Indications of Possible Ransomware Activity
Introduction
While various security measures are designed to ward off ransomware intrusions, early detection is pivotal to minimizing the impact of an attack. Sophisticated backup systems are not just tools for data recovery; they can also serve as early warning systems. Understanding the subtle hints described below can empower organizations to act swiftly, preventing further damage and safeguarding their digital assets.
Steady (non-bursty) increase in workload for a volume.
Ransomware often works by systematically encrypting files on a victim's system. When this happens, you'll observe a continuous increase in workload because the ransomware is scanning through directories and encrypting files one by one. This is different from normal workload patterns where you might see occasional bursts of activity (e.g., when a backup is taken or when a large file is being copied).
This steady increase is suspicious because most legitimate operations on a system, whether user-initiated or system-initiated, either follow a recognizable pattern or are sporadic in nature. A constant and consistent increase in workload suggests an automated process (like ransomware) working its way through the system.
The workload is approximately 50% read and 50% write.
For ransomware to encrypt a file, it first needs to read the original file, encrypt its contents, and then write the encrypted data back, either as a replacement of the original file or as a new file. This roughly equal read/write pattern can be indicative of this encrypting behavior.
Regular operations on a system don't usually have such a balanced read/write ratio. For instance, copying files primarily involves reading, while saving a new document is primarily writing.
The workload has 0% compression and 0% deduplication.
Compression and deduplication are techniques used in storage to save space. Compression reduces the size of data by removing redundancies, while deduplication ensures that duplicate pieces of data are stored only once.
Encrypted data, by its nature, looks random and lacks the patterns that are necessary for effective compression or deduplication. Thus, if you see a significant amount of data being written that neither compresses nor deduplicates well, it's a potential sign that the data is encrypted.
When ransomware encrypts files, it's turning structured and patterned data (like a Word document or a JPEG image) into seemingly random data (the encrypted file). This would naturally have very low rates of compression and deduplication.
Sudden change in the size of incremental backups.
If you suddenly notice that the size of your incremental backups is increasing significantly without a clear reason (like massive data changes, new software installations, or other legitimate large-scale data operations), it might be a sign that many files are being modified or encrypted by ransomware.
While these indicators can be suggestive of ransomware activity, none of them is definitive proof on its own. Other activities or malfunctions can sometimes produce similar patterns. However, if you observe these indicators in combination, and especially if they deviate from the baseline or expected behavior for the system in question, it's essential to investigate further and consider the possibility of an ongoing ransomware attack.
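As an added example, not part of the original article or of any backup product, the Python below turns the four indicators above into checks over per-interval volume metrics and counts how many fire together on two constructed data sets: a normal day with a backup burst and an encryption run. The metric names, thresholds and sample values are assumptions chosen to illustrate the heuristics, not figures from any real system.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class VolumeSample:          # one sampling interval of a volume's storage metrics (assumed fields)
    iops: int                # total read+write operations in the interval
    read_ratio: float        # fraction of operations that were reads
    compression: float       # fraction of written bytes saved by compression
    dedup: float             # fraction of written bytes saved by deduplication

def steady_increase(iops, window=6, growth=1.5):
    # Non-bursty growth: each interval at least as busy as the last, final one well above the first.
    if len(iops) < window:
        return False
    w = iops[-window:]
    return all(b >= a for a, b in zip(w, w[1:])) and w[-1] >= growth * w[0]

def balanced_rw(samples, tol=0.1):
    # Read-encrypt-write loop: reads and writes roughly equal in every interval.
    return all(abs(s.read_ratio - 0.5) <= tol for s in samples)

def incompressible(samples, max_savings=0.02):
    # Ciphertext neither compresses nor deduplicates.
    return all(s.compression <= max_savings and s.dedup <= max_savings for s in samples)

def backup_size_jump(increment_sizes_gb, factor=3.0):
    # Latest incremental backup far larger than the average of the earlier ones.
    if len(increment_sizes_gb) < 4:
        return False
    *history, latest = increment_sizes_gb
    return latest >= factor * mean(history)

def score(samples, increment_sizes_gb, window=6):
    """Return (per-indicator hits, hit count); several hits together warrant investigation."""
    recent = samples[-window:]
    hits = {
        "steady_increase": steady_increase([s.iops for s in samples], window),
        "balanced_rw": balanced_rw(recent),
        "incompressible": incompressible(recent),
        "backup_size_jump": backup_size_jump(increment_sizes_gb),
    }
    return hits, sum(hits.values())
# Constructed sample data: a normal day with a backup burst, then an encryption run.
NORMAL = [VolumeSample(*t) for t in [(200, .8, .4, .3), (900, .9, .5, .3), (210, .7, .4, .2),
                                     (190, .6, .4, .3), (2500, .95, .5, .4), (220, .7, .4, .3)]]
SUSPECT = [VolumeSample(*t) for t in [(400, .5, 0, 0), (600, .52, 0, 0), (800, .49, 0, 0),
                                      (1000, .5, 0, 0), (1300, .51, 0, 0), (1600, .5, 0, 0)]]
NORMAL_INCREMENTS_GB = [10, 12, 11, 10, 13]    # daily incremental sizes, last entry is today's
SUSPECT_INCREMENTS_GB = [10, 12, 11, 10, 60]
```

Calling `score(SUSPECT, SUSPECT_INCREMENTS_GB)` fires all four indicators while the bursty normal day fires none, which is the combination-versus-single-signal point the text makes.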
Ransomware is a persistent threat, and the earlier it's detected, the better the chances of mitigating its effects. Backup systems can be invaluable in these situations, not just as a means of recovery but also as an early warning system.