Detect ransomware in storage to act before it spreads
Anomaly detection and immutable copies can be frontline tools against ransomware – we look at the role storage can play against the latest techniques employed by ransomware gangs
Ransomware attacks have become ever more sophisticated. Attackers no longer just encrypt data – they threaten to expose sensitive data, though double extortion and triple extortion attacks. And ransomware attacks increasingly target backups as well as operational data.
From an attacker’s point of view, to target backups makes sense. Organisations that can restore from backups are less likely to pay a ransom. So now, attackers look to identify and disable or delete backup volumes.
To counter this, suppliers have built ransomware protection into backup and storage. By working at the storage layer, security teams receive early warning of ransomware attacks and can prevent them. But this functionality is still quite new. So, should it be part of an enterprise anti-ransomware strategy?
Ransomware virus backups
Early ransomware attacks infiltrated networks and encrypted data, then demanded a ransom in exchange for decryption keys.
But businesses have strengthened their backup procedures. And backup and recovery suppliers have added anti-ransomware features. These include anomaly detection, immutable snapshots, and ensuring backups are air-gapped from production systems.
As a result, attackers now go after backups too. This includes deleting backup files, or encrypting them, or attacking the backup software’s application programming interfaces (APIs).
Backups work to a schedule, copying data every few hours or overnight, for example. This gives attackers a window of opportunity to infect systems or initiate encryption en masse before a backup runs
Ransomware groups also exploit features of the way backup tools work.
Backups work to a schedule, copying data every few hours or overnight, for example. This gives attackers a window of opportunity to infect systems or initiate encryption en masse before a backup runs.
The result is that the enterprise takes a backup of data that has already been encrypted or which contains malicious code. Hacking groups can then activate these malware “timebombs” later on – or even worse, when the business tries to restore from an infected backup.
To close this gap, a growing number of suppliers now offer ransomware detection in the storage layer. If the system detects signs of an attack, such as a mass encryption event, it triggers a new immutable snapshot of the data and alerts IT or security teams before the malware takes hold.
“If you can get closer to the production environment for detection and begin that immutable snapshot workflow, you will have a faster response and a more limited ‘blast radius’,” says Brent Ellis, senior analyst at Forrester, who leads on technology resilience, backup and storage research.
Supplier anti-ransomware approaches
For storage suppliers, the main protection against ransomware is through immutable backups, usually snapshots. Storage arrays can be set up to keep snapshots locally, at an offsite location – such as a second datacentre – or in the public cloud.
As snapshots are usually immutable, firms can set up quite sophisticated routines to copy them. These include the use of multiple cloud availability zones, or multiple cloud providers if budget and security requirements demand it.
The issue is that snapshots take up more space than conventional data-only backups. And they are no use if the data is already infected before the snapshot is taken.
To counter this, suppliers have moved to add detection to their systems. Systems aim to detect a mass encryption event, other suspicious behaviour such as a large number of changes to files in a system, or increased levels of randomness in file names and content. These are early signs that malware has started to encrypt data.
Storage systems alone cannot provide all the protection against ransomware. Firms also need strong endpoint protection, anti-phishing tools, robust backup tools, and an effective and rehearsed backup and recovery strategy
Backup suppliers already have ransomware detection functionality that scans files as they are copied or ingested into the backup system. Putting this into the storage layer aims to speed up this process.
“The problem is, maybe your backups run every half hour, every hour, every four hours,” says Forrester’s Ellis. “There’s a lag time in detection where the scope of the problem can increase. So, detection has moved into primary storage environments where they have an ongoing process to detect malicious file types if it’s file-based storage, or detect anomalies or entropy errors in block-based storage.”
A mass encryption event registers a high rate of change on a storage volume, he says. This allows storage arrays to detect foul play. But the key point is that detection should trigger “granular” snapshots to maximise the chances of salvaging data, and generate alerts so that security teams can act to contain the problem.
A number of storage suppliers now offer these tools, often using artificial intelligence (AI) to detect anomalies.
Suppliers with anti-ransomware functionality include NetApp, Pure Storage, Dell EMC (in its PowerStore range) and IBM.
Dell EMC, for example, uses PowerStore’s Data at Rest Encryption as well as snapshots to protect against ransomware. IBM Storage FlashSystem, part of IBM Storage Virtualize, creates snapshots that are automatically separated from production environments.
Pure’s Safemode snapshots are built into all the supplier’s products and managed though Pure1. The supplier supports multifactor authentication and “four eyes” access control (two people are needed to authorise backup deletion). NetApp, meanwhile, claims to be the first supplier to have AI-powered malware detection at the storage layer, and offers immutable and indelible backups.
These tools can be used alongside ransomware prevention measures in backup and recovery tools from suppliers that include Veeam, Rubrik, Cohesity and Commvault. It is worth noting that some software suppliers, such as MongoDB, also offer immutable snapshots. This provides additional protection for their layer of the stack.
Storage as an anti-ransomware strategy
Storage systems alone, however, cannot provide all the protection against ransomware. Firms also need strong endpoint protection and anti-phishing tools to reduce the chances of ransomware infecting the organisation. They also need robust backup tools, and an effective and rehearsed backup and recovery strategy.
Storage-level ransomware protection offers the benefit of speed, and because scans run constantly on production data, they reduce the risk present in the gap between backups.
But there are also limitations, not least because of the limited processing power available in storage arrays. Backup tools can use more advanced analytics, as they have access to server computer processing units and can look at data over time. This allows them to build up a picture of normal behaviour for that data, and to block future attacks.
Ideally, CIOs will use anti-ransomware tools in storage and backup. “One tool is not going to be enough,” warns Ellis. “The next line of defence is in your production environment, and that’s at your storage system.”
