Ransomware is a relatively new tool that is fast becoming popular within cybercrime, and dangerously so. Cybercrime specialist firm Stroz Friedberg said it was dealing with three to four ransomware attacks per week through the first quarter of 2016.
Not familiar with ransomware? We don’t blame you. It’s still new enough that most aren’t familiar with the threat. Here’s a quick primer and some thoughts on how storage can be one of many tools used to limit the impact of these attacks.
What is ransomware?
The high-level concept is that a piece of malware is installed onto unsuspecting hosts. The method of infection itself is irrelevant, but so far these attacks often appear to be targeted, because the person doing the infecting needs to contact the infected party afterwards. The ransomware is then deployed with the goal of encrypting valuable data with keys that you do not possess. Once encrypted, the data is completely inaccessible without the keys, and there are (at least in theory) checks and protection mechanisms in place to prevent forced decryption of the data. An invalid attempt to recover the data could trash the encryption keys, effectively destroying the data.
Earlier this year, the FBI stated that it had received over 2,400 complaints about ransomware in 2015; the victims of these breaches lost over $24 million in total. Losses of this magnitude can leave a company significantly out of pocket or destroy it completely. Most organizations rely on complex disaster recovery and business continuity procedures to try to restore to a state prior to the ransomware infection. This threat has been particularly prevalent in hospitals, where one survey put the number of affected US hospitals as high as 75%. Most of these attacks are unsuccessful, and only a handful, such as the one on MedStar, make national news.
Storage snapshots as a defense mechanism against ransomware
So how can the storage system complement a defense strategy against ransomware?
Storage is one of the few underlying elements that should be fully isolated from any malware or would-be attacker. Access should be highly restricted and on isolated networks away from any sort of user or external application interaction. This means that the worst an attacker can do is affect the application (which is pretty bad!). The storage, network, SAN fabric, and even hypervisors should be a solid bastion of defense.
But there’s a catch. Modern storage platforms provide a guaranteed level of data protection, data integrity, and data availability. However, as soon as the ransomware attacker starts encrypting your data within your application, this very modern storage system will happily protect and ensure that the encrypted data is highly available!
But storage platforms have one particular capability that helps: snapshots.
Snapshots provide the ability to take a point-in-time slice of your data and preserve it. As such, you don’t need to immediately reach for the tapes to recover from a ransomware attack. Tape restores can take hours, days, or even weeks, and should be the last resort. Snapshots provide rapid restore and recovery of data with minimal impact to your applications.
That’s where software-defined storage (SDS) in particular comes in. Like all modern storage systems, SDS platforms like Hedvig provide unlimited and efficient snapshots with no impact on performance. Moreover, SDS runs on commodity infrastructure, making it extremely cost effective to maintain an aggressive snapshotting strategy.
So, why not leverage snapshots at a high frequency? You could take snapshots every few minutes or hours, depending on your risk tolerance. This reduces both the impact of an attack and the time to recovery. You could have an entire data center restored in minutes (or less) with minimal data loss and no trace of a ransomware attack.
Combining cloning with snapshots for white hat analysis
So what if you want to analyze an attack and attempt to pick apart the encryption?
Let’s look at an analogy from the video game space. What you need is a way to reset the clock, akin to an Action Replay or GameShark device that gives you unlimited extra lives and saved games. By taking snapshots after an infection, you have a similar “cheat device” that enables you to fully restore a dataset and still keep the encrypted data fully isolated and protected for analysis, either by your local white hat team or by cybercrime authorities. You can then repeatedly clone the infected data set (again, a common feature in software-defined storage) as a way to continually reset the clock. This cloning should be done offline, on a protected and isolated network, so that the clone cannot interact with other systems. With a programmable SDS system (using RESTful APIs, for example), you could automate this process to further simplify the job of breaking the encryption and deciphering the attack.
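To make the recovery flow from the last two sections concrete, here is an added illustration that is not Hedvig code and not part of the original post. The SnapshotVolume class, its methods, the sample files and the clock values are all constructed for this example, and the entropy check it uses to choose a restore point goes beyond the post, which leaves that choice to the operator. It walks through routine snapshots, an infection that lands between two of them, selection of the newest snapshot that still looks clean, a restore of the live data from it, and a clone of the infected snapshot set aside for offline analysis.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    snap_id: int
    taken_at: int    # minutes on a constructed clock
    files: dict      # file name -> bytes, frozen at snapshot time


class SnapshotVolume:
    """Toy volume (constructed for this example, not a vendor API):
    live files plus an ordered list of point-in-time snapshots."""

    def __init__(self, files=None):
        self.live = dict(files or {})
        self.snapshots = []

    def write(self, name, data):
        self.live[name] = data

    def snapshot(self, now):
        snap = Snapshot(len(self.snapshots), now, dict(self.live))
        self.snapshots.append(snap)
        return snap

    def restore(self, snap):
        """Roll the live data back to a snapshot; later snapshots are kept."""
        self.live = dict(snap.files)

    def clone(self, snap):
        """Writable copy of a snapshot for isolated analysis; live data is untouched."""
        return SnapshotVolume(snap.files)


def shannon_entropy(data):
    """Bits per byte: plaintext documents sit around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(files, threshold=7.0):
    """Heuristic: flag a file set if any file has ciphertext-like entropy."""
    return any(shannon_entropy(d) > threshold for d in files.values())


def last_clean_snapshot(volume):
    """Newest snapshot that does not look encrypted, or None if all are suspect."""
    for snap in reversed(volume.snapshots):
        if not looks_encrypted(snap.files):
            return snap
    return None


def simulate_encryption(data, key=b"constructed-example-key"):
    """Stand-in for the damage ransomware does: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def run_scenario():
    """Routine snapshots every 15 minutes; infection lands between two of them."""
    vol = SnapshotVolume()
    # Constructed low-entropy documents standing in for business data.
    vol.write("report.txt", (b"Quarterly census report, ward 4. " * 128)[:4096])
    vol.write("notes.txt", (b"Follow-up scheduled, see attachment. " * 128)[:4096])
    for t in (0, 15, 30):                   # clean snapshots at t=0, 15, 30
        vol.snapshot(t)
    infection_at = 35                       # t=35: files are encrypted in place
    for name in list(vol.live):
        vol.write(name, simulate_encryption(vol.live[name]))
    vol.snapshot(45)                        # t=45: routine snapshot of the encrypted state
    clean = last_clean_snapshot(vol)        # snapshot 2, taken at t=30
    infected = vol.snapshots[-1]
    analysis = vol.clone(infected)          # offline copy for the white hat team
    vol.restore(clean)                      # live data back in minutes, not tape hours
    return {
        "restored_from": clean.snap_id,
        "data_loss_minutes": infection_at - clean.taken_at,
        "analysis_clone_from": infected.snap_id,
        "live_is_clean": not looks_encrypted(vol.live),
        "clone_is_encrypted": looks_encrypted(analysis.live),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The data_loss_minutes value is the post's point about snapshot frequency: with 15-minute snapshots the worst case is 15 minutes of writes, and shrinking the interval shrinks that window. The entropy threshold is a tunable, not a rule: compressed archives, media files and legitimately encrypted backups are high-entropy by nature, so in production this check is one signal alongside others (mass renames, dropped ransom notes, an abnormal write rate) before a snapshot is declared clean or suspect.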
Software-defined storage is just one tool in your ransomware toolbox
I’m not going to sit here and say that storage is the only defense against this sort of cybercrime. It should be one technique in your armory, one of many tools used to protect your critical data. You still need to protect your users and your data center perimeter, and have systems that regularly audit and inspect individual server components and data to avoid this sort of attack. With adequate security professionals, security software, and a solid storage system with automated snapshots and clones, you should be well equipped to successfully defend against a ransomware attack without losing your data or having to pay a hefty ransom.
Although not related to ransomware in particular, here’s a technical whiteboard video that walks through how Hedvig does snapshots and clones for data protection.