Ransomware

5 Reasons for Ransomware Recovery Failure

by

Ransomware attacks have evolved into one of the leading threats to a business that more often than not, comes with significant financial ramifications.

In fact, the average cost of an attack can reach into the millions of dollars, and according to Cybersecurity Ventures, the global annual cost of cybercrime is predicted to reach $8 trillion USD this year.

Compounding this is the rising cost of damages resulting from cybercrime, which is expected to reach $10.5 trillion by 2025. 

It takes an average of 277 days for security teams to identify and contain a data breach, according to “Cost of a Data Breach 2022,” a report released by IBM and Ponemon Institute. Cybercriminals are becoming more sophisticated in their methods and their effects, even targeting backup systems to prevent data restoration following an attack.

It’s crucial to recognize the significant financial impact that ransomware attacks can have on an organization, and to put in place tested cybersecurity strategies that can help prevent and mitigate these risks.

However, no matter what prevention strategies you have in place, sophisticated cyber thieves are continually proving to be able to get around those measures. 

So does that mean you should throw up your hands, and do nothing? 

Of course not. It means that you have to ensure that you can recover fully from any cyber attack. In this blog, we will show you the most common reasons why recovery efforts fail, and then give you some actionable solutions you can implement within your business.

Factors Contributing to Failed Ransomware Recovery

Recovery from ransomware can be a difficult and complex process, and unfortunately, there are several reasons why recovery efforts may fail. 

Here are the top reasons:

  1. No data back up or infrequent backups
  2. Incomplete or corrupted backups
  3. Insufficient testing of backup and restoration process
  4. Delayed response to an attack
  5. Inadequate cybersecurity measures

We’ll go into depth on these issues in this blog, but also checkout the webinar “How to Create a 360° Ransomware Recovery Plan” to understand more about why you this is a critical part of your data protection strategy.

You don’t have a data backup or backups are infrequent…

Ransomware typically encrypts a victim’s files, making them inaccessible. If there is no backup of the encrypted data, it can be difficult or impossible to recover the files. Having a comprehensive backup strategy to address this  is critical to ensure that data can be restored in the event of a ransomware attack.

How frequently do you run backups? If you were attacked at the very last moment before your next backup ran, could your business survive? 

If the answer to that is no, it is essential to increase the frequency of your backups. 

Luckily, modern backup software solutions now provide innovative technologies like block-level incremental (BLI) backups to enable backups throughout the day and reduce data transfer. However, keep in mind that even if your critical systems can be restored, non-mission-critical data may still be locked behind a ransom demand.

Increasing backup frequency and scope is an effective strategy, however keep in mind that it can put a strain on backup infrastructure. The random nature of frequent backups can be a challenge for backup storage hardware to keep up with. 

Here’s what you can do if this is your problem:

Now you know that you need to set up your backup strategy to be frequent enough to ensure your business will survive — but you also need to make sure that this will not place undue strain on the backup infrastructure

Here’s what you can do:

Incorporate the power of flash storage for high-speed backup and recovery operations and slower, denser storage for long-term data retention. Through the power of optimized data placement, you’ll be able to achieve the perfect balance of performance and cost-effectiveness for your organization’s specific data retention and recovery needs.

Incomplete or corrupted backups:

Although backups are an essential component of ransomware recovery, they may not always be sufficient. Incomplete or corrupted backups can make data restoration a challenging and time-consuming task. Cybercriminals understand this and may target backup data to disable the victim’s ability to recover data, effectively holding the data hostage until the ransom is paid.

The 3-2-1 data protection model is a widely recognized approach for securing and safeguarding data. 

This model says you should have 3 copies of data, stored on 2 different types of media, with 1 copy stored offsite. This ensures data redundancy, which can help prevent data loss in case of hardware failures or disasters.

While the 3-2-1 model is a solid starting point, it is not always sufficient to provide complete data protection. Cyberattacks such as ransomware can circumvent these safeguards by encrypting or destroying all available copies of data, including offsite backups. In these scenarios, organizations require more advanced data protection, including immutable backups that cannot be changed or deleted by ransomware, early detection mechanisms to detect threats before they cause damage, and rapid data recovery techniques that can help reduce downtime and minimize the impact of an attack.

Here’s what you can do if this is your problem:

Let’s take a look at Air-Gap BackupsAn air-gap backup is a backup method in which the backup data is physically isolated from the network or computer system being backed up. The term “air-gap” refers to the complete lack of connectivity between the backup data and the source system. 

