Technical Deep Dive on Anomaly Detection for Ransomware



Ransomware is a major threat to businesses worldwide. Businesses are projected to have paid out $20B in 2021, a 100% year-over-year increase sustained for the last four years, and the problem is only going to get worse with new business models like ransomware-as-a-service (RaaS). With Retrospect Backup, businesses can protect their infrastructure against ransomware with immutable backups.

Organizations need to detect ransomware as early as possible so they can stop the threat and remediate the affected resources. Anomaly Detection in Retrospect Backup identifies changes in an environment that warrant the attention of IT. Administrators can tailor it to their business's specific systems with customizable filters and thresholds for each backup policy. Detected anomalies are aggregated on Retrospect Management Console across all of a business's Retrospect Backup instances, or across a partner's client base, in a notification area for responding to them.

No single signal catches every attack, so detection works best when complementary techniques are combined: signature-based detection of known malicious processes, and detection of file-level irregularities such as a sudden surge of changed or renamed files, which is the signal a backup scan is well placed to see. With a layered defense of immutable backups, anomaly detection, and other security controls, businesses learn that they are under attack while it is happening and have the tools to remediate and recover.

Detecting Anomalies

Ransomware is now a vast ecosystem with many different forms of attack. Many attackers maintain their own versions of ransomware, known as variants. Every variant has the same purpose, but each uses a different mechanism or simply a different naming convention. The majority of ransomware variants, and all of the top 10 forms for 2021, followed the same attack pattern: infiltrate a computer, encrypt its files, and rename them with a different extension.

As a backup solution, Retrospect Backup has a significant footprint in a business's computing environment, with visibility into endpoints, servers, NAS volumes, and even cloud storage. To detect anomalies, Retrospect Backup provides a per-policy filter and threshold that together decide whether a given set of file changes is an anomaly, plus options for how to be notified. Let's walk through each:

  • Filtering: Configure a filter to identify the files to observe. Retrospect lets administrators tailor this to file types, paths, dates, or specific attributes; the built-in filter focuses on office documents, photos, and movies.

  • Threshold: Set the threshold for the alert. If the number of new or changed files, as a percentage of the total number of files matched by the filter, is greater than or equal to the threshold, Retrospect creates an anomaly event.

  • Notification: Access notifications on Retrospect Management Console, receive them immediately by email, and find them in the Execution History and the Backup Report, so the alert reaches the place where an organization will actually see it.

The diagram shows the monitored volume as a whole, the subset of files that match the "Anomaly Detection" filter, and the files within that subset that are new or changed. Retrospect generates an alert if that percentage meets or exceeds the threshold.
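As an added example (not Retrospect's own code; the product is configured through its user interface), the following Python models the filter-and-threshold rule described above over constructed scan data for one volume. It goes slightly beyond the text by running two filter styles, one keyed on file extensions and one keyed on paths, against an ordinary day and two ransomware patterns: encryption in place and encryption with renaming. The scan data, the glob filters, the 50% threshold, and the decision to scope the denominator to files matched in the current scan are all assumptions of this example; the page does not say how Retrospect itself computes these.

```python
"""Filter-plus-threshold anomaly check over two backup scans (simplified model)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List

# Constructed sample data: one volume as seen by consecutive backup scans. Each
# entry maps a path to a content fingerprint; a different fingerprint between two
# scans means the file's contents changed.
BASELINE: Dict[str, str] = {
    "/Users/alice/Documents/budget.xlsx": "h1",
    "/Users/alice/Documents/plan.docx": "h2",
    "/Users/alice/Documents/notes.txt": "h3",
    "/Users/alice/Documents/report.pdf": "h4",
    "/Users/alice/Documents/contract.pdf": "h5",
    "/Users/alice/Pictures/holiday.jpg": "h6",
    "/Users/alice/Pictures/family.jpg": "h7",
    "/Users/alice/Pictures/dog.jpg": "h8",
    "/Users/alice/Library/Caches/app.db": "h9",
}

# Ordinary day: one document edited, one photo added.
NORMAL_DAY = dict(BASELINE)
NORMAL_DAY["/Users/alice/Documents/plan.docx"] = "h2-edited"
NORMAL_DAY["/Users/alice/Pictures/beach.jpg"] = "h10"

# Variant A: user files encrypted in place, names unchanged (cache left alone).
IN_PLACE_DAY = {p: (h if "/Library/" in p else "enc-" + h) for p, h in BASELINE.items()}

# Variant B: user files encrypted and renamed with a new extension, ransom note dropped.
RENAME_DAY = {p + ".locked": "enc-" + h for p, h in BASELINE.items() if "/Library/" not in p}
RENAME_DAY["/Users/alice/Library/Caches/app.db"] = "h9"
RENAME_DAY["/Users/alice/Documents/README_DECRYPT.txt"] = "note"

SCENARIOS = {"normal": NORMAL_DAY, "encrypt-in-place": IN_PLACE_DAY, "encrypt-and-rename": RENAME_DAY}


@dataclass
class Policy:
    """Per-policy settings (assumed shape): which files to observe and when to alert."""
    name: str
    patterns: List[str]   # glob patterns; a file is observed if any pattern matches it
    threshold_pct: float  # anomaly when (new + changed) / matched * 100 >= threshold


@dataclass
class Result:
    matched: int          # files in the current scan that match the filter
    new: List[str]        # matched files absent from the previous scan
    changed: List[str]    # matched files whose fingerprint differs from the previous scan
    percent: float        # (new + changed) as a percentage of matched
    anomaly: bool


def evaluate(policy: Policy, previous: Dict[str, str], current: Dict[str, str]) -> Result:
    """Apply the filter to the current scan, then compare against the previous scan."""
    matched = {p: h for p, h in current.items() if any(fnmatch(p, g) for g in policy.patterns)}
    new = sorted(p for p in matched if p not in previous)
    changed = sorted(p for p in matched if p in previous and previous[p] != matched[p])
    # An empty matched set yields 0%, never a division error.
    percent = 100.0 * (len(new) + len(changed)) / len(matched) if matched else 0.0
    return Result(len(matched), new, changed, percent, percent >= policy.threshold_pct)


# Two ways of scoping the same volume. The extension list mirrors the built-in focus
# on office documents, photos and movies; the path filter scopes by user data folders.
BY_EXTENSION = Policy("office-and-media", ["*.docx", "*.xlsx", "*.pdf", "*.jpg", "*.mp4"], 50.0)
BY_PATH = Policy("user-data-folders", ["/Users/*/Documents/*", "/Users/*/Pictures/*"], 50.0)


def run_all() -> Dict[str, Dict[str, Result]]:
    """Evaluate every policy against every scenario, keyed by policy then scenario name."""
    return {
        policy.name: {name: evaluate(policy, BASELINE, scan) for name, scan in SCENARIOS.items()}
        for policy in (BY_EXTENSION, BY_PATH)
    }


if __name__ == "__main__":
    for policy_name, per_scenario in run_all().items():
        for scenario, r in per_scenario.items():
            flag = "ANOMALY" if r.anomaly else "ok"
            print(f"{policy_name:18} {scenario:19} matched={r.matched:2} "
                  f"new={len(r.new)} changed={len(r.changed)} {r.percent:5.1f}% {flag}")
```

Run it and the extension-only filter flags the in-place variant at 100% but reports zero matched files for the renaming variant, because every observed file has left the filter, while the path filter catches both variants at 100% and sits near 22% on the ordinary day. Whether Retrospect's own comparison behaves the same way for renamed files is not stated on this page, so the practical takeaway is to test a candidate filter against a rename scenario, and to confirm that normal daily churn sits comfortably below the threshold, before relying on the alert.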

Step-by-Step Setup Guide

Let’s walk through setting up Anomaly Detection for both Retrospect Backup for Windows and Retrospect Backup for Mac.

  1. Launch Retrospect.

  2. Open "Scripts" and select the policy you would like to change (or create a new one). Note: Anomaly Detection is only supported for "Backup" and "ProactiveAI" script types; it cannot run during a replication, duplicate, or copy operation.

  3. Under "Options", click "Anomaly Detection".

    (Screenshots: this option in Retrospect Backup for Windows and in Retrospect Backup for Mac.)

  4. Click "Enable Anomaly Detection" to enable the feature.

  5. Select the appropriate filter. Filters are called "Selectors" on Windows and "Rules" on Mac, and you can edit them under "Preferences".

  6. Set the appropriate threshold percentage.

  7. Save the script.

Anomaly Detection is now enabled for the volumes within that policy. If an anomaly is detected, you can find notifications in a number of locations:

  • Retrospect Management Console

  • Retrospect Backup for Windows - Backup Report

  • Retrospect Backup for Mac - Backup Report

You can also integrate Anomaly Detection with third-party notification services like Slack using Retrospect's Script Hooks and the "AnomalyAlert" event, and you can even have the backup stop when an anomaly is detected. See Script Hooks for more information.

Last Update: February 15, 2022