Cloud data protection and management provider Druva has developed an approach called Curated Recovery to help defend against the rapidly growing ransomware problem.
Deployed in addition to the company's standard Accelerated Ransomware Recovery module, Druva Curated Recovery mitigates the impact of a ransomware attack by building uncorrupted, unencrypted, and malware-free system recovery points to ensure successful recovery -- even before one is needed, Druva VP of Products Prem Ananthakrishnan told ZDNet.
Curated Recovery, announced Sept. 21, identifies anomalies as they appear in an IT system; when an intrusion occurs, Druva quarantines the malware and, using intelligent automation, reinstates all system files to the state they were in before the ransomware was detected. By pre-establishing a large set of recovery points, Curated Recovery identifies the latest clean version of each file from its recent changes, replacing a resource-intensive process that can take weeks with a simplified recovery workflow. Thus, IT teams can find the most recent clean version of all their data and return operations to normal in a much shorter time frame, Ananthakrishnan said.
Ransomware, malicious software that blocks access to a computer system until a sum of money is paid, is one of the most common attack methods used by malicious actors. The average ransomware payment, which only a few years ago was about $15,000, has surpassed $240,000, according to a recent survey from IDC. Its profit potential has incentivized bad actors to expand the scope of their attacks, including the introduction of new variants designed specifically to encrypt or delete backup data.
"What's happening is that these new variants of ransomware are staying on the systems (much longer), and they're encrypting the data so slowly," Ananthakrishnan said. "It's taking months (for them) actually to encrypt the data. So the net result of that is that the cleanest version -- or the most recent version of each file -- is unencrypted, and those files may be sitting across multiple restore or recovery points of the data.
"Unfortunately, files now are not available in one single recovery point (such as a snapshot). Users now have to go into all these different datasets and keep testing each of them to see if they can get the latest version of the file. If you've got 100,000 files, think of how long that would take."
Druva's Accelerated Ransomware Recovery platform has a zero-trust architecture that ensures only customers have access to their data, while features such as excess deletion prevention stop ransomware from permanently deleting backups, the company said.
Druva's Accelerated Ransomware Recovery is designed to reduce data loss via intelligent automation and orchestration; it also integrates with security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools. Key components include:
Access insights: Understand location and identity for all access attempts to gain situational awareness.
Anomaly detection: Gain data-level insights on file changes, creation, recovery, and deletion. Users can create alerts for anomalous activity and use anomaly information to identify the timeframe of an attack.
Quarantine: Quickly quarantine infected systems and snapshots.
Recovery scans: Scan snapshots for known malware and customer-provided indicators of compromise before restoring to avoid reinfection.
Curated recovery: Automatically recover the most recent clean version of every file within a specified time frame, reducing recovery time.
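The file-by-file selection described above, which assembles one recovery point from the newest clean copy of each file across many snapshots, as an added example that is not Druva's code: the snapshots, the dropper hash used as an indicator of compromise and the entropy heuristic for "looks encrypted" are constructed stand-ins.

```python
import hashlib
import math
from collections import Counter

# Constructed sample snapshots (not Druva data), oldest first: path -> bytes captured.
ENCRYPTED = bytes(range(256))  # stand-in for ransomware output: maximal entropy
DROPPER = b"#!/bin/sh\n# constructed stand-in for a malicious payload\n"
SNAPSHOTS = [
    {"ts": "2021-09-01", "files": {"a.doc": b"quarterly report v1", "b.csv": b"1,2,3\n", "c.txt": b"meeting notes"}},
    {"ts": "2021-09-08", "files": {"a.doc": b"quarterly report v2", "b.csv": b"1,2,3\n4,5,6\n", "c.txt": b"meeting notes"}},
    {"ts": "2021-09-15", "files": {"a.doc": ENCRYPTED, "b.csv": b"1,2,3\n4,5,6\n", "c.txt": b"meeting notes", "r.sh": DROPPER}},
    {"ts": "2021-09-22", "files": {"a.doc": ENCRYPTED, "b.csv": ENCRYPTED, "c.txt": b"meeting notes, updated", "r.sh": DROPPER}},
]
IOC_HASHES = {hashlib.sha256(DROPPER).hexdigest()}  # customer-provided indicator of compromise

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, documents and source text well below."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def is_clean(content: bytes, ioc_hashes: set, entropy_threshold: float = 7.0) -> bool:
    """Usable if it matches no IoC and does not look encrypted. Caveat: compressed
    files are also high-entropy; a real scan would need a type-aware check."""
    if hashlib.sha256(content).hexdigest() in ioc_hashes:
        return False
    return shannon_entropy(content) < entropy_threshold

def curated_recovery(snapshots, ioc_hashes, since):
    """Build one recovery point from the newest clean version of each file seen in
    any snapshot taken on or after `since` (ISO date). Returns (recovered, unrecoverable)."""
    window = [s for s in snapshots if s["ts"] >= since]
    paths = {p for s in window for p in s["files"]}
    recovered, unrecoverable = {}, []
    for path in sorted(paths):
        # Walk newest to oldest; the first clean copy is the one to restore.
        for snap in reversed(window):
            content = snap["files"].get(path)
            if content is not None and is_clean(content, ioc_hashes):
                recovered[path] = (snap["ts"], content)
                break
        else:
            unrecoverable.append(path)  # every version hit an IoC or looks encrypted
    return recovered, unrecoverable

if __name__ == "__main__":
    got, missing = curated_recovery(SNAPSHOTS, IOC_HASHES, since="2021-09-01")
    print({p: ts for p, (ts, _) in got.items()}, "no clean version:", missing)
```

Narrowing `since` shrinks the window of candidate snapshots, so files whose only clean copies are older than the window show up as unrecoverable rather than being silently restored from an encrypted version.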
Druva Cloud Platform is built on AWS and offered as a service, providing globally accessible, scalable, and autonomous enterprise data resiliency. Druva started out in 2008 specializing in protecting data on mobile devices and has since evolved into the cloud data protection and management space. Since those early days, Druva has become known as an early pioneer of edge-computing data protection.