Ransomware has been 2021’s growth industry. The volume of attacks is in the tens of thousands, with thousands of victims and an average payout of $1.85m, according to Sophos.
We could dwell on the data – which sectors are most at risk and in which countries – but the key focus is the main way in which storage and backup suppliers are tackling the issue, namely via snapshots, which they are usually keen to call “immutable snapshots”.
But why immutable snapshots? Where do they fit as a response to the mechanism of a ransomware attack? Which suppliers provide this capability? And what are the benefits and potential drawbacks?
Ransomware attack phases and why snapshots fit
There are several key phases to a ransomware attack, namely the initial intrusion, a period of reconnaissance inside the victim’s systems, then the execution of encryption and exfiltration of data. Then come the ransom demands.
Snapshots provide customers the ability to roll back to uncorrupted copies of their data made before the execution of code introduced by the attacker. In theory, from here they can ignore ransom demands, purge their systems of the effects of intrusion and continue business as normal.
Snapshots are not backups, in that they are not just copies of data. They are a record of the state of and location of files and blocks that make up files at a specific time to which a customer can roll back. That record may comprise more than just a record of state, with metadata, deleted data, parent copies, and so on, all needing to be retained.
All snapshots are immutable: So what’s new?
Snapshots are immutable anyway, in that they are write-once read-many (Worm). What storage and backup suppliers have added are features such as encryption, mechanisms that lock snapshots from being moved or mounted externally, with multifactor authentication (MFA) required to manage them.
With no one – not even administrators, but certainly not ransomware software – having the ability to access snapshots or move or delete them, customers should always have access to clean copies of their data following a breach.
That’s the key benefit, with the added benefit over backups that snapshots are usually taken much more frequently than once a day.
Snapshots as a restore source: Pros and cons
But there are also potential drawbacks. Historically, snapshots have not been retained for long periods because they take up storage capacity. For this reason, retention periods for snapshots have often been short – around 48 hours.
With ransomware recovery the use case, the period customers need to retain immutable snapshots zooms up.
The time spent by attackers inside systems – “dwell time” – averages 11 days according to Sophos and 24 days according to Mandiant. During this period, they will be carrying out reconnaissance, moving laterally between different parts of the network, gathering credentials, identifying sensitive and lucrative data, exfiltrating data, and so on.
That means snapshot retention periods, and therefore the capacity required to store them, will creep up. Suppliers know this, and in some cases have targeted storage subsystems with bulk capacity at these use cases.
Snapshots and RPO
The question also has to be asked, what is the effect on recovery point objective (RPO)?
After all, if attackers have been inside systems for a week or two, data held on snapshots for that entire period may be compromised because it has been recorded with corruption intact. It may be possible to remove traces of the intruder, but the last completely clean copies may represent a recovery point some time in the past.
Anyway, don’t forget, all snapshots are immutable. What’s new is that suppliers are layering methods of making sure they cannot be exported or deleted so that customers’ last line of defence – or rather restore – is not compromised. Below is a selection of what suppliers are doing.
Cohesity SpanFS snapshots are retained in an immutable state and never made accessible to be mounted by an external system. Ransomware cannot affect the immutable snapshot. Cohesity allows for an air-gap in which customers can replicate data to an external cloud (see also its recent Fort Knox plan), another physical location or tape. Multifactor authentication is used to control access to protected copies.
IBM’s Safeguarded Copy is available in its all-flash storage arrays. It automatically creates immutable snapshots that are isolated and cannot be accessed or altered by unauthorised users. Safeguarded Copy keeps up to 15,000 immutable point-in-time copies that cannot be written to or read by an application and can’t be mapped to a host. Safeguarded Copy can be integrated with IBM Security QRadar, which monitors activities and looks for signs that an attack may be in progress.
Panzura is a little different, being a hybrid cloud or cloud gateway-focused operation, and its CloudFS takes a slightly different approach. It recognises altered file data and any resulting encrypted files are written to the object store as new data. So, if a file is encrypted by ransomware, users can recover to the state prior to infection by reference to the clean existing data with snapshots.
Pure Storage puts immutable snapshots in SafeMode, with Protection Groups that provide configurable snapshot policies covering frequency of snapshots, retention policy and ability to send snapshots to other destinations for recovery. Intruders can’t set retention periods to zero or eradicate snapshots. Retention can be increased, but can’t be decreased unless two authorised contacts with PINs contact Pure Support.
Rubrik’s snapshots and backups are also built as immutable so they can’t be encrypted or deleted by a ransomware attack. Impact Analysis is also possible via Rubrik, to identify what data was encrypted and sensitive data that may have been exposed, with multifactor authentication access to protected data.