This method is considered one of the most secure forms of backup as it is extremely difficult for malware or cybercriminals to access or manipulate the data.

There are different types of air gap backups, including:

  1. Offline backups: This involves storing backup data on physical media, such as tapes, which are then physically disconnected from the network or computer system.
  2. Offline and offsite backups: This involves creating offline backups and then storing them offsite in a secure location.
  3. Immutable backups: This type of backup uses write-once-read-many (WORM) media or data storage systems that prevent any further changes or modifications to the data once it has been written. This can also be achieved with immutable snapshots where the data is written and once the snapshot occurs the data that the snapshot is protecting can not be modified. With StorONE the snapshot can not be mounted and the data can not be modified. Restoration from the snapshot is performed in minutes then the restored data can be mounted and used while keeping the snapshot immutable. 

We like the 3-2-1 data protection model paired with immutable, air-gapped backups, and early detection mechanisms. This is a comprehensive strategy to significantly reduce the threat of increasingly sophisticated cyberattacks.

Insufficient testing of backup and restoration processes:

Want to ensure your organization can recover from a ransomware attack and avoid falling victim to extortion demands? Then, testing specific to a ransomware attack is critical. 

In a natural disaster, for example, the primary data center is usually offline or destroyed, but the DR site has a clean copy of data that can be leveraged to restore operations. However, ransomware attacks can be much more insidious. The data center may still appear to be functional, but the data has been corrupted, and the backup copies at the DR site may also be unusable. To make matters worse, the attack may still be underway, adding pressure to the restoration process. End-users are typically waiting impatiently to regain access to their applications, so time is of the essence, and the temptation to pay the ransom can be overwhelming.

This is why testing for ransomware attack scenarios is so important. By simulating a ransomware attack, organizations can identify potential weaknesses in their recovery strategy and ensure they can quickly restore operations and avoid paying ransoms. 

Some victims of ransomware choose to pay the ransom to obtain the decryption key. However, there is no guarantee that the attacker will provide the decryption key, and paying the ransom may encourage further attacks.

Even during recovery, malware-trigger files may still be present on production storage, poised to re-infect any recovery efforts. Unfortunately, many organizations lack a solution to this problem, and industry analysts have questioned the cost-effectiveness of implementing an isolated recovery environment. For most organizations, it may not be practical to have a system sitting idle in the data center solely for ransomware recovery purposes.

If you haven’t tested for a ransomware attack… here’s what to do:

Look for a backup storage target that can build on the instant recovery performance described above to deliver standby storage. A backup storage target with this capability is highly available and has enterprise storage features like snapshots and replications. There are reasons beyond ransomware recovery for standby storage, but its ability to see an organization through an attack is invaluable. Most importantly, the standby storage capability requires only a minimal addition in backup storage costs.

Test, Test, Test

Here are a few examples of how to test ransomware recovery scenarios.

  • Conduct tabletop exercises: A tabletop exercise is a simulation that tests the effectiveness of a ransomware recovery plan. During the exercise, team members can role-play different scenarios to identify potential gaps in the plan.
  • Run a virtual recovery test: A virtual recovery test is a test that simulates a ransomware attack in a virtual environment. The virtual environment can help identify any potential issues with the recovery process, such as the time it takes to restore data or potential conflicts between different systems.
  • Test backups: It’s essential to test backups regularly to ensure they can be restored in case of a ransomware attack. Testing backups can help identify any issues with the backup process, such as data corruption or incomplete backups.
  • Test your security controls: To prevent a ransomware attack from happening in the first place, it’s important to test your security controls regularly. Penetration testing and vulnerability assessments can help identify any weaknesses in your security controls that could be exploited by attackers.

By conducting these types of tests, organizations can identify any gaps in their ransomware recovery strategy and take the necessary steps to improve their readiness for a potential attack.

Delayed Response to a Ransomware Attack:

Delaying the response to a ransomware attack can make it more difficult to recover data. Ransomware often spreads quickly and can infect multiple systems, so a prompt response is essential to contain the attack and minimize the damage.

The impact of a ransomware attack can be severe, with an average downtime of 21 days. Even if you choose to pay the ransom, it could still take several additional days to receive the decryption key and undo the damage caused by the encryption. Furthermore, the data decryption process can take several days to weeks, and inspecting the data for any lingering malware that could re-infect the system can also take several days. It’s clear that recovering from a ransomware attack is a complex and time-consuming process that requires careful planning and execution.

