Ransomware attacks are dominating headlines. So far in 2018, high-profile attack victims have included the city of Atlanta, the city of Baltimore, Boeing and the Colorado Department of Transportation. In fact, the number of reported ransomware incidents spiked by nearly 90% in 2017, and it’s only expected to rise through this year.
What sets ransomware attacks apart from other threats? In a ransomware attack, an unauthorized party accesses all or some of a victim’s data and encrypts it, rendering the data inaccessible. To obtain the encryption key, the victim pays a ransom, often in a hard-to-trace crypto-currency such as Bitcoin.
These attacks have galvanized the industry, prompting multiple responses. On one hand, some vendors claim to have developed foolproof solutions for attack prevention. On the other hand, some observers believe that attacks are inevitable and that victims must be prepared to pay the price when hackers strike. Shockingly, a former law enforcement official turned security consultant recently recommended that companies set up Bitcoin accounts in advance of infection to facilitate quick ransom payment.
As with other types of malware attacks, there are two primary defenses: either prevent the attack outright or contain the attack’s impact. Of these, attack prevention has garnered the most press. Many security firms offer training programs for users, stating that ransomware is often placed in systems unknowingly by end users who respond to “phishing” attacks, such as emails whose senders pose as trusted sources. Once you open the email or click on a link, the ransomware payload is delivered to your system. This makes it particularly hard to stop, because it is essentially a “social engineering” attack strategy that can only be minimized with better user training.
Some vendors offer software to detect payloads on email for known malware signatures, or to monitor system activities to detect aberrant activities that could indicate the existence of malware. Others look to simply isolate critical systems behind additional layers of firewalls and password challenges to limit the access of users and programs.
However, preventive measures like these are only marginally effective. Users become inured to cautions about email hygiene, and technologies designed to block the inroads of malware are quickly rendered obsolete as signatures change rapidly. In addition, firewalls and similar barriers tend to frustrate users, who often end up circumventing their protection for convenience.
Protect Your Storage
If ransomware attacks cannot be stopped completely, a utilitarian approach is required to prevent harm in the event of a successful breach. Once you’ve been breached, your last line of defense is in the storage layer. Some storage vendors have started to market product features that they say will allow customers to recover from attacks. Four options here are data encryption, continuous data protection, WORM and data versioning.
Encryption: Encrypting data ahead of an attack is effective in the face of hacking threats where data is copied and shared with third parties or disclosed publicly. But it is largely useless against ransomware as ransomware simply re-encrypts data to lock its rightful owner out.
Continuous Data Protection: Here, an “incremental copy,” which is generally a snapshot of changed bits, is generated every time data is changed. Located on an alternative storage source, this gives organizations a snapshot function that ideally would let them rewind to a point before the ransomware attack occurred, thus reversing the effects. In reality, many additional features are needed, including independent infrastructure to store snapshots and a method to determine exactly when an infection begins (which is not always the same time as when the malware activates). If you’re lacking these precautions, you may face the same ransomware attack once the contaminated data is restored.
WORM: WORM (“write once, read many”) guarantees that data, once written, cannot be changed or deleted until a specified time has elapsed. Because the data cannot be altered, it cannot be encrypted by ransomware, thus rendering these attacks pointless. No one, including administrators, can alter the data until a preset time limit has expired. This prevents rogue employees from propagating an attack (which is more common than many realize).
WORM exists as a system-level function in many object storage systems. It can be deployed in conjunction with traditional data protection software, making it simple to integrate.
Data Versioning: Versioning produces a new copy of the data whenever it’s altered but retains the original copy for a specified time period. If a file is encrypted by ransomware, a copy of the unencrypted file will still exist. This is not a surefire safeguard, though, as it’s theoretically possible for ransomware to also delete the original, unencrypted data, though no known ransomware does this.
Like WORM, versioning is also a common feature of object storage technology. Unlike WORM, with versioning it is possible to erase old copies of data prior to their preset expiration date, potentially making it more space-efficient than WORM.
Both versioning and WORM protect data where it resides, at the backup target layer. Because this layer is at least one step removed from the application server (the application server usually communicates with a backup or media server, which then connects to the backup target), it presents a difficult destination for malware to reach.
This distance, plus the inherent robustness of WORM and versioning, make these two technologies hard to defeat. Plus, they’re both easy to deploy using object storage systems and common data protection software. Better data security is a key factor now making object storage more prominent among enterprise IT architects.
About the author: Michael Tso is the chief executive officer and co-founder of Cloudian, a developer of object data stores. Prior to Cloudian, he co-founded and led Gemini Mobile Technologies, a pioneer in wireless messaging, providing mission-critical infrastructure software that today powers services at some of the world’s largest telcos. At search engine pioneer Inktomi, Michael led engineering for an e-commerce search engine, and designed a network congestion control system for KDDI which later became an industry standard. At Intel, he led the development of web acceleration technology and collaborated with Nokia on NarrowBand Sockets, commonly known as SmartMessaging, which enabled the world’s first SMS ringtone download service. Michael holds 36 patents. He graduated from MIT with an MS in Computer Science and Electrical Engineering, BS in Computer Science, BS in Electrical Engineering, and a minor in Economics.