
Immutable data architecture means that file data, once written, cannot be changed. If it cannot be changed, ransomware cannot encrypt it: the most an attack can do is write new, encrypted data alongside the original, which stays intact.

Dark Reading recently reported that a Fortune 50 company has paid what is believed to be the largest ransomware demand to date — a staggering $75M.

Other notable attacks over the past several years include Caesars Entertainment, with a reported $15M paid; CNA Financial, one of the largest cyber insurance firms in the USA, at a reported $40M paid; and Change Healthcare.

Colonial Pipeline's $5 million payment to hackers did little to help its recovery after a ransomware attack on its systems disrupted fuel supply along the Eastern Seaboard. The decryptor the attackers supplied was reportedly so slow that the company fell back on its own backups to restore data. Colonial's experience highlights one of the major drawbacks of paying a ransom: the key you buy may not get you back up and running.

The continued escalation of attack frequency, ransom demands, and tactics such as publishing sensitive data if firms do not pay, tells us that these attacks are more than lucrative enough for the criminals behind them. With the risk of discovery remaining low, and falling further with the rise of crimeware-as-a-service, there is little chance of any firm avoiding an attack at some point. In fact, an increasing number of organizations have been hit more than once.

What is ransomware and how does it disrupt business operations?

Ransomware is malware designed to block access to your critical data, typically by encrypting it so that your files cannot be opened or used. Some variants also rename files with a new extension; others encrypt them in place and leave the names unchanged.

Attackers then demand a ransom (often in bitcoin) in exchange for the decryption keys, or a decryptor tool, to restore access to your data.

It’s the digital version of kidnapping – your data is held hostage and the kidnapper aims to have you pay for its safe return.

Sophisticated ransomware operations, funded by past ransom payments, are engineered to be hard to protect against and hard to detect early. They are also extremely difficult to stop, often encrypting so much of a network that victims are confused about their options and believe they have no choice but to pay.

From the attacker's point of view, an attack succeeds only if you cannot restore access to your data without paying.

As a result, attackers often target backups and snapshots first, to limit your recovery options. That can leave a firm with nothing but off-site backups, perhaps on tape, to restore from. Relying on such backups can mean an enormous amount of data loss, and the restore itself is so slow that recovery can take weeks or even months.

When an attack hits, IT teams have to identify it, find where it is coming from, and slow and hopefully stop it before it encrypts the entire network. If they can pinpoint an infected laptop or server, for example, disconnecting it from the network helps contain and minimize the damage.

Attacks frequently drive CPU utilization to 100% as files are encrypted, which makes it extremely difficult for systems administrators to reach critical infrastructure such as servers.

Once the attack has been stopped, IT and SecOps teams are in disaster recovery mode. They face the enormous task of identifying encrypted files, folders and directories, and working out whether they can be decrypted or whether their data recovery processes can restore pristine data while minimizing data loss.

While this is all happening, users are locked out of networks and companies incur the costs of downtime, lost data, and failed restoration efforts.

bat365’s approach toward immutable storage, which allows rapid recovery of pristine file data from immutable snapshots taken at granular intervals, means bat365 customers can avoid paying ransoms and return to productivity with minimal disruption.

How does ransomware penetrate a network?

Ransomware can be delivered through socially engineered methods such as fake emails, spam, web pages, free software downloads, fake software updates, and even through web-based instant messages.

These are specifically designed to be successful by making it as likely as possible that a user will be fooled.

For example, one morning, you receive an urgent email from your CEO (the email has their name and email address in the “From:” field) asking you to explain the attached invoice in the form of a PDF file.

It looks authentic, so you open the attachment. The PDF contains an embedded Word document, and you click through the security warning to open it. The Word document carries a VBA macro that downloads the ransomware and executes it.

That's all it took. Your laptop is now infected, and the ransomware immediately begins encrypting data, not only on the laptop but on every network drive it can reach.

Attackers have also been known to plant malicious USB charging cables, with a small implant hidden in the connector, in high foot-traffic areas. The cables are quickly picked up and, sooner or later, plugged into a laptop or desktop computer to charge a phone.

At that point the malware is in. It is designed to do maximum damage, so it may lie dormant until that device is connected to a corporate network, then spread at full speed through every file share it can reach.

Is complete ransomware defense even possible?

Defending against ransomware is exceptionally difficult. In fact, given the volume and success of attacks globally, it seems reasonable to conclude that impenetrable ransomware defense may be impossible.

Available anti-ransomware tools can and do fend off many attempts and, if kept up to date, help keep your infrastructure secure against cyber attacks.

They are particularly good at recognizing and rejecting malicious email attachments, which is one reason attacks have shifted to methods that place the payload directly inside the network.

Defensive software like bat365 Detect and Rescue is highly effective at early detection within CloudFS and can automatically shut down an attack at the level of the affected user, so if ransomware gets past your first line of defense, the damage is minimized.

However, this alone is not a complete answer, because such solutions are reactive by nature: they respond to ransomware once they recognize it, so some encryption must happen before they act. The insidious nature of ransomware means that some data can still be modified or deleted before the attack is brought under control.
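To make the idea of user-level detection concrete, here is a toy detector that scores each file write by payload entropy and file-extension change, and blocks a user once a threshold of suspicious writes is reached. This is an added example written for this article; it is not the logic of bat365 Detect and Rescue or any other product, and the event format, thresholds, extension list and sample events are all my own assumptions.

```python
# Added example: a toy per-user ransomware write detector. Not bat365 code;
# the event format, thresholds and extension list below are assumptions.
import math
import os
import random
from collections import defaultdict
from typing import Dict, List, Tuple

HIGH_ENTROPY = 7.0     # bits/byte; ciphertext and compressed data sit near 8.0
MIN_BYTES = 64         # tiny writes cannot reach high entropy; don't judge them
MAX_SUSPICIOUS = 3     # suspicious writes allowed before the user is blocked
KNOWN_RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}   # illustrative only


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts: Dict[int, int] = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_write(event: dict) -> List[str]:
    """Return the reasons (possibly none) a write looks like ransomware."""
    reasons = []
    data = event["data"]
    if len(data) >= MIN_BYTES and shannon_entropy(data) >= HIGH_ENTROPY:
        reasons.append("high-entropy payload")
    new_ext = os.path.splitext(event["path"])[1].lower()
    old_ext = os.path.splitext(event.get("previous_path", event["path"]))[1].lower()
    if new_ext in KNOWN_RANSOM_EXTS:
        reasons.append(f"known ransomware extension {new_ext}")
    elif old_ext and new_ext != old_ext:
        reasons.append(f"extension changed {old_ext} -> {new_ext}")
    return reasons


def evaluate(events: List[dict], max_suspicious: int = MAX_SUSPICIOUS
             ) -> Tuple[List[str], Dict[str, int], List[Tuple[str, str, str]]]:
    """Walk the write events in order. A user whose suspicious-write count
    reaches max_suspicious is blocked and their later writes are denied.
    Returns (blocked users, suspicious counts per user, per-event verdicts)."""
    counts: Dict[str, int] = defaultdict(int)
    blocked: List[str] = []
    verdicts: List[Tuple[str, str, str]] = []
    for ev in events:
        user, path = ev["user"], ev["path"]
        if user in blocked:
            verdicts.append((user, path, "denied: user blocked"))
            continue
        reasons = classify_write(ev)
        if not reasons:
            verdicts.append((user, path, "ok"))
            continue
        counts[user] += 1
        if counts[user] >= max_suspicious:
            blocked.append(user)
            verdicts.append((user, path, "blocked: " + "; ".join(reasons)))
        else:
            verdicts.append((user, path, "suspicious: " + "; ".join(reasons)))
    return blocked, dict(counts), verdicts


# Constructed sample data: ordinary text, and seeded pseudo-random bytes
# standing in for ciphertext so the example is deterministic.
TEXT = b"Quarterly revenue summary: sales grew 4% year over year, costs were flat. " * 4
_rng = random.Random(1234)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_EVENTS = [
    {"user": "alice", "path": "report.docx", "data": TEXT},
    {"user": "bob", "path": "budget.xlsx.locked", "previous_path": "budget.xlsx", "data": CIPHERTEXT},
    {"user": "alice", "path": "notes.txt", "data": TEXT[:120]},
    {"user": "bob", "path": "plan.docx.locked", "previous_path": "plan.docx", "data": CIPHERTEXT},
    {"user": "carol", "path": "archive.zip", "data": CIPHERTEXT},   # legitimate compressed upload
    {"user": "bob", "path": "q3.pptx.locked", "previous_path": "q3.pptx", "data": CIPHERTEXT},
    {"user": "bob", "path": "q4.pptx.locked", "previous_path": "q4.pptx", "data": CIPHERTEXT},
]

if __name__ == "__main__":
    blocked_users, suspicious_counts, results = evaluate(SAMPLE_EVENTS)
    for verdict in results:
        print(*verdict)
    print("blocked:", blocked_users, "counts:", suspicious_counts)
```

Note the trade-off the threshold expresses: carol's zip upload is legitimately high-entropy and earns one strike but no block, while bob's run of renamed, high-entropy writes trips the threshold on the third write and his fourth is denied. Whatever the real product does, the point is that some writes land before any detector acts, which is why the immutable store discussed later matters.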

A more complete answer lies in ransomware protection

Kidnapping for ransom is effective only when the person or item taken hostage is so valuable to the owner that they will pay for a safe return. In our digital age, data has taken on immense value because without it, an organization simply can’t function.

The statistics are stark: an organization that loses access to critical business data for 10 days or more has only a 7% chance of surviving the next 12 months. That plainly makes data the most valuable thing an organization owns, and the most important thing to protect.

Assuming that ransomware cannot be kept out entirely, protecting against it means protecting the data. An effective way of doing this is to maintain a pristine data set that can be rapidly restored without data loss and with minimal disruption.

In kidnapping terms, you’re no longer trying to prevent someone from being kidnapped. Instead, you’re making it impossible for anything other than a hologram of that person to be taken hostage. Meanwhile, the real person is never in any danger.

Introducing immutable data storage

Legacy file systems are inherently vulnerable to ransomware because they store data that must remain editable in place. When attacked, they do exactly what they were designed to do: they let your files be changed.

Immutable storage, combined with an immutable hybrid cloud file system that manages file data at the most granular level possible, changes your posture against ransomware and malware because it is fundamentally resistant to attack. Rather than helping to defend or protect, it reduces the impact and spread of an attack by being unaffected by it.

Immutable storage is made possible by a smart hybrid cloud file platform such as bat365 CloudFS, which takes an elegant, modern approach to file data, and allows you to use object storage – whether in a public cloud, private cloud or completely dark cloud.

To a user, CloudFS looks and feels like any other file system. Files can be opened, edited and saved, copied or deleted – by any authorized user, at any location – in real time.

Behind the scenes is a radically different, simpler and far more robust storage structure.

CloudFS is effectively an immutable file system. It’s a hybrid cloud file platform underpinned by a global file system that stores file data as blocks in object storage — either in the cloud or on-premises — as a single authoritative data set that every user in the organization can work from. User location, and the number of locations the organization has, make no difference to this scalable global file system; every user gets what feels like a local file experience, though the data itself is stored hundreds, if not thousands of miles away.

Those data blocks are immutable: they are stored in the Write Once, Read Many (WORM) pattern that object storage supports, so once in the object store they cannot be changed, edited or overwritten. Consequently they are unaffected by malware acting through the file system, and by accidental damage or deletion caused by human error. (The object store's own credentials still need protecting; an attacker who can delete objects directly is outside this model.)

Metadata pointers record which blocks make up a file at any given moment. As users create or edit files, changed data is sent to object storage every 60 seconds and stored as new blocks; at the same time the metadata pointers are updated to reference the new blocks that now form the file.

For example, if a 4-page saved document called fileone.docx is comprised of blocks A, B, C and D, and the document is edited today, it might now be comprised of blocks A, B, C and E. The new block E contains data the file system has not seen before, so it is moved to the object store, and the metadata pointers record that A, B, C and E are now required to open the current version of the file. Block D is not deleted; it simply no longer belongs to the current version.

Immutable snapshots are taken at the local node level every 60 seconds and are used to transfer changed data to the object store. Uniquely, CloudFS also lets every location in the file system exchange new and changed data with every other location in real time, even before it has reached object storage. That gives a system-wide RPO of under 60 seconds, regardless of where the file data originated or was last modified.

These immutable data blocks are further protected by file system-wide immutable snapshots that are taken at configurable intervals, with the default being 60 minutes.

Being read-only, these snapshots are likewise unaffected by ransomware, and they provide a granular way to restore data to any previous version without losing any good data.

Let’s say that, after you have edited, saved and closed fileone.docx, you realize that you’ve accidentally deleted some crucial text.

Ordinarily, that data would be lost unless it was captured by a system backup, which typically runs just once a day. With bat365 CloudFS, you simply right-click on the document from Windows File Explorer, and restore it to the version created by the snapshot that was taken before you made your edits.

Immutable data and immutable snapshots shrug off ransomware attacks

When ransomware encrypts a file, it overwrites the file's contents with ciphertext. bat365 CloudFS sees this as changed file data, so the resulting encrypted data blocks are written to the object store as new blocks.

A legacy storage system lets the file be overwritten in place, so the original contents are gone. By contrast, when fileone.docx is encrypted by ransomware on CloudFS, the current version is now made up of entirely new blocks, F, G, H and I, for example, while A, B, C and E remain in the object store untouched.

Since CloudFS preserves existing data as original objects in the object store, any file encrypted by ransomware can be reverted to its state prior to infection using snapshots. This can be done for a single file, an entire directory, or even the whole global file system.

With bat365's immutable storage, your original data is never encrypted at all. The file's pointers now point at blocks containing ciphertext; reverting to the snapshot taken before the attack points them back at the clean blocks, and your pristine files are back. In our example, you restore the snapshot in which the metadata pointers record blocks A, B, C and E, and fileone.docx is back in operation.
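To make the block-and-pointer model and the snapshot restore described in the preceding paragraphs concrete, here is a toy append-only block store in Python. It is an added example written for this article, not bat365 code: the block size, class and method names, the sample files and the XOR "ransomware" stand-in are all my assumptions, chosen so the A, B, C, D, E walk-through above can be run end to end, including the deleted-file case.

```python
# Added example: a toy content-addressed, append-only block store with
# metadata pointers and snapshots. Not bat365 code; block size, method names,
# sample files and the ransomware stand-in are assumptions.
import hashlib
from typing import Dict, List, Optional

BLOCK_SIZE = 4  # deliberately tiny; real systems use kilobyte to megabyte blocks


class ImmutableStore:
    def __init__(self) -> None:
        # Object store: content hash -> block bytes. Entries are only ever added.
        self._objects: Dict[str, bytes] = {}
        # Live metadata: path -> ordered list of block hashes (the "pointers").
        self._pointers: Dict[str, List[str]] = {}
        # Snapshots: frozen copies of the pointer table, in the order taken.
        self._snapshots: List[Dict[str, List[str]]] = []

    def _put_block(self, block: bytes) -> str:
        digest = hashlib.sha256(block).hexdigest()
        if digest not in self._objects:      # unseen content only; never overwrite
            self._objects[digest] = block
        return digest

    def write(self, path: str, data: bytes) -> List[str]:
        """Chunk the file, store any new chunks, and repoint the path at them."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        self._pointers[path] = [self._put_block(c) for c in chunks]
        return self._pointers[path]

    def read(self, path: str) -> bytes:
        return b"".join(self._objects[h] for h in self._pointers[path])

    def delete(self, path: str) -> None:
        # Deleting drops only the pointers; the blocks stay in the object store.
        del self._pointers[path]

    def exists(self, path: str) -> bool:
        return path in self._pointers

    def snapshot(self) -> int:
        """A snapshot is a frozen copy of the pointer table. The blocks it
        references are already immutable, so no data is copied."""
        self._snapshots.append({p: list(bs) for p, bs in self._pointers.items()})
        return len(self._snapshots) - 1

    def restore(self, snap_id: int, path: Optional[str] = None) -> None:
        """Point one path, or the whole file system, back at a snapshot."""
        snap = self._snapshots[snap_id]
        if path is None:
            self._pointers = {p: list(bs) for p, bs in snap.items()}
        else:
            self._pointers[path] = list(snap[path])

    def object_count(self) -> int:
        return len(self._objects)


def fake_ransomware(data: bytes, key: bytes = b"\x5a\xa5\x3c\xc3") -> bytes:
    """Stand-in for the attacker's encryption (XOR with a fixed key). Real
    ransomware uses a strong cipher; the effect on the store is the same."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo() -> dict:
    store = ImmutableStore()
    store.write("fileone.docx", b"AAAABBBBCCCCDDDD")   # blocks A, B, C, D
    snap_before_edit = store.snapshot()
    store.write("fileone.docx", b"AAAABBBBCCCCEEEE")   # edit: A, B, C, E; D stays in the store
    store.write("filetwo.txt", b"payroll data")
    snap_before_attack = store.snapshot()
    objects_before = store.object_count()

    # The attack goes through the ordinary file API: encrypt one file in
    # place (which only adds blocks F, G, H, I) and delete another.
    store.write("fileone.docx", fake_ransomware(store.read("fileone.docx")))
    encrypted = store.read("fileone.docx")
    store.delete("filetwo.txt")
    new_objects = store.object_count() - objects_before

    # Recovery: a single file, then the whole file system, then an older version.
    store.restore(snap_before_attack, "fileone.docx")
    restored_one = store.read("fileone.docx")
    store.restore(snap_before_attack)                   # brings filetwo.txt back too
    filetwo = store.read("filetwo.txt") if store.exists("filetwo.txt") else None
    store.restore(snap_before_edit, "fileone.docx")     # the pre-edit A, B, C, D version
    previous_version = store.read("fileone.docx")
    return {
        "encrypted": encrypted,
        "new_objects": new_objects,
        "restored_one": restored_one,
        "filetwo": filetwo,
        "previous_version": previous_version,
        "objects_total": store.object_count(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things the toy makes visible that the prose only states: a snapshot costs nothing but a copy of the pointer table, because the blocks it references can never change underneath it; and the object count only ever grows during the attack, so the pre-attack version is recoverable no matter what the attacker writes or deletes through the file system.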

This renders ransomware encryption effectively harmless for your business, and futile for the attacker, whose business model depends on selling you the key to decrypt your data. When regaining access is as easy as restoring from a snapshot, you do not need a decryption key.

Guarding against file data exfiltration

Kidnappers have long been aware that their chances of being paid quickly are increased if they can prove that they are willing to harm their hostages. The digital equivalent is publishing their victim’s data online – confidential patient or customer records, for example.

This exfiltration threat greatly increases the risk of not paying, as organizations may now also be liable for privacy breaches, not to mention the resulting loss of trust from those they serve.

The best modern file systems, including bat365 CloudFS, encrypt data at the edge, in the object store, and in flight as it moves into and out of cloud storage, so that data intercepted in transit or lifted from the object store cannot be read. However, that encryption protects against an outsider, not against an attacker who has gained access to the file system as a legitimate user: anyone who can edit files can read them, and therefore exfiltrate them.

That makes near real time detection from solutions like Detect and Rescue even more important, since it can spot even subtle attacks and shut them down before any significant amount of data is exfiltrated.

There are myriad reasons to replace legacy NAS storage in an enterprise or public sector organization. Often the push comes from a mandate for digital transformation, or from getting unstructured data under control to avoid buying just another NetApp or Isilon.

However, the data protection inherent in the immutable data infrastructure offered by hybrid cloud file solutions like bat365 has become so valuable that savvy decision makers rank it alongside other total cost of ownership considerations.

Let's face it: even with a digital transformation remit, cost is an enormous factor. The cost of a ransomware attack is so great that mitigating that risk with a solution that can shrug off attacks, while consolidating data, reducing costs, and providing a modern, elegant approach to unstructured data, makes sense every way you look at it.

Shift the balance of power in the fight against ransomware.