One of the biggest obstacles that can lead organizations to abandon their ransomware recovery efforts is the time it takes to restore data. Whether it’s identifying a known good copy of the data or instantiating it for user access, this process can take significant time. According to Sophos’ “The State of Ransomware 2023” survey, average recovery time for a ransomware attack is over a month. While paying the ransom may seem like an appealing option for quick data recovery, only 4% of organizations that paid the ransom were able to recover all of their data. Although modern backup applications offer features like instant recovery to speed up recovery time, if your applications require all-flash or hybrid performance, instant recovery to a hard-drive-only backup storage target may not be well received due to performance degradation caused by additional overhead.

How can you act quickly?

When searching for a backup storage solution, prioritize finding one that can provide production-class performance. By intelligently leveraging the flash tier, as previously mentioned, a backup storage target can reallocate capacity to ensure that instantly recovered data performs on par with production.

Inadequate Cybersecurity Measures:

Inadequate cybersecurity measures, such as outdated software, weak passwords, and lack of employee training, lack of Endpoint Detection and Response (EDR) tools, can make an organization more vulnerable to ransomware attacks. Without effective cybersecurity measures in place, recovery efforts may fail.

Prevention is key in the fight against ransomware. The human element poses the greatest threat vector, accounting for 82% of data breaches. Human error, particularly in the form of phishing attacks and stolen credentials, is a primary driver of these breaches. Phishing attacks, usually executed via email, lure unsuspecting users into clicking on a link or sharing information that can then be exploited by malicious actors. By following these best practices, you can help to protect your business from ransomware attacks and minimize the impact of a potential breach.

Tips to follow best practices:

  • Keep remote desktop services like RDP off public networks, and if necessary, use robust passwords to secure them.
  • Always install available patches for commercial VPN solutions that provide access for remote employees and gateways on your network.
  • Prioritize lateral movement and data exfiltration detection in your defense strategy. Monitor outgoing traffic for any signs of cybercriminal activity.
  • Make data backup a routine practice and ensure quick access to backups in emergency situations.
  • Consider using advanced security solutions like CrowdStrike, SentinelOne, and Microsoft Defender service to detect and stop ransomware attacks before they reach their final goal.
  • Stay informed of the latest Threat Intelligence information to stay on top of the actual TTPs used by threat actors.
  • Immutability in snapshots is crucial to prevent accidental or deliberate deletion. An override may be necessary in case of snapshot growth risks, but it should require additional validation and authorization through a trusted route that involves IT team members in contact with the vendor to prevent any spoofing attempts by a hacker

Overcoming MSP Storage Challenges

by

To increase their monthly recurring revenue (MRR), Managed Service Providers (MSPs), must focus on overcoming MSP storage challenges. These organizations typically start with a particular area of specialization, such as backup, or virtual desktop infrastructure (VDI), and then try to increase their MRR by offering additional services to those customers while also continuing to onboard new customers. The problem is that each new service offering often requires a storage system different than the original.

MSPs deal with potentially the worst case of storage sprawl. Not only are they managing five to six different storage systems, but each customer is also using some or all these systems. Overcoming MSP Storage challenges require that they follow a unique set of guidelines.

Register for Our Live Webinar

MSPs Must Consolidate Storage

Storage Sprawl tops the list of MSP storage challenges. Adding a storage system for each new service offering cuts into its potential profitability and may even add so much operational overhead that it makes other service offerings less profitable. To overcome sprawl, MSPs must look for a storage system that can support multiple workloads and consolidate the infrastructure into a single storage solution. Today’s storage hardware (controllers and media) can support multiple use cases simultaneously. The problem is that the traditional storage software, common in today’s storage systems, is not optimized to use high-performance flash drives or high-density hard disk drives efficiently. StorONE’s architecture rethinks storage I/O for maximum hardware efficiency and utilization. Where other vendors throw hardware at the problem, StorONE throws efficiency. The results are lower costs and reduced data center footprint requirements.

However, the variety of MSP use cases is extreme, ranging from backup to virtualization to databases. An MSP storage solution must not only be able to support this range of I/O profiles but also ensure that one workload does not starve another for resources. StorONE’s Virtual Storage Containers (VSC) enable MSPs to create storage tenants per service or clients within the service. Each VSC can have a unique performance profile, drive redundancy setting, and data protection configuration. VSCs can be templated, dramatically reducing management overhead, provisioning time, and eliminating configuration mistakes.

MSP Storage Must Be Ransomware Resilient

Ransomware is a problem for every data center, but the problem is magnified in the MSP data center. A breach means that dozens, maybe even hundreds of businesses are now at risk. MSPs are becoming high-profile targets. MSPs have the added challenge of customer mistakes leading to a breach, even if the MSP has followed all the best practices. Customers will still expect the MSP to recover their data.

