Storage Decision Tool

A Ransomware Protection Guide for Your NAS

A Ransomware Protection Guide for Your NAS
July 20, 2021 Rohit Varu
NAS Ransomware Protection Guide - StorageDNA

Ransomware is Real

 

Ransomware is a growing threat to businesses of all sizes. Over the past few years, ransomware attacks have steadily increased. It is further proven that paying the ransom does not guarantee that all your data will be restored. In light of this growing threat, protecting your data should be a high priority for every business no matter the size.

150% increase in ransomware attacks in 2020 from 2019

More people are paying for data to be returned (Up 32% in 2021 from 20% 2020)

Ransomware remediation costs have more than doubled from 2020 ($0.76 million) to 2021 ($1.85 million)

Types of Ransomware

Locker vs Encrypting

Firstly, let’s understand the types of ransomware that can affect your organization. Ransomware attacks can be categorized into groups:

Locker ransomware: In this type of attack, the malicious software attempts to lock the user out of their system or desktop while leaving only parts of the system usable so that the user can interact with the ransomware window. This type of attack, while disruptive, does not result in a complete loss or access to important files and data. A re-installation of the affected systems will remedy this situation. 

Encrypting/Cryptographic ransomware: Encryption or cryptographic attacks (not to be confused with crypto currency) are designed to block access to your data and files by encrypting files in place. Once the ransom is paid, files are decrypted. However, it must be noted that numerous reports exist where only a percentage of files are recovered. This type of ransomware is most likely to affect your NAS or shared storage.

NAS and Ransomware Attacks

All types of NAS storage systems are susceptible to encryption based ransomware attacks. Ensuring your NAs is backed up, software is updated and passwords are secured can protect you against a ransomware attack.

 

Your NAS or shared storage is vulnerable to ransomware. This includes consumer and prosumer NAS storage (QNAP, Synology) to enterprise NAS and shared storage (e.g. Avid Nexis, Isilon, Qumulo, SNS, Editshare, Quantum etc.).  

Since NAS storage is the de facto storage for most, if not all of an organization’s data, ransomware attacks are often focused on the NAS. Ransomware attacks on NASs are largely focused on encrypting data by accessing mounting storage volumes. Once the data is encrypted, users are unable to access their data.

 

But My Cloud Data Is Safe - Right??

Ransomware can affect any mounted file-system – this includes file-systems like Dropbox, Google Drive and other cloud based storage. However, you can protect your data if you take the right steps.

 

There is a common belief that cloud storage e.g. Dropbox, Google Drive and other cloud based storage cannot be affected by ransomware. While this is mostly true, ransomware affects any mounted file-system. It does not matter if the mounted file-system stores data locally on disk or in the cloud. Cloud based file systems ranging from consumer storages like Dropbox, Google Drive or enterprise cloud file-systems like AWS Gateway, Panzura, Ctera, LucidLink etc are all prone to ransomware encryption attacks. However, we explain in the next section (Step 3: Select the correct backup target) how most cloud file-systems support snapshots thus assist in ready recovery.

 

Steps to Protect Your NAS from Ransomware

 

Step 1: Keep your NAS updated while enforcing secure passwords


  • All ransomware attacks are built on targeting vulnerabilities. Hence, ensure your NAS is up to date with the latest security patches recommended by the vendor.
  • Ensure you employ strong passwords for your NAS.

Step 2: Backup your NAS with an app built for ransomware recovery


All backup software solutions are not equal and all solutions may not be able to help you recover from ransomware effectively. A key challenge backup applications face with ransomware is that the backup application can end up “backing up” encrypted files as well. And often the backups are performed over multiple runs essentially meaning that users cannot rollback to a specific point of time when their data was unaffected. Rather, different points of time may contain portions of the backup that are good. 

Faced with the ransomware’s “pay” or “lose your data” countdown, users are often forced to pay the ransom since most backup applications cannot provide users with  a “good” point in time to restore to.

