Ransomware’s Backdoor

As IT professionals look to shore up their defenses against ransomware, they must understand ransomware’s backdoor. Ransomware’s frontal attack is well known: a compromised system or a click on the wrong email link deposits a ransomware trigger file. That trigger file replicates itself and then, as quickly as possible, starts encrypting production data. At that point, most IT professionals turn to their backup software and start recovering data. The problem is that while this attack is going on, or increasingly before the frontal assault begins, ransomware is using the backdoor that your backup storage vendors have left open, making recovery much more difficult. Ransomware uses the backdoor to:

• Encrypt Backup Data

• Encrypt Backup Metadata

• Slow down attempts to recover data

If the ransomware attack succeeds at any of these three backdoor entry points, you may be forced to pay the ransom even though you have a solid backup strategy. It is time to close the backdoor! In our upcoming webinar, “Three NEW Ransomware Exploits – How to Close the Backdoor,” we will detail these new exploits and show how you can prepare for and beat them.

Ransomware Backdoor # 1: Encrypting Backup Data

The first ransomware backdoor exploit targets backup data, the copy of production data that the backup architecture stores. Even unsophisticated ransomware may succeed here simply by stumbling upon the backup mount point. Increasingly, however, ransomware targets the backup storage repositories first and only then moves on to encrypt production data. If the attacker can encrypt both your backups and your production data, you will likely have to pay the ransom.


The answer is to make sure that all your backups are stored immutably. The difficulty is that most immutable solutions can’t perform well enough to serve as the first backup ingest point, nor are they suitable as a recovery target, so organizations are forced to implement yet another storage system and learn another protocol. And as we discussed in our blog, “Does Immutability Beat Ransomware,” you need more than immutability to beat ransomware.

Ransomware Backdoor # 2: Encrypt Backup Metadata

Another ransomware backdoor is encrypting the data that the backup-server software needs to operate: its indexes and configuration files. Without these files, you can’t recover data, regardless of where you store it or which media format you choose. The good news is that you may be able to rebuild this information; the bad news is that rebuilding an index requires manually rescanning every single backup job (assuming the jobs themselves are not corrupted), which can take hours, if not days.
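This backdoor is usually discovered only when a restore fails. A cheap defensive check is to record hashes of the backup server’s index and configuration files on separate, immutable media and verify them on a schedule, so that a silently encrypted catalog is caught before it is needed. The following Python example is added here and is not StorONE’s or any backup vendor’s code; the file names and contents are constructed, and it uses byte entropy to distinguish a file encrypted in place from an ordinary edit.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text indexes and configs sit well below 7, ciphertext sits near 8 (empty input gives 0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(paths):
    """Record each catalog file's hash; keep this manifest on separate, immutable media."""
    return {p: sha256_file(p) for p in paths}

def verify_manifest(manifest, entropy_threshold=7.5):
    """Return {path: 'ok' | 'missing' | 'modified' | 'modified-likely-encrypted'}."""
    results = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) == expected:
            results[path] = "ok"
        else:
            with open(path, "rb") as f:
                sample = f.read(1 << 20)  # first 1 MiB is enough to judge entropy
            likely_encrypted = shannon_entropy(sample) >= entropy_threshold
            results[path] = "modified-likely-encrypted" if likely_encrypted else "modified"
    return results

def demo() -> dict:
    """Constructed scenario (hypothetical file names): record a manifest, then the index is encrypted in place."""
    d = tempfile.mkdtemp()
    index, config = os.path.join(d, "backup_index.db"), os.path.join(d, "backup_server.conf")
    with open(index, "w") as f:
        f.write("job=nightly-full;client=fileserver01;chunks=1-4096\n" * 200)
    with open(config, "w") as f:
        f.write("repository=/mnt/backup\nretention_days=30\n")
    manifest = build_manifest([index, config])
    with open(index, "wb") as f:  # stand-in for ransomware overwriting the index with ciphertext
        f.write(os.urandom(65536))
    return {os.path.basename(p): s for p, s in verify_manifest(manifest).items()}
```

A "modified" result on a file that should only change during maintenance windows is itself worth an alert; the entropy flag just tells you whether the change looks like encryption.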

Ransomware Backdoor # 3: Slow Down the Recovery Process

The final ransomware backdoor is for the malware to slow down your recovery efforts: if recovery takes days or weeks, you may be tempted to pay the ransom. Encrypting backup metadata is one example of slowing down recovery. Another is that ransomware replicates itself repeatedly, changing its file name to make it hard to detect, so even after you have identified the attack and the source file, there may be dozens of copies of that file scattered throughout your data center’s storage environment. When you restore data into this still-infected environment, the ransomware rapidly encrypts the restored data a second time.

Close The Backdoor with 360° Ransomware Protection

Closing the backdoor that bad actors use to exploit your environment is critical to surviving the attack without paying the ransom. You need to build a wall of protection around your data so that your recovery efforts are not only successful but also fast. StorONE’s S1:Backup provides 360° Ransomware Protection that closes the backdoor and reinforces the “front door.” S1:Backup’s 360° Ransomware Protection provides:

• The full value of block-level backup technologies, enabling more frequent backups and a lower recovery point objective.

• The complete immutability of every backup job across any storage protocol, protecting data from a ransomware attack. 

• The performance that backup software vendors require to host backup metadata on the storage system. Once S1:Backup is in active use, all backup metadata is also stored immutably. Most customers also see faster backup application operations, such as searching for file versions.

• A Sterile Recovery Target that delivers production-class performance and features at backup storage prices. During recovery, S1:Backup dynamically reallocates its flash tier to deliver the performance these applications or data sets need. IT can run S1:Backup as production for weeks while taking the time to complete the forensic work needed to root out the ransomware trigger files.


George Crump

George has over 25 years of experience in the storage industry, holding executive sales and engineer positions. Before joining StorONE, he was the founder and lead analyst at Storage Switzerland.
