Arcserve Asks the Experts: Ransomware Series

JUNE 7TH, 2017

Interview with Kelvin Murray, Threat Researcher, Webroot

Christophe: Welcome Kelvin. I am pleased that you could join me today. Arcserve, as you are aware, is a leader in the data protection industry and we hear consistently from our customers about the increase in malware activity, specifically ransomware. As a security expert, I am interested to hear from Webroot and understand your take on this new security trend.

Kelvin: You are correct. We are hearing the same from our customer that cybercrime is growing immensely. Statistics tell us that cybercrime has surpassed traditional crime in the UK. Ransomware is the number one threat.

Christophe: Ransomware started with Windows endpoints for security reasons, and simply because Windows is the most popular endpoint. But now it has spread to Linux and Mac OS.

Kelvin: Yes, that can happen too.

Christophe: What are you seeing in terms of the role of backup and best practices and what recommendations can you make? I am curious from your angle as a security expert.

Kelvin: Your backups cannot go back one day; they must run at regular intervals. Depending on how time sensitive your data is, you want to do as many backups as you can. I understand that backups can become expensive but modern backup solutions [like Arcserve] can reduce and compress the data to help reduce storage costs.

Christophe: Are there other techniques to complement backup?

Kelvin: There are some groups that are working together to de-crypt encrypted files. If you are stuck, it is worth your time to go online and check this out ( But keep in mind the chances of recovery are very small. Some of the most professional ransomware attacks are using AES encryption that would take 1 X 10^ 24 years to crack by brute force with a standard machine. That’s longer than the universe is expected to last.

Christophe: That makes perfect sense and that is a great statistic. The other question I have for you is what do you make of the features that claim they can detect an attack and stop it? We hear some vendors saying they have some predictive analytics that tells you something is happening. Well, at that point it is obvious that something bad has happened. So, what is the point?

Kelvin: Initially when ransomware came out, the security industry had a lot of success in preventing it. One example involved the malicious use of your Windows System Restore. Webroot has a feature that if it sees a process using the System Restore in a suspicious way it can stop the process and give a warning. But the truth is that these behavioral detection methods are not the end all for stopping attacks. You will get some infections which can be stopped by a rule, but malware authors are very good at getting around these rules.

Christophe: What about files that are stored and malware begins to encrypt them. If you detect this activity does this help or is it too late?

Kelvin: I am sure that there have been instances where the malware was stopped, and in Webroot we have behavioral detection to stop such infections. What will happen is you have malware that encrypts a file in a certain way with a certain fingerprint. A technique can be developed to stop the infection, but the truth is that it hasn’t stopped the whole landscape of infections. If it could, infections would not be around.

Christophe: OK, that is just what I thought. It is just a lot of marketing around using predictive analytics and it doesn’t do much good.

Kelvin: We have seen some amazing marketing claims. Any company that claims it can stop 100% of malware isn’t being honest. We have seen lies, false claims and manipulation of test results.

Christophe: Statistics show that attacks are going to continue and you are going to hit more on both Windows and Linux. The fact is something will get through and the only way to ensure that you can restore all your data is having a good backup.

Kelvin: That is true. Even if there was no ransomware, hard drives are still fallible. So, it has always been important to make regular backups of your data even before there was malware and ransomware.

There is a cost to backup as well. If you are a business that needs to get its data back quickly, you can spend a lot of time to roll back changes, but time is money. At Webroot, we always tell our customers to have good regular backups because statistics prove that everyone at some time will get infected and they will need to recover their data.

Christophe: Ok, that is very consistent from what I have heard from other security experts. This brings up the conversation of where Arcserve fits in this solution. We have many backup and recovery offerings to help protect data. Our solutions copy data, store it offline and put it to the cloud. It is a great way to maintain an offline backup because if there is an infection occurring on-premise, it does not mean that encryption is being replicated to the cloud copy. You can go back to a point in time right before the infection occurred and recover. It seems to me that ransomware is a new form of technology and it is evolving fast. The best defense is to backup, which is one of the oldest technologies designed to protect data.

Kelvin: We know that macro infections were one of the first threats to machines in 1995 and they still are today. Backup have been around forever. Email has been and remains the number one attack vector today. It is funny in the IT industry how some things change and other things remain the same. Making good backups, updates and patches and the use of good passwords have all been around forever and are still so important to protect against attacks.

Christophe: Kelvin, I wish to thank you for sharing your thoughts about ransomware and the important ways that customers can protect their data. Thank you.

Arcserve Asks the Experts is a blog series where we ask industry experts the questions you all want answered. Subscribe to our blog to receive updates on interviews with security experts, legal/regulatory specialists and more.

About Webroot
Webroot delivers next-generation endpoint security and threat intelligence services to protect businesses and individuals around the globe. Their approach harnesses the power of cloud-based collective threat intelligence derived from millions or real-world devices to stop threats in real time and help secure the connected world.