Blog Post

Protection
2 MIN READ

NetBackup support for detection of known Ransomware aware extension

swapnildombale's avatar
8 months ago

Typically, when a ransomware attacks a system, it encrypts the data which could be in the form of document files such as pdf, doc, excel or text files. Those attacks add extension to the encrypted file. For example, a WannaCry attack after attack renames all the encrypted files with extension as <file_name>.WannaCry 

Having ransomware specific extension to the impacted file enables us to identify if there is any attack or not, simply comparing the extension of the file with known ransomware extensions. For example, during backup, we can check if the extension of the file which is getting backed up, matches the extension with known ransomware extensions. 

Solution 

From NetBackup 10.3 onwards, a support is added to detect such known ransomware extension. 

How the known ransomware known extension list captured? 

  • NetBackup ships with pre-captured known ransomware extensions. Those extensions have been captured from different public repositories such as  

Ransomware encrypted file extensions list (file-extensions.org) 

How NetBackup detects known ransomware extensions? 

  • During backup, NetBackup captures the extensions of files which are getting backed up. It then compares extensions with known extensions list which gets shipped alone with NetBackup product. 
  • For a running job, if NetBackup detects known extension in any of the file, NetBackup generates a System Anomaly for Ransomware extension. Below is the example of that. 

 

 

 

How to manage the Ransomware extension anomalies? 

  • Certainly, the extensions mentioned under known ransomware extension are relevant to certain attacks. However, there are chances that some of the extensions might have been used by legitimate software or in future any of the software can start using those for its application specific use. 
  • Now, its hard to figure out which extensions are relevant to such normal use cases for such software and the relevancy would also change per system/ customer. 
  • Hence, NetBackup provides provision to mark such extensions as false so that in the next backup system will not generate the Anomaly again for the same extension on the given client and policy combination. 
  • Please note, marking such extensions as false would be a one-time activity for the combination of client-policy and hence forth customer will not see anomaly again. 

 

Updated 3 months ago
Version 6.0
No CommentsBe the first to comment