Ransomware can be expensive—in 2021, the average cost of a ransomware attack was $4.62 million, and that doesn’t include the ransom itself. Beyond financial costs, the cost in time, data, and brand reputation can also be astronomical. According to the IST Ransomware Task Force, the average downtime can be 21 days, with full recovery taking on average 287 days from the initial ransomware incident response. And cyber criminals are getting more sophisticated every year.

The fact is, cyber crime is growing. In just the first half of 2021, the total value of ransomware-related Suspicious Activity Reports (SARs) from financial institutions was 42% higher than over the entirety of 2020. A cyber attack may be more a matter of “when” than “if.” The truth is, you may already have ransomware in your network and just not know it yet. So, how exactly do you catch ransomware before it’s too late?

How to Identify Ransomware

While much of the conversation about recovery from these types of cyberattacks is focused on manual approaches to ransomware forensics, your organization likely cannot wait for the delays of manual investigations. A safe and expedient recovery requires the help of automated scanners, machine learning, and searching to identify and investigate the cyber attack. Let’s review how a data observability engine for data security can help detect suspicious activity that may be a signal that you’ve been targeted by a cybercriminal.

  • Scan your backups for known malware patterns. The list is long and getting longer, but one method to detect ransomware is by looking out for file extensions that have been associated with previous attacks.

  • Monitor your systems for any unusual activity, like an uptick in file renaming. Anything that departs from what is standard user activity should be investigated.

  • Look for early warning signs, like unexpected network scanners, unauthorized access to the Active Directory, or the appearance of software removal programs.
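The first two checks in the list above can be combined in a small triage script. This is an added example, not Rubrik's code: the event tuples are constructed sample data, the three extensions are a short illustrative sample rather than a complete list, and the 60-second window and threshold of 3 are assumed values you would tune against your own baseline.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath

# Short illustrative sample of extensions seen in past ransomware families;
# a real deployment would load a maintained list.
KNOWN_BAD_EXTENSIONS = {".locky", ".wncry", ".cerber"}

# Constructed sample events: (epoch_seconds, user, old_path, new_path)
RENAME_EVENTS = [
    (1000, "alice", "/share/notes.txt", "/share/notes-v2.txt"),
    (1005, "svc-backup", "/share/q1.xlsx", "/share/q1.xlsx.locky"),
    (1006, "svc-backup", "/share/q2.xlsx", "/share/q2.xlsx.locky"),
    (1007, "svc-backup", "/share/plan.docx", "/share/plan.docx.locky"),
    (1008, "svc-backup", "/share/logo.png", "/share/logo.png.locky"),
    (1900, "alice", "/share/draft.md", "/share/final.md"),
]

def extension_hits(events, bad_extensions=KNOWN_BAD_EXTENSIONS):
    """Return events whose new file name ends in a known-bad extension."""
    return [e for e in events
            if PurePosixPath(e[3]).suffix.lower() in bad_extensions]

def rename_bursts(events, window_seconds=60, threshold=3):
    """Return {user: peak_count} for users with more than `threshold`
    renames inside any sliding window of `window_seconds`."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, user, _old, _new in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window_seconds:
            q.popleft()  # drop renames that fell out of the window
        if len(q) > threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks

def triage(events):
    """Merge both signals into one sorted list of findings per user."""
    findings = defaultdict(set)
    for e in extension_hits(events):
        findings[e[1]].add("known-extension")
    for user in rename_bursts(events):
        findings[user].add("rename-burst")
    return {user: sorted(tags) for user, tags in findings.items()}

if __name__ == "__main__":
    print(triage(RENAME_EVENTS))
```

An account that trips both signals at once is a stronger lead than either alone; the extension check by itself misses new families, which is why the rename-rate check sits beside it.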

An intelligent and augmented approach to ransomware response starts with ensuring the data remains resilient to compromise in the first place. Many ransomware attackers target backups that are based on open technologies and protocols. In contrast, Rubrik ensures that your data is immutable so it can’t be modified, encrypted, or deleted. Additional security measures include multi-factor user authentication, zero-trust cluster design, and retention lock support.



Prevention. Detection. Recovery. All three of these are important when it comes to protecting your business against the threat of a cyber attack. Although stringent prevention methods are integral to your overall cybersecurity, the best chance at the best recovery comes with assuming that you will be attacked and having a comprehensive plan for ransomware response and remediation.

How do you know if you have ransomware?

The obvious answer, of course, is that all your data has been encrypted and you’re staring at a computer screen with a ransom note. Wouldn’t it be nice to find the malware before that? The good news is that ransomware leaves traces in your network, and those traces can be found.  

How do you check for ransomware?

Consistent scanning of the activity across your network can help detect ransomware. While some companies choose to have their IT department take care of the constant search for suspicious activity by manually running reports and checking activity logs, many companies opt for a more comprehensive, outsourced solution from a company that specializes in the prevention, detection, and recovery from malware, like Rubrik.  

Can antivirus software detect ransomware?

Sort of. The key to answering that question lies in the fundamental premise of antivirus software—it can search for and detect known threats. So, if the ransomware being unleashed on your system is one of the ones that’s been around long enough to be recognized, then yes, your antivirus software will absolutely detect it. However, if it’s not one of the common viruses out there, then your antivirus software may not recognize it.

Think of it like an FBI most wanted list—if you’ve got the pictures of the criminals on the wall next to you and one walks in, you’re likely to recognize them and do something about it. But if the criminal who walks in isn’t on that list, how could you possibly know? Rubrik solutions, in contrast, monitor your network for signs of ransomware as well, looking for anomalies and suspicious activity.

Take Action. The Time is Now.

As mentioned earlier, ransomware can be more of a matter of “when” than “if,” and it is paramount that businesses have the solutions and plans in place to detect, contain, and recover from an attack when it happens. Luckily, Rubrik has your one-stop shop for all things data security: FORWARD

At our annual user conference, hear from some of the world’s top cybersecurity experts on how to become more cyber resilient. Check out all things FORWARD here and learn how your business can become unstoppable.