Ransomware is becoming increasingly sophisticated, and attacks are getting harder to avoid, even when strong security measures are in place. In fact, over 70% of organizations were infected by ransomware after it successfully bypassed their detection and prevention measures.* Ransomware rapidly mutates into new variants, making it extremely difficult to detect with traditional signature-based approaches. That’s why we built Radar, a Rubrik Polaris app that increases resilience in the face of cyber attacks. Rubrik’s approach includes multiple layers of defense, such as anomaly detection, data analysis, and instant recovery.

Dealing with Ransomware

No one likes having their possessions held for ransom and being blackmailed into paying cash for something that is already theirs. Typically, a data center is infiltrated undetected through an endpoint device compromised by a phishing attack, and the ransomware then begins to rapidly encrypt files based on various criteria. At this point, the victim can either pay the ransom or lose their data. There are three main reasons corporations choose not to pay ransoms:

  1. It encourages ransomware hackers to carry out more attacks.
  2. It shows that the organization is willing to pay, making them a higher priority target.
  3. Paying doesn’t always result in getting the decryption key.

Dealing with a ransomware attack can take days, from threat detection to impact analysis to recovery. During that time, the business can experience major data loss and financial impact.

Rubrik Polaris Radar

Radar works in concert with a layered approach to security by providing an additional dimension of data intelligence. The system alerts on unusual behavior and uses machine learning algorithms to continuously improve its approach over time and stay ahead of new threats. If a ransomware attack gets through your security perimeter, Radar is there for early detection and quick recovery.


Anomaly Detection

Radar uses machine learning to understand behavior patterns of data over time. When there is unusual behavior, such as a security attack, it immediately alerts the user, enabling them to act quickly to minimize overall downtime. By running machine learning algorithms against historical data, Radar establishes a normal baseline for each specific machine and monitors file content change rates to flag any outliers and generate an alert in the Rubrik Polaris UI. For every snapshot, Radar analyzes several file properties, including file change rate, inconsistent content and file type, and entropy change of a file. This custom-trained machine learning model is developed uniquely for each customer over time, with no impact on the production environment, since all analysis is performed in the cloud using Rubrik’s Polaris data repository (or unified system of record).

Anomaly Analysis

Once an anomaly is detected, the files or applications that were negatively impacted are identified through the Radar workspace in the Rubrik Polaris UI. The analysis begins by comparing the post-attack snapshot (where the anomaly was detected) with the snapshot immediately prior to see what was added, deleted, or modified. The UI also displays the last-known good backup so recovery can begin right away.

Traditionally, identifying the applications and files that are infected is a painful and time-consuming manual process. Radar takes that burden off the user by analyzing the scope of the damage and what needs to be recovered, and displaying where those files are located in real time. This approach helps users visualize the full scope of the attack and enables quick recovery at the file level, minimizing the data loss from a mass restore. Radar allows the user to browse and navigate the entire folder hierarchy and tags each folder with the number of files added, deleted, or modified. With this visibility, there is no need for the user to perform full system restores if not desired.
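The snapshot comparison and per-machine baseline described in the two sections above can be sketched as follows. This is an added illustration, not Rubrik's code: a plain z-score over past change rates stands in for Radar's machine learning model, and the snapshot layout (path mapped to file bytes), the thresholds, and all sample data are constructed assumptions.

```python
import math
import posixpath
import statistics
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: about 4 for text, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def diff_snapshots(prev: dict, curr: dict) -> dict:
    """Classify paths as added, deleted or modified between two snapshots."""
    common = prev.keys() & curr.keys()
    return {
        "added": sorted(curr.keys() - prev.keys()),
        "deleted": sorted(prev.keys() - curr.keys()),
        "modified": sorted(p for p in common if prev[p] != curr[p]),
    }

def analyze(prev, curr, baseline_rates, z_limit=3.0, entropy_jump=2.0):
    """Flag a snapshot whose change rate is an outlier for this machine AND
    where at least half of the modified files became far more random."""
    d = diff_snapshots(prev, curr)
    touched = d["added"] + d["deleted"] + d["modified"]
    rate = len(touched) / max(len(prev), 1)
    spread = statistics.stdev(baseline_rates) or 1e-9
    z = (rate - statistics.mean(baseline_rates)) / spread
    jumps = [p for p in d["modified"]
             if entropy(curr[p]) - entropy(prev[p]) >= entropy_jump]
    anomaly = z > z_limit and len(jumps) * 2 >= max(len(d["modified"]), 1)
    # Per-folder counts mirror the folder tagging described in the text.
    by_folder = dict(Counter(posixpath.dirname(p) for p in touched))
    return {"diff": d, "rate": rate, "z": z, "entropy_jumps": jumps,
            "by_folder": by_folder, "anomaly": anomaly}

# Constructed sample data (not real telemetry).
TEXT = b"quarterly report draft, revision 3\n" * 100
CIPHERLIKE = bytes(range(256)) * 16  # uniform bytes standing in for ciphertext
PREV = {f"/share/finance/doc{i}.txt": TEXT for i in range(8)}
PREV.update({f"/share/hr/doc{i}.txt": TEXT for i in range(2)})
ATTACKED = dict(PREV)
ATTACKED.update({f"/share/finance/doc{i}.txt": CIPHERLIKE for i in range(6)})
del ATTACKED["/share/hr/doc1.txt"]
ATTACKED["/share/finance/new_note.txt"] = b"constructed added file\n"
BASELINE = [0.02, 0.05, 0.03, 0.04, 0.02, 0.06]  # past daily change rates

if __name__ == "__main__":
    print(analyze(PREV, ATTACKED, BASELINE))
```

Requiring both signals matters: a single ordinary edit can already be a change-rate outlier on a quiet machine, but without an entropy jump it is not flagged.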


Faster Recovery

Rubrik’s instant search and file restore, coupled with Radar’s analysis of which files were negatively impacted, bring you back up in minutes or hours instead of days. In addition, data is captured in an immutable format, which means you never have to worry about ransomware accessing and encrypting your backups.

As we at Rubrik like to say, “the most effective strategy for defending against ransomware is a defense in depth.” That’s why we built Radar: to help enterprises combat security threats through a holistic, multi-layered protection strategy.

Interested in learning more? Check out the Rubrik Polaris Radar Technical Overview.


* Source: Barkly Inc. “Must-Know Ransomware Statistics 2017.” Jonathan Crowe, June 2017.