Even more than in recent years, ransomware is one of the top threats facing organizations. An organization is significantly more likely to suffer a ransomware attack than the natural disasters they typically plan for like earthquakes, hurricanes, fires, and floods. Ransomware, unlike traditional disasters, can impact any organization, any place, and at any time. More troublingly, it specifically targets the data protection process and tries to avoid detection.
A successful ransomware attack starts by gradually encrypting files that the organization is not using. Before the organization detects any encryption, 80% or more of their data is encrypted. Most ransomware strains will go into a fast encryption mode after running quietly for a specified time, in an attempt to encrypt the rest of the organization’s data before the attack is detected.
A typical ransomware attack can be in progress for weeks before detection. The slow encryption rate means that multiple backup copies have encrypted data and that the ransomware trigger file is also on every backup copy. Recovery from the attack is a long and arduous process.
Ransomware is hard to keep out of an organization. Some security experts believe it is impossible. And recovery from ransomware, because of the random spread of infected data, is too long (and expensive) for most organizations to tolerate. As a result, many organizations end up paying the ransom.
How to Stop Ransomware through Storage Resource Management
Ransomware thrives on the fact that most organizations keep all their data on production storage even if no user or application is accessing it. To avoid detection, ransomware authors encrypt the oldest files first before making their way to newer files. Data from Visual Storage Intelligence’s (VSI) storage assessments typically indicates that around 80% of an organization’s data has not been accessed in the last year. Encrypting older, infrequently accessed data first enables them to avoid one of the most common forms of detection – user access.
Storage Resource Management as a Service (SRMaaS), like VSI, can alert an organization that an attack is underway. For example, VSI warns administrators if a process or user is modifying a higher number of files than usual.
Still, savvy ransomware authors try to avoid detection by encrypting data slowly so that monitoring software does not detect an unusual change rate. It is increasingly difficult to detect those attacks. However, an SRMaaS like VSI can deliver something far more valuable than detection. It can aid in safeguarding the bulk of the data set from the attack in the first place.
How Does it Work?
What if that 80% of data that users and applications are not accessing is archived, without links, to a secondary storage device like a high capacity NAS, Object Storage system, or Public Cloud Storage? All three of these platforms are low cost and provide immutable (read-only) protection so that even if the ransomware attack finds its way to secondary storage, it still can’t alter the data.
As an SRMaaS, VSI is not an archiving solution. Rather, VSI identifies the files that an organization is not accessing so that an administrator can efficiently move them elsewhere. It is a simple process, and it saves you from having to pay the high cost of an archiving software.
It’s true that archive solutions provide additional indexing and search functions beyond what a simple metadata search from the file system can accomplish. However, if your primary goal is to isolate old data and reduce the cost of primary storage, VSI can provide the information you need and save money in the process.
Where to Start?
With an SRMaaS solution in place and old data moved off of primary storage, ransomware programs can’t linger around encrypting old data. They have to attack frequently accessed data, making the chances of detection through your SRMaaS increase significantly.
Moving 80% of your data to secondary storage seems like a big task. It is OK to start slow. Consider moving the oldest 20% of data first and gradually increase the amount of data you are moving over the next several months.
Moving 80% of your data to secondary storage makes it unlikely you will need to buy additional primary storage for a year or two. Your organization could commit to buying no more storage in 2021. As the organization needs more capacity, move that amount of data to a secondary storage system (just make sure it is immutable).
With an 80% reduction in primary storage, the data protection process should become seamless and less prone to error. The data protection process should also be faster, since there is less data to back up and less backup storage required.
How VSI Can Help
VSI provides organizations with a complete visual representation of its storage infrastructure. Our single-pane-of-glass design shows on-demand which data is active and which data is inactive. We also alert organizations of anomalies like high data change rates.
We can lower costs, help you maintain performance commitments, confirm data protection readiness – and even help identify and guard against ransomware threats.