Overcoming MSP Storage Challenges requires ransomware resiliency.

Protection against an attack is an excellent first step, but eventually, an attack will work through its defenses, and MSPs will need a ransomware recovery strategy. That strategy must include frequent data protection captures, immutable storage of protected data, and an isolated recovery environment. With these components in place, the MSP can return its customers to a safe and fully operating environment within minutes.

StorONE offers its 360° Data Protection capability, which enables organizations to continuously protect data and store the protected copies in a space-efficient, immutable state. If a ransomware attack hits a customer’s VSC, the MSP can use the immutable copies to return the customer to production within minutes of the attack.

MSP Storage Must Be Flexible

MSP growth is hard to predict; it can come in spurts as the MSP launches new services or slow and steady as it adds new customers. MSPs need the flexibility to accommodate these conflicting growth patterns. They need to be able to granularly add capacity and performance in response to growth. The storage solution should not force them into using a specific media manufacturer, type, or capacity. It should also not force the MSP to add entire shelves or nodes. MSPs require the flexibility to meet today’s needs today, and the scalability to meet tomorrow’s needs tomorrow.

With StorONE, MSPs can add flash or hard disk drives from various manufacturers and of different densities. The MSP can add as few of these drives as the storage enclosure allows. Even though the drives are mixed, the MSP enjoys the full performance and capacity of those drives. StorONE’s VSCs extract the drive hardware from the MSP service or customer use case.

MSP Storage Must Be Future-Proof

Migrating data from an old storage system to a new one is challenging for any organization. The storage migration challenge for MSPs, again is magnified because they are not only moving data but also moving customers’ data. One mistake can cost them. The best migration is no migration; the storage solution should adapt and evolve, eliminating storage refreshes and migrations.

MSP Storage must be Future-Proof

StorONE’s ability to use VSCs to abstract storage hardware from the applications it services enables MSPs to add new hardware gradually. Administrators can add newer, higher-density, or higher-performing drives as they become available. If a drive reaches the end of life, remove it, and StorONE’s vRAID technology will automatically rebuild the new drive in record time (minutes for flash drives and a few hours for hard disk drives).

StorONE’s efficiency delivers massive performance and scalability from mid-range servers, which we turn into storage controllers. Those controllers will age out, and you may need more motherboard bandwidth in the future. With StorONE, MSPs can non-disruptively replace storage controllers and seamlessly move to next-generation PCIe buses.

Conclusion

Overcoming MSP Storage challenges is possible with StorONE. An MSP adopts a storage strategy built on a modern single storage engine. This engine can provide a broad portfolio of solutions supporting a wide range of workloads that can increase MRR without reducing profit margins. At the same time, they can improve their ransomware resiliency to the point that it can become an additional service offering within the MSP.

To learn more, register for our webinar “Increase MRR by Reducing Storage Complexity”, live on September 29th at 1:00 PM ET / 10:00 am CT.

Optimizing Veeam Backup Storage

by

With innovations like change block tracked backup, a scalable repository, and instant recovery, IT professionals should prioritize optimizing Veeam backup storage. Without proper optimization of the backup architecture, IT can’t realize the full potential of Veeam’s innovations.

Veeam Backup Storage Needs Flash

The granular data movement capabilities of Veeam’s change block tracking (CBT) backups enable customers to increase backup frequency which should improve recovery point objectives (RPO). The problem is that while CBT backups are easy on the network, they require a lot of random IO performance from the backup target.

The IO profile of CBT IO profile is highly randomized and needs a storage system to respond to that randomization. Hard disk technology can’t keep pace with dozens or even hundreds of simultaneous backup jobs landing on the backup storage target every hour. Flash storage, however, can handle these high-frequency backups, and it should be a component of every backup storage target.

Veeam Backup Storage Needs Hard Disks

While flash storage is critical to improving RPO, we are not at a point where an all-flash backup storage target makes sense. Flash is still too expensive to compete with hard disk drives. An 18TB hard disk drive is 1/10th the price of a 15TB flash drive.

Most legacy vendors shy away from using high-density hard disk drives for fear of customers’ slow recovery from drive failure complaints. We repeatedly speak to IT professionals that tell us they are experiencing RAID rebuild times over three days with 8TB drives, let alone 18TB drives, which will take even longer.

