Ransomware Protection Removed

Ransomware Explained

Ransomware has grown into one of the most dangerous problems on the web. It is a form of malicious software that encrypts files on a computer, either locally or remotely.

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user visits an infected website and a ransomware trojan is then downloaded and installed without the user's knowledge.

Encoders, a malware species that encrypts files, are spread through similar methods and have also been spread through social media, such as web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable web servers have been exploited as an entry point to gain access to an organization's network.

Nowadays, if you are attacked with file-encrypting ransomware, criminals will brazenly announce they're holding your corporate data hostage until you pay a ransom in order to get it back.

It sounds simple, but it's effective: the latest statistics state that cybercriminals pocketed over $1 billion from ransomware attacks during 2016 alone, and a Europol report describes ransomware as having "eclipsed" most other global cybercriminal threats in 2017.

Ransomware Evolution

The early ransomware species were relatively simple constructs that used basic cryptographic approaches, which mostly just changed the names of files, making recovery relatively easy.

Nowadays, ransomware has become a thick branch of computer crime, one that grew significantly in reach and took off in the Internet age. With advanced cryptographic approaches for attacks on corporate networks, cybercriminals now cover the large audience of users with internet access.

Ransomware Protection Usage Experience

Ransomware protection functionality based on heuristic analysis was introduced earlier in CloudBerry Backup 5.9.

The detection method is based on knowledge (heuristics) about certain features (backup size entropy) that might be typical of ransomware. Each attribute has a weight coefficient which determines the level of its severity and reliability. The weight coefficient can be positive if the corresponding attribute is indicative of ransomware code, or negative if the attribute is uncharacteristic of a threat.

Depending on the summed weight for a backup, the analyzer calculates the probability of infection. If the entropy threshold is exceeded, the heuristic analyzer concludes that the analyzed objects are probably encrypted with ransomware.

Like any system of hypothesis testing under uncertainty, the heuristic analyzer may miss encrypted objects or raise false positives.
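The weighted-attribute scoring described above, sketched as an added example (this is not CloudBerry's implementation; the attribute names, weights and thresholds are assumptions). It also shows where the false positives come from: legitimately compressed data has nearly the same byte entropy as encrypted data, so only a negative-weight attribute keeps it below the alert cutoff.

```python
import hashlib
import math
import os
import zlib
from collections import Counter

# Assumed values for illustration; the page does not publish the product's settings.
ENTROPY_THRESHOLD = 7.5   # bits per byte (8.0 is the maximum)
ALERT_CUTOFF = 0.5        # summed weight at which an object is reported
WEIGHTS = {
    "high_entropy": 0.6,     # positive: typical of encrypted content
    "size_jump": 0.3,        # positive: size changed >20% since last backup
    "compressed_ext": -0.5,  # negative: high entropy is normal for this type
}
COMPRESSED_EXT = {".zip", ".gz", ".jpg", ".mp4"}

def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def score(name: str, data: bytes, prev_size: int) -> float:
    """Sum the weights of every attribute that is present."""
    present = {
        "high_entropy": shannon_entropy(data) > ENTROPY_THRESHOLD,
        "size_jump": prev_size > 0 and abs(len(data) - prev_size) / prev_size > 0.2,
        "compressed_ext": os.path.splitext(name)[1].lower() in COMPRESSED_EXT,
    }
    return sum(WEIGHTS[k] for k, hit in present.items() if hit)

def is_suspicious(name: str, data: bytes, prev_size: int) -> bool:
    return score(name, data, prev_size) >= ALERT_CUTOFF

# Constructed samples (not real backup data).
TEXT = b"quarterly report draft, revision pending\n" * 2000
# Stand-in for encrypted content: a deterministic pseudo-random byte stream.
CIPHERLIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2560))
# A legitimately compressed log export.
LOG = "".join(f"{i} GET /item/{hashlib.sha256(str(i).encode()).hexdigest()[:12]} 200\n"
              for i in range(20000)).encode()
PACKED = zlib.compress(LOG, 9)
SAMPLES = [("notes.txt", TEXT, len(TEXT)), ("notes.txt", CIPHERLIKE, len(TEXT)),
           ("export.bak", PACKED, len(PACKED)), ("export.gz", PACKED, len(PACKED))]

if __name__ == "__main__":
    for name, data, prev in SAMPLES:
        print(f"{name:11} H={shannon_entropy(data):.2f} flagged={is_suspicious(name, data, prev)}")
```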

Functionality Removed

Experience accumulated from our customers' use of the feature has shown that applying heuristics to a large number of backup files does not meet our customers' needs. When backing up large volumes, the number of false positives was often above comfortable levels. In version 6.0.1, ransomware detection based on heuristics was removed and replaced with a more efficient tool.

Retention Policy off the Bench for Assistance

Instead of heuristics, CloudBerry Lab offers retention policy best practices for ransomware protection.

To set up the protection of your backups against ransomware, customize the retention policy for your backup. Follow the hints below to create the custom retention policy that suits your needs and requirements.

  1. Select the backup plan you want to modify for protection, then click Edit.
  2. Follow the Setup Wizard steps until the Retention policy step opens.
  3. Customize the following retention settings according to your preferences.
  4. Click Next once you have finished the settings.

Specify custom retention policy for backup plan option allows you to create a customized retention policy which helps you to keep your files safe from ransomware attacks. Select it to activate the retention policy settings.

Delete versions older than option allows you to customize the period after which your file versions are deleted. Select the appropriate check box to make the detailed settings available.

Use the spin boxes to specify how long your file versions are kept, to secure them from ransomware attacks. Specify the counting mode by selecting the corresponding item (modification date or backup date) from the drop-down menu to the right.

Keep number of versions (for each file) option enables you to specify the number of file versions that are kept in your backup plan. This secures your files in case they are encoded by ransomware, as you can easily restore a clean file version. It is recommended to keep at least 3 versions. You can specify the number of versions kept using the Number of versions spin box.

Delay purge for: option allows you to customize the period within which your file versions are not purged from backup. Select the corresponding check box, then specify the purge delay period (for example, 2 weeks).

Delete files that have been deleted locally option allows you to manage the deletion of files in your backup storage that are deleted locally. To secure your backup against ransomware attacks, it is recommended that you keep this check box clear.

Do not show warning for files to be deleted is an option that allows you to avoid receiving warnings about the deletion of files stored locally. In the context of ransomware protection settings, it is not recommended to keep this check box selected.