Why organizations end up paying a ransom despite having a backup?

However, selecting the correct backup solution that has the following key capabilities can dramatically reduce the risk of losing your data or having to pay a ransom:

Key features of a backup app designed for ransomware prevention:

Whitelisting

Locking ransomware works by encrypting your files to a new file-extension. A backup application that supports ransomware whitelists ensures that only those file types that need to be backed up are protected. For example, if your job is backing up image files, then having a whitelist of image files (e.g. *.jpg, *.jpeg, *.bmp etc.) ensures that only those files will be picked for backup. Thus, if you get hit by ransomware, the encrypted files will not be picked up ensuring you have clean backups with ready restore points.

Snapshots

Snapshots are also critical to recovering from a ransomware attack. Snapshots can be enabled via backup apps or via the backup target. Ensure your backup application can roll back individual files and more importantly entire volumes to a previous point in time.

Change Detection

  • Backup applications work by performing an initial full sync and then incremental backups after that. Incremental backups tend to be consistent in terms of change percentages. For example, it can be expected that after the first full backup, incremental changes will be in the 10%-15% range.
  • However, when ransomware strikes, there will be a spike as a large number of files will be encrypted and get picked up for backup. This can serve as an early warning sign of an attack.
  • Backup applications that allow for a “percentage change threshold” will not perform the backup if the incremental change is greater than the threshold. This can be invaluable in detecting that a ransomware attack is in progress.

Multi-Target Backup Support

Much like any data loss scenario, ransomware affects primary data copies. Having a backup application make multiple secondary copies is essential in guaranteeing that recovery is possible. It is a good idea to have a copy on an “air gapped” medium e.g. LTO in addition to object storage which allows for multi-location replication.

High Performance Backups

With growing amounts of data, it is important to employ a backup application that can regularly finish backups in the desired window. A high performance backup application paired with a high performance backup target (e.g. Object storage) can ensure that your backups complete on time.

Step 3: Select the correct backup target 


Beyond selecting an app built for ransomware, selecting a backup target is equally important.

A backup target should be selected on the following key attributes:

Immutability or Object Locking: “Immutability” or “Object Locking” is the inability to change data written to a backup target. This provides a strong defense against ransomware attacks as the backup copy cannot be altered.

Vendors that support object locking

Object locking is supported across numerous public and private storage solutions.
Examples include AWS, Azure, Google, Lyve Cloud, Wasabi, Quantum

AWS - multi-service cloud providers - StorageDNA   Azure - multi-service cloud providers - StorageDNA   

Wasabi - storage only cloud providers - StorageDNA   

Air-gapping: Air-gapping is a term made popular recently referring to disconnected or on-the-shelf media that cannot be altered by malicious software like ransomware. While air-gapping is an important capability, it also implies that in case of an attack, the backup data is more difficult to verify.

Backup & Retrieve Performance: The ability to support high-performance backups ensures that backup windows are met and data is properly backed up. If backup targets cannot support parallelization (multi-streaming, multi-threading), backup performance can be impacted thus leaving data vulnerable.

Rapid access: In case of a ransomware attack, the ability to quickly access and verify that the backup copy is complete and accessible is essential to determining if the ransom demand should be paid. Hence, the backup target must allow for direct access to the backup copy without lengthy wait times for restores.

Multiple Copies or snapshots: While backup apps can make multiple copies, certain backup targets have a built-in ability to replicate data. This form of maintaining multiple copies is often more efficient than backup app-based multi-copy creation. Snapshots are also a key feature enabling “rollbacks” to a good restore point in case of a ransomware attack.

Geo-Spreading: In addition to making multiple copies, certain backup targets can manage multiple copies across multiple geo-spread locations. This enables a stronger level of protection against multi-location attacks.

