Real-Time Ransomware Detection with HPE Zerto Software

Traditional periodic ransomware detection methods, such as scheduled backups, inherently introduce delays in identifying and responding to ransomware. Since these backups typically occur once daily, the data being analyzed is often outdated and potentially already compromised for several hours.
Moreover, the large volume of data involved means ransomware detection takes much longer. This challenge applies both to in-line scanning during the backup job and to post-backup analysis performed by third-party tools such as antivirus software or rule-based detection systems.
In a real-world test by Splunk on ransomware encryption speeds, the LockBit executable (lockbit-9.exe) demonstrated an average encryption time of 5 minutes and 50 seconds across 98,561 files.

It is imperative to use technologies that minimize this impact, using real-time detection and recovery capabilities with RPOs and RTOs far better than those scheduled backup can offer.
HPE Zerto’s always-on, agentless, near-synchronous replication engine enables near-real-time recovery and ransomware encryption analysis.
This highly scalable solution can protect up to 10,000 VMs simultaneously per environment. Designed to detect ransomware activity in real-time, it effectively eliminates detection delays, ensuring rapid response to threats.

Differentiators
HPE Zerto’s Continuous Data Protection (CDP) technology forms the backbone of block-based (rather than file-based) hypervisor-level replication, unlocking key advantages for encryption detection, including:
Real-time: Zerto’s always-on, near-synchronous replication engine allows users to analyze data in virtually real-time with high degrees of granularity.
Agnostic: the block-based encryption analyzer inspects, assesses, and dynamically adjusts as the I/O comes in, regardless of what the data is, how it’s encoded, how large it is, or where it’s coming from.
Relative: The encryption analyzer is dynamically adaptive. It constantly adjusts to the environment’s ever-changing conditions. A continuous, moving training period helps HPE Zerto learn standard write patterns and identify both anomalous and expected encryption.
Agentless: Zerto’s agentless real-time replication offers two key benefits: it eliminates the need for agent installation, configuration, or maintenance, which reduces management overhead, and it improves performance by consuming no additional resources on protected VMs. Most importantly, during a ransomware attack, the absence of agents means no Zerto components can be disabled or exploited by attackers, ensuring better security and protection.
Lightweight: The encryption analyzer’s block-level, real-time nature requires light infrastructure. There are no additional Zerto elements or software to install, configure, or manage.
Scalable: Zerto’s CDP with elastic infrastructure is designed to effortlessly scale across virtualized and cloud environments, adapting seamlessly to your organization’s growth and evolving workload demands. It supports the protection and encryption inspection of up to 10,000 virtual machines (VMs) simultaneously per VMware environment.
API-First: HPE Zerto’s analyses and metrics are also exposed via an open, Swagger-based REST API to enable integration with an organization’s larger security stack. You can integrate it with your existing security or observability stack: EDR, SIEM, SOAR, Prometheus, and Grafana.
Signatureless: HPE Zerto’s encryption analyzer employs a signatureless approach to detect encryption by evaluating data patterns and entropy. It doesn’t rely on predefined signatures, making it capable of identifying encrypted data regardless of the type or nature of the encryption, including newer and more sophisticated encryption methods.
How does it work?
The encryption analyzer is enabled by default, but it can be toggled on or off via the Zerto Virtual Manager (ZVM) GUI under Site Settings → Encryption Detection.
It operates in three main phases: Collection, Inspection, and Reaction. Together, these phases form the CIR process, which powers Zerto’s real-time encryption detection capabilities.

In the Collection phase, Zerto Virtual Replication Appliances (VRAs) capture every I/O operation into an in-memory buffer. Once sufficient data has been gathered for meaningful analysis, the process transitions to the second phase: Inspection. Each protected VM volume undergoes its own dynamic training period during Collection. These training periods are independent, so resetting one does not affect the others.
To minimize performance impact, data writes are collected by the source VRA before Continuous Data Protection replication and data compression commence. If necessary, Zerto prioritizes replication and discards I/Os from the collection buffer so that replication performance is unaffected.
The Inspection phase occurs on the Zerto Virtual Manager (ZVM) and utilizes two proprietary, patent-pending Real-time Encryption Detection (RED) algorithms: RED-C and RED-E.
RED-C uses a cumulative sum (CuSum) test to assess randomness, while the RED-E algorithm evaluates the entropy of the sample dataset. RED-E’s ability to measure relative entropy by dynamically adapting to incoming data patterns makes it unique in data protection.
This enables RED-E to set dynamic thresholds independent of the data type—whether text, images, binaries, or other formats. Together, these two algorithms allow Zerto to evaluate both the likelihood that an encryption event is expected or anomalous and its severity.
In the Reaction phase, Zerto assigns an encryption detection score based on the site, rather than individual VMs or volumes. This approach reduces false positives and enhances detection accuracy.
The site score aggregates and analyzes all data related to encryption detection, generating alerts only when a potential ransomware threat exists that could affect multiple disks, VMs, or both across various vectors.
Alerting: Zerto generates alert ENC0001 if the overall site score reaches its threshold.

Tagging: Zerto sets all VPGs’ impacted state to “Potential Encryption Event” and tags journal checkpoints in two places: the time the encryption was detected and the clean checkpoint for a more confident recovery.

- Suspicious Encryption Activity. This checkpoint marks the exact moment when the abnormal encryption behavior was identified. It is a reference point for investigating the potential threat or event causing suspicion.
- Suspicious Encryption Activity—Clean Checkpoint. This checkpoint is created 10 minutes before the suspicious activity is detected and is a safe restoration point. Contact Zerto Support if you wish to adjust the time interval between detecting the abnormal encryption behavior and creating the “clean” checkpoint.
User Response: User response is required to validate or invalidate the detection event. By design, Zerto does not automatically take action on a VPG in response to detection.
The final step of the Reaction phase is always user-initiated: recovering and restoring encrypted files, folders, VMs, or the entire site.
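The three CIR phases described above, reduced to a runnable sketch. This is an added example, not Zerto’s code and not the patent-pending RED-C/RED-E algorithms: a per-volume moving baseline of write-block entropy stands in for the training period (the “relative” property), a one-sided CuSum on the standardized entropy deviation stands in for the randomness test, and a site-level score that only fires once several volumes saturate stands in for site scoring. The alert ID ENC0001 and the 10-minute clean-checkpoint offset come from the text; every class name, threshold, and the simulated workload (timestamps, text writes, random bytes standing in for ciphertext) is an assumption constructed for the demo.

```python
import math
import random
import statistics
from collections import deque
from datetime import datetime, timedelta


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of one write block, in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class VolumeAnalyzer:
    """Per-volume tracker (assumed design, stand-in for RED-E/RED-C):
    a moving baseline of block entropies is the 'training period'; after
    training, each block's deviation from the baseline feeds a one-sided CuSum."""

    def __init__(self, training_blocks=20, drift=0.5, clip=5.0):
        self.baseline = deque(maxlen=training_blocks)
        self.drift = drift   # CuSum slack: small deviations decay back to zero
        self.clip = clip     # cap per-block evidence so one outlier cannot fire alone
        self.cusum = 0.0

    def observe(self, block: bytes) -> float:
        h = shannon_entropy(block)
        if len(self.baseline) < self.baseline.maxlen:
            self.baseline.append(h)          # still training: learn normal writes
            return self.cusum
        mean = statistics.fmean(self.baseline)
        std = max(statistics.pstdev(self.baseline), 0.1)   # floor avoids div-by-zero
        z = max(-self.clip, min(self.clip, (h - mean) / std))
        self.cusum = max(0.0, self.cusum + z - self.drift)
        if z < self.drift:
            self.baseline.append(h)          # only unflagged blocks refresh the baseline
        return self.cusum


class SiteDetector:
    """Reaction phase: aggregate per-volume evidence into one site score."""

    ALERT_ID = "ENC0001"

    def __init__(self, volume_threshold=10.0, site_threshold=2.0,
                 clean_offset=timedelta(minutes=10)):
        self.volumes = {}
        self.volume_threshold = volume_threshold
        self.site_threshold = site_threshold
        self.clean_offset = clean_offset
        self.alert = None

    def site_score(self) -> float:
        # Each volume contributes 0..1 of its saturation, so several volumes
        # must look encrypted before the site reaches its threshold.
        return sum(min(v.cusum, self.volume_threshold) / self.volume_threshold
                   for v in self.volumes.values())

    def ingest(self, vm: str, volume: str, ts: datetime, block: bytes) -> float:
        analyzer = self.volumes.setdefault((vm, volume), VolumeAnalyzer())
        analyzer.observe(block)
        score = self.site_score()
        if self.alert is None and score >= self.site_threshold:
            self.alert = {
                "alert": self.ALERT_ID,
                "detected_at": ts,                           # "Suspicious Encryption Activity"
                "clean_checkpoint": ts - self.clean_offset,  # "... Clean Checkpoint"
                "volumes": sorted(k for k, v in self.volumes.items()
                                  if v.cusum >= self.volume_threshold),
            }
        return score


def simulate(seed=7):
    """Constructed workload: three volumes write plain text; then one volume,
    and later a second VM, start writing high-entropy (ciphertext-like) blocks."""
    rng = random.Random(seed)
    words = [b"the ", b"quick ", b"brown ", b"fox ", b"jumps ", b"over ", b"lazy ", b"dog "]

    def text_block(n=4096):
        out = bytearray()
        while len(out) < n:
            out += rng.choice(words)
        return bytes(out[:n])

    def encrypted_block(n=4096):
        return rng.randbytes(n)   # stands in for ciphertext: close to 8 bits/byte

    site = SiteDetector()
    t0 = datetime(2025, 1, 1, 12, 0, 0)   # constructed timestamps, 1 s per write
    vols = [("vm1", "disk0"), ("vm1", "disk1"), ("vm2", "disk0")]
    step = 0
    for _ in range(25):
        for vm, vol in vols:
            site.ingest(vm, vol, t0 + timedelta(seconds=step), text_block()); step += 1
    for _ in range(5):   # one volume encrypted: evidence rises, site stays quiet
        site.ingest("vm1", "disk0", t0 + timedelta(seconds=step), encrypted_block()); step += 1
    single = (site.site_score(), site.alert)
    for _ in range(5):   # a second VM hit: site score crosses the threshold
        site.ingest("vm2", "disk0", t0 + timedelta(seconds=step), encrypted_block()); step += 1
    return site, single, (site.site_score(), site.alert)


if __name__ == "__main__":
    site, single, multi = simulate()
    print("one volume encrypted:", single)
    print("two VMs encrypted:   ", multi)
```

Two design points worth noting. First, the baseline is relative per volume: a disk that always holds compressed or already-encrypted data trains to a high-entropy baseline and is not flagged merely for being high-entropy, which is what an absolute entropy threshold would get wrong. Second, a single saturated volume never reaches the site threshold on its own, mirroring the text’s site-level scoring that trades a little sensitivity for fewer false positives; the alert record carries both checkpoints so the operator can validate the event and pick the clean point to recover from.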
Using the Detection API
Zerto’s API-first development approach extends to its real-time encryption detection features. By making detection analyses accessible, organizations can strengthen their defense-in-depth strategies by integrating Zerto with existing cybersecurity solutions, such as EDRs, SIEMs, SOARs, and AI/ML toolsets.
An example of what can be achieved with Zerto’s API is available on GitHub. The Zerto Resilience Observation Console (zROC), an open-source project, leverages Prometheus and Grafana to visualize various Zerto metrics, including those related to encryption detection, as presented in the figure below.

HPE Zerto provides seven API endpoints for the encryption analyzer:

Conclusion
HPE Zerto integrates real-time detection with seamless recovery, delivering a comprehensive threat detection and rapid remediation solution. A real-time, agnostic, and dynamically adaptive encryption analyzer offers instant visibility, enabling swift identification and response to ransomware threats.
References:
- What Is Real-Time Encryption Detection | Zerto
- Understanding Real-Time Encryption Detection with Zerto | Zerto
- API Integration: Customize your Workflow | Zerto
- An Empirically Comparative Analysis of Ransomware Binaries | Splunk
- Automating Zerto With PowerShell And REST APIs
- GitHub: ZertoPublic/zroc, Zerto REST API based Observability stack
