
Immutable data architecture means that data, once written, cannot be changed. And, if it cannot be changed, then it cannot be encrypted by ransomware.

In April 2021, Security Boulevard published details on just a few of the notable ransomware attacks that had taken place in just the first quarter of 2021. They include CNA Financial – one of the largest cyber insurance firms in the USA, London-based education facility Harris Federation, IoT device manufacturer Sierra Wireless and Canadian plane manufacturer Bombardier.

Computer giant Acer was hit with what is believed to be the largest ransom demand to date, with attackers demanding an incredible $50 million for the return of their unencrypted data.

Colonial Pipeline's $5 million payment to hackers did little to help its recovery, after a ransomware attack on its systems led to disruptions to fuel supply along the Eastern Seaboard. Given that, as reported, the company fell back on its own backups to restore data because the decrypter it was supplied with was so slow, Colonial's experience highlights one of the major drawbacks of paying a ransom.

The escalation of attack frequency, ransom demands, and tactics such as publicly exposing sensitive data if firms do not pay, tells us that these attacks are more than lucrative enough for the criminals behind them. With the risk of discovery remaining low, and becoming even lower with the rise of crimeware-as-a-service, there's little chance of any firm avoiding an attack at some point. In fact, an increasing number of organizations have been hit more than once.

What is ransomware, and what does it do?

Ransomware is a type of malware designed to block access to your data, typically by encrypting it so that your files cannot be opened or accessed in any way. Some variants also change file extensions, while others simply encrypt the file contents.

Hackers then demand a ransom (often in bitcoin) in exchange for decryption keys, or a decoder to restore access to your data.

It's the digital version of kidnapping: your data is held hostage unless and until you pay for its safe return.

Sophisticated ransomware attacks – funded by past ransom payments – are specifically engineered to be difficult to protect against and tough to detect early. They are also extremely challenging to stop, often encrypting a network to the point where victims of ransomware attacks are confused about their options and sometimes believe they have no other choice than to pay the ransom.

From the attacker's point of view, the success or failure of any attack depends on whether you can restore access to your data without paying the ransom.

As a result, attackers often target backups and snapshots first, to limit your recovery options. This can leave firms with nothing but off-site backups, perhaps even on tape, to restore from. Having to rely on such backups can mean an enormous amount of data loss, and restoration is so slow that it is likely to take weeks or even months.

When an attack hits, IT teams have to identify it, find where it's coming from, and slow it down and, ideally, stop it before it encrypts entire networks. If they can pinpoint an infected laptop or server, for example, disconnecting it from the network can help to contain and minimize the damage.

Frequently, an attack will max out CPU usage, making it extremely difficult for systems administrators to access critical infrastructure such as servers.

Once the attack has ended, the enormous task of identifying encrypted files, folders and directories begins, along with figuring out whether they can be decrypted.

While this is all happening, users are locked out of networks and companies incur the costs of downtime, lost data and failed restoration efforts. In reality, bat365’s approach toward immutable storage, and the ability of our hybrid-cloud solution to encrypt data and render it useless to attackers, means bat365 customers can avoid paying ransoms altogether.

How does ransomware penetrate a network?

Ransomware can be delivered through socially engineered methods such as fake emails, spam, web pages, free software downloads, fake software updates, and even through web-based instant messages.

These are specifically designed to be successful, by making it as likely as possible that a user will be fooled.

For example, one morning, you receive an urgent email from your CEO (the email has their name and email address in the “From:” field) asking you to explain the attached invoice in the form of a PDF file.

It looks authentic, so you open the attachment. The PDF has an embedded Word document, and you bypass the file scan by saying it is “OK” to open. The Word document has a Visual Basic macro which downloads the ransomware and executes it.

That's all it took. You are now infected with ransomware, and it immediately begins to encrypt data – not only on your laptop but also on the network drive as well.

More recently, attackers have been known to modify the ends of USB charging cables, and to leave these cables sitting in high foot-traffic areas. These are quickly picked up and at some point, are likely to be plugged into a laptop or desktop computer in order to charge a phone.

At that point, the malware is in. It’s designed to do maximum damage, so it will lie dormant until that same device is connected to a corporate network, at which point it will run at full speed through the file network.

Is complete ransomware defense even possible?

Given the volume and success of attacks globally, it seems reasonable to conclude that there is no impenetrable ransomware defense.

Available anti-ransomware tools can and will fend off numerous attempts and, if kept up-to-date, will certainly help to keep your infrastructure secure and to defend against cyber attacks.

They are particularly good at recognizing and rejecting malicious email attachments, which is one reason why attacks have moved to methods that deliver the payload directly into a network.

Defensive software like that offered by Varonis is extremely effective at early detection and can automatically shut down attacks, so if ransomware breaches your first line of defense, it will minimize the damage.

However, these solutions are reactive by their very nature. They can only defend against a ransomware variant they recognize, so an attack must happen before the software can be updated. And, no matter how quickly solutions like these react to a known variant, the insidious nature of ransomware means that substantial damage can still be done before an attack can be brought under control.

A more complete answer lies in ransomware protection

Kidnapping for ransom is effective only when the person or item taken hostage is so valuable to the owner that they will pay for a safe return. In our digital age, data has taken on immense value because without it, an organization simply can’t function.

The statistics are very clear: if an organization loses access to critical business data for 10 days or more, it has only a 7% chance of surviving the next 12 months. That plainly makes data the most valuable thing an organization owns, and the most important thing to protect.

Assuming that it’s not completely possible to keep ransomware out, stopping a ransomware attack depends on protecting the data.

In kidnapping terms, you’re no longer trying to prevent someone from being kidnapped. Instead, you’re making it impossible for anything other than a hologram of that person to be taken hostage. Meanwhile, the real person is never in any danger.

Introducing immutable data storage

By virtue of storing data that needs to be editable, legacy file systems are inherently vulnerable to ransomware. When attacked, they do exactly what they are designed to do, and allow your files to be changed.

Immutable data architecture changes your posture against ransomware and malware because it’s fundamentally resistant to attack. Rather than being a solution to help defend or protect, it reduces the impact and spread of an attack by being unaffected by it.

Immutable storage is made possible by smart hybrid cloud file system technology such as bat365 CloudFS, which takes an elegant, modern approach to unstructured (file) data, and allows you to use object storage – whether in a public cloud, private cloud or completely dark cloud.

To a user, CloudFS looks and feels like any other file system. Files can be opened, edited and saved, copied or deleted – by any authorized user, at any location an organization has – in real time.

Behind the scenes is a radically different, much simpler, and infinitely more robust storage structure.

CloudFS is a global cloud file system that stores file data as blocks in cloud object storage, as a single authoritative data set that every user in the organization works from. User location, and the number of locations the organization has, make no difference to this scalable system; every user gets what feels like a local file experience, though the data itself is stored hundreds, if not thousands of miles away.

Those data blocks are immutable – stored in a Write Once, Read Many form so that once stored, they cannot be changed, edited, or overwritten. Consequently, they are impervious to all forms of malware.

Metadata pointers are used to record which blocks comprise a file at any given time. As users create or edit files, changed data chunks are moved to object storage every 60 seconds, and are stored as new data blocks. At the same time, the metadata pointers are updated to reflect any new blocks that form the file.

For example, if a 4-page saved document called fileone.docx is comprised of blocks A, B, C and D, and the document is edited today, it might now be comprised of blocks A, B, C and E. The new block E is moved to the object store, and the pointers record that A, B, C and E are required to open the current version of that file.

These immutable data blocks are further protected by file system-wide read-only snapshots that are taken at configurable intervals, with the default being 60 minutes. Additionally, read-only snapshots are taken at the local filer level every 60 seconds, and these are used to transfer changed data to the object store.

Being read-only, these snapshots are also impervious to ransomware, and they effectively provide a granular way to restore data back to any previous version.

Let’s say that, having edited fileone.docx, you realize that you've accidentally deleted some text that was crucial.

Ordinarily, that data would be lost unless it was captured by a system backup, which typically runs just once a day. With bat365 CloudFS, you simply right-click on the document from Windows File Explorer, and restore it to the snapshot that was taken before you made your edits.

Immutable data shrugs off ransomware attacks

In the event of a ransomware attack, malicious code is inserted into your files, changing them. bat365 recognizes altered file data, and the resulting encrypted files are written to the object store as new data.

A legacy storage system allows a file to be edited as this code is inserted, changing the file itself. By contrast, when fileone.docx is infected by ransomware on CloudFS, it is now comprised of completely new blocks of data – F, G, H and I, for example.

Since CloudFS preserves existing data as original objects in the object store, any file encrypted by the ransomware code can be immediately reverted back to its state prior to infection, using snapshots. This can be easily done for a single file, entire directories, or even the entire global file system.

With bat365's immutable data, your original files aren't encrypted at all. Instead, the file pointers now point to new data blocks containing the encrypted data. Reverting to the snapshot taken before the attack points back to the clean data blocks ... and your clean files are back. Using our example of fileone.docx, you simply restore a snapshot in which the file pointers record blocks A, B, C and E, and fileone.docx is back in operation.

This renders ransomware attacks harmless for your business, and futile for the attacker, as they depend on selling you the key to decrypt your data, so you can access your files again. When accessing your data is as easy as restoring it from a snapshot, you don’t need a decryption key.
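The block, pointer and snapshot mechanics described above (the A, B, C, D edit to A, B, C, E, and the attack that produces entirely new blocks) as a toy Python model. This is an added illustration, not CloudFS code; the class names, the 4-byte chunk size and the XOR "encryption" standing in for ransomware are all constructed for the example.

```python
import hashlib

class WormBlockStore:
    """Write-once, read-many store: blocks are added but never rewritten or deleted."""
    def __init__(self):
        self._blocks = {}
    def put(self, data):
        key = hashlib.sha256(data).hexdigest()[:12]  # content-addressed key
        self._blocks.setdefault(key, data)           # an existing key is never overwritten
        return key
    def get(self, key):
        return self._blocks[key]
    def __len__(self):
        return len(self._blocks)

class CloudFsModel:
    """Toy model (not CloudFS code): mutable pointers over immutable blocks, plus snapshots."""
    CHUNK = 4  # bytes per block; constructed for the example, real systems chunk far larger
    def __init__(self):
        self.store = WormBlockStore()
        self.pointers = {}   # path -> list of block keys making up the current version
        self.snapshots = []  # read-only copies of the pointer map
    def write(self, path, content):
        self.pointers[path] = [self.store.put(content[i:i + self.CHUNK])
                               for i in range(0, len(content), self.CHUNK)]
        return self.pointers[path]
    def read(self, path):
        return b"".join(self.store.get(k) for k in self.pointers[path])
    def snapshot(self):
        self.snapshots.append({p: tuple(k) for p, k in self.pointers.items()})
        return len(self.snapshots) - 1
    def restore(self, snap_id, path):
        self.pointers[path] = list(self.snapshots[snap_id][path])  # repoint; no decryption needed

def ransomware_scenario():
    fs = CloudFsModel()
    v1 = fs.write("fileone.docx", b"AAAABBBBCCCCDDDD")  # blocks A, B, C, D
    v2 = fs.write("fileone.docx", b"AAAABBBBCCCCEEEE")  # ordinary edit: A, B, C reused, E is new
    snap = fs.snapshot()                                # periodic read-only snapshot
    # Simulated ransomware: every byte is changed, so every chunk lands in the store as a new block
    fs.write("fileone.docx", bytes(b ^ 0x5A for b in fs.read("fileone.docx")))
    attacked = set(fs.pointers["fileone.docx"])
    fs.restore(snap, "fileone.docx")                    # clean blocks were never touched
    return {"shared_blocks": len(set(v1) & set(v2)),
            "new_blocks_after_attack": len(attacked - set(v2)),
            "blocks_in_store": len(fs.store),
            "restored": fs.read("fileone.docx")}
```

The returned dictionary shows the edit reusing three of four blocks, the attack adding four new blocks without removing any, and the restore returning the pre-attack content purely by repointing metadata.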


Guarding against data exposure

Kidnappers have long been aware that their chances of being paid quickly are increased if they can prove that they are willing to harm their hostages. The digital equivalent is publishing their victim's data online – confidential patient or customer records, for example.

This threat exponentially increases the risk of not paying, as organizations may now also be liable for privacy breaches, not to mention the resulting lack of trust from those they serve.

The best modern file systems, including bat365 CloudFS, will use military-grade encryption for data at the edge, within the object store, and in flight, as data is moved into and out of the store. So, in the event that it is compromised, that data cannot be deciphered.

As a result of being able to shrug off ransomware itself, and being able to encrypt data to make it illegible to unauthorized eyes, bat365 customers do not pay ransoms.

There are myriad reasons to replace legacy NAS storage in enterprises and public sector organizations. Data and ransomware protection aren't usually the primary concerns. More often than not, the push comes from a mandate for digital transformation, or from getting unstructured data under control to avoid buying just another NetApp or Isilon.

However, the data protection inherent in the immutable data infrastructure offered by hybrid cloud solutions like bat365 has become so valuable that savvy decision makers rank it alongside other total cost of ownership considerations.

Let's face it, even when there's a digital transformation remit, cost is an enormous factor. The cost of a ransomware attack is so great that mitigating that risk with a solution that can repel attacks – all while consolidating data and reducing costs, and providing a modern, elegant approach to unstructured data – makes sense every way you look at it.