Detection

Commvault^® software includes built-in coded mechanisms that can be enabled to monitor clients and detect potential ransomware attacks. Once an attack is detected, an event is triggered in the Event Viewer, and an alert notification can optionally be configured to notify administrators to react as quickly as possible.

A workflow could be created to be used by the alert to take the infected system offline, to stop the spread.

The mechanisms offered to monitor the client are as follows:

• Using 'honey pot' files
• File activity anomaly detection

'Honey Pot' Monitoring

This colorful name explains exactly how this method works. When enabled, Commvault^® software creates .xls files that will act as decoys. These files are monitored and when a malware encrypts and modifies it, it triggers the event in the CommCell^® and can trigger an alert to notify users. The frequency in minutes for the ransomware check is defined by the administrator.

This monitoring method is enabled via an additional setting that is pushed to client systems. The setting can be applied to a client, or a client computer group in the CommCell Console. The check frequency value is set in minutes.

File Activity Anomaly Detection

The second method that can be used to monitor for ransomware attacks is using file handling pattern. Once enabled, the client server is monitored for seven days, during which information is collected on file access, creation, modification, and rename. After the seven days' worth of information is collected, Commvault^® software monitors for atypical file operations. For instance, an exceptionally large number of files being renamed will trigger the alert. The ransomware check is executed every five minutes.

Optionally, a report named File Activity Anomaly Report can be viewed from the Reports section of the Commvault Command Center^TM.