Every vendor in the NAS storage and data management space is offering up solutions to combat ransomware. As a result, there is a lot of information available on how to protect yourself and how to recover from ransomware in case of an attack. However, along with useful information, there is an over-exaggeration of the benefits of adopting some of this new technology. In this writeup, we attempt to highlight not just the benefits but also the limitations of some of these features.
Top 5 NAS Ransomware Data Recovery Myths
Myth #1: Traditional backups enable a solid ransomware recovery plan
Numerous organizations have used traditional backup techniques for years. This includes periodic backups to tape or disk. These backup processes are considered “good enough” for most disaster scenarios which are not time-critical e.g. hardware failures, accidental or malicious file deletions, etc.
However, these techniques are inadequate for time-critical ransomware attacks. In most ransomware attacks, users end up paying the ransom despite having a backup. This is largely due to the “time to recover” challenge. When faced with a limited window of recovery, traditional backups often fail to provide an organization with the confidence to refuse the ransom. As a consequence, the ransom is paid despite having a backup.
While traditional backups do provide a level of protection, they may be ineffectual in a ransomware recovery scenario.
Myth #2: Snapshots provide rapid recovery in case of ransomware
Snapshots are promised as a modern day panacea against ransomware attacks. In fact, most present day ransomware recovery strategies are built on the backbone of a snapshot capability. But before we determine how effective snapshots are, let’s dive into what exactly snapshots are.
What are snapshots?
Snapshots are point-in-time versions of your data that you can go back to instantaneously or near instantaneously. The idea is that in case of a ransomware attack, you can simply roll back to a good point, refuse the ransom, and go about your business.
Ransomware can corrupt snapshots
To clarify, ransomware does not corrupt the snapshots per se, but silently encrypts the primary dataset. As a result, as ransomware silently encrypts, the active environments will have a mix of good files and encrypted files. Hence, when the ransomware is discovered, administrators find it difficult to roll back to a snapshot that will allow for full recovery (See diagram below).
Understanding Ransomware Corruption over Time
- At time T0, a snapshot is taken. This represents a clean point in time. At this moment, all data is unencrypted.
- At time T1, ransomware has begun to silently corrupt files while a number of files have been added or updated by users.
- At time T2, ransomware has encrypted more data while users continue to add and update content.
- At time T3, the ransomware is discovered but a majority of the data has already been encrypted.
So what is a good point in time snapshot to roll back to?
It becomes clear that rolling back to “Snapshot T3”, while the most current, will result in largely encrypted data. Similarly, rolling back to T2 or T1 will reduce the amount of encrypted data but will result in the loss of multiple good files. T0 presents a good, clean point in time, but at the expense of multiple lost updates.
As seen from the example above, while snapshots are a must for modern day ransomware protection, they alone cannot help you recover from ransomware.
Myth #3: Air gapped backup targets help you recover from a ransomware attack
What is an Air Gap?
Air gapped mediums (LTO tape, removable hard drives etc.) are marketed as a clever way to keep ransomware from infecting your backup data. The term simply refers to a physical “air gap” between your storage and the network, essentially meaning that your storage is disconnected from the network and hence cannot be corrupted by ransomware.
Air Gapped Copy Can Be Corrupted Too
While it is true that an air-gapped medium cannot itself be tampered with by the ransomware, it is possible that the ransomware was encrypting files when the backup application wrote a backup to a storage target which now sits “air gapped” on a shelf. Thus, when it is time to recover this data, the backup medium is not effective.
Air Gapped Medium Is Also More Time Consuming To Restore From
Since air gapped mediums are physically disconnected, it is also difficult to locate and connect the medium when a restore is needed due to ransomware. The time spent finding and connecting the medium lengthens the recovery window, thus contributing to the payment of the ransom.
Rather than a primary backup for ransomware, air gapped mediums are more effective as a secondary backup copy. Air gapped mediums present challenges as restores and data verification can be lengthy thus posing an issue during a ransomware attack.
Myth #4: Immutability on object storage ensures ransomware recovery
What is Object Immutability?
Object immutability is like a digital “air gap”. It is a feature often marketed with object storage as a key feature to prevent and recover from ransomware.
Object Immutable Storage Can Have Corrupted Data
Similar to air gapped backup targets, if a backup application backed up corrupted or encrypted files to immutable object storage, the backup copy would also be corrupted. While immutability does provide some level of protection against a direct corruption of data it can have corrupted data stored.
Object immutability, like an air gap, can protect your backup copy of data from a ransomware attack, but it can still hold corrupted data inadvertently backed up by an application.
Myth #5: Cloud backup provides an impenetrable safety net against ransomware
Cloud backups have emerged as a popular choice for backups. While cloud providers like AWS, Azure, Google spend billions of dollars on security, your cloud data can also be infected with ransomware.
Here are a few ways how it can happen:
Backup Applications Copy Infected Files to Cloud
Backup applications will copy updated and encrypted files to cloud targets during the backup process. Since ransomware silently corrupts data, these corrupted files get backed up to cloud. During restore, users find that their cloud backups are not “clean” and contain encrypted files.
Cloud Mounts Can Also Be Encrypted By Ransomware
Multiple cloud backup solutions (e.g. Dropbox, Box, Google Drive) and cloud NAS solutions (e.g. LucidLink, Panzura, Nasuni) present a mounted file-system to users while storing data in the cloud. Since these solutions present a file-system, they are equally vulnerable to silent encryption by ransomware. While these solutions present snapshots as a defense, as highlighted earlier, these snapshots are also point in time views that could contain a mix of good and encrypted files.
While cloud backups do provide a higher degree of security against ransomware and malware than on premise environments, cloud based backups are also vulnerable to silent attacks and corruption. Refer to the next section for essential features to protect cloud based backups.
Top 5 Ignored NAS Ransomware Data Recovery Best Practices
As discussed in Part 1 of this blog, even though a number of ransomware protection and recovery capabilities are being offered, they fall short in ensuring protection and recovery of data in case of a ransomware attack. In the second half of the blog we highlight the Top 5 essential features for ransomware recovery that are often ignored.
Best Practice #1: Pre-emptive File Probing
Since ransomware silently corrupts and encrypts data, ransomware corruption is discovered after most of the damage is done. During this period, backup applications often backup corrupted files while end users continue to add and update content.
A key technology to combat this is to use an application that can perform a periodic scan and probe files. This probe however needs to be performed at a metadata level. As an example, if a file has a .mov extension, it must be verified by reading the metadata within the file to ensure its authenticity. Such an application can raise an early warning if it finds that files are being silently corrupted. This allows administrators to respond earlier and minimize the impact of a ransomware attack.
DNAfabric Preemptive File Probing
DNAfabric v1.5 (*) allows for metadata probing and double checksum scans to run periodically on a subset of or across the complete data set. It is equipped with a metadata probe that can verify the internal data structures of hundreds of file types including video, audio, images and MS Office file types. By periodically scanning active data, DNAfabric can detect if files are being corrupted either by ransomware or via hardware (RAID or disk sector) failures.
Best Practice #2: Whitelisting
A key challenge brought up in Part 1 of the blog was how backup applications and snapshots can both result in restore point in times that also contain corrupted files. This essentially results in organizations often having to pay the ransom despite having diligently performed backups.
This happens because the backup application cannot differentiate good files from corrupted files. To combat this, a backup application must support a “whitelist”. For example, if you were backing up a workspace with video files containing mov and h264 files, it would be easy for the administrator to set up a whitelist for only the .mov and .mp4 file extensions. This prevents corrupted files (from ransomware) from being backed up, resulting in clean recovery points.
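As an added example (not the post’s or DNAfabric’s own code), the following Python scanner combines Best Practices #1 and #2: it skips anything outside the extension whitelist and flags whitelisted files whose header does not match the format the extension claims, which is the mismatch a silently encrypted .mov produces. The signature table and the sample files are constructed for illustration.

```python
import os
import tempfile

# Top-level atom types a QuickTime/ISO-BMFF file may legitimately start with
# (bytes 4..8 of the file); 'ftyp' is by far the most common in modern .mov/.mp4.
_BMFF_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}

# Header checks per extension (constructed table; extend for other formats).
SIGNATURES = {
    ".mov": lambda h: h[4:8] in _BMFF_ATOMS,
    ".mp4": lambda h: h[4:8] in _BMFF_ATOMS,
    ".jpg": lambda h: h.startswith(b"\xff\xd8\xff"),
    ".docx": lambda h: h.startswith(b"PK\x03\x04"),  # OOXML is a ZIP container
}

# The backup whitelist from the text: only these extensions are copied.
WHITELIST = {".mov", ".mp4"}

def probe(path, whitelist=WHITELIST):
    """Classify one file: 'skip' (not whitelisted), 'ok', or 'suspect'."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in whitelist:          # e.g. 'clip.mov.locked' has ext '.locked'
        return "skip"
    with open(path, "rb") as f:
        header = f.read(16)
    check = SIGNATURES.get(ext)
    if check is None or check(header):
        return "ok"
    return "suspect"                  # whitelisted name, but contents are not that format

def scan_tree(root, whitelist=WHITELIST):
    """Probe every file under root; return {relative path: verdict}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = probe(full, whitelist)
    return results

def demo():
    """Constructed sample tree: a clean clip, a silently encrypted one, a renamed one."""
    root = tempfile.mkdtemp()
    good_header = b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 24
    samples = {
        "clean.mov": good_header,                 # valid QuickTime header
        "encrypted.mov": bytes(range(32)),        # name kept, contents no longer a .mov
        "clip.mov.locked": good_header,           # extension changed, so not whitelisted
        "notes.txt": b"plain text",               # outside the whitelist
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return scan_tree(root)
```

A rising count of "suspect" verdicts between two periodic runs is the early warning the text describes, and only "ok" files would be passed on to the sync job.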
DNAfabric Whitelisting
DNAfabric v1.5 (*) includes an advanced whitelisting capability. Users can create custom whitelists and apply them to any data sync job. DNAfabric’s ability to sync primary NAS to any secondary target (another NAS, on-premise object or public object), paired with whitelisting, allows good data to be replicated while ignoring corrupted file extensions.
Best Practice #3: Rapid Damage Assessment
When ransomware strikes across your central NAS, a key question is “how bad are we hit?” While this seems like a basic question, most organizations are unable to answer this quickly. Assessing the scope of the damage quickly allows administrators to rapidly come up with a response plan, present options to key executives/decision makers and come to a decision on whether to pay the ransom or not. In the absence of this capability, most organizations end up paying the ransom.
DNAfabric Rapid Damage Assessment
DNAfabric v1.5 (*) includes a high-performance scanner and indexer with storage analytics capability. In case of a ransomware attack, the DNAfabric index and analyzer job can scan the affected storage and generate statistics across the NAS. This includes a breakdown of files by extension, age and size allowing administrators to present damage reports to executives for rapid decision making.
Best Practice #4: Live Mounting
The ability to quickly or instantly verify that your backup copy is “good” without performing a lengthy restore is at the heart of refusing a ransom payment in case of an attack. This can be achieved in the following ways.
Snapshot Rollback:
This ability to quickly ensure that your backup copy is good can be enabled by a snapshot rollback but must be combined with whitelisting to ensure that your snapshots are not corrupted with bad data. Being able to instantly mount a previous point in time snapshot that is clean allows an organization to refuse a ransom and restore from the snapshot.
Backup Application Based Mounting:
While snapshots are built-in to the storage platform, a backup application that can instantly mount the backup copy without performing a restore also provides the ability to refuse a ransom payment.
It is however important that the backup application supports whitelisting so corrupted files are not backed up as well.
NOTE: While both methods mentioned above provide quick access to a backup copy, the next best practice, “Application Verification”, is critical to ensuring that the data is not corrupted.
DNAfabric Live Mounting
DNAfabric v1.5 (*) allows for a backup copy written to any object storage to be live mounted. Beyond enabling a mount, DNAfabric tracks the original file and directory paths on the primary storage and mounts the backup copy from object storage in the exact same manner. This allows users not only to verify the data visually but also to quickly load it in a relevant application, e.g., Avid or Adobe (see next section).
Best Practice #5: Application Verification
While the ability to mount a backup copy is critical, this data must be verified by the application that the data is created and used for. This is critical since it is impossible for an administrator to visually verify if the backup data is “good”. However, a user trained in an application can load the data and determine if the backup copy is good or not.
Combining backup mounts (previous section) with application verification is a guaranteed way to ensure that all backed up content is useable before refusing a ransom.
DNAfabric Application Verification
A key challenge with mounting backup data is relinking the data in the application. If the backed-up data is not mounted with exactly the same file structure as the original, applications will display the data as “offline”. The data needs to be “relinked” which can be a long and painstaking process. During a ransomware attack, this can result in a decision to pay the ransom. Since DNAfabric preserves and tracks the original source path, it can mount the backup copy in exactly the same way ensuring that applications load up data quickly.
Conclusion
Ransomware attacks continue to target organizations and are becoming more sophisticated. Ensuring that your organization has a strong defense and counter-plan against such an attack is critical to the smooth functioning of an organization.