The following is a comparison between recommended ransomware backup targets:

NOTE: (1: lowest score – 5: highest score)

 

Feature FS LTO Object
Examples NFS, SMB LTO-8/9 Public (AWS S3, Google Cloud, Azure Blob, Wasabi, Seagate LyveCloud etc.)
Immutability or Object Locking

1

While some file systems support immutability (e.g. ZFS), it is not a default feature in most file systems.

5

LTO is designed to be a “read only”, write once medium making it immutable. However, LTO immutability is less flexible than object storage.

5

While object storage is built on disk (++ some exceptions exist), most provide immutability or an “object locking” capability. It has an added advantage in that this immutability can be turned off if needed if backup copies need to be deleted.

Air-Gapping

1

File-systems are always online and do not provide any kind of air-gapping capabilities.

5

LTO is designed to be a “read only”, write once medium making it immutable.

3

Object stores are designed to be online and backed by disk, so they are not air-gapped. However, certain object stores may provide air gap capabilities (❖)

Performance

5

File-systems are the highest performance targets often designed purely for performance.

3

LTO storage, while capable of high single stream bandwidth, does not support multi-streaming which can impact backup windows and restore performance.

4

Object storage systems are capable of high performance especially across multiple parallel streams enabling fast backups and restores.

Quick Access

5

File-systems enable the quickest form of access as they are immediately accessible. However, this makes the backup copy on the file-system vulnerable to attack as well.

2

The key advantage of LTO tape (air gapping) is also its biggest disadvantage when it comes to quick access. It can be difficult to verify backups on tape during a ransomware attack. As a result, while LTO can serve as a copy, it is not recommended as a primary backup copy for ransomware.

4

Object storage systems designed for store and retrieve functions rather than direct access. However, for purposes of backup verification, object stores can be mounted enabling users to quickly determine if they have a good backup before denying the ransom payment.

Multiple Copies

2

File-systems employ protection schemes using RAID and Reed Solomon Coding (newer filesystems). However, these copies are also vulnerable to ransomware.

1

LTO tapes are designed to store a single copy of data. As a medium, it does not offer support for multiple copies.

5

Object storage systems are designed to store multiple copies using sophisticated algorithms (Reed Solomon Coding) enabling the highest levels of content protection.

Geo-Spreading

2

Some file systems employ content replication across multiple sites to enable multi-site protection. However, ransomware can affect secondary copies too.

1

LTO tapes lack an intrinsic ability for multi-site protection and must be manually duplicated and transported to another location.

5

Object storage systems have a built-in ability to geo replicate data. Paired with object locking, object storage system enable the highest levels of content protection

TOTAL 16 17 26

 

++ A new breed of object stores provide an S3 API to LTO tape. Examples include FujiFilm’s new object storage.
❖ A number of public cloud object stores e.g. AWS Glacier, AWS Glacier Deep, Azure Blob Archive have a “rehydration period”. This alludes to an offline/air-gapped medium. However, the type of storage is not revealed. Additionally, LTO backed object stores e.g. FujiFilm also provide air-gapped capabilities by virtue of data being stored on LTO.

 

Object storage is being recognized as a strong contender for protection against ransomware. Key features such as object-locking (thus preventing ransomware from altering backup copies), enabling instant access (via the ability to mount and test backed data) and high performance restores makes it a near perfect storage medium against ransomware attacks.

