Ransomware has become a thriving business in recent years, with several states deciding to arm themselves with it, whether for military or profit purposes. Every article dealing with preparation for ransomware attacks identifies two main lines of action: first, to invest in employee awareness and in conducting penetration tests; second, to respond. Once ransomware has broken into an organization and begun to spread, the speed with which data-systems teams respond directly influences their ability to limit the damage done to the system.
Yet cyber criminals read these articles too and improve their methods accordingly. One of their weapons is to attack backup systems and encrypt them so that they can’t be used, or at least to damage the backup files. These backups can be macOS Time Machine or Windows Volume Shadow Copies.
How Should Organizations Prepare for an Attack?
Ransomware attacks can stay hidden for a long time in order to encrypt as much information as possible before being detected. When encryption reaches a certain critical threshold it locks the user out and asks for money (in cryptocurrency) as ransom in exchange for the safe return of the kidnapped data. This is a very efficient tactic, but it is also the ‘Achilles’ heel’ of the attack, since changes accumulated over time can be recognized if there is a mechanism tracking them. This mechanism comes without charge in modern storage solutions: snapshots.
Snapshots usually occupy a minimal volume in storage systems. They begin to grow as the live data changes and consume more storage capacity. If a storage solution provides monitoring and alerts on capacity consumption, the storage team will easily recognize the inflation and respond appropriately long before the attackers make their move.
Snapshots have an important role in identifying an active ransomware attack, and an even more important role in fast recovery from an attack, without transferring terabytes of data back from your backup destinations. That said, if attackers are actively looking to harm your data, it is probable that they are also looking for a way to erase your snapshots. We need to prepare proactively for that day, since no one wants to be the first to discover that their snapshots have been erased by ransomware.
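The capacity-growth signal described above can be turned into a simple alert rule. The following is an added example written for this article, not code from the author or from any storage vendor: it samples a snapshot's consumed capacity once an hour, learns a baseline from the first few samples, and flags any hour in which the snapshot grew far faster than that baseline. The samples, the window length and the thresholds are constructed values chosen for illustration.

```python
"""Flag abnormal snapshot growth as an early ransomware indicator.

A snapshot only consumes capacity when blocks of the live volume are
overwritten, so mass encryption shows up as a sharp jump in the amount
written between consecutive capacity samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    hour: int        # hours since the snapshot was taken
    used_gb: float   # capacity consumed by the snapshot at that moment


# Constructed samples: ordinary churn for six hours, then a burst consistent
# with a large fraction of the volume being rewritten.
SAMPLES = [
    Sample(0, 0.0), Sample(1, 2.1), Sample(2, 4.0), Sample(3, 5.8),
    Sample(4, 8.2), Sample(5, 10.1), Sample(6, 12.0),
    Sample(7, 95.0), Sample(8, 210.0), Sample(9, 340.0),
]


def hourly_growth(samples):
    """Return (hour, GB written per hour since the previous sample) pairs."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        hours = cur.hour - prev.hour
        rates.append((cur.hour, (cur.used_gb - prev.used_gb) / hours))
    return rates


def baseline_rate(rates, window):
    """Mean growth over the first `window` intervals (the learning period)."""
    values = [rate for _, rate in rates[:window]]
    return sum(values) / len(values)


def find_growth_alerts(samples, window=6, factor=4.0, min_gb_per_hour=20.0):
    """Hours whose growth exceeds both `factor` x baseline and an absolute floor.

    The floor keeps tiny volumes from alerting on noise; both tuning values
    are assumptions and would be set per storage pool in practice.
    """
    rates = hourly_growth(samples)
    threshold = max(baseline_rate(rates, window) * factor, min_gb_per_hour)
    return [(hour, round(rate, 1)) for hour, rate in rates if rate > threshold]


if __name__ == "__main__":
    for hour, rate in find_growth_alerts(SAMPLES):
        print(f"ALERT hour {hour}: snapshot grew {rate} GB/h, far above baseline")
```

In a real deployment the samples would come from the array's capacity metrics and the alert would feed the storage team's monitoring; the point is that the detection needs nothing beyond the numbers the array already reports.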
At this point many clients will ask: why not rely on separate backups? Why risk online backups in this scenario? Recovery time is the main motive here. A business that needs to retrieve large volumes of data from tape (physical or virtual) will need much more time, a factor that directly affects customers and sales.
There is also the question of whether recovery is possible at all, since tape backups aren’t always retrievable. Some customers report that only 94% of their backups are retrievable on the day of backup, and that the ability to recover clearly decreases over time.
Can Online Backups be Protected from Ransomware?
The short answer is yes! It requires a mechanism that turns a snapshot into Write Once Read Many (WORM), so that it can’t be changed or erased until a point in time defined in advance, when the lock expires.
At the same time, we want the snapshot to remain fully functional and keep all of its original abilities: retrievable, usable for managing data copies, and accessible to users.
WORM snapshots can serve further purposes, for example protection against human error. Human behavior is the root of most data system failures, and adding further protection is always standard procedure. Snapshots can be locked to prevent accidental erasure before the retention policy expires (the retention policy is the time span for which each backup is kept before being erased). These snapshots also serve cases where information is stored for legal purposes. In certain legal procedures, information must be kept available for a long time (Legal Hold) in order to protect relevant evidence, to allow for disclosure, etc. Locking the data copy is an excellent way of guaranteeing access over time and, if needed, extending it.
Anyone who has worked in the past with WORM solutions knows the story about the storage manager who locked a big snapshot for too long (I personally saw a data set that was locked for 70 years). This undoubtedly leads to great expense for companies. The solution lies in tools that limit the user in everything that pertains to the duration of the lock, and in this way prevent human error. These have to be parameters that can be changed to suit the needs of different customers, since those in the financial sector might hold regulatory information for seven years, while hospitals, for example, can hold it for up to 80 years (as long as the patient is alive and the information is relevant for treatment).
Defining Snapshots in Storage Solutions
Advanced storage solutions include tools that allow storage managers to define the retention time for snapshots, and simultaneously to use them for the ongoing operation of information systems, retrievals, creating test environments, etc.
Access to the storage solution is through an API that prevents any user from performing modifications (regardless of their defined permissions). Even if the ransomware compromised the storage manager’s passwords, it wouldn’t be able to corrupt or erase the backup. This means you can keep relying on snapshots to retrieve the information in less than a second and go back to business activity quickly.
For the scenario of holding information for legal purposes, when looking at a snapshot whose WORM retention has expired, the administrator must be able to say whether the info was saved “true to the source” (unchanged, even after the WORM lock expired), or whether users had access to it and could have made changes. New tools in storage solutions classify snapshots into one of three categories: locked, expired, or a state where the info was never locked or was locked but hasn’t changed since. These tools allow storage managers to hold snapshots for a long time while confident that the info they hold is credible and retrievable, whether for legal or other purposes.
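The behaviour the preceding sections describe (a snapshot that becomes WORM until a preset expiry, a lock duration bounded by a per-customer retention policy so that a 70-year mistake is rejected, deletion refused even to an administrator while the lock holds, and a post-expiry state that says whether the content is still true to the source) can be captured in a small model. The code below is an added example written for this article; it is not INFINIDAT's API or any vendor's implementation, and every class, method and policy value in it is an assumption chosen for illustration. The content hash stands in for whatever integrity record the array keeps at lock time.

```python
"""Model of a WORM (Write Once Read Many) snapshot with bounded retention."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class RetentionPolicyError(ValueError):
    """Requested lock duration is outside what the policy allows."""


class SnapshotLockedError(PermissionError):
    """Write or delete attempted on a snapshot whose lock has not expired."""


@dataclass(frozen=True)
class RetentionPolicy:
    """Assumed per-sector bounds: the article cites 7 years for finance, 80 for hospitals."""
    min_lock: timedelta
    max_lock: timedelta


FINANCE = RetentionPolicy(timedelta(days=1), timedelta(days=7 * 365))
HEALTHCARE = RetentionPolicy(timedelta(days=1), timedelta(days=80 * 365))


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Snapshot:
    name: str
    data: bytes                        # stand-in for the snapshot's blocks
    locked_until: datetime | None = None
    locked_digest: str | None = None   # content hash recorded at lock time

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def lock(self, duration: timedelta, policy: RetentionPolicy, now: datetime) -> datetime:
        """Make the snapshot WORM until now + duration, within policy bounds.
        An active lock may be extended but never shortened: letting an admin
        (or malware holding their credentials) cut it short would defeat WORM."""
        if not policy.min_lock <= duration <= policy.max_lock:
            raise RetentionPolicyError(
                f"{duration.days} days is outside [{policy.min_lock.days}, {policy.max_lock.days}] days")
        expiry = now + duration
        if self.is_locked(now) and expiry < self.locked_until:
            raise RetentionPolicyError("an active lock can only be extended")
        self.locked_until = expiry
        self.locked_digest = digest(self.data)
        return expiry

    def write(self, data: bytes, now: datetime) -> None:
        if self.is_locked(now):
            raise SnapshotLockedError(f"{self.name} is WORM until {self.locked_until:%Y-%m-%d}")
        self.data = data

    def delete(self, now: datetime) -> bool:
        """True when deletion is permitted; refused regardless of caller while locked."""
        if self.is_locked(now):
            raise SnapshotLockedError(f"{self.name} is WORM until {self.locked_until:%Y-%m-%d}")
        return True

    def state(self, now: datetime) -> str:
        """The three categories from the article (the labels are this example's)."""
        if self.is_locked(now):
            return "locked"
        if self.locked_digest is not None and digest(self.data) != self.locked_digest:
            return "expired-modified"   # lock ran out and the content changed since
        return "unchanged"              # never locked, or locked and still identical


def demo() -> dict:
    """Walk the lifecycle on a constructed snapshot; returns observations for checking."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    snap = Snapshot("vol-finance@2024-01-01", data=b"constructed ledger contents")
    out = {}
    try:                                   # 1. a 70-year lock on a finance volume
        snap.lock(timedelta(days=70 * 365), FINANCE, t0)
        out["overlong_lock"] = "accepted"
    except RetentionPolicyError:
        out["overlong_lock"] = "rejected"
    snap.lock(timedelta(days=30), FINANCE, t0)       # 2. a lock within policy
    out["state_during_lock"] = snap.state(t0 + timedelta(days=10))
    try:                                   # 3. stolen admin credentials try to delete it
        snap.delete(t0 + timedelta(days=10))
        out["delete_during_lock"] = "allowed"
    except SnapshotLockedError:
        out["delete_during_lock"] = "refused"
    later = t0 + timedelta(days=31)        # 4. after expiry it is still true to the source
    out["state_after_expiry"] = snap.state(later)
    snap.write(b"edited after the lock expired", later)   # 5. a write must show in the state
    out["state_after_write"] = snap.state(later)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The two rules that matter for the ransomware case are in `lock` and `delete`: the expiry can move later but never earlier, and the delete check consults only the clock, not the caller's role, which is what makes a compromised administrator account harmless to the locked copy.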
Eran Braun, Vice President of EMEA Technologies at INFINIDAT