US-12627681-B2 - Ransomware detection and/or remediation as a service in file server systems
Abstract
Examples of analytics systems may include a cloud based no-touch auto-update mechanism that may have access to ransomware signatures. For example, the service may pull ransomware signatures from a centralized public datastore through APIs and update the ransomware signatures on file servers subscribed to the analytics system.
Inventors
- Pankaj Kumar SINHA
- PARTHA PRATIM NAYAK
- Tushar Dnyandev Adivarekar
Assignees
- Nutanix, Inc.
Dates
- Publication Date: 20260512
- Application Date: 20231031
- Priority Date: 20230626
Claims (20)
- 1. A system comprising: a repository of ransomware signatures, each of the ransomware signatures including a pattern of file events indicative of a ransomware attack; an analytics system configured to periodically access a source of ransomware signatures and identify new or changed ransomware signatures and to provide new or changed ransomware signatures to file servers subscribed to a ransomware signature update service.
- 2. The system of claim 1, wherein the analytics system is configured to prevent adding a ransomware signature from the repository to a particular file server when a particular client has previously blocked the ransomware signature.
- 3. The system of claim 1, wherein the analytics system is configured to allow additional ransomware signatures at a particular file server when the particular file server has added the ransomware signature.
- 4. The system of claim 1, wherein the analytics system is configured to detect a new ransomware signature based on a ransomware attack on one of the file servers, the analytics system further configured to distribute the new ransomware signature to other ones of the file servers.
- 5. The system of claim 1, wherein the analytics system comprises a listener service configured for periodic communication with the repository of ransomware signatures.
- 6. The system of claim 1, wherein the pattern of file events indicative of the ransomware attacks include a rename event.
- 7. The system of claim 1, wherein at least one of the file servers includes a local ransomware signature repository, and wherein the new or changed ransomware signatures are used to update the local ransomware signature repository.
- 8. The system of claim 7, wherein the at least one of the file servers is configured to remediate a ransomware attack based on the local ransomware signature repository.
- 9. A method comprising: periodically connecting to a ransomware signature repository to identify a new or changed ransomware signature, wherein the new or changed ransomware signature is based on a pattern of file events; comparing the new or changed ransomware signature with ransomware signatures stored locally at a file server; and updating the file server with the new or changed ransomware signature based on said comparing.
- 10. The method of claim 9, wherein said periodically connecting comprises transmitting an API call to the ransomware signature repository.
- 11. The method of claim 9, further comprising identifying a deleted ransomware signature based on the ransomware signature repository.
- 12. The method of claim 9, wherein said updating the file server comprises updating a behavior of a file blocking policy of the file server.
- 13. The method of claim 9, further comprising refraining from updating a second file server with the new or changed ransomware signature when the second file server had previously removed the new or changed ransomware signature.
- 14. The method of claim 9, further comprising determining a particular sequence of events has occurred previously at a second file server; and refraining from updating the second file server with the new or changed ransomware signature when the new or changed ransomware signature includes the particular sequence of events.
- 15. The method of claim 9, further comprising: identifying a second ransomware signature based on a ransomware attack occurring on the file server; and updating the ransomware signature repository with the second ransomware signature.
- 16. The method of claim 9, further comprising distributing the new or changed ransomware signature to multiple file servers in accordance with a prioritization rule.
- 17. The method of claim 16, wherein the prioritization rule comprises a rule which prioritizes distribution of the new or changed ransomware signature to file servers associated with a same tenant from which the new or changed ransomware signature was discovered.
- 18. The method of claim 9, further comprising identifying pre-existing infection on the file server based on the new or changed ransomware signature.
- 19. The method of claim 9, further comprising identifying a malicious client based on the new or changed ransomware signature.
- 20. At least one non-transitory computer readable media encoded with instructions which, when executed, cause a system to perform operations comprising: periodically connecting to a ransomware signature repository to identify a new or changed ransomware signature, wherein the new or changed ransomware signature is based on a pattern of file events; comparing the new or changed ransomware signature with ransomware signatures stored locally at a file server; and updating the file server with the new or changed ransomware signature based on said comparing.
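The claims above describe signatures as ordered patterns of file events, a periodic comparison of a central repository against each file server's local copy (claims 9 and 11), per-server opt-outs that the sync must honour (claims 13 and 14) and same-tenant-first distribution (claim 17). The following Python is an added illustration of that sync logic and is not code from the patent or from Nutanix; the signature format, the `FileServer` fields and the sample signatures are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    name: str
    events: tuple   # ordered pattern of file events, e.g. ("open", "write", "rename")

@dataclass
class FileServer:
    name: str
    tenant: str
    local: dict = field(default_factory=dict)       # local signature repository (claim 7)
    blocked: set = field(default_factory=set)       # signatures this server removed earlier (claim 13)
    known_benign: set = field(default_factory=set)  # event sequences seen as normal here (claim 14)

def diff_signatures(central, local):
    """Split the central repository against a local copy into new, changed and deleted entries."""
    new = {n: s for n, s in central.items() if n not in local}
    changed = {n: s for n, s in central.items() if n in local and local[n].events != s.events}
    deleted = {n for n in local if n not in central}
    return new, changed, deleted

def apply_update(server, central):
    """Push new/changed signatures to one server, honouring its opt-outs; returns names applied."""
    new, changed, deleted = diff_signatures(central, server.local)
    applied = []
    for name, sig in {**new, **changed}.items():
        if name in server.blocked or sig.events in server.known_benign:
            continue                      # never re-add what the operator opted out of
        server.local[name] = sig
        applied.append(name)
    for name in deleted:
        server.local.pop(name)            # mirror deletions from the central repository (claim 11)
    return sorted(applied)

def distribution_order(servers, origin_tenant):
    """File servers of the tenant where the signature was discovered first (claim 17), then the rest."""
    return [s.name for s in sorted(servers, key=lambda s: (s.tenant != origin_tenant, s.name))]

def matches(sig, events):
    """True if the signature's event pattern occurs, in order, as a subsequence of an event stream."""
    it = iter(events)
    return all(step in it for step in sig.events)   # 'in' on an iterator consumes up to the match

# Constructed sample central repository (not taken from the patent).
CENTRAL = {
    "bulk_rename": Signature("bulk_rename", ("open", "write", "rename")),
    "ext_swap": Signature("ext_swap", ("rename", "delete")),
}
```

The subsequence match is one simple reading of "pattern of file events"; a production matcher would also bound the time window and count of events.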
Description
CROSS-REFERENCE TO RELATED APPLICATION(S)
This application claims the benefit under 35 U.S.C. 119 of the earlier filing date of Indian application No. 202311042690, filed Jun. 26, 2023, which application is hereby incorporated by reference in its entirety for any purpose.
TECHNICAL FIELD
Examples described herein relate to ransomware detection and/or remediation systems for file server systems, including virtualized distributed file servers hosting file systems. Examples of systems which may provide real-time updates of ransomware signatures and/or detect new ransomware signatures are described.
BACKGROUND
Data, including files, are increasingly important to enterprises and individuals. The ability to store significant corpuses of files is important to the operation of many modern enterprises. Existing systems that store enterprise data may be complex or cumbersome to interact with in order to quickly or easily establish what actions have been taken with respect to the enterprise's data and what attention may be needed from an administrator. In addition, an incomplete catalog of the file system may result in an incomplete analysis of the enterprise data to determine usage characteristics and to detect anomalies.
Ransomware is a type of malicious software, examples of which may be designed to block access to a computer system or computer files until a sum of money is paid. Most ransomware variants encrypt user files on the affected computer, hold the decryption key (making user files inaccessible), and demand a ransom payment to restore access. Ransomware is a growing threat, and many existing solutions are not able to provide automated detection of, remediation of, and recovery from attacks. Some existing approaches include intrusive detection implemented at the network layer monitoring an end point. Such monitoring approaches generally focus on who and what are being attacked rather than detecting evidence of attack. Further, these approaches are generally not designed to inform the end-user that infection has been detected. Other existing approaches include taking backups or snapshots of the file system at regular intervals, such that snapshots may be used to restore an attacked system. Such approaches generally lead to loss of data, as data created between backups is often lost and not recoverable after a ransomware attack. Further, existing approaches may detect ransomware through pre-defined digital signatures. Such methods capture already known ransomware, but systems remain vulnerable to new and non-cataloged ransomware.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1A is a schematic illustration of a distributed computing system hosting a virtualized file server arranged in accordance with examples described herein.
FIG. 1B is a schematic illustration of the distributed computing system of FIG. 1A showing a failover of a failed file server virtual machine (FSVM) in accordance with examples described herein.
FIG. 2 is a schematic illustration of an analytics system in communication with a file server arranged in accordance with examples described herein.
FIG. 3 is a schematic illustration of a system arranged in accordance with examples described herein.
FIG. 4 is a schematic illustration of an analytics system including a ransomware service in accordance with examples described herein.
FIG. 5 is a schematic illustration of an implementation of a ransomware as a service system in accordance with an example described herein.
FIG. 6 is a schematic illustration of components of a computing node (e.g., computing device or computing system) in accordance with embodiments of the present disclosure.
DETAILED DESCRIPTION
Certain details are set forth herein to provide an understanding of described embodiments of technology. However, other examples may be practiced without various of these particular details. In some instances, well-known circuits, control signals, timing protocols, and/or software operations have not been shown in detail in order to avoid unnecessarily obscuring the described embodiments. Other embodiments may be utilized, and other changes may be made, without departing from the spirit or scope of the subject matter presented here.
Data analytics systems described herein may provide a cloud-hosted analytics and monitoring service for file servers. The file servers may be hosted on any number of architectures, such as Nutanix Files and/or Isilon and/or NetApp file servers. Data analytics systems described herein may centralize data from clusters connected to admin systems operating at various data center locations. Cloud resources may reduce scaling constraints, as the cloud is not dependent on the file server resources, which may provide near-real-time analytics and alerts even for load-heavy file servers of more than 250 million files and over 500 TB of storage. Hosting file analytics on premises may limit the service to local file servers only. In contrast, systems described herein may function on a