Ransomware is a big threat to organisations of all sizes. According to one piece of research, around two-thirds of disaster recovery incidents are a result of ransomware. Meanwhile, firms take an average of 21 days to recover to normal operations.
The growth of ransomware has put data storage and backup on the front line of cyber defences, and as firms have bolstered their anti-ransomware measures, attackers have become more sophisticated and dangerous.
Attackers have moved from encrypting production data to targeting backups and backup systems. Their goal is to make it harder for organisations to recover, and so more likely they will pay a ransom. Also, double- and triple-extortion attacks – where criminal groups threaten to expose sensitive data, or even use it to target individuals – have raised the stakes still further.
In response, chief information security officers (CISOs) and chief information officers (CIOs) have looked to harden systems against ransomware attack, with use of immutable snapshots, air-gapped backups and artificial intelligence (AI)-based threat detection. Suppliers have also bolstered anti-ransomware tools. Some are even offering ransomware recovery guarantees that offer financial compensation if an attack does happen.
Ransomware attacks work by spreading malware that disables access to data. The malware usually enters the organisation through phishing, infected documents, or compromised or malicious websites. It acts to encrypt data, then attackers demand a ransom for the decryption key.
The first line of defence is to detect and block phishing attacks, through antivirus and malware detection on client devices and on the network, and through user awareness and training.
Much of this is standard cyber hygiene. Most methods that work against malware and phishing will work equally against ransomware. Security researchers point out that the malware component of ransomware attacks is often not very sophisticated.
However, although cyber hygiene measures will reduce risks, they are not fool-proof. Therefore, firms also look at deeper levels of data protection against encryption, as well as detecting and blocking suspicious activity on the network.
Good backups remain an important defence against ransomware. If a firm can recover its data from a clean backup, they have a good chance of returning to normal operations without the need to pay a ransom. And, as security advisors such as the UK’s NCSC point out, paying the ransom is no guarantee of being able to recover data.
Off-site backup, or data that is “air gapped” and separated either physically or logically from production systems, provide a good level of protection, but recovery from off-site backups can be slow.
A clean recovery also requires users to spot an attack early enough to prevent backups being infected by malware. Also, attackers now actively target backup systems, with a view to disabling them or corrupting backup files.
This has led storage suppliers to build additional levels of ransomware protection into storage and backup technologies to provide additional layers of defence.
Vendors to the rescue?
One of the most common measures deployed by suppliers to counter ransomware is immutable backups. Often these are snapshots, which are usually immutable anyway. Snapshots have the added advantage of quick restore times, and they can be stored locally, offsite or in the public cloud. Their disadvantage is that the capacity they occupy can rapidly grow, so often snapshot retention periods are quite low.
A wide range of suppliers now offer immutable data copies, either in backup or directly on production storage.
Examples include Wasabi’s Object Lock immutability feature, for object storage, and Pure’s SafeMode snapshots on its FlashBlade and FlashArray systems, as well as object locking in PortWorx.
Vast Data is another supplier that provides immutable backups, using a feature it calls Indestructibility. Firms that use Amazon S3 can also apply Object Lock to buckets. A further approach is to harden the operating system; this is what Scality has done with Linux on its Artesca appliances. By hardening the OS, the supplier restricts admin tools an attacker could use to destroy or encrypt data.
There are, however, different levels of immutability. As James Watts, managing director at Databarracks, points out, the effectiveness of immutability depends on how systems are configured. A tool set for immutability at the backup level will not, for example, prevent an attacker from deleting underlying storage volumes. For ultimate protection, he recommends even backup copies and the storage target should be kept “off domain”.
The majority of backup suppliers now support air-gapped copies of data, and a growing number will work directly with public cloud storage to make it easier and less capital-intensive to store immutable backups offsite.
Chief information officers and data storage managers should check the capabilities of their backup and recovery tools, such as whether they can upload copies to the cloud or be used to create air-gapped datasets.
Ransomware detectives, and warranties
Immutable backups are not, however, foolproof. They will not protect an organisation if malware infects the snapshot.
This has prompted suppliers to add anomaly detection at the storage device and network level to help spot ransomware infections before they are triggered. Suppliers have increasingly made use of AI tools to spot anomalies across vast quantities of data, at speeds that are – hopefully – fast enough to prevent malware from spreading, and from encrypting or deleting data.
Such anomalies might include recognising abnormally large numbers of changes to files in a dataset, or increased levels of randomness in filenames or content, both of which could occur as ransomware begins to encrypt data.
Suppliers that offer this type of detection include Cohesity and NetApp, while Pure has AIOps-based anomaly detection in its Pure1 management platform. Commvault also has early warning features in its technology. Firms have in addition built ransomware detection into production data storage, not just backups, as they try to stay ahead of attacks.
Some suppliers have taken a further step by offering financial guarantees to support their data protection measures.
Veeam and NetApp are among the suppliers that offer ransomware warranties; Pure has a ransomware recovery service-level agreement which includes supplying hardware, and a technician, to recover data.
Firms should take their own steps to ensure any ransomware protection measures are suitable for their operations. Warranties, even those that offer seven- or eight-figure payouts, will only apply in tightly defined circumstances, and cash will only go so far to help an organisation if data has been put beyond reach. “There’s no blanket policy or simple answer for every organisation, these decisions all need to balance cost and risk for what works for you,” says Databarracks’ Watts.