As the old cybersecurity saying goes: "It's not if, but when."
Everyone and their grandma have repeated this foreboding maxim about the nature of ransomware attacks, but sadly, that doesn’t make it any less true. Time and again we're reminded that ransomware can slip past even the best defenses.
Prevention alone, it seems, can only take us so far–so when ransomware hits, organizations need a way to emerge safely from the fallout, data intact.
Enter Malwarebytes Ransomware Rollback, which rescues your data from encryption by effectively "turning back the clock" of a ransomware attack. Dr. Strange style.
But how does it work, exactly? And what are some of the advanced settings that are available?
Let's dive into the finer details in this post.
The bedrock of Ransomware Rollback is a kernel mode driver to monitor file system changes and make a copy of files before modification. This includes self-protection against attack to the backups.
Malwarebytes Endpoint Detection and Response (EDR) first spends a 14-day period learning what applications on the system can be trusted. During this time, it logs the various applications that typically interact with files. After this period, the EDR establishes a list of trusted, or “whitelisted,” applications.
Advanced settings includes additional features for Ransomware Rollback. Learn more here.
For performance optimization, an application that is on the whitelist is ignored.
Before any application can make any changes, apart from ignored applications, Malwarebytes EDR saves a backup copy of the file it’s trying to modify. It is unknown at the time of modification whether a process is malicious, so every file is backed up.
If the application is later found to be ransomware that encrypts the file, making it unreadable and demanding a ransom for its decryption, the EDR system can use the backup copy it saved to restore the file to its previous state. This is what is meant by “rollback.”
When all’s said and done, the system effectively nullifies the ransomware attack by ensuring a recent clean, unencrypted copy of the file is always available.
No, ransomware rollback does not use Volume Shadow Copy Service. Instead, it uses proprietary and patent-pending technology, with protected folders as malware often targets the Volume Shadow Copy Service.
Backups are continuous, for any files modified, and are not a snapshot
The process making the change is recorded for each file. Subsequently when a rollback is performed, it is precise because only files modified by the specific process are restored.
The rollback cache is stored in a hidden Windows system folder. Typically, you can find it under: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup.
Yes, ransomware rollback always uses some disk space due to its buffer and cleanup operations. This means there will always be some small disk space used by the feature.
For every file modified, e.g., documents, pictures, etc., space for a copy is required. If there is no activity, then after a few days there would be zero used. However, if ransomware encrypted 10 Gb of files, then there would be 10 Gb of backup/before copies.
On a typical laptop using common applications like Microsoft Office, the endpoint usually uses less than 200MB of space for a 72-hour rollback window and a maximum individual file size of 20MB - 100 Mgb.
If a computer is under attack and 10 GB of files were encrypted, we would use approximately 10 GB of space for each ‘before’ encryption file. The system will back up the files in their original state before encryption, so the space used is equal to the size of the original files.
By default, ransomware rollback stores the last 48 hours and is configurable up to 72 hours of file changes for files. You can alter these parameters in the Endpoint Protection Advanced policy.
Ransomware rollback preemptively backs up all file types including pictures, documents, JSON/XML configurations, EXEs, unless they are explicitly excluded, globally excluded, or exceed the maximum file size.
If the hard drive is full and file encryption starts without enough disk space for a backup copy of the files, the data will be lost. Therefore, it’s crucial for users to monitor for low disk space.
Yes, our system is designed to be self-cleaning. Files that are backed up by EDR are frequently cleaned, if they are older than the configured period.
To recap, Malwarebytes Ransomware Rollback is a last-resort recovery tool within Malwarebytes EDR, designed for swift recovery after other defense layers have been compromised.
While useful, Ransomware Rollback doesn’t replace classic backups or EDR’s other proactive measures like Suspicious Activity Monitoring. It’s a rarely needed, but vital last-resort option.
Read our Ransomware protection with Malwarebytes EDR: Your FAQs, answered! article for more on how Malwarebytes EDR stops ransomware attacks.
For a more technical deep-dive into Ransomware Rollback, check out <https://service.malwarebytes.com/hc/en-us/articles/4413802760851-Configure-Ransomware-Rollback-in-Nebula>