Ransomware Defense: The File Data Factor
Ransomware is no longer just targeting low-hanging fruit, nor can good backups alone protect you. IT organizations need to create a multilayered defense that goes beyond cybersecurity to incorporate modern data management strategies, particularly for unstructured file data.
Aside from the pandemic, ransomware has become one of the gravest threats to the global economy. It is no longer a matter of ‘if’ an organization is going to be attacked but ‘when,’ according to Gartner. The research firm predicts that 75% of organizations will face one or more attacks by 2025. The National Security Institute found the average ransomware payout was $200,000 in 2020, up from just $5,000 two years ago as ransomware gangs resorted to more aggressive tactics to get what they want. Large-scale attacks on enterprises—the latest being against Accenture—are regularly in the headlines. The U.S. is the largest region for such attacks, and ransomware accounted for 30% of all U.S.-based cyberattacks in 2020, more than double the rate globally.
Why is Ransomware Worse Now?
The word among security experts is that the COVID-19 pandemic, with its resulting lockdowns and work-from-home mandates, created an enticing new opportunity for hackers. Employees working remotely sometimes use insecure personal devices and vulnerable networks to access their work applications and information over easily-compromised remote desktop protocol (RDP) software and connected by VPNs which aren’t always configured or secured properly. This has led to a perfect storm of vulnerability at even the largest corporations with massive IT budgets and large teams in place. Ransomware attacks are also becoming more sophisticated. Ransomware attacks are often happening in multiple stages; first penetrating the network, then stealing credentials and attacking backup systems. This can occur over weeks or months, and often companies don’t know they are under attack until files become encrypted and unusable.
The Impact on Data Storage
Ransomware gangs are also branching out—attacking all IT infrastructure, not just servers and applications. In 2021, the network-attached storage (NAS) appliance maker QNAP alerted its customers that eCh0raix ransomware was attacking its NAS devices, especially those with weak passwords, as reported in this ransomware paper by ESET.
This is a troubling, since data growth is exploding and 80% of the data in organizations is now unstructured file data sitting either in NAS storage or in the cloud.
The Ransomware Challenge of Unstructured File Data
Protecting file data is tricky because of its sheer volume, variety and fast pace of growth. IT organizations must create a layered strategy–meaning that in addition to keeping local backup copies, they must also keep an extra external copy that cannot be infected.
But that quickly gets expensive—we’re talking major sticker shock. Many organizations have petabytes of file data; a petabyte can easily be a few billion files. Companies are already struggling to backup all this data. Adding another copy can give the CFO a serious migraine. The good news is that it’s possible to create a cost-effective layered strategy. Here’s how:
Prioritize Visibility and Audits
Early detection of ransomware by monitoring activity and identifying threats and anomalies across networks and infrastructure is a great goal. Analytics on data usage by unstructured data management tools can show suspicious activity on files, such as an abnormal amount of reads and writes. While early detection is the ideal first line of defense, it is not foolproof as ransomware attacks are constantly evolving. Storage managers should have analytics dashboards showing key metrics on all data usage across on-premises and cloud locations. Most (80%) of file data is typically cold and has not been used in a year or more. Knowing what data is hot and actively used and what is not is key to creating a cost-efficient multi-layered defense.
Create a Multi-Layered Data Management Defense
- Snapshots and Backups for Hot Data. Snapshots and backups keep track of changes to data as it gets updated. They are needed on hot, active data to protect from user or system failures, but they also can get attacked by ransomware and, if it goes undetected for days, these may “protect” corrupted data. Ransomware protection requires an additional copy of this data in storage that is immutable (meaning it cannot be rewritten) and located in a separate physical location such as the cloud. This can all get expensive, which is why you want to use backups only on hot, active data, which is typically 20% of the footprint.
- Cloud Tiering and Immutable Storage for Cold Data. A mantra of modern data management is that all data should not be treated the same way. By tiering cold data from top-grade NAS to object-lock storage in the cloud, you get an immutable copy of cold file data at a fraction of the cost. Ransomware software cannot rewrite it. Moving cold data to object storage also reduces your backup footprint—which serves as another defense against ransomware while reducing backup license costs. Yes, you can also create a disaster recovery (DR) copy of data on tape, but recovery times will be significantly longer and physical backup solutions have become less appealing in the cloud age.
Have a Plan and Validate It
With these components in place, your team should also have actionable plans to respond to various attack scenarios. The time to realize if your plans can be executed is not when the hackers have succeeded and are chuckling behind their screens. Plans must be documented and tested to ensure data is protected with rapid restoration and alternative methods of data access so you can keep the business running without disruption—and without large ransom payments.
The fight against ransomware is extending beyond the security team into all aspects of enterprise IT, including data storage. With unstructured data management, storage professionals can complement the efforts of their security colleagues by adopting a multilayered defense strategy that begins with real-time visibility across all storage and incorporates snapshots, backups and object-locked cloud storage. Your cybersecurity team will thank you. As cybercriminals get more creative and aggressive, data management professionals will need to up their game with a more nuanced approach to the disaster recovery plan.