Veeam Backup Storage Needs Flexible Immutability

Veeam is doing an excellent job advancing state-of-the-art ransomware detection and protection. However, you can never have enough immutability. Protection from ransomware attacks requires instant immutability across all protocols without transferring to another storage silo. You also need to make sure any instantly recovered virtual machines or applications can be protected until you can ensure the environment is clear of any remnants of the malware.

You Need Production Class Recovery

Veeam’s instant recovery feature is a critical innovation that enables a virtual machine’s data to be instantiated on the backup storage target, eliminating network transfer time. The problem is that legacy backup storage devices don’t have the performance or availability to provide a production-class environment, forcing IT to move that VM into production quickly. Also, if the data center is experiencing a ransomware attack, instantly recovered VMs data is exposed to reinfection.

StorONE’s Backup is Optimized for Veeam

StorONE’s S1:Backup is optimized to elevate Veeam’s innovation. Its flash-first technology enables the rapid ingest of data. You can improve RPO by executing dozens of simultaneous backup jobs. However, StorONE’s S1:Backup is not flash-only. We intelligently integrate flash and hard disk drives to deliver performance and affordable long-term cost savings.

Optimizing Veeam Backup Storage
S1:Backup Optimized Veeam Backups

S1:Backup provides immutability within seconds of the completion of each backup job. There is no data transfer to an immutable secondary volume or a secondary storage system. While S1:Backup supports S3, you can also enjoy immutability across all block and file protocols.

Finally, S1:Backup provides a production class recovery environment within the same storage system. During a recovery, flash is dynamically reallocated so that capacity is available to host instantly recovered VMs and applications. The solution has built-in high availability and provides the same immutable protection of the instantly recovered VMs that it does for backup data.

StorONE, ONE backup solution for Veeam

StorONE rewrote the IO stack, and we own the entire IO path as data travels through our platform.

Optimizing Veeam Backup Storage with S1:Backup also provides 360° Ransomware Protection
S1:Backup Provides 360° Ransomware Protection

We also rewrote erasure coding to deliver the fastest recovery from drive failure. We even optimized tiering to accommodate the backup use case.

Combining these innovations means StorONE can deliver consistently high performance from a handful of flash drives, affordably meeting your RPO and RTO demands. It also means you can safely use high-density hard disk drives as our vRAID recovers from a drive failure of even the highest density hard disk drives in less than three hours. You can also seamlessly integrate new higher density drives without needing to create new volumes and reconfigure backup jobs. Optimizing Veeam Backup Storage with S1:Backup also provides 360° Ransomware Protection.

See You At VeeamON 2023!

Join StorONE at VeeamON May 22-24 in Miami. We’ll be at booth S2 and are pre-booking demos. Click here to reserve your 1 on 1 demo time.

You can also watch our webinar to learn more: “Four Ways to Optimize Veeam Backup and Recovery.”

What is 360° Ransomware Protection?

by

IT professionals need to look for 360° Ransomware Protection of their backup infrastructure. Bad actors know that the backup infrastructure is critical in recovering from their ransomware attacks and avoiding paying the ransom. As a result, they target backup data and metadata to make recovery impossible or slow the process down.  

As we will discuss in our upcoming webinar “Three NEW Ransomware Exploits – How to Close the Backdoor” 360° Ransomware Protection shuts the backdoor that legacy backup storage solutions leave open. 

360° Ransomware Protection Requirements:

  • Improve Protection of production data by increasing backup frequency and improving recovery point objectives (RPO).
  • Improve Protection of protected data by providing instant immutability across all protocols. 
  • Improve Protection of Backup indexes and configuration files by hosting them on the backup storage target, storing them immutably while not impacting performance. 
  • Improve the Recovery Environment with standby storage to deliver on-demand production class performance on the backup storage target. 

Improve Protection of Production Data

Ransomware’s primary goal is still to encrypt your production data. The number one responsibility of any backup infrastructure is to ensure that production data is protected. Improving protection means enabling more frequent data capture events in the ransomware era. Using change block tracking (CBT) or block-level incremental (BLI) backup, organizations should be able to backup every hour instead of once per day. The problem is legacy backup storage solutions can’t keep pace with the dozens of backup jobs per hour this schedule would create. 

Increasing backup frequency using CBT or BLI backups creates another challenge. Backup software can only support so many of these jobs before they must consolidate them and synthetically create a new full backup. While full-synthetic backups eliminate the need to perform full backups over the network, they are very IO intensive. Legacy backup solutions can’t handle the IO demands of synthetic fulls, and most customers find that an over-the-network full backup is faster than the synthetic process. 

