Turning back the clock on encryption: How to perform ransomware backups in one-click

The ThreatDown EDR Ransomware Rollback feature has been updated to extend the max recovery window from 72 hours to 7 full days.  

With ransomware attacks reaching all-time highs, the ability to swiftly backup encrypted data is more crucial than ever. The common approach of using Windows Shadow Volume Copy (VSS) for ransomware backups, however, has its pitfalls. While VSS is great for creating snapshots of your data, it falls short against sophisticated ransomware which targets and compromises VSS backups directly. Translation: If your system is hit with advanced ransomware, those VSS backups stored on the same system aren’t safe either. 

Enter ThreatDown Ransomware Rollback. 

The previous three-day limit for reversing ransomware encryption was designed with the weekend in mind, allowing IT professionals to last-minute address attacks by the following Monday. However, with 7-day rollback, IT teams can now approach ransomware recovery with even less haste and more time for planning. Given that recovery from ransomware attacks often spans multiple weeks, the option to ‘dial back the clock’ instantly with ThreatDown Ransomware Rollback becomes one of the quickest paths to restoring normal operations. 

Let’s dive more into Ransomware Rollback and the new 7-day rollback window. 

How it works 

The bedrock of Ransomware Rollback is a kernel mode driver to monitor file system changes and make a copy of files before modification. This driver creates backups of files before they are modified, ensuring it also protects these backups from potential attacks. 

ThreatDown Endpoint Detection and Response (EDR) begins with a 14-day learning phase, where it identifies which applications on the system are safe. It does this by observing which applications typically work with files. After this learning phase, the EDR compiles a list of these safe, or “allowlisted,” applications. 

To enhance system performance, the EDR system does not monitor applications on the whitelist. This means that if an application from the allowlist tries to change a file, the EDR won’t create a backup of that file. 

However, for any other application that tries to modify a file, ThreatDown EDR creates a backup copy of the file before allowing any changes. This is because it’s initially unclear whether a modification is harmful. Thus, every file is backed up just in case. 

If it turns out that an application modifying a file is ransomware, the EDR system has a backup to restore the file to its original state. This recovery process is what is known as “rollback.” 

Ultimately, this strategy effectively counters ransomware attacks by ensuring that there is always a recent, clean, and unencrypted version of the file available for restoration.  

Setting the 7-day rollback window 

To set the new 7-day rollback window in Nebula, first locate the Endpoint Detection and Response settings tab in your policy: 

1. On the left navigation menu, go to Configure > Policies. 

2. Select a policy. 

3. Select the Endpoint Detection and Response tab to see the specific settings available for each operating system.  

On this page, turn Ransomware Rollback on. Select Advanced settings include additional features for Ransomware Rollback.  

Toggle the slider for Rollback timeframe to Max 7 Days.  

Try Ransomware Rollback Today  

With Ransomware Rollback, organizations can avoid the issues with traditional, VSS-focused backup solutions and ensure that, if an encryption event occurs, they can quickly get back to their feet with their data intact. 

By extending our Ransomware Rollback to a full 7-day period, we’re giving IT teams even more time to respond to an attack how they see fit. IT admins no longer have to rush to rollback ransomware changes before the 72-hour window is up, making this new feature especially useful during longer breaks like Thanksgiving or Christmas.  

7-day Ransomware Rollback is available as part of Advanced, Elite, and Ultimate ThreatDown Bundles. Learn more.