Back in the day, miners needed a way to detect if the carbon monoxide levels in mine shafts were becoming unsafe and potentially deadly. They would take a canary into the coal mines with them, as canaries were particularly sensitive to carbon monoxide gas. As a result, the adage “canary in the coal mine” was born as an analogy for solutions that help to identify early warning signs of a potentially catastrophic incident.
As we first defined in a 2017 blog article, a ransomware event is straight-up extortion. A bad actor triggers the encryption of the files on your computers, network, and/or cloud resources, then extorts the payment of a ransom for the keys to decrypt the data. The ransom is often exorbitant, but just less than the aggregate costs associated with the pains of a manual recovery from data backup resources.
While a variety of security solutions can be put in place to prevent a ransomware event, most small businesses have limited solutions in place to help detect if an incident has already begun. Enter the use of a ransomware canary.
A ransomware canary is nothing more than a file that sits quietly on a system or server and is monitored for unauthorized access or changes. If an attempt is made to encrypt the file due to a ransomware outbreak, this signifies a change to the file and triggers an alert so that investigation and response can begin.
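The monitoring idea described above, as an added example (not code from ThreatHunter or from this article): it plants decoy files, records a SHA-256 baseline, and reports any canary that has changed. The file names, decoy content, the 7.5 bits-per-byte entropy threshold and the appended-extension rename check are assumptions for illustration, and the example goes beyond the text by also flagging deleted and renamed canaries.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

def sha256_of(path):
    """Return the file's SHA-256 hex digest, or None if the file is gone."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except FileNotFoundError:
        return None

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_canaries(directory, names):
    """Write decoy files and return the baseline {path: digest}."""
    baseline = {}
    for name in names:
        path = Path(directory) / name
        # Constructed decoy content: low-entropy text no user needs to edit.
        path.write_bytes(b"Canary file. Do not modify.\n" * 50)
        baseline[str(path)] = sha256_of(path)
    return baseline

def check_canaries(baseline, entropy_threshold=7.5):
    """Return a list of (path, reason) alerts for canaries that changed."""
    alerts = []
    for path, expected in baseline.items():
        current = sha256_of(path)
        if current is None:
            # A missing canary may have been renamed with an appended extension.
            p = Path(path)
            renamed = sorted(s.name for s in p.parent.glob(p.name + ".*"))
            alerts.append((path, f"renamed to {renamed[0]}" if renamed else "deleted"))
        elif current != expected:
            # Assumed heuristic: near-random content suggests encryption.
            high = entropy(Path(path).read_bytes()) >= entropy_threshold
            alerts.append((path, "modified, high entropy" if high else "modified"))
    return alerts
```

Run `check_canaries` on a schedule and route any non-empty result to whoever handles alerts; a "modified, high entropy" or "renamed" result on a file nobody should touch warrants immediate investigation.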
Ransomware canaries are a feature of our ThreatHunter Managed Detection and Response (MDR) platform. This is a critical addition to the security stack that should be in place for all of our clients, and we strongly encourage everyone to adopt MDR to extend security from the Protection to Detection functions of the NIST Cybersecurity Framework.