Ransomware has become the scourge of many businesses and is likely not to disappear as a threat anytime soon. If anything, ransomware is on the rise, as evidenced by the Cybersecurity and Infrastructure Security Agency (CISA), which has observed an increase in ransomware attacks across the world so far this year. That proves to be troubling news to organizations that have recently adopted work-from-home policies to address the concerns around the COVID-19 pandemic.
Fremont, Calif.-based NeuShield is aiming to take the bite out of the ransomware threat with its Data Sentinel product, which puts a new twist on ransomware infection prevention by using a multifaceted approach to identify and block known ransomware strains. At the same time, it protects systems from zero-day threats of ransomware or malicious attacks. What’s more, Data Sentinel offers a unique approach to recovering from an attack, which eliminates any potential damage that a zero-day attack could cause.
A Closer Look at NeuShield Data Sentinel
NeuShield’s developers conceptualize ransomware in a different way; they look at ransomware from the point of view of what damage ransomware can cause and then focus on eliminating the potential of that damage. Basically, the company is acknowledging that there is no way to completely block every piece of malicious code that may be developed in the future. This is an ideology that is the culmination of an inconvenient truth: No matter what technology you put in place, you may not be able to conceive of and block any future attacks, especially those that fall under the auspices of zero-day designs.
By focusing on mitigating the damage, NeuShield goes much further than many competitors who only look to block a ransomware infection in the first place. That proves to be a wise path to follow as evidenced by the recent increases in successful ransomware attacks on businesses and government agencies.
NeuShield’s patented Mirror Shielding technology is responsible for protecting files from damage by shielding those files from unwanted changes, such as the encryption that ransomware performs. Mirror Shielding works by placing a protective layer over data files, which prevents unwanted changes from being written to the original data file. It proves to be an elegant method for protecting files from ransomware without requiring any end-user intervention.
Explaining how Mirror Shielding works is perhaps best left to an analogy the company offers: “Imagine you had a business plan sketched out on a whiteboard that would take several days to complete, but it is placed in a location where others could make changes to it. You could protect the whiteboard by placing a piece of glass over it. Anyone who tried to write over or erase it would only affect the glass, the whiteboard behind the glass would be protected. When you return to the whiteboard, you can just wipe off the glass and your business plan would remain intact.”
Remember the invisible shields around the spaceship in the 1996 movie “Independence Day”? Now you’re getting the picture.
Although not perfect analogies, they do get the point across. Mirror Shielding acts as a layer of protection between changes to the file and the actual data in the file. More simply put, NeuShield Data Sentinel uses Mirror Shielding to add a barrier to protected files, preventing them from direct changes. When an application tries to modify a protected file, it gets redirected and the file modification is stored on an overlay, keeping the original file intact.
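A conceptual model of the redirect-to-overlay behavior described above, added here as an illustration. It is not NeuShield's code; the `OverlayStore` class, its method names and the sample files are assumptions made for the example.

```python
import tempfile
from pathlib import Path

class OverlayStore:
    """Toy copy-on-write layer: the base directory is never written directly."""
    WHITEOUT = ".deleted"  # hypothetical marker suffix for deleted files

    def __init__(self, base: Path, overlay: Path):
        self.base, self.overlay = base, overlay
        overlay.mkdir(parents=True, exist_ok=True)

    def write(self, name: str, data: bytes) -> None:
        # Redirect the modification to the overlay; the base file stays intact.
        (self.overlay / (name + self.WHITEOUT)).unlink(missing_ok=True)
        (self.overlay / name).write_bytes(data)

    def delete(self, name: str) -> None:
        # Record a whiteout marker instead of removing the base file.
        (self.overlay / name).unlink(missing_ok=True)
        (self.overlay / (name + self.WHITEOUT)).touch()

    def read(self, name: str) -> bytes:
        # Callers see the overlay first, so changes look real to applications.
        if (self.overlay / (name + self.WHITEOUT)).exists():
            raise FileNotFoundError(name)
        top = self.overlay / name
        return top.read_bytes() if top.exists() else (self.base / name).read_bytes()

    def revert(self) -> int:
        # "Wipe the glass": drop every overlay entry and return how many were dropped.
        entries = [p for p in self.overlay.iterdir() if p.is_file()]
        for p in entries:
            p.unlink()
        return len(entries)

def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    base = root / "base"
    base.mkdir()
    (base / "plan.txt").write_bytes(b"business plan")   # constructed sample data
    (base / "notes.txt").write_bytes(b"meeting notes")  # constructed sample data
    store = OverlayStore(base, root / "overlay")
    # Simulate unwanted changes: one file overwritten with scrambled bytes, one deleted.
    store.write("plan.txt", bytes(b ^ 0x5A for b in b"business plan"))
    store.delete("notes.txt")
    result = {"damaged_view": store.read("plan.txt"),
              "base_untouched": (base / "plan.txt").read_bytes() == b"business plan"}
    result["dropped"] = store.revert()
    result["after"] = store.read("plan.txt")
    result["notes_after"] = store.read("notes.txt")
    return result
```

Because a revert only discards overlay entries and copies no data back, its cost does not grow with file size, which is consistent with the near-instant rollback the review reports.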
Hands On With NeuShield Data Sentinel
NeuShield Data Sentinel is designed to work on a local system and be administered via a portal. That means installation requires that the product be installed on the local machine, and if the ability to recover systems remotely is desired, an account must be set up on the NeuShield Portal. Installation and setup prove straightforward on the endpoint and can be automated using scripts. Registering systems on the portal proves simple as well.
Being able to remotely recover systems proves important, especially when it comes to ransomware. In many cases, ransomware may completely lock down a system, preventing someone from resolving the problem locally. The NeuShield Portal gives administrators the ability to execute recovery remotely, allowing files to be rolled back to their “non-damaged” state.
The portal offers a great deal of information and uses a paradigm with which any administrator should be instantly familiar. The portal provides access to a hierarchy that is definable by the administrator, allowing the different organizations to be defined as tenants, and groups of systems to be further defined under that tenant paradigm. Administrators can drill down to the specifics of a protected system and identify recent activity. What’s more, it only takes a mouse click to roll back (Restore/Revert in NeuShield’s parlance) a file on a client system.
Executing a recovery offers administrators additional options, in which they can select what folders/files to recover and control other factors around the recovery process. File recoveries are for all intents and purposes almost instantaneous, which proves to be somewhat unique in the data recovery arena. The ability to rapidly restore files to a previous state comes from the product’s Mirror Shielding capability, as explained above.
End users are always kept in the loop and are informed if an administrator is reverting files to a previous state. Administrators have the option to force a recovery without any interaction with an end user. That proves useful if recovering systems in the off-hours.
Simply put, NeuShield makes recovering files quick and easy and dispenses with the numerous complexities found in many other data protection products. The platform offers a great deal of flexibility and brings forth a new paradigm for dealing with ransomware.
Perhaps the product’s biggest strength lies with its speed. Unlike traditional backup products, which require executing a backup and then relying on a complete file restore, NeuShield is able to roll an impacted file back to a previous state. That potentially changes the game when dealing with ransomware. Prior to NeuShield’s technology, businesses impacted by ransomware usually only had one choice, and that was to pay the ransom to decrypt their files.
Ad-Hoc Testing
Traditional backup solutions often were not effective when dealing with a ransomware infestation, simply because the backup data was only as good as the last backup, and even then, those files may have been already infected. This is something business owners would only discover after spending numerous hours on restoring a backup, which basically adds insult to injury. This means that the backup left them no better off than before and several hours of productivity had been lost, an assumption backed by some ad-hoc testing.
To better understand the value proposition that NeuShield offers, it was tested and compared to some other basic recovery techniques, such as files stored on Google Drive and Microsoft OneDrive, as well as using a freeware backup product, Macrium Reflect Free.
Testing was performed on a virtual machine environment running Windows 10, with files synced to both Google Drive and Microsoft OneDrive. A ransomware attack was conducted using BadRabbit and Unlock92, two pieces of ransomware that can be found in the wild, and are often used as a starting point for many cybercriminals.
Test Environment:
| Component | Details |
|---|---|
| Platform | VMWare 15 Client, Intel i7 2.9Ghz (2 Cores), 4GB Mem, 60GB SSD Disk |
| Network | Gigabit LAN |
| FileServer | Windows 2016 Datacenter |
| OS | Windows 10 Pro 1909 Build 18363.657 |
| Data: OneDrive | 626 Files (1.98GB) |
| Data: Google Drive (G-Suite) | 306 Files (93.1MB) |
| Data: Local Document | 123 Files (53.7MB) |
| Data: Local Pictures | 477 Files (1.34GB) |
| Backup | Macrium Reflect 7 7.2 Build 4808 |
| Anti-Ransomware | NeuShield Data Sentinel 2.2 Build 1162 |
| Ransomware | BadRabbit, Unlock92 |

Testing methodology consisted of starting with a restored VM snapshot (to set up the basic system for testing), executing the ransomware, then using a recovery method to restore the OS and the damaged data files. The results of the tests exemplify the differences between the different recovery methods and offer a practical assessment of how NeuShield can benefit a business that has suffered a ransomware attack.

| Recovery Method | OS Recovery: Success | OS Recovery: Time | Cloud Data Recovery: Success | Cloud Data Recovery: Time |
|---|---|---|---|---|
| NeuShield | Y | 7 mins | Y | 2 mins |
| OneDrive | N | 1-8 hours* | Y | 25 mins |
| Google Drive | N | 1-8 hours* | N | Data Loss |
| Macrium | Y | ~1 hours** | Y | 30 mins** |

* Based on Microsoft’s time of one hour to install Windows, plus any additional time to install patches and applications and set up email and other custom settings required by the user.
** Macrium requires a reinstallation of the OS and the Macrium software before it can do a full restore on the original OS and data from the backup image. In the latter case, it took 30 mins.
Conclusions
NeuShield Data Sentinel delivers on the promise of reducing recovery times from ransomware attacks and making the recovery process exceptionally easy. That said, NeuShield, like any other restoration product, should be considered a last resort for recovering from ransomware and should not be thought of as a replacement for anti-malware solutions or the adoption of best practices, at least when it comes to securing systems from malicious activity. However, as a last resort, NeuShield proves effective and may very well save countless organizations from having to pay a ransom to recover their data.
Frank Ohlhorst is a veteran IT product reviewer and analyst who has been an eWEEK regular for many years.