Why Real-Time Encryption Detection Matters
When Zerto came out of stealth mode in 2011, we immediately made a splash by winning VMworld’s Best of Show award and earning some great early customers—including banks, colleges, and retailers that are still partnering with us a dozen years later. Early customers primarily implemented Zerto for disaster recovery, but it wasn’t long until these organizations began telling us about another critical use case: cyber recovery and ransomware recovery.
The mid-2010s saw the rise of some very disruptive ransomware variants, including CryptoLocker and TeslaCrypt. Customers started using Zerto to recover encrypted files, folders, and VMs, and to do so with ease and speed. Fast forward to 2023, and the ransomware market is more explosive and profitable than ever before.
The tools to fight back have been evolving right alongside the malware. Preventive cybersecurity solutions can be excellent at detecting and stopping attacks, but ransomware can still break through despite all the barriers. Recovery solutions can be critical in these scenarios, but how do you know what data to restore: which recovery points are clean and unencrypted, and which are compromised?
Unfortunately, traditional methods to determine clean recovery points aren’t fast enough to keep up with the pace of today’s rapidly evolving security landscape. Existing solutions typically scan backup copies, so the data is already hours old to start with (likely from last night’s backup job) and the malware scanning process itself takes quite a few hours added on top. Worse, you might be locked into a vendor’s own security scanning tools—all at added cost to you—which they’ve either bolted on to an existing product or licensed from a third party.
Zerto has innovated new technology to bring real-time encryption detection to the market. Zerto’s software-only solution applies unique algorithmic intelligence to alert you within seconds when there’s an encryption anomaly that could signal the start of ransomware’s detonation phase. Since you no longer need to wait hours or days to know when recovery is necessary, you’ll be able to radically reduce data loss and downtime following an attack—and do so without paying any ransoms.
Why does real-time detection really matter?
Real-time encryption detection can help minimize the scale or blast radius of ransomware’s impact phase. Some businesses may misunderstand how much and how fast ransomware typically encrypts, but the numbers tell the story.
An internal analysis of 116 globally diverse ransomware attacks, spanning 43 different ransomware variants, uncovered that a median dataset of 183.5 GB was compromised. A separate study from Splunk, "An Empirically Comparative Analysis of Ransomware Binaries," found the average ransomware can encrypt a gigabyte of data in 47.7 seconds. At that rate, the full encryption detonation in a typical attack would be estimated to take 2 hours and 26 minutes.
Unfortunately, waiting for a nightly backup to run and then scanning those copies means the average ransomware has already finished encrypting the entire dataset 12–24 hours beforehand—in a race against time, the attackers are miles down the road before there’d be any alerts that there’s an issue.
Zerto, on the other hand, can detect and alert within seconds. If ransomware is detected within 15 seconds, for example, not only is the average ransomware not finished encrypting, but it would've only managed to encrypt about 300 MB out of the 183.5 GB, a reduction of about 99.8% in the amount of locked data.
The sooner you can detect, the sooner you can take action: that’s why real-time encryption detection has real-world ramifications.
Learn more about Zerto’s detection innovations in our technical whitepaper, Understanding Real-Time Encryption Detection with Zerto.