
Storage technology explained: Ransomware and storage and backup

We look at ransomware attacks, and the importance of good backup practice as well as immutable snapshots, air-gapping, network segmentation, AI anomaly detection and supplier warranties

Ransomware attacks take place via malware that infects IT systems with the aim of disabling access to data or exfiltrating it.

Malware usually enters an organisation through phishing, infected documents, or compromised or malicious websites. Once inside, it often dwells in systems for some time while it moves laterally, looking for weak points in the organisation’s data estate, such as the location of backups.

This dwell time is the period between intrusion and when the ransomware software acts to encrypt and/or exfiltrate data. Then the attackers demand a ransom for the decryption key or return of the data.

How can storage and backup protect against ransomware?

Effective ransomware protection starts with not letting malware into IT systems in the first place. In backup and storage systems, it centres on effective data protection, with additional solutions available in the form of artificial intelligence (AI)-based anomaly detection.

Key to recovery from a ransomware attack is to regularly make effective backups. That’s because if you are hit by ransomware, you need a clean copy of your data to roll back to.

Bear in mind that backups are likely to be the most reliable backstop because they usually date back the furthest of all data protection copies and are therefore more likely to provide a clean copy from before ransomware infiltrated systems.

Snapshots are another popular method of data protection, but are more likely to be compromised by being taken during ransomware dwell periods as they generally don’t date back as far as backups.

Putting an air gap between backups and production systems is another key method of ensuring ransomware cannot affect backup copies.

Storage suppliers also build in ransomware protection such as anomaly detection that looks for malware as it acts on data, while some suppliers also offer guarantees to customers hit by ransomware attacks.

Why is backup important in case of ransomware attack?

The best way for an organisation to avoid paying a ransom is to try to recover from its most recent good copies of data.

That means it is vital for organisations to make effective backups, to keep immutable copies of backups, and to test regularly that they can recover from them.

But backups have their limits, and other data protection methods such as snapshots have their flaws, too.

Backups, for example, are only good to restore from as long as they are clean. That is, they are uninfected by ransomware files, including those that have remained inactive but undetected.

Snapshots, likewise, are only good as long as they are unaffected by the presence of ransomware files. A key limitation of snapshots is that they can be sizeable, and often for that reason, fewer of them – with a shorter roll-back duration – are kept.

Ransomware gangs often target an organisation’s backup files to make it difficult or impossible to restore to a clean point-in-time.
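The section above says that backups are only useful if you can actually recover from them, and that recovery must be tested regularly. The following is an added example written for this explainer, not code from any backup product. It records a SHA-256 manifest when the backup is taken and later checks a restored copy against it file by file, reporting anything missing, altered or unexpected. The directory layout, file names and the deliberate tampering step are all constructed for the demonstration; a real restore test would keep the manifest with an immutable copy of the backup so that an attacker who reaches the backup cannot also rewrite the record of what it should contain.

```python
"""Restore test: verify a restored copy against a hash manifest of the backup.

Added example for this article, not code from any backup product. It shows
the "test that you can recover" step: a SHA-256 manifest is recorded when the
backup is taken, and a later restore is checked file by file against it.
Directory layout, file names and the tampering step are all constructed here.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, POSIX-style) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest. Returns sorted lists of files
    that are missing, whose content differs, or that were never backed up."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo() -> dict:
    """Back up a constructed source tree, restore it and verify; then damage the
    restored copy and verify again to show what a failed restore test reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("Q1 recovery plan v3\n")      # constructed
        (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")      # constructed

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)          # stands in for the backup job
        manifest = build_manifest(backup)     # recorded alongside the backup

        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)     # the restore test
        clean = verify_restore(manifest, restored)

        # Simulate a restore in which one file no longer matches what was backed
        # up and another is missing entirely.
        (restored / "docs" / "plan.txt").write_bytes(b"\x8f\x1a\x00not-the-original")
        (restored / "ledger.csv").unlink()
        tampered = verify_restore(manifest, restored)
    return {"manifest_files": sorted(manifest), "clean": clean, "tampered": tampered}
```

Note what this check does and does not prove: it confirms the restore reproduces exactly what was backed up, which catches backups that were overwritten, encrypted or partially lost after the fact. It cannot tell you that the source data was clean when the backup was taken, which is the separate limitation the section above describes.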

How can an air gap protect backups against ransomware?

One way to protect backups against ransomware infection is to retain them on the other side of an air gap.

Air-gapping is the safest option, especially if backups are stored off-site on write-once, read-many (WORM) media such as optical storage or tape.

The disadvantage of off-site physical air gaps is the time it takes to restore data from backups held that way. Recovery time might be too long to meet business continuity targets, especially if IT teams have to search numerous backups to find ransomware-free copies. Suppliers have met this challenge with virtual air-gapped technology.

How can network segmentation protect backups against ransomware?

While physical air gaps can be the most secure, they also bring drawbacks in terms of recovery time.

A solution is to strictly segment backups from production environments so that uninfected copies can be used to recover from.

Approaches here include placing backups in a discrete network segment protected by default “deny all” firewall rules, either on-site or in a secondary datacentre. Rules are relaxed only when data is needed for a restore or for replication, and access to the backups requires multiple administrators and authentication.

A variant of this approach uses public cloud storage as the off-site capacity.

What are immutable snapshots?

Immutable snapshots are snapshots that cannot be changed once they have been written.

Snapshots are always immutable, but storage suppliers have taken additional measures to prevent ransomware from reaching them.

This can mean access to snapshots is protected by multiple PINs or is time-locked.

The downside of snapshots is that they create a large volume of data. For performance reasons, they are often written to tier one storage, and this makes them expensive, especially if organisations need to retain multiple days or weeks’ worth as protection against ransomware.
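The section above describes two controls layered on top of snapshot immutability: a time-lock, and access gated by more than one person (the “four eyes” deletion control described later in the vendor round-up). The following is an added illustration written for this explainer, not code from any storage supplier. It models a snapshot store in which a snapshot cannot be deleted before its retention lock expires, and even then only with approval from two distinct administrators. The class and method names, and the injected clock used to move time forward, are assumptions made for the example.

```python
"""Time-locked snapshots with two-person ("four eyes") deletion.

Added illustration written for this article; it is not code from any storage
supplier. It models the two controls described for immutable snapshots: a
retention lock (time-lock) and deletion that requires approval from two
distinct administrators. Names such as SnapshotVault and the clock injection
are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Snapshot:
    name: str
    created: datetime
    locked_until: datetime                       # no deletion before this instant
    approvals: set = field(default_factory=set)  # admins who approved deletion


class SnapshotVault:
    """Snapshot store enforcing a retention lock and four-eyes deletion."""

    def __init__(self, retention: timedelta,
                 clock: Optional[Callable[[], datetime]] = None):
        self.retention = retention
        # Injected clock so the behaviour can be shown without waiting (assumption).
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.snapshots: dict = {}

    def take(self, name: str) -> Snapshot:
        now = self.clock()
        snap = Snapshot(name=name, created=now, locked_until=now + self.retention)
        self.snapshots[name] = snap
        return snap

    def request_delete(self, name: str, admin: str) -> str:
        """Record one administrator's deletion approval and report the outcome.

        A single compromised admin credential cannot remove a snapshot: the
        lock must have expired and a second, different admin must also approve.
        """
        snap = self.snapshots.get(name)
        if snap is None:
            return "no such snapshot"
        if self.clock() < snap.locked_until:
            return "denied: retention lock active"
        snap.approvals.add(admin)   # a set: the same admin approving twice counts once
        if len(snap.approvals) < 2:
            return "pending: second approver required"
        del self.snapshots[name]
        return "deleted"


def demo() -> list:
    """Walk through the controls with a movable clock; returns each outcome in order."""
    now = [datetime(2024, 1, 1, tzinfo=timezone.utc)]   # constructed start time
    vault = SnapshotVault(retention=timedelta(days=7), clock=lambda: now[0])
    vault.take("daily-001")
    outcomes = [vault.request_delete("daily-001", "alice")]      # inside the lock window
    now[0] += timedelta(days=8)                                  # lock has now expired
    outcomes.append(vault.request_delete("daily-001", "alice"))  # first approval
    outcomes.append(vault.request_delete("daily-001", "alice"))  # same admin again
    outcomes.append(vault.request_delete("daily-001", "bob"))    # second, distinct admin
    return outcomes
```

The point of the design is where enforcement lives. In a real array these checks run inside the storage controller, not on the host operating system, so that an attacker who has taken over a server, or even one administrator account, still cannot shorten the lock or supply the second approval.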

How can AI and anomaly detection protect against ransomware?

When ransomware goes to work it will give off signs that can be spotted.

These might include abnormally large numbers of changes to files in a dataset, or increased randomness in filenames or content, which could occur as ransomware starts to encrypt data.

Suppliers have added such functionality at storage device and network level to help spot ransomware infections early. AI tools can help spot anomalies across vast quantities of data, and at a speed that may allow malware to be stopped before it spreads, encrypts or deletes data.

Suppliers that offer anomaly detection include Cohesity, NetApp and Pure Storage. Commvault also has early warning features in its technology.

What financial guarantees do suppliers offer against ransomware?

Some storage and backup suppliers have taken the step of offering financial guarantees in case a customer suffers from a ransomware attack.

Veeam and NetApp offer ransomware warranties, while Pure Storage has a ransomware recovery service-level agreement that includes hardware and technical support to recover data.

But suppliers will ensure warranty agreements are very tightly written. And cash will only go so far to help an organisation if data has been put beyond reach.

What anti-ransomware functionality is offered by storage and backup vendors?

Storage suppliers’ main protection against ransomware is immutable backups, usually snapshots. Arrays can keep snapshots locally, at an offsite location or in the public cloud.

The key drawback with snapshots is that they take up more space than conventional backups. And they are no use if data was already infected before the snapshot was taken.

So, suppliers added ways to detect ransomware. A mass encryption event will show as a large number of changes to files or increased levels of randomness in file names, for example. Meanwhile, some backup suppliers scan files as they are ingested into the backup system.

Look out for products where detection triggers “granular” snapshots to maximise the chances of salvaging data.
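The anomaly-detection section earlier and the paragraphs just above both describe the same signals: an unusually large number of file changes in a short period, and rising randomness in file names and content as encryption proceeds, with detection ideally triggering a protective snapshot. The following is an added example written for this explainer, not a vendor’s product code. It scores a window of file-change events on change rate, byte entropy of content and a cheap letter/digit alternation heuristic for random-looking names, and calls a hook when a window looks like a mass-encryption event. The event layout, the fixed thresholds and the sample windows are all constructed assumptions; a real product would learn its baseline from the dataset rather than use hard-coded numbers.

```python
"""Score file-change windows for signs of a mass-encryption event.

Added example for this article, not code from any storage or backup product.
It uses the signals the text names (change volume, content randomness, random-
looking names) and calls a hook that a real system would wire to "take a
protective snapshot". Event layout, thresholds and sample data are assumptions.
"""
import math
from collections import Counter
from typing import Callable

# Thresholds are assumptions for this example; a product would learn a baseline.
ENTROPY_THRESHOLD = 7.0     # bits per byte; plain text sits around 4-5, ciphertext near 8
NAME_SCORE_THRESHOLD = 0.4  # letter/digit alternation ratio in the file name stem
RATE_MULTIPLIER = 5         # changes per window compared with the baseline


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~4-5 for text, exactly 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def name_alternation(name: str) -> float:
    """Cheap proxy for a random-looking name: how often the stem switches between
    letters and digits. 'report_q1' scores low, 'f7k2' scores high."""
    stem = name.rsplit(".", 1)[0]
    chars = [c for c in stem if c.isalnum()]
    if len(chars) < 2:
        return 0.0
    switches = sum(1 for a, b in zip(chars, chars[1:]) if a.isdigit() != b.isdigit())
    return switches / len(chars)


def window_stats(events: list) -> dict:
    """events: [{'name': str, 'content': bytes}, ...] observed in one time window."""
    n = len(events)
    if n == 0:
        return {"changes": 0, "high_entropy": 0.0, "random_names": 0.0}
    hi = sum(shannon_entropy(e["content"]) > ENTROPY_THRESHOLD for e in events)
    rn = sum(name_alternation(e["name"]) > NAME_SCORE_THRESHOLD for e in events)
    return {"changes": n, "high_entropy": hi / n, "random_names": rn / n}


def is_anomalous(stats: dict, baseline_changes: float) -> bool:
    """Flag only when volume AND randomness are both abnormal, so a legitimate
    bulk job (many changes, ordinary content) does not trip the detector."""
    burst = stats["changes"] > RATE_MULTIPLIER * baseline_changes
    random_looking = stats["high_entropy"] > 0.5 or stats["random_names"] > 0.5
    return burst and random_looking


def monitor(windows: list, baseline_changes: float,
            on_detect: Callable[[int, dict], None]) -> list:
    """Return indexes of flagged windows, calling on_detect for each one."""
    flagged = []
    for i, events in enumerate(windows):
        stats = window_stats(events)
        if is_anomalous(stats, baseline_changes):
            flagged.append(i)
            on_detect(i, stats)
    return flagged


# Constructed sample data.
TEXT = b"Quarterly revenue figures for the northern region, draft three.\n" * 16
CIPHER_LIKE = bytes(range(256)) * 4   # every byte value equally frequent: entropy 8.0


def normal_window() -> list:
    return [{"name": f"report_q{k}.docx", "content": TEXT} for k in range(8)]


def bulk_job_window() -> list:
    """Many changes but ordinary names and content, e.g. a month-end batch."""
    return [{"name": f"invoice_{k}.pdf", "content": TEXT} for k in range(60)]


def attack_window() -> list:
    """Many files rewritten with ciphertext-like content and random-looking names."""
    return [{"name": f"{chr(97 + k % 26)}{k % 10}{chr(98 + k % 25)}{(k * 3) % 10}.locked",
             "content": CIPHER_LIKE} for k in range(60)]


def demo() -> list:
    """Run the monitor over three windows; returns the indexes that triggered the hook."""
    windows = [normal_window(), bulk_job_window(), attack_window()]
    triggered = []
    # In a real system this hook would take a protective snapshot of the dataset.
    monitor(windows, baseline_changes=8, on_detect=lambda i, s: triggered.append(i))
    return triggered
```

Requiring both a volume spike and a randomness signal is what keeps the false-positive rate usable: compression jobs and media imports also produce high-entropy writes, and batch processes produce bursts of changes, but few legitimate workloads do both at once across a whole dataset.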

A number of storage suppliers now offer tools that use AI to detect anomalies.

Dell uses PowerStore’s Data at Rest Encryption as well as snapshots to protect against ransomware. IBM Storage FlashSystem creates snapshots that are automatically separated from production environments.

NetApp claims to be the first supplier to have AI-powered malware detection at the storage layer, and offers immutable and indelible backups. Meanwhile, Pure’s Safemode snapshots are built into all the supplier’s products and managed through Pure1 with multifactor authentication and “four eyes” access control (two people need to authorise backup deletion).

Ransomware prevention measures in backup and recovery tools come from suppliers that include Veeam, Rubrik, Cohesity and Commvault, while some software suppliers, such as MongoDB, also offer immutable snapshots.
