
How To Use Commvault V11 SP6 To Detect, Protect, Alert And Recover From Ransomware Attacks

Written on: Jul 11, 2017 10:30:00 AM

Written by: Alex Raben

Topic

[Commvault]

Detecting Ransomware Malware

Ransomware is a type of malware that restricts access to infected computers and demands that the user make a payment to the malware operators to remove the restriction.

Commvault detects the presence of Ransomware malware on your client computer.

Commvault notifies the CommCell Console administrator immediately by displaying the following event message: Detected a possible Ransomware attack. Please verify the data on the machine.

This message helps you investigate the attack on the affected computer and prevent long-term damage. A predefined Ransomware alert is configured to send an email to the administrator when ransomware is detected. To remove infected files from the network, you can trigger a workflow based on the Ransomware alert.

Protecting Mount Paths (Backup Data) from Ransomware

Commvault software provides the ability to protect mount paths from Ransomware attacks by write-protecting mount paths from all processes except the Commvault processes.

This feature is currently supported for Windows MediaAgents.

You can enable Ransomware protection for all mount paths accessible from a specific MediaAgent.

Enabling Ransomware Protection on MediaAgents

Commvault software provides the ability to protect all mount paths associated with disk libraries configured from a MediaAgent against Ransomware attacks.

Procedure

  1. From the CommCell Browser, expand to Storage Resources > MediaAgents.
  2. Right-click the appropriate MediaAgent and click
  3. Click the Advanced  (This tab will be available for Windows MediaAgents with access to a mountpath.)
  4. Select the Secure Disk Storage check box.
  5. Click the Additional Settings 
  6. Click Add.
  7. In the Add Additional Settings dialog box, enter the following details for the additional setting:
    • In the Name box, type nLockMountPathVolumes.
    • In the Category box, type or select MediaAgent.
    • In the Type box, select Integer.
    • In the Value box, type 
    • Click OK.
  8. Click OK to save the information and close the MediaAgent Properties dialog box.

Note: To disable this feature, clear the Secure Disk Storage check box.

Result - This will enable write-protection from Ransomware on all mount paths associated with disk libraries configured in the MediaAgent within a few minutes (maximum of 30 minutes).
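
A quick way to confirm this result on the MediaAgent is to attempt a write from a process that is not a Commvault process. The PowerShell script below is an added example, not part of the original article or of the Commvault software; the function name and the placeholder mount path are assumptions. It only ever creates a zero-byte probe file, which it deletes again if the write succeeds.

```powershell
# Added example, not Commvault code. Run on the Windows MediaAgent in an ordinary
# PowerShell session (a non-Commvault process), after the 30-minute window has passed.
# ASSUMPTION: the default path below is a placeholder; pass your own mount paths.
param(
    [string[]]$MountPaths = @('E:\MOUNTPATH_PLACEHOLDER')
)

function Test-MountPathWriteDenied {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Detail = 'Not a reachable directory' }
    }
    # Unique probe name plus CreateNew: an existing file is never opened or overwritten.
    $probe = Join-Path -Path $Path -ChildPath ('write-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        $stream = [System.IO.File]::Open($probe, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
        $stream.Dispose()
        Remove-Item -LiteralPath $probe -Force
        return [pscustomobject]@{ Path = $Path; Status = 'WRITABLE'; Detail = 'Probe file created; write protection is not in effect' }
    }
    catch {
        # .NET exceptions raised from a method call arrive wrapped; unwrap to the real cause.
        $cause = $_.Exception
        while ($cause.InnerException) { $cause = $cause.InnerException }
        # Access-denied and I/O failures are treated as a refused write; read Detail to
        # rule out unrelated I/O errors such as a full disk.
        $denied = ($cause -is [System.UnauthorizedAccessException]) -or ($cause -is [System.IO.IOException])
        $status = if ($denied) { 'Denied' } else { 'Error' }
        return [pscustomobject]@{ Path = $Path; Status = $status; Detail = $cause.Message }
    }
}

$results = @($MountPaths | ForEach-Object { Test-MountPathWriteDenied -Path $_ })
$results | Format-Table -AutoSize -Wrap
# Non-zero exit code if any mount path accepted the write, so a scheduled task can flag it.
if ($results.Status -contains 'WRITABLE') { exit 1 }
```

A status of Denied on every mount path is the expected outcome once Secure Disk Storage is active; WRITABLE means the protection has not taken effect for that path.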

Ransomware Alerts and Events

Commvault software automatically detects the presence of Ransomware on your client computers. The Ransomware check happens once a day. If you want more frequent checks at regular intervals, enable the nTimer_CheckForRansomware additional setting on the client computer.

Commvault software notifies the CommCell Console administrator immediately by sending an Alert and displaying an Event Message as follows:

  • The Ransomware Alert is by default configured to send out an alert to all the users included in the Master CommCell User Group.
  • The following event message will also be displayed if the Commvault software detects the presence of Ransomware on your computer: Detected a possible Ransomware attack. Please verify the data on the machine.

Recovering From a Ransomware Attack

Perform the following steps when Ransomware is detected in a client computer.

  1. Disable network connections to the affected client and make sure that the Ransomware is cleared.
  2. Disable all backups from the client.
    • From the CommCell Browser, right-click the Client and select Properties.
    • On the Activity Control tab, clear the Enable Backup check box.
    • Click OK.
  3. Enable network connections to the client once you are sure that the client is clean.
  4. Restore the necessary data from an older backup.
  5. Enable all backups from the client.
    • From the CommCell Browser, right-click the Client and select Properties.
    • On the Activity Control tab, select the Enable Backup check box.
    • Click