360° Ransomware Protection Improves RPO

The 360° Ransomware Protection capabilities of S1:Backup enable customers to take full advantage of CBT/BLI capabilities. They can execute backups every 30 minutes or less. The high-performance flash tier of S1:Backup can easily handle the dozens, even hundreds, of simultaneous data capture jobs this design can create. While an All-Flash Backup is not necessary, StorONE can provide a cost-effective, high-capacity flash tier sufficient to store an entire full backup + incremental jobs. When it is time to create a new synthetic full, StorONE’s ability to keep these most recent jobs on the flash tier means that the consolidation effort occurs in record time. 

Improve Protection of Protected Data

The copies of production data that the backup infrastructure stores are critical to a successful ransomware recovery. Protecting that data from being encrypted is now a new responsibility of backup storage targets. The backup storage target must provide immutability and it must provide some form of a physical or virtual air gap. 

ransomware protection

Most legacy backup storage targets don’t provide either of these capabilities. To compensate, many backup software vendors add another storage silo to their backup infrastructure to provide these capabilities. The addition of even more storage silos leads to further complexities and costs. First, additional jobs must be created to move the data from the primary backup storage target to the immutable storage target, which adds to operational overhead. Second, a data transfer needs to occur when moving data from the primary backup storage device back across the network to the immutable storage device, which takes time and may require additional networking. Third, most of these immutable systems force customers to learn a new storage protocol like S3/Object, again adding to operational costs. 

While storing protected data immutably is essential, the cost of that process can’t be so expensive that only a few organizations can afford it. The practice also can’t be so complicated that most organizations can’t consistently apply it. 

360° Ransomware Protection Provides Instant Immutability

S1:Backup’s 360° Ransomware Protection capabilities include making an immutable copy of every backup job less than 30 seconds after it completes, regardless of what protocol the backup infrastructure uses to transfer data. It does not require a separate storage silo or the scheduling and maintaining of additional backup jobs. The copies are capacity efficient and can be retained for months, creating a virtual airgap. S1:Backup’s immutability is simple, consistent, and transparent. S1:Backup can even alert you of a potential attack, so you can stop it early. 

Improve Protection of Backup Metadata

Recent attacks like the one that impacted Kronus, show that immutability by itself does not beat ransomware. Bad Actors also target backup metadata, the indexes, and configuration files that backup software creates. Without this data, the backup software does not know what production data it protected or where it stored it. Backup metadata is usually stored directly on the server that hosts the backup application, making it vulnerable to failures beyond ransomware. 

While most backup applications can recreate this data from manually scanning the files that store production copies, the process can take weeks to complete in some cases. Until the process is complete, you can’t recover data. 

360° Ransomware Protection Protects Backup Metadata

The 360° Ransomware Protection built-in to StorONE’s S1:Backup also protects backup metadata. It does this not by forcing you to create a separate task to copy the metadata. Instead, the performance of S1:Backup enables you to directly host backup metadata on our solution and apply the same immutable policies to it that you apply to protected data. If the ransomware attack gets to your backup metadata, you are less than 30 seconds away from a known good copy. Most customers will find that operations like searching for a file version will execute faster, making the backup application more responsive. Only StorONE’s S1:Backup can host backup metadata on the same system as the protected data and provide instant immutability to both. 

Improve Recovery Performance

The first three steps provide a quality data capture infrastructure and data resiliency, but a ransomware attack brings new recovery challenges. There is more pressure to recover quickly after a ransomware attack because your data center is physically intact, the lights are blinking, and users can’t figure out why it is taking you so long! There is the added pressure of paying the ransom, which may seem like the easy way out. 

Another challenge is you need time to disinfect your production storage properly. As the attack on Kronus proves, it can take months to disinfect your environment correctly and confirm which data sets were infected. This challenge conflicts directly with the need to recover quickly. 

360° Ransomware Protection Provides Sterile Standby Storage

For years, backup software solutions could instantiate virtual machines and applications on the backup storage target. The problem is the performance of these targets is disappointing in the production use case. In addition, the protocols supported are minimal, usually just one. Finally, they don’t have the high availability that organizations require of production systems. 

StorONE’s S1:Backup is the first backup solution to provide these instantiated VMs and applications with performance similar to production. For a prolonged outage, as Kronus experienced, a native restoration provides even better performance. It also provides full protocol support and complete enterprise-class availability.

