Flexense Logo
Resources:

Ransomware attacks are becoming more wide spread and more sophisticated. Hackers are trying to inject ransomware software into as many servers as possible and when a server is infected, the ransomware software encrypts all files located on the system disk or data disks connected to the infected server.

Due to the fast-pacing nature of ransomware attacks, protection from such attacks is not simple and recovering a server after such an attack is even more complicated and time-consuming. Once a server is infected, the ransom software encrypts files very fast leaving almost no time to react to the ransomware attack. It makes little sense to try to detect the ransomware software during an ongoing ransomware attack because when the ransomware software will be detected the attack will be probably finished and all the files stored on the server already encrypted.

A more effective way to protect servers from ransomware attacks is to detect a ransomware attack when the ransomware software just started to encrypt files, send an E-Mail notification to the administrator of the server and then shutdown the server as fast as possible, which will definitely prevent the ransomware software from encrypting all files stored on the server.

Usually, ransomware software encrypts all files stored on the server and then changes the extensions of already encrypted files. During a normal operation mode, changes in file extensions are relatively seldom and when a server suddenly starts to change hundreds of file extensions per minute, it may be a very clear sign of a started ransomware attack.

In order to be able to detect such an attack, a protection software component should perform real-time monitoring of all changes made in the system disk and/or one or more data disks connected to the server and automatically detect when the rate of changed file extensions is becoming abnormally high.

Flexense develops a real-time disk change monitoring solution, named DiskPulse Server, which is capable of monitoring disks and detecting ransomware attacks. DiskPulse Server allows one to detect the very beginning of a ransomware attack, send an E-Mail notification to the administrator of the infected server and then automatically shutdown the server as fast as possible in order to prevent the ransomware software from encrypting all files stored on the server.

DiskPulse Server client GUI application

DiskPulse Server is a very effective disk change monitoring solution, which runs in the background as a service and consumes almost no CPU and memory resources. DiskPulse Server intercepts NTFS file system change notifications and then sends notifications and/or executes custom actions when user-specified file system changes are detected.

DiskPulse Server Monitor Directories

DiskPulse Server is capable of monitoring an unlimited number of disks simultaneously and allows the user to configure a customizable disk change monitoring command for each monitored disk or directory. In order to create a new disk change monitoring command, start the DiskPulse Server client GUI application and press the 'Add' button located on the main toolbar.

DiskPulse Server Monitor Changed File Extensions

First of all, select the 'Directories' tab and add one or more disks or directories to be monitored. Then, select the monitor tab and enable the 'Show Changed File Extensions Only' option. When this option is enabled, DiskPulse Server will monitor only changed file extensions and skip all other types of disk changes.

DiskPulse Server Monitoring Actions

Now, select the 'Advanced' tab, enable disk change monitoring actions and set the number of changes to trigger the actions to 100. After that, press the 'Monitoring Options' button located beside the changes trigger entry, select the 'If Change Rate Is More Than' option and set the change rate to 100 changes per minute.

DiskPulse Server Monitor Change Rate

In order to add disk change monitoring actions, press the 'Add Action' button, select the 'Send HTML Notification' action type and specify an e-mail address to send E-Mail notifications to. After that, press the 'Add Action' again, select the 'System Shutdown' action type and press the 'Ok' button. Finally, open the main options dialog, select the 'E-Mail' tab and specify an E-Mail server to use to send E-Mail notifications.

DiskPulse Server E-Mail Configuration

When a ransomware attack will be detected, DiskPulse Server will send an E-Mail notification to the specified e-mail address and then the infected server will be automatically shutdown definitely preventing the ransomware software from encrypting all files stored on the infected server.

The FDM platform is a fully integrated and scalable solution allowing SMBs and large enterprises to fully automate the data management operations according to the user-specified rules and policies. The product provides an extensive set of file classification, disk analysis, file search, file management, file archiving and secure file delete operations especially designed for the data lifecycle management and compliance purposes.

SyncBreeze is a fast, powerful and reliable file synchronization solution for local disks, network shares, NAS storage devices and enterprise storage systems. Users are provided with multiple one-way and two-way file synchronization modes, periodic file synchronization, real-time file synchronization, bit-level file synchronization, multi-stream file synchronization, background file synchronization and much more.

DiskPulse is a real-time disk change monitoring solution allowing one to monitor one or more disks or directories and detect file creations, modifications, attribute changes and file delete operations. Users are provided with multiple desktop and server-based product versions capable of sending E-Mail notifications, executing custom commands, saving disk change monitoring reports or exporting changes to an SQL database when a user-defined number of changes are detected.

DiskSavvy is a disk space usage analyzer capable of analyzing disks, network shares, NAS devices and enterprise storage systems. Users are provided with multiple disk usage analysis and file classification capabilities allowing one to gain an in-depth visibility into how the disk space is used, save reports and perform file management operations.