As 2020 starts, ransomware is one of the top threats facing organizations. An organization is significantly more likely to suffer a ransomware attack than one of the disasters it typically plans for, like earthquakes, hurricanes, fires, and floods. Ransomware, unlike traditional disasters, can impact any organization, any place, and at any time. Also, unlike conventional disasters, ransomware specifically targets the data protection process and tries to avoid detection.
A review of the top attacks of 2019, the ones made public, shows that many organizations pay the ransom because they are unable to recover all the encrypted data, or at least unable to do so promptly.
Recent ransomware incarnations work their way through any accessible file system and encrypt files as they encounter them. Our Storage Resource Management as a Service (SRMaaS) solution, Visual Storage Intelligence (VSI), can alert administrators if a process or user is modifying a higher number of files than usual. Ransomware authors, however, are getting smarter. Now they avoid detection by encrypting data slowly so that monitoring software does not detect an unusual change rate. Also, the malware may encrypt only the oldest files first before making its way to newer files. Encrypting older, infrequently accessed data first also enables it to avoid the other most common form of detection, user access.
A successful ransomware attack starts by gradually encrypting files that the organization is not using. Before the organization detects any encryption, 80% or more of its data is encrypted. Most ransomware strains will go into a fast encryption mode after running quietly for a specified time, in an attempt to encrypt the rest of the organization’s data before the attack is detected.
A typical ransomware attack can be in progress for weeks before detection. The slow encryption rate means that multiple backup copies have encrypted data and that the ransomware trigger file is also on every backup copy. Recovery from the attack is a long and arduous process.
Ransomware is hard to keep out of the organization. Some security experts believe it is impossible. Recovery from ransomware, because of the random spread of infected data, is also arduous. As a result, many organizations end up paying the ransom.
How to Stop Ransomware with SRM
Ransomware thrives on the fact that most organizations keep all their data on production storage even if no user or application is accessing it. Almost every time we at VSI do a storage assessment, we find that 80% of an organization’s data has not been accessed in the last year. Yet these organizations pay thousands of dollars to free that data from a ransomware strain’s encryption scheme.
VSI can alert an organization to an attack that is underway, but as stated earlier it is becoming increasingly hard to detect those attacks. However, VSI can deliver something far more valuable than detection. It can safeguard the bulk of the data set from the attack in the first place.
What if that 80% of data that users and applications are not accessing is archived, without links, to a secondary storage device like a high-capacity NAS, Object Storage system, or Public Cloud Storage? All three of these platforms are low cost and provide immutable (read-only) protection so that even if the ransomware attack finds its way to secondary storage, it still can’t alter the data.
How Does it Work?
VSI is not an archiving solution. We identify the files that the organization is not accessing, and an administrator then moves them. It is a simple process and saves you from having to pay the high cost of archiving software, which only combines the two steps. Some archive solutions do provide additional indexing and search functions beyond what can be done with a simple metadata search from the file system. Again, if the primary motivation is to isolate old data from a ransomware attack and to reduce the cost of primary storage, the right SRM solution can provide the information you need and save the organization a lot of money. We do a deeper comparison between SRM and archiving software in our entry, “Why SRM is Better than Data Management.”
A Ransomware Attack After SRM
With an SRM solution in place and the aggressive moving of old data off of primary storage, the ransomware program can’t linger, quietly encrypting old data. It has to attack frequently accessed data, so the chances of detection increase significantly. As a side note, if IT moves 80% of the organization’s data to secondary storage, it is unlikely that it will need to buy additional primary storage for a year or two. More savings! Also, with an 80% reduction in primary storage, the data protection process becomes completely seamless and less prone to error. The data protection process is also faster, since there is less data to back up, and requires less backup storage.
Where to Start?
Moving 80% of your data to secondary storage seems like a big task. It is OK to start slow. Maybe move the oldest 20% of data first and gradually increase the amount of data you are moving over the next several months. An alternative is to commit to buying no more storage in 2020. As the organization needs more capacity, move that amount of data to a secondary storage system. A key is to make sure IT is moving the data to secondary storage that is immutable.
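As an added illustration (not VSI's code and not part of the original post), the file-system metadata search and the "oldest 20% first" starting point described above can be sketched in Python. The function names, the 365-day threshold and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile
import time

DAY = 86400  # seconds

def scan(root):
    """Return (last_touched, size, path) for regular files under root, oldest first."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable: skip it
            if stat.S_ISREG(st.st_mode):
                # atime can be stale on noatime/relatime mounts: take the later of atime/mtime
                rows.append((max(st.st_atime, st.st_mtime), st.st_size, path))
    return sorted(rows)

def cold_share(rows, max_age_days, now):
    """Fraction of bytes not touched within max_age_days."""
    cutoff = now - max_age_days * DAY
    total = sum(size for _, size, _ in rows)
    cold = sum(size for ts, size, _ in rows if ts < cutoff)
    return cold / total if total else 0.0

def oldest_by_bytes(rows, fraction):
    """Oldest files whose combined size fits within `fraction` of all bytes."""
    budget = fraction * sum(size for _, size, _ in rows)
    picked, used = [], 0
    for _, size, path in rows:
        if used + size > budget:
            break
        picked.append(path)
        used += size
    return picked

if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for name, age_days in [("2017.bak", 900), ("2018.doc", 500), ("live.db", 2)]:
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(b"x" * 1000)
            os.utime(path, (now - age_days * DAY, now - age_days * DAY))
        rows = scan(root)
        print(f"cold: {cold_share(rows, 365, now):.0%}", oldest_by_bytes(rows, 0.34))
```

The list returned by `oldest_by_bytes` is only a candidate list for the administrator; the move itself, and the immutability setting on the secondary storage target, are outside this sketch.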
How VSI Can Help
VSI is SRM as a service, so with a simple three-step process, the organization can have a complete visual representation of its storage infrastructure. We can almost immediately let you know which data is active and which is not. We can also alert you of anomalies, like high data change rates. Protection from ransomware is just the start. We can lower costs, help you maintain performance commitments, and confirm data protection readiness.