So any customer that uses NetApp as NAS (Network Attached Storage), whether over CIFS or NFS, should have protection against ransomware in place.
The flood of ransomware goes on, and some only notice when it’s too late.
Just a single click on a malicious link or e-mail attachment can install malware in the background, which can then run unnoticed for months. There is then a risk that, over time, the backup media will only be holding encrypted files and the originals can no longer be restored.
Facts and figures from the Cybersecurity Insiders 2017 Ransomware Report
Companies and public institutions now regard ransomware attacks as the greatest cyber security risk.
75% of affected organisations experience 1-5 ransomware attacks per year.
25% experience more than 6 attacks.
For the business, this means: 41% downtime, 39% productivity loss, 30% data loss.

Interesting and useful links about Ransomware:
Europol - The Internet Organised Crime Threat Assessment (IOCTA) 2016
ISS World hack leaves thousands of employees offline
The solution: CryptoSpike combats digital blackmail in real time
- CryptoSpike has been specifically designed for NetApp ONTAP storage systems.
- In real time, every transaction in the NetApp storage is monitored for abnormalities relating to file endings or user behaviour.
Benefits at a glance
- Easy to install via .ova image
- Manage settings intuitively with CryptoSpike Manager
- Every transaction in the NetApp storage is monitored in real time and affected users are immediately blocked
- File endings, file names and user behaviours are all checked for anomalies
- Bespoke monitoring strategies, in the future down to share level, customised to meet the needs of different departments
- Immediate information on where the attack occurred and support for restoring the damaged files
- Fast attack detection prevents continued encryption and, thus, lost data
- The attack is nipped in the bud and blackmail attempts are curbed


"NetApp’s vision of a data-centric Zero Trust architecture is unique to defend against insider threats to an organization’s data. Prolion Cryptospike is a great example of a NetApp ecosystem partner capability to enhance NetApp’s ability to provide an active defense. To learn more, read TR-4829 NetApp and Zero Trust, Enabling a Data-Centric Zero Trust Model."
"Prolion Cryptospike combines the use of FPolicy and user behavioral analytics to defend against malware. Cryptospike is a powerful defense against ransomware that identifies a ransomware attack, quarantines infected users, and recommends an ONTAP Snapshot recovery point. It then restores only the infected files by using ONTAP APIs to prevent data loss from the infected files. It also prevents data loss by not restoring non-infected files written during the attack duration."
Dan Tulledge - Senior Technical Marketing Engineer (Security) at NetApp

How it works
You can easily install CryptoSpike and FPolicy Server as a software image (.ova).
Three aligned strategies are deployed to detect attacks:
White list: includes all the file endings that are permitted in your company; they are automatically collected from the storage when CryptoSpike is installed.
Black list: currently holds around 1,800 known ransomware file endings and file names, updated every day.
Learner: the second safety level and the vital component. Current ransomware rarely changes file names or endings, so the encryption cannot be detected from the outside by name alone. The Learner therefore analyses patterns of user behaviour in your company, e.g. for read/write/open/close file operations. To do this, the last 50,000 transactions on the network are recorded and saved in the White Patterns list. There is also a Black Patterns list holding the behaviour patterns of current ransomware attacks.
Alarms: Real time blocks and fast restores
- If an anomaly is detected in a transaction in real time, the system raises the alarm and blocks the employee concerned. The employee then only has read access.
- CryptoSpike delivers the key information first: which files are affected, and where? You get details of the path and the number of encrypted files.
- Any user who is wrongly blocked can be unblocked with a click, and the patterns can be modified if necessary.
- If a ransomware attack occurs, you can quickly analyse where the malware is running. When the employee is unblocked after the cleanup, CryptoSpike supports the recovery process with an export list of the affected files, so that a Snapshot can be used to restore them quickly.