Aside from the pandemic, ransomware has become one of the gravest threats to the global economy. It is no longer a matter of “if” an organization is going to be attacked but “when,” according to Gartner.
The research firm predicts that 75% of organizations will face one or more attacks by 2025. National Security Institute found the average ransomware payout was $200,000 in 2020, up from just $5,000 two years ago as ransomware gangs resort to more aggressive tactics to get what they want.
Large-scale attacks on enterprises—the latest being one against Accenture—are creating regular headlines. The U.S. is the largest region for such attacks, and ransomware accounted for 30% of all U.S.-based cyberattacks in 2020, more than double the rate globally.
Why is ransomware worse now?
The word among security experts is that the Covid-19 pandemic, with its resulting lockdowns and work-from-home mandates, created an enticing new opportunity for hackers.
Employees sometimes use insecure personal devices and networks, accessing desktops over the easily-compromised Remote Desktop Protocol (RDP) software and connected by VPNs which aren’t always configured or secured properly. This has led to a perfect storm of vulnerability at even the largest corporations with massive IT budgets and large teams in place. Ransomware attacks are also becoming more sophisticated.
Ransomware software is now attacking in multiple stages, from penetrating the network, to stealing credentials, to attacking the backup systems. Over this entire time period, which can take weeks to months, companies typically don’t know they are under attack until finally someone suddenly notices files becoming encrypted and unusable.
How does this affect data storage?
Ransomware players are attacking all IT infrastructure, not just servers and applications. In 2021, the network attached storage (NAS) appliance maker QNAP alerted its customers that eCh0raix ransomware was attacking its NAS devices, especially those with weak passwords, as reported in this ransomware paper by ESET.
This is a disastrous prospect, since data growth is exploding and 80% of the data in organizations is now unstructured file data sitting either in NAS storage or in the cloud.
The ransomware challenge of unstructured file data
Protecting file data is tricky because of its sheer volume, variety and fast pace of growth. IT organizations must create a layered strategy – meaning that in addition to keeping local backup copies, they must also keep an extra copy isolated in a different place such as the cloud that cannot be infected.
But now we’re talking major sticker shock. Many organizations have petabytes of file data and a petabyte can easily be a few billion files. Companies are already struggling to backup all this data. Adding another copy can give the CFO a serious migraine.
The good news is that it’s possible to create a cost-effective layered strategy. Here’s how:
1. Prioritize visibility and audits
Early detection of ransomware by monitoring activity and identifying threats and unusual activity across networks and infrastructure is a great goal. Analytics on data usage by unstructured data management tools can show suspicious activity on files, such as an abnormal amount of reads and writes. While early detection is the ideal line of defense, it is not foolproof as ransomware attacks are constantly evolving. Storage managers should have analytics dashboards showing key metrics on all data usage across on-premises and cloud locations. Most (80%) of file data is typically cold and has not been used in a year or more. Knowing what data is hot and actively used, and what is not is key to creating a cost-efficient multi-layered defense.
2. Create a multi-layered data management defense
- Snapshots and Backups for Hot Data. Snapshots and backups keep track of changes to data as they get updated. They are needed on hot, active data to protect from user or system failures. But they can get attacked by ransomware, and if it is undetected for days, they may “protect” corrupted data. Ransomware protection needs an additional copy of this data in storage that is immutable (meaning it cannot be rewritten), in a separate physical location such as the cloud. This can all get expensive, which is why you want to use backups on hot, active data, which is typically 20% of the footprint.
- Cloud Tiering and Immutable Storage for Cold Data. A mantra of modern data management is that all data should not be treated the same. It’s not a democracy. By tiering cold data off top-grade NAS to an object-lock storage in the cloud, you get an immutable copy of cold file data at a fraction of the cost. Ransomware software cannot rewrite it. Moving cold data to object storage also reduces your backup footprint—which serves as another defense against ransomware while reducing backup license costs. Yes, you can also create a DR copy of data on tape, but recovery times will be significantly longer and physical backup solutions have become less appealing in the cloud age.
3. Have a plan – and validate it
With these components in place your team should have actionable plans in place to respond to attack scenarios. The time to realize if your plans can be executed is not when the hackers have succeeded and are chuckling behind their screens. Plans must be documented and tested to ensure data is protected with rapid restoration and alternative methods of data access so you can keep the business running without disruption—or large ransom payments.
Beyond Security Teams
The fight against ransomware is extending beyond the security team into all aspects of enterprise IT, including data storage. With unstructured data management, storage professionals can complement the efforts of their security colleagues by adopting a multilayered defense strategy that begins with real-time visibility across all storage, and incorporates snapshots, backups, and object-locked cloud storage. Your cybersecurity team will thank you.
As cybercriminals get more creative and aggressive, data management professionals will need to up their game with a more nuanced approach to the disaster recovery plan.
About the author:
Kumar Goswami is CEO and Co-Founder of Komprise.