Global ransomware damages are expected to reach $20 billion by 2021. In the first half of 2020 alone, mitigation cost US businesses, governments, and universities more than $144 million. How can you defend your vital business data against the devastation produced by ransomware? We reached out to Andrew Miller, Principal Systems Engineer at Pure Storage®, a modern data storage service that protects against ransomware, to explore this topic.
The impact of ransomware
Interviewer: First, what is ransomware?
Andrew: Ransomware is a type of malicious software designed to block access to computer data until a sum of money is paid. A cyberattack encrypts the data, and only the attacker knows the encryption key. The terms: send the ransom payment ASAP to receive the key to unlock the data. If the attacker also stole data prior to encrypting it, failure to pay can also result in public disclosure of sensitive data.
From a data storage perspective, ransomware is a problem requiring an unplanned restore of massive amounts of data from storage products not designed for the purpose. And that is the catch. Most businesses are not prepared to restore the data fast enough to be useful.
Interviewer: Why is ransomware so prevalent?
Andrew: Good question. We’ve had malware worms and viruses for a long time, so why ransomware, why now? There are four main factors, starting with how easy it is for attackers to get employee credentials through phishing attacks. That is a big part of it—the asymmetry of attack costs for the victim versus the value extracted by the attacker. There are real economic factors at play. For someone at a lower cost of living, a $17,000 ransom is a year’s salary.
Next is the complexity of the modern IT stack—so many assets to keep updated, patched, and hardened. Servers, storage, networking, legacy apps, cloud applications, multicloud computing, policies, procedures, and human factors. Ask a data center engineer or architect, is everything in your environment up to date and patched? It is not. There is too much to do, budget limitations, and so many attack vectors.
Third, cryptocurrencies make ransomware payments easy, reliable, and relatively anonymous. An attacker in one country can easily transact Bitcoin with a victim in the US.
And the fourth factor: Ransomware-as-a-Service kits are available for attackers on the dark web. These kits are created by “vendors” with feature sets and different levels of technical capability needed by the user. They have channel partners, including hosting services and solutions providers—an ecosystem for criminals with technical skills.
As a result of these factors, attackers have a lot of options, and defenders at the data center are stuck.
Proactive ransomware protection to secure data
Interviewer: What can businesses do as proactive defense measures before a ransomware attack?
Andrew: This is scary stuff for worried boards of directors, but it is far better to be scared now than at two in the morning when you learn that your company’s data is locked by ransomware. Of course, there’s training: Do not click on that link. Macros can deliver malware. And if you get an email from an executive who you don’t work with regularly and they are asking for sensitive information, stop.
Technical solutions need to be in place before an attack. Antivirus, patching, firewalls, IDS/IPS, and more. This is why managed security services from service providers like TierPoint are so relevant—IT managers need help navigating the thousand-plus vendors in this space.
And a big part of the technical challenge is managing the risk of high operational overhead overtaking the benefits of the products you implement. False positives can overwhelm IT teams—I call it the barking chihuahua analogy—eventually you tune out the alerts, even the important ones. Pure Storage helps with this with solutions like Pure Storage FlashBlade®, which crunches through massive amounts of data after an attack to help sort out the signal from the noise.
And then from a financial standpoint, there are cybersecurity insurance policies.
I’d rather mitigate the need for claims with data protection and fast restoration that match the customer’s recovery point objectives (RPOs) and recovery time objectives (RTOs)—what they need for business continuity.
Interviewer: Why aren’t businesses better prepared to mitigate ransomware?
Andrew: IT departments are busy, and it is not uncommon for backups to be incomplete—it is a daily frustration. Plus, backups need to be protected from malicious deletion or encryption. Having gained access, attackers often spend months on reconnaissance and planning before triggering the ransomware. Do you have backups to service your replicated storage? Those backups may be encrypted by ransomware, too. It can even jump a replication boundary, crossing domains. The attacker may take your disaster recovery system offline.
And then there is the issue of speed of recovery. What is the cost of downtime? How much data can the business afford to lose? How far back in time do you need to go? How long does it take? What we see with ransomware is massive amounts of data locked up that all needs to be restored quickly—without a fast-to-recover data storage system, it could take months.
Interviewer: So, what can IT leaders do to provide business continuity in the face of ransomware? Tell us a bit about Pure’s solution.
Andrew: To effectively recover from ransomware, the system put in place before the attack needs to be simple because IT departments are busy and any technology that requires care and feeding but isn’t top of mind every day will be overlooked. It needs to be immutable because attackers are motivated to disable your protection—they can charge a bigger ransom. And recovery needs to be fast—even for massive amounts of data—because your business can’t operate without data and waiting months for recovery is like the backup does not exist.
Pure Storage focuses on all three requirements—simplicity, immutability, and speed of recovery. Our solution is simple enough that it will be there when you need it, without daily care. And Pure Storage keeps data safe even if an admin is compromised, from FlashBlade credentials all the way down to the backup target where the data is sent, as well as the backup server itself.
Pure Storage provides inbuilt security specifically designed to counter ransomware threats. We developed SafeMode™ snapshots with the purpose of protecting backup data and metadata and minimizing loss of data. Ransomware can’t eradicate (delete), modify, or encrypt SafeMode snapshots. The result: Your backups stay safe. Plus, FlashBlade is a throughput beast when you need to recover. For one customer, our solution is 76 times faster than their previous recovery solution.
How vulnerable is your business to ransomware?
Managed services providers, like TierPoint and Pure Storage, will work with you to look at your IT environment and identify areas that need better security and disaster recovery to protect against data loss. Contact us today to learn more.