How To Protect Servers From Ransomware Attacks
Ransomware attacks are becoming more wide spread and more sophisticated. Hackers are trying to inject ransomware software into as many servers as possible and when a server is infected, the ransomware software encrypts all files located on the system disk or data disks connected to the infected server.
Due to the fast-pacing nature of ransomware attacks, protection from such attacks is not simple and recovering a server after such an attack is even more complicated and time-consuming. Once a server is infected, the ransom software encrypts files very fast leaving almost no time to react to the ransomware attack. It makes little sense to try to detect the ransomware software during an ongoing ransomware attack because when the ransomware software will be detected the attack will be probably finished and all the files stored on the server already encrypted.
A more effective way to protect servers from ransomware attacks is to detect a ransomware attack when the ransomware software just started to encrypt files, send an E-Mail notification to the administrator of the server and then shutdown the server as fast as possible, which will definitely prevent the ransomware software from encrypting all files stored on the server.
Usually, ransomware software encrypts all files stored on the server and then changes the extensions of already encrypted files. During a normal operation mode, changes in file extensions are relatively seldom and when a server suddenly starts to change hundreds of file extensions per minute, it may be a very clear sign of a started ransomware attack.
In order to be able to detect such an attack, a protection software component should perform real-time monitoring of all changes made in the system disk and/or one or more data disks connected to the server and automatically detect when the rate of changed file extensions is becoming abnormally high.
Flexense develops a real-time disk change monitoring solution, named DiskPulse Server, which is capable of monitoring disks and detecting ransomware attacks. DiskPulse Server allows one to detect the very beginning of a ransomware attack, send an E-Mail notification to the administrator of the infected server and then automatically shutdown the server as fast as possible in order to prevent the ransomware software from encrypting all files stored on the server.
DiskPulse Server is a very effective disk change monitoring solution, which runs in the background as a service and consumes almost no CPU and memory resources. DiskPulse Server intercepts NTFS file system change notifications and then sends notifications and/or executes custom actions when user-specified file system changes are detected.
DiskPulse Server is capable of monitoring an unlimited number of disks simultaneously and allows the user to configure a customizable disk change monitoring command for each monitored disk or directory. In order to create a new disk change monitoring command, start the DiskPulse Server client GUI application and press the 'Add' button located on the main toolbar.
First of all, select the 'Directories' tab and add one or more disks or directories to be monitored. Then, select the monitor tab and enable the 'Show Changed File Extensions Only' option. When this option is enabled, DiskPulse Server will monitor only changed file extensions and skip all other types of disk changes.
Now, select the 'Advanced' tab, enable disk change monitoring actions and set the number of changes to trigger the actions to 100. After that, press the 'Monitoring Options' button located beside the changes trigger entry, select the 'If Change Rate Is More Than' option and set the change rate to 100 changes per minute.
In order to add disk change monitoring actions, press the 'Add Action' button, select the 'Send HTML Notification' action type and specify an e-mail address to send E-Mail notifications to. After that, press the 'Add Action' again, select the 'System Shutdown' action type and press the 'Ok' button. Finally, open the main options dialog, select the 'E-Mail' tab and specify an E-Mail server to use to send E-Mail notifications.
When a ransomware attack will be detected, DiskPulse Server will send an E-Mail notification to the specified e-mail address and then the infected server will be automatically shutdown definitely preventing the ransomware software from encrypting all files stored on the infected server.