Ransomware and malware

Alcion not only provides data protection, but also improves the security posture of your organization. With no additional effort, administrators get malware-free backups as well as early detection, appropriate response, and easier recovery in the event of a ransomware attack.

Information about any anomalies discovered by Alcion can be found on the Incidents page.

Malware elimination

When performing backups, Alcion detects items that are infected by malware and preemptively keeps compromised data out of backups. The result is clean backups and peace of mind that restores won't result in proliferation of malicious data.

From the Malware tab on the Incidents page, administrators have centralized visibility into which resources (for example, users and sites) and files contain malware. This allows for corrective action, either directly or by requesting cooperation from users, to remove any infected files before resolving the malware incident.

Ransomware detection

Ransomware refers to a type of cyber attack in which an adversary typically denies a user or an organization access to their data using encryption and later demands a ransom in exchange for decrypting the data.

To detect such attacks early, Alcion monitors the contents of your backups and analyzes the access patterns in your data. If signs of abnormal or suspicious activity indicative of ransomware are detected, Alcion will create an incident on the Ransomware tab of the Incidents page. Additionally, Alcion will initiate preemptive backups to minimize the potential data loss window.

For reliable ransomware detection, a resource must be protected with an intelligent or recurring backup policy for at least 30 consecutive days. This initial period is used to train an anomaly detection model that encodes the expected item characteristics and data access patterns for the resource, resulting in tailored and much more accurate insights.

Lastly, to aid in recovery once all attack vectors have been resolved, Alcion visually identifies all affected resources and, within each resource, marks as safe any unaffected backups that are suitable restore candidates.

Ransomware and malware detection insights

Ransomware detection is a powerful capability, but it can be difficult to understand the overall status of the protection. Alcion exposes a number of key metrics that give administrators more confidence that their data is protected.

  • Resource-level detection status - indicates the extent to which the detection model has been trained on observations for a given resource. To reach maximum strength, the model for each resource needs to collect 90 days of backup training data with reliable predictions available after 30 days.
  • Account-level detection statistics - includes high-level information on the historical threats that have been detected across the Alcion account.
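The training-period and restore-candidate behaviour described above (a per-resource baseline that yields reliable predictions after 30 days and full strength after 90, a ransomware incident raised when a backup deviates from that baseline, and earlier unaffected backups marked as safe restore candidates) can be illustrated with a small detector. This is an added example, not Alcion's code or model; the three per-backup features, the z-score rule and the threshold are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

TRAINING_DAYS = 30       # page: reliable predictions need 30 days of backup history
FULL_STRENGTH_DAYS = 90  # page: maximum model strength after 90 days

@dataclass
class BackupStats:
    """Per-backup summary of one resource (constructed feature set, not Alcion's)."""
    day: int
    changed_fraction: float  # share of items modified since the previous backup
    renamed_fraction: float  # share of items whose file extension changed
    mean_entropy: float      # mean byte entropy (bits) of changed items; near 8 means encrypted

def detection_status(days_observed: int) -> str:
    """Resource-level status, mirroring the 30/90-day milestones on the page."""
    if days_observed < TRAINING_DAYS:
        return "training"
    return "reliable" if days_observed < FULL_STRENGTH_DAYS else "full-strength"

def _zscore(value: float, baseline: list) -> float:
    # Floor the spread so a constant feature (e.g. zero renames) still yields a finite score.
    spread = max(pstdev(baseline), 0.01)
    return (value - mean(baseline)) / spread

def analyze(history: list, threshold: float = 4.0) -> dict:
    """Scan backups in order; flag the first day whose features deviate from the
    baseline of earlier clean days. Nothing is flagged during the training period."""
    result = {"status": detection_status(len(history)), "incident_day": None, "safe_restore_days": []}
    for i, snap in enumerate(history):
        baseline = history[:i]
        if len(baseline) >= TRAINING_DAYS:
            scores = [
                _zscore(snap.changed_fraction, [b.changed_fraction for b in baseline]),
                _zscore(snap.renamed_fraction, [b.renamed_fraction for b in baseline]),
                _zscore(snap.mean_entropy, [b.mean_entropy for b in baseline]),
            ]
            if max(scores) > threshold:
                result["incident_day"] = snap.day
                # Backups taken before the anomaly are the safe restore candidates.
                result["safe_restore_days"] = [b.day for b in baseline]
                return result
    return result

# Constructed sample: 35 ordinary daily backups, then one with mass modification,
# extension changes and near-maximal entropy, the typical footprint of bulk encryption.
SAMPLE = [BackupStats(d, 0.02 + 0.005 * (d % 3), 0.0, 4.5 + 0.1 * (d % 2)) for d in range(1, 36)]
SAMPLE.append(BackupStats(36, 0.90, 0.85, 7.9))

if __name__ == "__main__":
    print(analyze(SAMPLE[:20]))  # still in the training period: no incident reported
    print(analyze(SAMPLE))       # incident on day 36, days 1-35 safe to restore from
```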

Security integrations

In addition to using its own logic to detect ransomware and malware incidents, Alcion can also leverage external Extended Detection & Response (XDR) solutions for additional signals that increase the quality of detection. The initial integration of this type is with Microsoft 365 Defender.

Microsoft 365 Defender

Microsoft 365 Defender is a service with a number of components that can be licensed, configured, and used independently. The primary services include:

  • Microsoft Defender for Office 365 - Advanced protection for your apps and data in Office 365, including email and other collaboration tools.
  • Microsoft Defender for Cloud Apps - Identify and combat cyber threats across your Microsoft and third-party cloud services. While there is some overlap with Defender for Office 365, Defender for Cloud Apps brings some valuable ransomware-specific signals when enabled for Office apps. If you have access to this service, Alcion recommends enabling it.
  • Microsoft Defender for Identity - Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals.
  • Microsoft Defender for Endpoint - Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence.

For a summary of all Microsoft 365 Defender options, see the official Microsoft documentation.

The landscape of Defender services can be challenging to navigate, but backup administrators aren't exposed to this complexity. Alcion works with the Defender configuration that security-focused administrators have already set up in your organization. Without any Alcion-specific configuration, the system will pick up any relevant signals, which serve as additional data points that can aid in detecting ransomware incidents.