Two-Pronged Approach Offers Best Data Protection Against Ransomware
By Linus Chang, Founder and CEO At BackupAssist,
One of the biggest challenges that small and medium-sized businesses (SMBs) face is protecting their critical data in an era of increasing cybercrime. While it’s often the Fortune 500 companies that make the headlines when data-related disasters strike, ransomware attacks present a serious problem to all businesses worldwide, regardless of size. Smaller firms must face the real threat of a ransomware attack just like larger firms, since SMBs and small and medium enterprises (SMEs) are being targeted alongside larger companies.
In fact, businesses big and small have more to worry about than ever: 2017 data from Kasperksy Lab found signs of a dangerous emerging trend. There are now more targeted ransomware attacks against businesses of all sizes, as cybercriminals turn their attention away from private users to focus on potentially more lucrative victims. What’s more, the 2017 Annual Threat Report from SonicWall reveals that the threat to businesses is continuing to increase exponentially. In 2016, more than 638 million ransomware attacks occurred—a meteoric increase from the year prior, which saw fewer than 3.8 million attacks.
Businesses also face deeper repercussions from ransomware attacks than individuals do because of a phenomenon that I call “infection magnification.” I refer to this effect as “triple the pain,” because it only takes one infected computer to cause corruption across a trio of storage locations: primary storage, distributed storage (often via cloud sync programs), and backup storage. Yes, you read that right: this means that even if you have backups, these can get corrupted by ransomware, too—if you don’t have the right solution in place.
What does infection magnification look like in action? Once a ransomware attack has infected a single computer, the malware scans for network shares and begins corrupting files on your file server, NAS, or other primary storage. This also affects cloud sync and replication since files that have been corrupted on your local machine can be synced to the cloud via cloud storage services like DropBox, Google Drive, Microsoft OneDrive, and others. These corrupted files get synced across to other computers and users.
Finally, there are your backups and archives—while you may think of these as your go-to recovery files, even these aren’t safe unless you’ve taken the correct precautions. Ransomware causes corrupted files to get backed up, replacing the legitimate versions of your files – which is corruption inside the backup. Depending on how many historical restore points you have, you may find that all of your backups become useless. That’s many backup products automatically delete the oldest backups as the backup device fills up. Because ransomware performs large scale changes at once, this results in a huge incremental backup that often overwrites historical backups.
And worse still, we’ve seen cases of corruption of the backup itself from the “outside”. This happens when a USB or NAS backup is connected to a computer infected with ransomware.
We’ve even received calls for help when the administrator connected the backup device to do a restore on a machine that hadn’t been properly cleaned of malware! The backup itself was destroyed as ransomware proceeded to encrypt the backup files.
Therefore, while in theory your backups should save the day, in practice there are many cases where you can still be left high and dry. Unfortunately, many people only find out too late.
The Confusion With SME Data Protection
Despite the severity of these problems and the clear need for companies to take action, it’s not easy for SMBs to know how to sufficiently safeguard their valuable data. The problem is largely due to confusion and industry direction. It’s no wonder, because there’s a huge amount of jargon and different technologies that have developed in the last 20 years. There are so many options to choose from, and not every option will provide protection against ransomware.
Two decades ago, things were simpler and there was only one mainstream type of data protection – the humble tape backup. Over time, as that technology became dated, it was replaced with a myriad of new technologies: drive imaging, backup to the cloud, snapshots, instant virtualized disaster recovery, and real-time replication just to name a few. Each technology protects against different things in different ways, and comes with its own sets of pros and cons. However, the common element is that the focus has shifted away from “backup” onto “business continuity”, and as part of that shift, certain advantages that old-school tape backups had have been lost in the process.
While I’m not advocating going in a time machine and resurrecting your tape backups, we can learn a lot by analyzing how the older technology would have fared against ransomware attack. Then we can take those lessons and apply it to current backup technologies to get the best of both worlds.
So how would old tape backups have fared against ransomware? Most people are surprised to learn they would have held up very well, and sometimes a lot better than solutions used today. I see several reasons why:
- Not a file system.Ransomware corrupts files that are available on a file system. Therefore, “disk-to-disk” backups stored on a USB Hard Drive or NAS are vulnerable to attack. Ransomware can’t (yet) attack something that’s not stored on a file system. In contrast, tape backups use a custom data format and are accessed via a different set of APIs.
- Enforced air gap. Thanks to the old practice of tape rotation (where an organization may have 10 or more tapes, swapped daily), all except one tape was completely disconnected from the server. Ransomware can’t infect a tape that’s sitting on a shelf or in a fireproof safe.
- No single point of failure. As another byproduct of tape rotation, there was no single point of (total) failure – if one tape became lost or damaged, you could restore from another one.
- Immutable point-in-time snapshots. Each tape was a point-in-time snapshot of data at the date of the backup, and it could not be changed unless it was overwritten. In contrast, live-running snapshots like VSS snapshots can be deleted by ransomware, or backup files can be attacked and modified.
