Threat Indicators - File Extension Anomalies in Backup Jobs

The File extension tab in the Threat Indicators dashboard lists Windows file system clients with file extension anomalies.

Clicking a client computer opens the File Extension Report, which allows you to analyze the statistics for that client.

The File Extension Report displays information related to the possible presence of ransomware. The system monitors Windows file system backup jobs to detect if files have been encrypted. Ransomware can sometimes change the extensions of those files after encryption (for example, .ecc, .ezz, .zzz, .xyz, .abc, .ccc, .micro, .encrypted, etc.).

As part of Windows file system backups, the system scans for information on these file types (under the subclient content in the default backupset) to establish a baseline. Once the baseline has been established, subsequent incremental jobs continue to scan for information on these file types and identify potential file renames. The system then runs machine learning algorithms on the observed datapoints to identify if there has been abnormal activity resulting in a large number of file renames.

File Extension Tab

The table in the File extension tab is comprised of the following columns:

Column	Description
Name	The client computer. When you click the client computer, the File Extension Report appears (see below), which allows you to analyze the statistics for that client.
Indicators	File extension
Detected time	The time when the anomaly was detected.
Server type	File system.
File Count	Number of files detected with the anomaly.
Tags	Audit tags that you can use to record actions.
Actions	Click the action button , and then select one of the following options: Details: View details about the suspicious files found on the client. Delete anomaly: Remove a client or multiple clients from the client list on the panel. Manage tags: Add or remove a tag. For more information, see Creating a Tag for an Entity. Recover as VM: Recover the client as a virtual machine. For more information, see Performing Virtualize Me for Windows or UNIX Computers.

Report Description

Click a client name in the File Extension tab to open the File Extension Report.

The File Extension Report is divided into the following sections: File Extension Trend chart and Suspicious Files table.

File Extension Trend

This chart displays information about the number of files and their file extensions that were backed up per backup job.

The following image is an example of the File Extension Trend chart for file extension anomalies:

file extension report)

Click a node on the chart to open the event details for the backup job. The following image is an example of the event details for a job:

event details)

Suspicious Files Table

The following table includes descriptions for all columns in the Suspicious files table.

Column	Description
File name	The name of the suspicious file.
Path	The file path of the suspicious file.
Size	The size of the susicious file.
Modified time	The time when the suspicious file was modified.

Performing File System Restores

Threat Indicators - File Extension Anomalies in Backup Jobs

File Extension Tab

Report Description

File Extension Trend

Suspicious Files Table

Related Topics