📝NOTE: The availability of this feature may be limited based on the license type, region, and other criteria. To enable this feature, contact support.
Overview
Ransomware Impact Detection is a two-stage detection framework that uses Artificial Intelligence (AI) and Machine Learning (ML) to identify ransomware activity within backed up data.
It analyzes key ransomware indicators and behavioral patterns such as file extension changes, dropped artifacts, and encryption techniques to generate high-confidence, explainable alerts. This enables precise differentiation between legitimate operational activity and malicious behavior.
Key Benefits
Precision Detection: Get alerted only when it truly matters: high-confidence signals of real issues, with minimal noise and near-zero false positives.
Alert Prioritization: Clear severity mapping (High to Critical) based on the stage of detection.
Zero-Day Protection: Detects known, unknown, and new ransomware strains by identifying suspicious behavioral patterns rather than relying on signatures.
Scalable Telemetry: Powered by field-driven data for continuous model refinement.
How it Works: The Two-Stage Framework
Ransomware Impact Detection utilizes a layered defense strategy to correlate multiple signals before escalating an alert.
Stage | Category | Alert Title | Alert Severity
Stage 1 | Pre-Ransom Checks | Potential Ransomware Activity | High
Stage 2 | Ransom Impact | Ransomware Activity Confirmed | Critical
Stage 1: Detection of Potential Ransomware Activity
In the first stage, the system uses Machine Learning (ML) driven heuristics to scan your backup metadata for suspicious patterns that suggest ransomware is currently active. This stage reads only metadata (file names, extensions, and similar attributes), not file contents.
Upon detecting high-risk patterns, the system generates a Potential Ransomware Activity alert via email.
This alert is triggered by correlating specific indicators, including the following:
Extension Insights & Drift: The system notices if your files suddenly change from common extensions such as .docx or .pdf to unusual ones, for example .locked or .crypted.
Dropped Artifacts: It looks for specific "calling cards" left by attackers, such as extortion notes, for example README_TO_RECOVER.txt.
As a result, the impacted snapshots are immediately elevated to Stage 2 for in-depth validation.
Stage 2: Forensic Validation of Ransomware Activity
If the first stage detects any potential ransomware activity in a snapshot, the system initiates stage 2 to perform a deep-dive forensic analysis for confirmation of ransomware encryption.
This stage triggers the Ransomware Impact Confirmed alert via email, providing the forensic evidence needed for a confident response.
This alert is triggered after a thorough file encryption verification, which relies on a combination of the following checks:
Entropy Analysis: Measuring the "randomness" of data. High entropy is a primary sign of ransomware encryption. Compressed and already-encrypted files (archives, media, password-protected documents) are also high-entropy, which is why this signal is combined with the checks below rather than used on its own.
MIME Mismatch: Checking if a file's "identity" (its extension or declared type) matches its "behavior" (what its content actually looks like).
File Integrity: Checking the internal "skeleton" of a file. Ransomware disrupts standard file formats, and the engine spots these "broken" headers instantly.
Delta Comparison: Comparing the "Before" (the file in the previous, pre-infection snapshot) against the "After" (the same file in the flagged snapshot), so that a file that was already high-entropy or has not changed is not mistaken for an encrypted one.
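To make the two stages concrete, the following is an added example (not Druva's engine or any of its code) that runs the Stage 1 metadata heuristics described above (extension drift, dropped extortion notes) and then the Stage 2 content checks (entropy, header/MIME mismatch, delta against the previous snapshot) over two constructed snapshots. The snapshots, the magic-byte table, the 7.5 bits/byte entropy threshold, the ransomware extension list and the note file names are all assumptions for illustration; real detection uses far richer models and telemetry.

```python
"""Added example: minimal two-stage ransomware check over two constructed
backup snapshots (dict of path -> bytes). Thresholds, extension lists and
magic bytes are assumptions, not Druva's configuration."""
import math
import os
from collections import Counter

# Leading bytes a well-formed file of each type should start with (assumed table).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}
RANSOM_EXTS = {".locked", ".crypted", ".encrypted"}           # extension drift
NOTE_NAMES = {"README_TO_RECOVER.txt", "HOW_TO_DECRYPT.txt"}  # dropped artifacts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is roughly 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(path: str) -> str:
    """Strip a ransomware-appended extension so 'a.pdf.locked' maps to 'a.pdf'."""
    stem, ext = os.path.splitext(path)
    return stem if ext.lower() in RANSOM_EXTS else path


def header_ok(path: str, data: bytes) -> bool:
    """MIME / integrity check: does the content start with the bytes the
    (original) extension promises? Unknown extensions get no opinion."""
    ext = os.path.splitext(original_name(path))[1].lower()
    magic = MAGIC.get(ext)
    return magic is None or data.startswith(magic)


def stage1(snapshot: dict) -> dict:
    """Metadata-only heuristics: looks at names, never at content."""
    drifted = sorted(p for p in snapshot if os.path.splitext(p)[1].lower() in RANSOM_EXTS)
    notes = sorted(p for p in snapshot if os.path.basename(p) in NOTE_NAMES)
    return {"severity": "High" if drifted or notes else None,
            "drifted": drifted, "notes": notes}


def stage2(before: dict, after: dict, entropy_min: float = 7.5, min_files: int = 2) -> dict:
    """Content validation of files that changed since the previous snapshot.
    A file counts as encrypted only if it is now high-entropy AND its header
    is broken AND (delta) the earlier copy had a valid header. An untouched
    archive or a legitimately edited document never meets all three."""
    encrypted = []
    for path, data in after.items():
        prev = before.get(original_name(path))
        if prev is None or prev == data:
            continue  # new or unchanged file: nothing to compare
        if (shannon_entropy(data) >= entropy_min
                and not header_ok(path, data)
                and header_ok(original_name(path), prev)):
            encrypted.append(path)
    return {"severity": "Critical" if len(encrypted) >= min_files else None,
            "encrypted": sorted(encrypted)}


def _pdf(text: str) -> bytes:
    return b"%PDF-1.7\n" + text.encode() * 40


# Deterministic stand-in for ciphertext: a byte permutation repeated 16 times,
# so every value occurs equally often and the entropy is exactly 8.0 bits/byte.
CIPHERTEXT = bytes((i * 131 + 7) & 0xFF for i in range(4096))
ARCHIVE = b"PK\x03\x04" + bytes((i * 37 + 1) & 0xFF for i in range(2048))  # compressed-looking

BEFORE = {  # constructed snapshot N-1 (clean)
    "finance/q3.pdf": _pdf("Quarterly revenue summary. "),
    "finance/q4.pdf": _pdf("Quarterly forecast draft. "),
    "hr/memo.docx": b"PK\x03\x04" + b"Office hours memo. " * 30,
    "backups/site.zip": ARCHIVE,
}
AFTER = {  # constructed snapshot N: two files encrypted, one edited, one untouched
    "finance/q3.pdf.locked": CIPHERTEXT,
    "finance/q4.pdf.locked": CIPHERTEXT[::-1],
    "finance/README_TO_RECOVER.txt": b"Your files are encrypted. Pay to recover them.",
    "hr/memo.docx": b"PK\x03\x04" + b"Office hours memo, revised. " * 30,
    "backups/site.zip": ARCHIVE,
}

if __name__ == "__main__":
    s1 = stage1(AFTER)
    print("Stage 1:", s1)
    if s1["severity"]:  # only escalate snapshots that Stage 1 flagged
        print("Stage 2:", stage2(BEFORE, AFTER))
```

Running the example flags both .locked files and the note in Stage 1 (High), then confirms exactly the two encrypted PDFs in Stage 2 (Critical). The unchanged site.zip is high-entropy but is skipped because it is byte-identical to the previous snapshot, and the edited memo.docx keeps a valid header, which is the point of combining entropy with the header and delta checks.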
Ransomware Impact Detection Workflow: Administrator-Specific
For Security Operations Center (SOC)
A four-step workflow designed to help SOC manage and mitigate digital extortion threats.
Detection: The Druva Cloud Platform administrators will receive alerts via email for Potential Ransomware Activity and Ransomware Impact Confirmed identified through behavioral Machine Learning (ML) signals.
Escalation for next level detection: The system automatically validates this threat as confirmed ransomware activity by applying specialized detection checks that identify characteristic encryption behavior.
Investigation: View correlated signals alongside explainable evidence to clearly understand the full scope of impact.
Response: Leverage summarized incident context to confidently initiate containment actions or assess impact.
For IT Operations (Backup Administrator)
A five-step workflow designed to assist IT Operations (Backup Administrator) in managing ransomware threats.
Detection Awareness: Identifies suspicious snapshots early in the backup lifecycle, enabling faster response.
Impact visibility: Clearly distinguishes between infected and clean restore points, providing precise visibility into affected data.
Investigation: Navigate from the alert to the affected snapshots and file-level impact, using indexed metadata such as file extensions and the extortion note for rapid lookups.
Recovery Action: Identifies clean recovery points based on a trusted pre-infection baseline and optionally performs quick or deep scans to validate integrity before restoration.
Restore & Validation: Perform a trusted restore, ensuring no reinfection occurs in the production environment.
Get Started with Ransomware Impact Detection
Supported workloads
VMware Virtual Machines
Azure Virtual Machines
AWS Workloads - EC2 and EBS Volume
What Druva License is required to use this feature?
Ransomware Impact Detection feature is available with the Premium Security SKU.
How to enable this Ransomware Impact Detection feature?
Contact your Account Manager or raise a case via Dru Assist to enable this feature.
Set up
Ransomware Impact Detection is designed as a plug-and-play capability, requiring no learning period unlike the Data Anomaly feature. Once enabled, Stage 1 or heuristic-based modeling begins to detect suspicious ransomware activity.