Abstract: Backup data is leveraged to determine whether primary data has been encrypted by malware. The disclosed approach does not rely on recognizing particular malware instances or malware provenance, and thus can be applied to any body of data. Even a novel and previously unknown malware attack can be detected in this way. An illustrative data storage management system analyzes secondary copies it created over time, applies a multi-factor analysis to data recovered from the secondary copies and, based on the analysis, infers whether the primary data from which the secondary copies were created may be encrypted. The present approach uses successive versions of backup copies to find indicia of malware encryption, rather than trying to trace or identify the malware itself. Indicia of entropy correlate highly with encryption, such as encryption performed by malware attacks. Conversely, indicia of similarity correlate highly with lack of encryption of successive versions of documents.

Abstract: After completion of a backup job, the illustrative system performs a threat analysis of the freshly generated backup copies. Each copy is restored at a secure storage area. The system scans the restored data using, preferably, a signature-based malware scanning engine. If the scan finds malware infection or some other unsafe condition, a tracking index is updated to indicate that the copy is unsafe, and the secondary copy is quarantined. The quarantine prevents the copy from being restored to the production environment, and from acting as a source for other copies. The system iterates, scanning preceding versions of the copy, updating the index, and quarantining, until a clean or uninfected copy is found. The clean copy is so indexed. Responsive to a restore request, the illustrative system automatically restores the clean copy and skips over the infected copy/copies, preferably without asking the requesting user for input or approval.

Abstract: Backup data is leveraged to determine whether primary data has been encrypted by malware. The disclosed approach does not rely on recognizing particular malware instances or malware provenance, and thus can be applied to any body of data. Even a novel and previously unknown malware attack can be detected in this way. An illustrative data storage management system analyzes secondary copies it created over time, applies a multi-factor analysis to data recovered from the secondary copies and, based on the analysis, infers whether the primary data from which the secondary copies were created may be encrypted. The present approach uses successive versions of backup copies to find indicia of malware encryption, rather than trying to trace or identify the malware itself. Indicia of entropy correlate highly with encryption, such as encryption performed by malware attacks. Conversely, indicia of similarity correlate highly with lack of encryption of successive versions of documents.