After ransomware compromises your assets, it encrypts the business data on them and holds the data for ransom. This can cause severe risks, such as service interruptions, data leaks, and data loss. To defend against ransomware, Security Center provides the following features: anti-ransomware for servers and anti-ransomware for databases. You can use the features to protect your servers and databases from ransomware.
Protection system against ransomware
Block known ransomware in real time
Security Center blocks a large amount of known ransomware by using the threat intelligence library of Alibaba Cloud. Security Center blocks ransomware to avoid potential loss. After you enable malicious host behavior prevention, Security Center blocks known ransomware. For more information, see Enable features on the Host Protection Settings tab.
Important: The Anti-virus edition of Security Center and higher support malicious host behavior prevention.
After you install the Security Center agent on a server, the defense process of Security Center requires a specific period of time to take effect on the server. During this period of time, Security Center cannot block threats such as ransomware and DDoS trojans.
Capture and block unknown ransomware
Security Center sets up trap directories on your servers to capture potential ransomware attacks. To protect against unknown ransomware, Security Center immediately blocks viruses that perform unusual encryption operations and notifies you of the operations for further handling. If you use the Advanced, Enterprise, or Ultimate edition of Security Center, you can turn on Anti-ransomware (Bait Capture) in the Security Center console to enable the anti-ransomware feature. For more information, see Enable features on the Host Protection Settings tab.
Note: If you find a suspicious directory on your server after the anti-ransomware feature is enabled, submit a ticket to contact Alibaba Cloud technical support to check whether the directory is a trap directory that is set up by Security Center. Trap directories do not affect your workloads and are not malicious. You cannot manually delete trap directories.
Back up data
You can create an anti-ransomware policy to back up core data and purchase anti-ransomware capacity to store the backup data. If your business is infected with ransomware, you can restore core data by using the backup data in a timely manner.
Anti-ransomware implementation based on data backup
Security Center and Cloud Backup jointly provide the anti-ransomware feature, which allows you to back up and restore data. If ransomware compromises your server or database, you can use backup data to restore data. The following process describes how the anti-ransomware feature works:
If Cloud Backup is not activated, the system automatically activates Cloud Backup when you enable the anti-ransomware feature in the Security Center console.
Note: You are not charged for the activation of Cloud Backup. The fees for the storage usage of backup vaults in Cloud Backup are included in the fees for the anti-ransomware capacity. You are not separately charged for the storage of backup data.
After you create an anti-ransomware policy for a server, the system installs the anti-ransomware agent on the server. This agent is a Cloud Backup client.
The anti-ransomware agent reads protected data and transfers the data to Cloud Backup at the time that you specify in the anti-ransomware policy.
When data is being backed up, server resources are consumed.
If your data is encrypted by ransomware, you can restore data by using the backup data.
When data is being restored, the backup data is transferred from Cloud Backup to the server directory that you specify.
Usage notes
Feature differences
Anti-ransomware for servers and anti-ransomware for databases protect different types of data. If you want to protect database files, use anti-ransomware for databases. If you want to protect other files in the specified directories of your server, use anti-ransomware for servers. If you want to protect both database files and other files in the specified directories of your server, use anti-ransomware for databases together with anti-ransomware for servers. For more information about how to create anti-ransomware policies, see the following topics:
If you want to back up files from a non-local path, we recommend that you do not specify the path as the protected directory when you create an anti-ransomware policy. This prevents additional fees from being generated when the system accesses data from the path. A non-local path refers to a mount path, such as a directory in an Elastic Compute Service (ECS) instance to which an Object Storage Service (OSS) object or File Storage NAS (NAS) file system is attached. In this scenario, we recommend that you use Cloud Backup to back up files from a mount path. For more information, see Get started with OSS backup and Get started with on-premises NAS backup.
To protect database files on a server, use anti-ransomware for databases.
Procedure
You can use the anti-ransomware feature to back up data on your servers or databases. If your business data is encrypted by ransomware, you can restore the encrypted files based on the backup data. This reduces the adverse impacts on your workloads.
Purchase a specific anti-ransomware capacity and complete the required authorization. For more information, see Enable anti-ransomware.
Select anti-ransomware for servers or anti-ransomware for databases based on the type of data that you want to protect. For more information, see Feature differences.
Create anti-ransomware policies for your servers or databases to back up your data. For more information, see Create anti-ransomware policies for servers and Create anti-ransomware policies for databases.
Create restoration tasks to restore data that is encrypted by ransomware. For more information, see Create restoration tasks for servers and Create restoration tasks for databases.
Limits
Protection for databases within containers
The anti-ransomware feature cannot be used to back up data on databases deployed in containers.
The anti-ransomware feature protects directories on servers or databases. To protect directories in a container, you can map the container directory to a directory on the server.
You can use the -v parameter to map the directory in the Docker container to the directory in the host when the container starts running. Run the following command:
docker run -v <host directory>:<container directory> <image_name>
For example, if you want to map the /app/data directory in the container to the /home/user/data directory in the host, run the following command:
docker run -v /home/user/data:/app/data your-image-name
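A check for the mapping described above, as an added example that is not part of the original documentation: it reads `docker inspect` JSON and reports whether a container data directory is backed by a host bind mount that lies inside a protected directory. The sample JSON, the container names, and the `protected_dirs` list are constructed assumptions.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/db-mapped", "Mounts": [
        {"Type": "bind", "Source": "/home/user/data",
         "Destination": "/app/data", "RW": True}]},
    {"Name": "/db-unmapped", "Mounts": [
        {"Type": "volume", "Name": "dbvol",
         "Source": "/var/lib/docker/volumes/dbvol/_data",
         "Destination": "/app/data", "RW": True}]},
])

def host_path_for(container, container_dir):
    """Return the host path backing container_dir, or None if no bind mount covers it."""
    target = PurePosixPath(container_dir)
    best = None
    for m in container.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes and tmpfs are not a <host dir>:<container dir> mapping
        dest = PurePosixPath(m["Destination"])
        if target == dest or dest in target.parents:
            # Nested mounts: the most specific (deepest) mount point wins.
            if best is None or len(dest.parts) > len(best[0].parts):
                best = (dest, PurePosixPath(m["Source"]))
    if best is None:
        return None
    dest, source = best
    return str(source / target.relative_to(dest))

def is_under(path, protected_dirs):
    """Component-wise prefix test, so /home/user/data-old does not cover /home/user/data."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(d) or PurePosixPath(d) in p.parents
               for d in protected_dirs)

def audit(inspect_json, container_dir, protected_dirs):
    """Map container name -> 'protected', 'mapped-but-unprotected' or 'not-mapped'."""
    report = {}
    for c in json.loads(inspect_json):
        host = host_path_for(c, container_dir)
        if host is None:
            status = "not-mapped"
        elif is_under(host, protected_dirs):
            status = "protected"
        else:
            status = "mapped-but-unprotected"
        report[c["Name"].lstrip("/")] = status
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_INSPECT, "/app/data", ["/home/user/data"]))
```

On a real host, pass the output of `docker inspect` for the running containers as `inspect_json` and the directories from your anti-ransomware policy as `protected_dirs`.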
CPU and memory requirements for the backup feature
The following table describes the CPU and memory requirements for backing up data of different volumes.
Backup data volume | CPU | Memory size |
100,000 files | Dual-core | 4 GB |
1 million files (up to 8 TB) | Dual-core | 8 GB |
10 million files | Quad-core | 16 GB |
Anti-ransomware for databases consumes a small number of resources to back up data. Anti-ransomware for servers consumes a large number of resources to back up data. The process that anti-ransomware for servers runs to back up data consumes server resources. The consumed server resources vary based on the size and number of files. In most cases, your business is not affected. If you want to manage the server resources that are consumed to back up data, you can evaluate the backup speed and limit the maximum usage of server memory. For more information, see Backup speed and recovery speed and How do I resolve OOM issues on a Cloud Backup client?
Supported regions
If you create an anti-ransomware policy for a server that is not deployed on Alibaba Cloud, select the region in which the server is deployed. If an ECS instance for which you want to create an anti-ransomware policy resides in a region in which the anti-ransomware feature is unavailable, the instance is not displayed in the asset list.
Starting December 20, 2024, Security Center supports anti-ransomware backups for ECS instances in regions such as China (Ulanqab) and China (Heyuan). To ensure these servers receive effective protection, authorize the service-linked role AliyunServerRoleForHbrMagpieBridge on the Anti-ransomware page in the Security Center console. For more details about the service-linked role, see Service-linked roles. If you do not complete this authorization, Security Center cannot provide anti-ransomware services for servers in the specified regions.
Anti-ransomware for databases is not available for ECS instances in a classic network.
Feature | Area | Supported region |
Anti-ransomware for servers | Chinese mainland | |
Anti-ransomware for servers | Asia Pacific | Indonesia (Jakarta), Japan (Tokyo), Malaysia (Kuala Lumpur), China (Hong Kong), Singapore, and Philippines (Manila) |
Anti-ransomware for servers | Europe and Americas | US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London) |
Anti-ransomware for servers | Middle East | SAU (Riyadh) |
Anti-ransomware for databases | Chinese mainland | |
Anti-ransomware for databases | Asia Pacific | China (Hong Kong), Singapore |
Operating systems and versions supported by anti-ransomware for servers
Database versions and operating system versions supported by anti-ransomware for databases
Anti-ransomware endpoints
ECS instances
Servers that are not deployed on Alibaba Cloud
Region | Purpose | Endpoint |
China (Hangzhou) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.8.175, post-cn-mp90rcien05-internal.mqtt.aliyuncs.com |
China (Hangzhou) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-hangzhou-internal.aliyuncs.com |
China (Shanghai) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.83.79, post-cn-4590rcihm02-internal.mqtt.aliyuncs.com |
China (Shanghai) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-shanghai-internal.aliyuncs.com |
China (Qingdao) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.100.0.111, post-cn-n6w1oj5j506-internal-vpc.mqtt.aliyuncs.com |
China (Qingdao) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-qingdao-internal.aliyuncs.com |
China (Beijing) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.83.105, post-cn-mp90rcibd04-internal.mqtt.aliyuncs.com |
China (Beijing) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-beijing-internal.aliyuncs.com |
China (Zhangjiakou) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.100.1.236, post-cn-45917akja09-internal.mqtt.aliyuncs.com |
China (Zhangjiakou) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-zhangjiakou-internal.aliyuncs.com |
China (Hohhot) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.100.0.123, post-cn-0pp1epkb50h-internal.mqtt.aliyuncs.com |
China (Hohhot) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-huhehaote.aliyuncs.com |
China (Shenzhen) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.31.50, post-cn-v0h0rcijv04-internal.mqtt.aliyuncs.com |
China (Shenzhen) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-shenzhen-internal.aliyuncs.com |
China (Chengdu) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.100.0.12, post-cn-st21piid30e-internal-vpc.mqtt.aliyuncs.com |
China (Chengdu) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-chengdu-internal.aliyuncs.com |
China (Hong Kong) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.30.213, mqtt-cn-v0h1cmss401-internal.mqtt.aliyuncs.com |
China (Hong Kong) | For data transmission. The endpoints are used to transfer backup data. | *.oss-cn-hongkong-internal.aliyuncs.com |
Singapore | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.103.10.114, post-cn-4590unarx01-internal.mqtt.aliyuncs.com |
Singapore | For data transmission. The endpoints are used to transfer backup data. | *.oss-ap-southeast-1-internal.aliyuncs.com |
Malaysia (Kuala Lumpur) | For management. The endpoints are used to transfer control signals between the anti-ransomware agent and Cloud Backup. | 100.100.0.225, mqtt-cn-v0h1k5d7707-internal.mqtt.aliyuncs.com |
Malaysia (Kuala Lumpur) | For data transmission. The endpoints are used to transfer backup data. | *.oss-ap-southeast-3-internal.aliyuncs.com |