Wrapping it Up

360° Degree Ransomware protection enhances your current backup software application to provide a complete ransomware protection and recovery environment. It enables you to recover from an attack quickly without the expense of buying new software and the overhead of learning how to use it. Each element of the strategy is critical to closing the circle. If your current backup storage target can’t improve RPO, protect protected data from the backup metadata, and provide a sterile standby storage area, then you are exposed to a potential attack and should check out our webinar.

Ransomware’s Backdoor

by

As IT professionals look to shore up their defenses against ransomware, they must understand ransomware’s backdoor. Ransomware’s frontal attack is well known. A compromised system or clicking the wrong email link can deposit a ransomware trigger file. That trigger file replicates itself and, then as quickly as possible, starts encrypting production data. At that point, most IT professionals turn to their backup software and start recovering data. The problem is that while this attack is going on, or increasingly before the frontal assault begins, ransomware is using the back door which your backup storage vendors have left open, making recovery much more difficult. Ransomware uses the Backdoor to:

• Encrypt Backup Data

• Encrypt Backup Metadata

• Slow down attempts to recover data

If the Ransomware attack is successful at any of these three backdoor entry points, you may be forced to pay the ransom even though you have a solid backup strategy. It is time to close the back door! In our upcoming webinar, “Three NEW Ransomware Exploits – How to Close the Backdoor,” we will detail these new exploits and provide ways that you can prepare for them and beat them. 

Ransomware Backdoor # 1: Encrypting Backup Data

The first ransomware backdoor exploit is backup data, the copy of production data that the backup architecture is storing. Even unsophisticated ransomware attacks may see success in this effort by accidentally stumbling upon the backup mount point. However, ransomware is increasingly targeting the backup storage repositories first, then moving on to encrypt production data. If the attacker can encrypt your backups and production data, you will likely have to pay the ransom.  

ransomware backdoor

The answer is to make sure that all your backups are stored immutably. Most immutable solutions can’t perform well enough to be the first backup ingest point, and they can’t be deemed suitable for recovery. Organizations are forced to implement yet another storage system and learn another protocol. And as we discussed in our blog, “Does Immutability Beat Ransomware,” you need more than immutability to beat ransomware. 

Ransomware Backdoor # 2: Encrypt Backup Metadata

Another ransomware backdoor exploits encrypting the data that the backup-server software needs to operate, its indexes, and configuration files. Without access to these files, you can’t recover data, regardless of where you store it or whichever media format you choose. The good news is you may be able to rebuild this information; the problem is that rebuilding an index requires manually rescanning every single backup job (if they are not corrupted), which can take hours, if not days. 

Ransomware Exploit # 3: Slow Down the Recovery Process

The final ransomware backdoor is for the malware to slow down your recovery efforts. If it takes you days or weeks to recover, you may be tempted to pay the ransom. Encrypting backup metadata is an example of slowing down the recovery effort. Ransomware tries to replicate itself repeatedly, changing its file name to make it hard to detect. As a result, even after you have identified the attack and the source file, there may be dozens of copies of that file scattered throughout your data center’s storage environment. When you restore data into this infected environment, the ransomware works to encrypt the data a second time rapidly. 

Close The Backdoor with 360° Ransomware Protection

Closing the backdoor that Bad Actors are using to exploit your environment is critical to surviving the attack and not paying the ransom. It would be best if you built a wall of protection around your data to make sure that your recovery efforts are not only successful but happen quickly. StorONE’s S1:Backup provides 360° Ransomware Protection that closes the back door and reinforces the “front door.” S1:Backup’s 360° Ransomware Protection provides

• The total value out of block-level backup technologies to backup more frequently, lowering the recovery point objective. 

• The complete immutability of every backup job across any storage protocol, protecting data from a ransomware attack. 

• The performance backup software vendors need to host backup metadata from storage. Once actively used on S1:Backup, all backup metadata is also stored immutably. Most customers also see improved backup application operations like searching for file versions.   

• A Sterile Recovery Target that delivers production-class performance and features at backup storage prices. S1:Backup will dynamically reallocate its flash tier during recovery to deliver needed performance for these applications or data sets. IT can run S1:Backup as production for weeks while they take the time to complete the necessary forensic work to root out the ransomware trigger files. 

Learn More

A Complete Ransomware Recovery Strategy

by

One of the challenges IT faces when developing a complete ransomware recovery strategy is to think holistically about the process. Focusing on just one capability may expose the organization to ransomware damage in other areas. IT needs a 360° Ransomware Recovery Strategy that protects production data backup metadata and rapidly returns the organization to an operational state.