Feature FS LTO Object
Examples NFS, SMB LTO-8/9 Public (AWS S3, Google Cloud, Azure Blob, Wasabi, Seagate LyveCloud etc.)
Immutability or Object Locking 2
While some file systems support immutability (e.g. ZFS), it is not a default feature in most file systems.
4
LTO is designed to be a “read only”, write once medium making it immutable. However, LTO immutability is less flexible than object storage.
5
While object storage is built on disk (++ some exceptions exist), most provide immutability or an “object locking” capability. It has an added advantage in that this immutability can be turned off if needed if backup copies need to be deleted.
Air-Gapping 1
File-systems are always online and do not provide any kind of air-gapping capabilities.
5
LTO is designed to be a “read only”, write once medium making it immutable.
3
Object stores are designed to be online and backed by disk, so they are not air-gapped. However, certain object stores may provide air gap capabilities (❖)
Performance 5
File-systems are the highest performance targets often designed purely for performance.
2
LTO storage, while capable of high single stream bandwidth, does not support multi-streaming which can impact backup windows and restore performance.
4
Object storage systems are capable of high performance especially across multiple parallel streams enabling fast backups and restores.
Quick Access 5
File-systems enable the quickest form of access as they are immediately accessible. However, this makes the backup copy on the file-system vulnerable to attack as well.
1
The key advantage of LTO tape (air gapping) is also its biggest disadvantage when it comes to quick access. It can be difficult to verify backups on tape during a ransomware attack. As a result, while LTO can serve as a copy, it is not recommended as a primary backup copy for ransomware.
4
Object storage systems designed for store and retrieve functions rather than direct access. However, for purposes of backup verification, object stores can be mounted enabling users to quickly determine if they have a good backup before denying the ransom payment.
Multiple Copies 3
File-systems employ protection schemes using RAID and Reed Solomon Coding (newer filesystems). However, these copies are also vulnerable to ransomware.
1
LTO tapes are designed to store a single copy of data. As a medium, it does not offer support for multiple copies.
5
Object storage systems are designed to store multiple copies using sophisticated algorithms (Reed Solomon Coding) enabling the highest levels of content protection.
Geo-Spreading 3
Some file systems employ content replication across multiple sites to enable multi-site protection. However, ransomware can affect secondary copies too.
1

LTO tapes lack an intrinsic ability for multi-site protection and must be manually duplicated and transported to another location.

5
Object storage systems have a built-in ability to geo replicate data. Paired with object locking, object storage system enable the highest levels of content protection
TOTAL 19 14 26

 

++ A new breed of object stores provide an S3 API to LTO tape. Examples include FujiFilm’s new object storage (CXXX: Link).
❖ A number of public cloud object stores e.g. AWS Glacier, AWS Glacier Deep, Azure Blob Archive have a “rehydration period”. This alludes to an offline/air-gapped medium. However, the type of storage is not revealed. Additionally, LTO backed object stores e.g. FujiFilm also provide air-gapped capabilities by virtue of data being stored on LTO.

 

Step 4: Perform a ransomware recovery drill


Testing your infrastructure against a simulated ransomware attack is essential to recovering from a real ransomware attack. Follow these steps in simulating an attack:

 

Simulate the attack

  • Simulating a ransomware attack on your NAS can be simplified to unmounting NAS volumes. While this is a simplistic approach, it requires minimal effort and restoring access is as simple as remounting volumes. 
  • This allows your users to deal with their files going “offline” while allowing IT to test this scenario more often.

Perform a quick verification of the backup copy

Quickly testing your backup copy without having to restore all your data is a critical feature. In a real ransomware attack, knowing whether to pay the ransom or not is time critical. Oftentimes, waiting for a complete restore is not possible. Thus have a backup medium that allows for the backup data to be mounted and accessed directly allows for quick verification. Refer to the Backup Target comparison table for backup target options that allow for this.

Time a restore

While time to verify data determines whether the ransom should be paid, the time it takes to restore the data determines when your users can be up and running again. Hence it is important to time your restores. In this step, time restores to ensure that restore window times are met by both the backup app and backup target.

Test the restored data

To test the restored data, ensure the data is accessed by a qualified user with a native application. End user testing is the only way to guarantee that the restored data copy is truly “good”.

Conclusion

 

While ransomware attacks are continuing to grow, protecting yourself against such attacks is not impossible. A combination of best practices, backup software, backup targets and drills can all come together to provide a strong defense against such attacks.

 

 

0 Comments

Leave a Comment

Your email address will not be published. Required fields are marked *

*