ExtraHop Takes Packet-Based Ransomware Recovery Tack


Lorna Garey

Data analytics appliance provider ExtraHop has released a new version of its ransomware-mitigation product that it says will allow customers to recover encrypted files even without a backup.

The offering uses ExtraHop’s proprietary Precision Packet Capture capability to detect ransomware attacks as they happen, move quickly to squash the outbreak and then recover data.

ExtraHop appliances analyze traffic in real time as it traverses enterprise networks, both on premises and in the cloud. The main purpose is to gain visibility into the performance and security posture of critical applications. The appliances can ingest unstructured data, and there is no need to deploy agents. The company has a rapidly growing global channel program, with more than 125 partners in North America, including Presidio, Adaptive Communications, Trace3, Optiv and ePlus.

“One hundred percent of the company’s sales in EMEA are through the channel, and channel partners account for a significant and growing volume of deals in North America and APAC,” said John Leon, VP of business development. “The ransomware solution is a value-add for ExtraHop channel partners. In addition to stream-analytics-based performance monitoring, the platform also gives customers the persistent visibility they need to thwart one of today’s most serious security problems.”

ExtraHop points out that since January, the U.S. has seen more than 4,000 ransomware attacks every day, a 300 percent increase over 2015. Its approach is to use captured packets to reconstruct files as they existed immediately before encryption, recovering data without paying the ransom.

“We’ve already worked with customers around the globe to detect ransomware before it can do significant damage,” said John Smith, principal solutions architect for security at ExtraHop. “By incorporating Precision Packet Capture into our ransomware solution, ExtraHop now truly puts IT security back in control, helping them detect and short-circuit attacks and rapidly restore impacted files.”

The new ransomware offering works by analyzing SMB/CIFS traffic. When the system detects a ransomware attack, it uses a REST API to launch orchestrated mitigation actions in security products that support its Open Data Stream, for example blocking malicious IP addresses with a firewall or quarantining infected clients with a NAC device. The ExtraHop platform communicates with a variety of security systems from technology partners including AWS, FireEye, Cisco, Microsoft and VMware.


Meanwhile, packet capture starts automatically as soon as ransomware is detected. Once the attack is contained, any encrypted files can be restored from the captured packets.

ExtraHop has a demo of the process as well as an in-depth white paper.

“CIFS would allow them to detect when the ransomware starts bulk-encrypting files on the NAS,” says Don MacVittie, founder of consultancy Ingrained Technology. “At that point, since in order to encrypt they need to get the data to the infected machine, ExtraHop captures all packets in the stream being sent to the infected client. Storing that information literally gives them a snapshot of the file as it is being encrypted.”

MacVittie points out a few caveats. Data stored on a local end-user or branch-office drive would not be protected. Neither would data on a SAN, should the ransomware make it to the storage-area network. And reassembling files from packet streams can be messy.

“For example, unless detection happens before the first bytes are encrypted, at least one file will be non-recoverable,” he says. “If that one file is the orders database, that would limit the usefulness.”
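The mechanism described above, and MacVittie's caveat about the first file, can be shown with a small simulation. This is an added example, not ExtraHop code: it models SMB-style read and write operations on a file share as a list of simplified records (constructed here, not parsed from real packets), uses a deliberately naive detector (a client that reads a file and then writes high-entropy data back over it), starts "capturing" only once the detector fires, and then rebuilds files from the captured read responses. The `Op` record, the entropy threshold and the `fake_encrypt` stand-in are all assumptions made for the illustration.

```python
"""Toy model of packet-based ransomware detection and file recovery.

Added example, not ExtraHop code. Real SMB parsing, real detection logic
and real ciphertext are all replaced by simplified stand-ins.
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Op:
    """One simplified file-share operation as seen on the wire (constructed)."""
    client: str
    kind: str       # "read": server -> client file data; "write": client -> server
    path: str
    offset: int
    data: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareWatch:
    """Flags a client after it reads `threshold` files and writes high-entropy
    data back over each of them; from that point on every op is captured."""

    def __init__(self, threshold: int = 1, entropy_min: float = 7.0):
        self.threshold = threshold
        self.entropy_min = entropy_min
        self.read_paths = defaultdict(set)    # client -> paths it has read
        self.overwritten = defaultdict(set)   # client -> paths overwritten with high-entropy data
        self.flagged = set()
        self.capture = defaultdict(list)      # client -> ops seen after detection

    def observe(self, op: Op) -> None:
        if op.client in self.flagged:
            self.capture[op.client].append(op)   # capture runs only after detection
            return
        if op.kind == "read":
            self.read_paths[op.client].add(op.path)
        elif (op.kind == "write" and op.path in self.read_paths[op.client]
              and shannon_entropy(op.data) >= self.entropy_min):
            self.overwritten[op.client].add(op.path)
            if len(self.overwritten[op.client]) >= self.threshold:
                self.flagged.add(op.client)


def reconstruct_files(captured):
    """Rebuild plaintext files from the read responses in the captured stream,
    ordered by file offset. Writes (ciphertext) are ignored."""
    chunks = defaultdict(dict)
    for op in captured:
        if op.kind == "read":
            chunks[op.path][op.offset] = op.data
    return {p: b"".join(c[o] for o in sorted(c)) for p, c in chunks.items()}


def fake_encrypt(data: bytes) -> bytes:
    """Stand-in for ransomware output: a high-entropy byte permutation of the
    same length. This is NOT encryption; it only mimics the entropy profile."""
    return bytes((i * 97 + 13) % 256 for i in range(len(data)))


def simulate(threshold: int = 1):
    """Replay a constructed bulk-encryption session against three share files."""
    client = "10.0.0.42"                      # constructed infected client
    plaintexts = {                            # constructed file contents
        "nas/share/orders.db": b"ORDER 1001 widget x4;" * 12,
        "nas/share/q3-report.docx": b"Quarterly revenue narrative. " * 9,
        "nas/share/payroll.xlsx": b"name,hours,rate\n" * 16,
    }
    watch = RansomwareWatch(threshold=threshold)
    for path, content in plaintexts.items():
        # ransomware pulls the file down in 64-byte reads ...
        for off in range(0, len(content), 64):
            watch.observe(Op(client, "read", path, off, content[off:off + 64]))
        # ... then writes the encrypted version back over it
        watch.observe(Op(client, "write", path, 0, fake_encrypt(content)))
    recovered = reconstruct_files(watch.capture[client])
    lost = [p for p in plaintexts if p not in recovered]
    return {"flagged": client in watch.flagged, "recovered": recovered, "lost": lost}


if __name__ == "__main__":
    result = simulate()
    print("client flagged:", result["flagged"])
    print("recoverable from capture:", sorted(result["recovered"]))
    print("lost before detection:", result["lost"])
```

With the detector firing on the first suspicious overwrite, the two files read after detection come back byte-for-byte from the captured reads, while `orders.db`, whose reads happened before capture began, is gone, which is exactly the "at least one file" caveat. Two design points carry over to a real deployment: entropy alone is a weak signal (already-compressed or already-encrypted files look the same on the wire, so production detectors need more corroboration than this toy), and zero-loss recovery requires the capture buffer to be running continuously rather than starting on detection.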

Still, while not a 100-percent solution, it’s well worth adding for ExtraHop appliance owners. The ransomware bundle itself is free. Customers need either the ExtraHop Discover Appliance, which starts at $10,000, or the ExtraHop Trace Appliance, which is $73,500.

Follow editor in chief @LornaGarey on Twitter.
