I was recently on-site with a customer, talking about our ransomware detection bundle and how ExtraHop fills a gap in defenses by providing east-west visibility inside the perimeter.
The customer responded: "If there's already ransomware in your environment, it's too late. You've already had files encrypted. You'll either have to pay a ransom or lose the files forever, unless you have a backup that escaped unscathed." That's fair, but there's still value in mitigating the damage by detecting an infection in real time and then automating a response, as my colleague Tom Roeh has demonstrated.
The conversation stuck with me, and got me thinking about how we could reduce the impact of a ransomware infection even further. Specifically, I wondered whether there was anything we could do if I didn't have a backup at all, or if my backup was stale. If I get hit with ransomware at the end of the day, and my backups only run nightly, then I'm at risk of losing a full day's work.
It came to me: the data needed to recover the files is actually transmitted over the network. Before ransomware can encrypt a file on a network share, it has to read the original over SMB, and those read transactions carry the plaintext across the wire. If you could capture that data, then you could potentially reconstruct your unencrypted files, even without a backup. Now, this is a huge "if." You'd need to be able to capture and collate the right packets, with payload, from the right moment, which is not a trivial task in today's environments.
Fortunately, ExtraHop can not only identify ransomware activity very quickly, but can also precisely capture the packet flows associated with ransomware events. Watch the video embedded above to see how this works, but I think we've got a pretty good answer for taking our ransomware bundle's capabilities one step further, to the point where we can actually recover the files that are being held ransom without paying, even if they haven't been backed up.
To do this, I used two pieces of functionality in ExtraHop:
- Ransomware detection bundle - This is a free bundle that uses four methods to detect ransomware attacks in flight. Any ExtraHop user can download and deploy this on their own system with a few clicks.
- Precision packet capture - Functionality built into ExtraHop that automatically captures the packets for a flow out of the ring buffer in response to a designated event, so the capture can include traffic that happened before the trigger fired.
The basic premise here is that we use our ransomware detection capabilities to pull down just the packets belonging to the offending flow, and then extract the unencrypted contents of our original files from those pcaps, using a process sometimes called "file carving" or "data carving."
Here's how the magic happens:
- We detect a ransomware-related WRITE operation against the file share in flight and fire a precision packet capture.
- The precision packet capture saves all the packets for that flow, pulled from the ring buffer, so it also contains the preceding READ operation: before it can write back an encrypted copy, the ransomware has to READ the original file from the CIFS/SMB share, and that READ crosses the wire in cleartext. This only holds for files on SMB shares (not files encrypted on a local disk), only while the READ is still inside the ring buffer's lookback window, and only if the session is not using SMB 3 encryption, which would hide the payload.
- Since we've captured the packets, including payload, from the transactions where the ransomware first read our files, we have everything needed to reconstruct the unencrypted files. Download the packet capture, open it in Wireshark, and use File > Export Objects > SMB. This lists and exports every file transferred over SMB at any point within the capture's lookback window, including the plaintext the ransomware read.
- Save those files to another location, open them, and voilà: copies of the files exactly as they were the instant before they were encrypted.
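To make the carving step concrete, here is the Wireshark export done by hand. This is an added example, not ExtraHop's code or the original post's: it does for SMB2 what File > Export Objects > SMB does, pairing CREATE and READ requests with their responses by MessageId, mapping FileIds back to file names, and reassembling each file's bytes from READ responses by offset, while noting which files received WRITEs. It assumes, as a simplification, that it is handed the reassembled TCP payload of a single SMB2 session (NetBIOS-session-service framed) rather than a raw pcap; the sample flow, file names and FileIds are constructed here and the "encrypted" blob is just an XOR stand-in.

```python
# Added example (not ExtraHop's or the post's code): carve plaintext out of SMB2
# READ responses the way Wireshark's Export Objects > SMB does.  Input is assumed
# to be the reassembled TCP payload of one SMB2 session, NBSS framed.
import struct

SMB2_CREATE, SMB2_READ, SMB2_WRITE = 0x0005, 0x0008, 0x0009
FLAG_SERVER_TO_REDIR = 0x00000001  # SMB2 header flag set on responses


# --- builders for the constructed sample flow (field layouts per MS-SMB2) ---
def smb2_header(command, message_id, response=False):
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 0,
                       FLAG_SERVER_TO_REDIR if response else 0, 0, message_id,
                       0, 1, 1, b"\0" * 16)

def nbss(msg):  # NetBIOS session service: type byte 0x00 + 24-bit length
    return struct.pack(">I", len(msg)) + msg

def create_req(mid, name):
    name_bytes = name.encode("utf-16le")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x80, 0, 7, 1, 0,
                       64 + 56, len(name_bytes), 0, 0)  # NameOffset from header start
    return smb2_header(SMB2_CREATE, mid) + body + name_bytes

def create_resp(mid, file_id):
    body = struct.pack("<HBBI6QII16sII", 89, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0x80, 0,
                       file_id, 0, 0)
    return smb2_header(SMB2_CREATE, mid, True) + body

def read_req(mid, file_id, offset, length):
    body = struct.pack("<HBBIQ16sIIIHH", 49, 0, 0, length, offset, file_id,
                       0, 0, 0, 0, 0) + b"\0"
    return smb2_header(SMB2_READ, mid) + body

def read_resp(mid, data):
    body = struct.pack("<HBBIII", 17, 64 + 16, 0, len(data), 0, 0)  # DataOffset=80
    return smb2_header(SMB2_READ, mid, True) + body + data

def write_req(mid, file_id, offset, data):
    body = struct.pack("<HHIQ16sIIHHI", 49, 64 + 48, len(data), offset, file_id,
                       0, 0, 0, 0, 0)                               # DataOffset=112
    return smb2_header(SMB2_WRITE, mid) + body + data


# --- the carver ---
def iter_smb2(stream):
    """Yield each SMB2 message out of an NBSS-framed byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = struct.unpack_from(">I", stream, pos)[0] & 0xFFFFFF
        msg = stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if msg[:4] == b"\xfeSMB":
            yield msg

def carve_smb2_reads(stream):
    """Return ({filename: bytes reassembled from READ responses}, {names written to})."""
    pending, names, files, written = {}, {}, {}, set()
    for msg in iter_smb2(stream):
        command = struct.unpack_from("<H", msg, 12)[0]
        flags = struct.unpack_from("<I", msg, 16)[0]
        mid = struct.unpack_from("<Q", msg, 24)[0]
        body = msg[64:]
        if not flags & FLAG_SERVER_TO_REDIR:          # request: remember what was asked
            if command == SMB2_CREATE:
                off, ln = struct.unpack_from("<HH", body, 44)
                pending[mid] = (command, msg[off:off + ln].decode("utf-16le"))
            elif command == SMB2_READ:
                _, offset, file_id = struct.unpack_from("<IQ16s", body, 4)
                pending[mid] = (command, (file_id, offset))
            elif command == SMB2_WRITE:               # the encrypting write-back
                written.add(names.get(body[16:32], body[16:32].hex()))
            continue
        req = pending.pop(mid, None)                  # response: pair with its request
        if req is None:
            continue
        if req[0] == SMB2_CREATE:                     # learn FileId -> name
            names[body[64:80]] = req[1]
        elif req[0] == SMB2_READ:                     # plaintext chunk, placed by offset
            file_id, offset = req[1]
            data_off, data_len = body[2], struct.unpack_from("<I", body, 4)[0]
            buf = files.setdefault(names.get(file_id, file_id.hex()), bytearray())
            buf.extend(b"\0" * max(0, offset - len(buf)))
            buf[offset:offset + data_len] = msg[data_off:data_off + data_len]
    return {n: bytes(b) for n, b in files.items()}, written


# Constructed sample: the client reads deck.pptx in two chunks, then creates
# deck.pptx.locked and writes an "encrypted" blob (XOR stand-in) into it.
PLAINTEXT = b"Q3 board deck - confidential. Revenue up 12%, headcount flat.\n"
FID_PLAIN, FID_LOCKED = bytes(range(16)), bytes(range(16, 32))
CIPHERTEXT = bytes(b ^ 0x5A for b in PLAINTEXT)
SAMPLE_STREAM = b"".join(nbss(m) for m in [
    create_req(1, "deck.pptx"), create_resp(1, FID_PLAIN),
    read_req(2, FID_PLAIN, 0, 32), read_resp(2, PLAINTEXT[:32]),
    read_req(3, FID_PLAIN, 32, len(PLAINTEXT) - 32), read_resp(3, PLAINTEXT[32:]),
    create_req(4, "deck.pptx.locked"), create_resp(4, FID_LOCKED),
    write_req(5, FID_LOCKED, 0, CIPHERTEXT),
])

if __name__ == "__main__":
    recovered, touched = carve_smb2_reads(SAMPLE_STREAM)
    for name, data in recovered.items():
        print(f"recovered {name} ({len(data)} bytes, intact={data == PLAINTEXT})")
    print("written to:", sorted(touched))
```

The point the code makes is the same one the list above makes: the only copy of the plaintext in the capture is in the READ responses, which is why the capture has to reach back before the WRITE that triggered it, and why nothing is recoverable if the reads fell out of the ring buffer or the session was SMB 3 encrypted. Against a real capture you would feed the carver the TCP payload of the SMB flow (for example after following the stream in Wireshark) rather than the constructed sample.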
Traditional security solutions spend a lot of effort trying to keep ransomware infections out of your system completely, which is worthwhile, but guaranteed to fail sometimes, especially given that there have been 4,000 ransomware attacks per day in 2016. Adding the ability to both detect ransomware attacks already in progress, and automatically initiate a process to recover the lost files, gives us a much more complete response to this growing problem.
Learn more about how to automatically detect, mitigate, and recover from ransomware attacks in our new whitepaper: Detect and Stop Ransomware with a New Mitigation Approach