The Elements of a Complete Ransomware Recovery Strategy

  • Frequent Backups
  • Immutable Storage
  • Rapid Recovery
  • A Sterile Recovery Environment
  • Affordability
a complete ransomware recovery strategy

Ransomware Recovery Requirement 1: Frequent Backups

For years (decades?), backup vendors have claimed: “it is all about recovery!” While recovery is a critical part of a ransomware recovery strategy, it is not all about recovery. If your architecture doesn’t enable you to execute fast, frequent backups, your recovery point objective (RPO) may lead to losing hours and even days’ worth of data. This delay may lead to a temptation to pay the ransom instead of completing the recovery process. A complete ransomware recovery strategy requires the frequent protection of production data. Also if that data isn’t written securely to persistent media, there may not be quality data for recovery.

Ransomware Recovery Requirement 2: Immutable Storage

Immutable storage is critical to your ransomware recovery strategy. Your backup storage target should store every backup in an immutable state and be able to retain that state for months without impacting performance. It should also store your backup software’s metadata in an immutable state, which means your backup storage target needs to deliver the performance your backup-server software requires to update these files quickly. If the ransomware attack encrypts either the backup data or the backup metadata, you might not be able to recover anything. A complete ransomware recovery strategy requires immutable storage of the protected data and the backup configuration files and indexes.

Ransomware Recovery Requirement 3: Rapid Recovery

Frequent backups and protected storage of that data set the stage for a successful recovery. However, these recoveries have to be some of the fastest IT has ever done since they are under pressure from users and application owners who want to get back to a productive state as quickly as possible. There is also pressure from the executive team, weighing the cost of paying the ransom versus the time it will take for IT to complete the recovery. Finally, there is the possibility that the “bad actors” have set a time limit for you to pay the ransom, or they will delete all your data. A complete ransomware recovery strategy requires that instant recoveries or even native recoveries occur quickly. Backup storage needs to provide the ability to host production data with a performance profile similar to that of the production environment.

Ransomware Recovery Requirement 4: A Sterile Recovery Environment

Unlike a natural disaster, the state of your production storage after a ransomware attack is at best “unknown.” Ransomware trigger files often make copies of themselves as they encrypt your environment. If IT doesn’t have the time to complete the forensic work, which can take hours, to ensure the removal of these files, then the likelihood of reinfection, with even less “pay the ransom” time, is very high.

A complete ransomware recovery strategy requires a sterile recovery environment. It buys IT time to remove the trigger files properly and potentially the infected data as well. The sterile recovery environment needs to deliver production-class performance and reliability to get the time IT needs to inspect the production environment thoroughly. The sterile environment also needs to protect itself with immutability. The need for a sterile recovery environment is new because of ransomware but is helpful for recovery from many other outages. To learn more, read our latest Whitepaper,” What is Standby Storage.”

Ransomware Recovery Requirement 5: Affordability

The ransomware recovery strategy has to be affordable. Part of a 360° Ransomware Recovery Strategy means that all applications and data are protected the same way. Today, IT has to piecemeal this type of strategy together using solutions from multiple vendors, which significantly raises the purchase, implementation, and operational costs. The fragmentation also forces IT to either pick which component of the strategy to implement, which leaves open attack vectors, or pick only a few data sets to protect, which means the rest of the environment is still exposed.

It should also intelligently leverage flash and high-density (20TB) hard disk drives to keep costs low. Using a hard disk tier means the solution needs to rapidly recover from a drive failure because RAID Rebuild times are more relevant than ever.

Delivering a 360° Ransomware Recovery Solution

Implementing a 360° Ransomware Recovery Strategy means IT needs to look for a single solution that can provide cost-effective backup storage while meeting the five previously listed requirements. The solution needs a small flash tier to handle the hourly ingest of backup data from dozens, if not hundreds of virtual machines, application servers, and NAS systems. The flash tier should be large enough to support recovery and enable customers to use backup-server applications with “instant recovery” features to exploit that capability fully.

A 360° Ransomware solution should also support the native restoration of data and become Standby Storage. It should provide native sterile volumes mountable via any storage protocol and enterprise-class performance and availability. Standby Storage is valuable for more than just ransomware recovery by also providing a recovery area during a storage controller failure or storage software failure.

Only StorONE’s S1:Backup delivers all of these capabilities in a single, cost-effective solution that is easy to implement and operate. To learn more, watch our on-demand webinar “Beat Ransomware with Standby Storage.”

Download Program Overview

Learn More About the Hidden Cost of Dedupe

  • This field is for validation purposes and should be left unchanged.