- Protects against 1200 known types of ransomware.

Existing approaches to ransomware detection run on the system being protected and use some combination of static analysis of executables for known malware and dynamic analysis of running processes for suspicious behavior. In addition to requiring the deployment and maintenance of software on every host, these solutions need to detect ransomware before it detonates and must make quick decisions to allow or block a particular process or file write. On server-class systems in particular, this can be computationally expensive, and the cost of a false positive is high.

Elastio has the advantage of access to multiple point-in-time backups of the existing data, and performs its analysis off-host, where low latency and quick results are less critical. Not only does this allow us to perform more complex analysis than would be practical on-host, but it also lets us use our access to prior versions of the backup to identify suspicious patterns of changes across the entire system, not just one process or one write operation at a time. Combined with the optimizations built into our ScaleZ storage engine, which allow us to compute very efficiently which regions of which files have changed since a prior point in time, this lets us do a much more thorough analysis of changes and thereby produce a high-confidence signal as to the presence or absence of a ransomware detonation. This means we can detect ransomware attacks and also reliably determine which backups are tainted and which are not, which speeds recovery efforts.

This approach is complementary to existing on-host systems in a defense-in-depth strategy. On-host anti-ransomware products can provide a first line of defense, with Elastio's protection of backup integrity ensuring that a failure in the front line doesn't mean a total loss.
