concept w -

Storage technology explained: Ransomware and storage and backup

We look at ransomware attacks, and the importance of good backup practice as well as immutable snapshots, air-gapping, network segmentation, AI anomaly detection and supplier warranties

Ransomware attacks take place via malware that infects IT systems with the aim of disabling access to data or exfiltrating it.

Malware usually enters an organisation through phishing, infected documents, or compromised or malicious websites. Malware often sits inside systems while searching horizontally for key vulnerabilities in the organisation’s data, such as the location of backups.

This dwell time is the period between intrusion and when the ransomware software acts to encrypt and/or exfiltrate data. Then the attackers demand a ransom for the decryption key or return of the data.

How can storage and backup protect against ransomware?

Effective ransomware protection starts with not letting malware into IT systems in the first place. In backup and storage systems, it centres on effective data protection, with additional solutions available in the form of artificial intelligence (AI)-based anomaly detection.

Key to recovery from a ransomware attack is to regularly make effective backups. That’s because if you are hit by ransomware, you need a clean copy of your data to roll back to.

Bear in mind that backups are likely to be the most reliable backstop because they usually date back the furthest of all data protection copies and are therefore more likely to provide a clean copy from before ransomware infiltrated systems.

Snapshots are another popular method of data protection, but are more likely to be compromised by being taken during ransomware dwell periods as they generally don’t date back as far as backups.

Putting an air gap between backups and production systems is another key method of ensuring ransomware cannot affect backup copies.

Storage suppliers also build in ransomware protection such as anomaly detection that looks for malware as it acts on data, while some suppliers also offer guarantees to customers hit by ransomware attacks.

Why is backup important in case of ransomware attack?

The best way for an organisation to avoid paying a ransom is to try to recover from its most recent good copies of data.

That means it is vital for organisations to make effective backups, to keep immutable copies of backups, and to test regularly that they can recover from them.

But backups have their limits, and other data protection methods such as snapshots have their flaws, too.

Backups, for example, are only good to restore from as long as they are clean. That is, they are uninfected by ransomware files, including those that have remained inactive but undetected.

Snapshots, likewise, are only good as long as they are unaffected by the presence of ransomware files. A key limitation of snapshots is that they can be sizeable, and often for that reason, fewer of them – with a shorter roll-back duration – are kept.

Ransomware gangs often target an organisation’s backup files to make it difficult or impossible to restore to a clean point-in-time.

How can an air gap protect backups against ransomware?

One way to protect backups against ransomware infection is to retain them on the other side of an air gap.

Air-gapping is the safest option, especially if backups are stored off-site, on write-once, read many (WORM) media like optical storage or tape.

The disadvantage of off-site physical air gaps is the time it takes to restore data from backups held that way. Recovery time might be too long to meet business continuity targets, especially if IT teams have to search numerous backups to find ransomware-free copies. Suppliers have met this challenge with virtual air-gapped technology.

How can network segmentation protect backups against ransomware?

While physical air gaps can be the most secure, they also bring drawbacks in terms of recovery time.

A solution is to strictly segment backups from production environments so that uninfected copies can be used to recover from.

Approaches here include use of a discrete network segment with “deny all” firewall rules to protect it. This can be on-site or in a secondary datacentre. Rules can be relaxed when data is needed or for replication, and multiple admins and authentication are required to access backups.

A variant on this that uses public cloud storage as off-site capacity can be used also.

What are immutable snapshots?

Immutable snapshots are snapshots that cannot be changed once they have been written.

Snapshots are always immutable, but storage suppliers have taken additional measures to prevent them being accessible via ransomware.

This can mean access to snapshots is protected by multiple PINs or is time-locked.  

The downside of snapshots is that they create a large volume of data. For performance reasons, they are often written to tier one storage, and this makes them expensive, especially if organisations need to retain multiple days or weeks’ worth as protection against ransomware.

How can AI and anomaly detection protect against ransomware?

When ransomware goes to work it will give off signs that can be spotted.

These might include abnormally large numbers of changes to files in a dataset, or increased randomness in filenames or content, which could occur as ransomware starts to encrypt data.

Suppliers have added such functionality at storage device and network level to help spot ransomware infections early. AI tools can help spot anomalies across vast quantities of data and at speed that hopefully prevents malware from spreading, encrypting or deleting data.

Suppliers that offer anomaly detection include Cohesity, NetApp and Pure Storage. Commvault also has early warning features in its technology.

What financial guarantees do suppliers offer against ransomware?

Some storage and backup suppliers have taken the step of offering financial guarantees in case a customer suffers from a ransomware attack.

Veeam and NetApp offer ransomware warranties, while Pure Storage has a ransomware recovery service-level agreement that includes hardware and technical support to recover data.

But suppliers will ensure warranty agreements are very tightly written. And cash will only go so far to help an organisation if data has been put beyond reach.

Read more about ransomware and storage

Read more on Data centre hardware

Data Center
Data Management