- The time delay. A limitation of tape backups was that they took hours to complete, meaning they were generally only run overnight. Therefore, up to a day could pass between a file changing and when that file would be backed up. This delay (known as “recovery point objective”) was regarded as a negative in the context of business continuity – restoring from yesterday’s backup meant losing a whole day’s work – and the industry moved towards slashing this delay through near-continuous backup and real-time replication. However, ironically the tables are turned in the case of ransomware. The faster the backup or replication process is, the faster any corrupted files get copied into both replicas and backups.
However, even tape backups would not be infallible: if a ransomware infection occurred and was not manually detected, tape backups automatically backup those corrupted files, thereby overwriting existing “clean” backups.
So how does the average SME distinguish between data protection that will or will not protect them adequately against ransomware?
The most advanced backup software products available on the market are now actively aware of ransomware and will take proactive steps to protecting the backups from such attack.
Going back to our tape backup analysis, let’s see how we can “add back” the natural in-built protections it offers into today’s backup systems.
- Shield the backup from ransomware attack: the “not a file system” and “air gap” form a natural shield between the backups and ransomware. In today’s environments where the backups are connected via SATA or USB cable (disk-to-disk backups) or network cable (disk-to-NAS), the backups need to be shielded from unauthorized tampering. We certainly don’t want ransomware (or a hacker) corrupting or deleting the backups.
- Multiple backups: the “no single point of failure” nature of tapes gave you different places from which to restore. This is redundancy. A good, modern backup system can also offer this – not just multiple backup media (like drive images done to multiple hard disks swapped daily), but completely different styles of backup – like disk-to-cloud and disk-to-disk – each with redundancy.
- Point-in-time snapshots: tapes were good at this. However, common replication technologies are not. A proper backup system gives you a variety of snapshots that won’t automatically be overwritten as disk space runs out. An example of this is having an “end-of-quarter” backup on a hard disk that sits in a fireproof safe.
- Don’t backup corrupted files: This seems so obvious, but the vast majority of backup software available will mechanically back up whatever files and data are selected for backup. If your “D:\Company Documents” folder just got replaced with encrypted files, then most likely that will get copied straight to the backup. Therefore, your backup software should have intelligence and be aware of what it’s backing up.
By now, you probably see that in addition to scanning and detecting the effects of ransomware activities in the source files intended for backup, you need your backup and recovery solution to have protective features as well that can stop ransomware from infecting your backups. It’s also helpful to have a solution that responds instantly to a ransomware attack, ideally by alerting you to the compromise (for example, via email and SMS) and then preserving the last reliable backup by blocking future backup jobs from running.
Putting Things Together – Your Full Defense Ecosystem
I find it very useful to think of combating the ransomware threat through a full ecosystem of defenses. Just as sporting teams have a variety of players performing different roles, so too should your I.T. defense ecosystem.
You might think of this defense ecosystem as a two pronged approach of “active” and “reactive” measures. What I mean by this is that implementing front-end threat and intrusion protections simultaneous with back-end disaster recovery is like building out a complete sporting team with offense and defense.
Active, front-end protections can prevent a proportion of attacks. Educating staff about social engineering and phishing attacks can go a long way to prevent infections through clicking on suspect links. And it’s likely that SMEs will already have email filtering, firewalls, intrusion detection, and anti-virus/anti-malware on servers and workstations.
But even if you’ve taken these steps to try to circumvent the damage that cybercrime can cause, no single protection measure—from anti-malware to firewalls—is foolproof. Each has technical limitations and there are a plethora of attack vectors. Cyber criminals can always find ways to get in and hold your critical data hostage, demanding outrageous sums for its safe return. And as ransomware becomes increasingly sophisticated, it is foreseeable that these active defenses will be penetrated on an increasing basis.
Therefore, it’s necessary to pair active defenses with the reactive defenses: how you protect your data through various levels of backups, including in the cloud. Coupling with a backup and recovery solution that offers the features discussed in this article is the best way to shield files from permanent loss and corruption. Such a backup and recovery solution allows businesses to easily resurrect their data and recover all their files so that they can get back to business.
Why is it important to take this two-pronged approach to data protection from ransomware attacks? The answer lies in understanding the difference between active and reactive defense strategies. Active defenses like anti-virus and anti-malware are threat focused—they hone in on perimeter security to try to keep the threats out by detecting any virus or malware threats before they strike, and then cleaning up the infections that may have occurred during the attack. You can think of these defenses like a bouncer at a nightclub. They are trying to stop threats from getting in—and if threatening elements do manage to sneak in past security, then active defenses attempt to evict them.
Reactive defenses, on the other hand, are data focused rather than threat focused—these backend strategies zero in on protecting file contents by undoing any damage caused by successful malware attacks. Consider the analogy of an “undo” button that rolls back the damage caused by threats that manage to circumvent and infiltrate perimeter security, or even a time machine that allows you to go back in time and restore your data to a time before the infection occurred.
However, as we have discussed, for the backup and disaster recovery solution to be useful against ransomware attack, it has to have specific defenses itself: a first layer of defense like a shield that’s active 24/7 to block unauthorized processes from accessing a USB or network-connected backup, and a second layer that prevents crypto-corrupted files from being backed up. A third layer of immediately notifying the system administrator rounds out a good backup and disaster recovery solution.
By taking this active and reactive two-pronged approach to data protection, you can deliver an active and simple one-two punch against ransomware attacks.