Oregon City Using Behavioral Analysis to Halt Cyber Attacks

If you’re a business or municipality, chances are you’ve been hit by a ransomware attack, or you will be in the future. You might even have to pay up.

That’s the consensus of experts in the field. Another consensus: Once the bad guys focus on you, there’s no way to stop them.

Bill Hopkins, IT director for the city of Keizer, Ore., knows what it’s like to be hit with a ransomware attack, having seen the city become a victim in 2020.

“They encrypted about a dozen of our servers,” Hopkins said. “We hired a breach company through our insurance company, and we negotiated and we had to pay.”

Part of the data that was encrypted was police electronic evidence, which presented some legal ramifications, Hopkins said.

From there, he set about finding a solution and within the last year arrived at SnapShield, from the storage company 45Drives. The SnapShield product detects when an attack is occurring, shuts it down and immediately goes about backing up existing files.

“To protect against something happening, I’m looking at SnapShield to mirror that data,” he said. “It gives me a backup in case of a worst-case scenario. It will take effect and I only have to worry about potential files that were infected instead of an entire server being affected.”

The product doesn’t prevent attacks, but will stop one in its tracks before it becomes major and therefore will likely shield the organization or municipality from having to pay a ransom.

For a police department, stopping an attack before it encrypts key intelligence is akin to preventing a nightmare. For a 911 call center, thwarting an attack could mean not having to shut down, which would be catastrophic during a hazardous event. Last year, a ransomware attack in Dallas impacted the Police Department, resulting in disruptions to services from both police and fire as well as difficulty in accessing evidence relevant to cases that were moving through the judicial system. Recovery from the incident took months.

Hopkins said he feels that discussing the attack in Keizer, however unpleasant, will help other entities become aware and possibly thwart something similar happening elsewhere.

“What basically happened to us is there was a server that wasn’t configured correctly and that gave them the gateway to the network,” he said. “It all went downhill from there. I’m of the opinion that the more information that people have the less likely they are to be attacked.”

SnapShield is set up with 45Drives’ on-premises clustered servers and data, and with a combination of hardware and software. It is constantly monitored by behavioral analysis that looks for patterns of ransomware. “It catches the attack within a few tens of files,” said 45Drives President Doug Milburn.

“On top of that, it has a complete logging of any file that is touched in there and it’s snapshotting,” he added, “thus you can role any file back to any state that you want.”