Around the Storage Block
StorageExperts

Re: How can you build the most secure last line of defense against ransomware?

According to leading research firm Cybersecurity Ventures, every 14 seconds another business will become a target for a ransomware attack. What’s the best way to ensure that business isn’t yours?


In the time it takes you to read this article, twenty businesses will have been targeted by ransomware. That’s a shocking measure of the risk now posed by this pervasive threat to business continuity.

It’s no surprise that in a new report published in January 2020 by HPE and Enterprise Strategy Group (ESG), 60% of organizations reported experiencing at least one attempted ransomware attack in the last 12 months.[i] This is making security investment a top priority: 62% of companies surveyed by ESG expect to increase cybersecurity spending in 2020.

Why does ransomware create risk?

Essentially, ransomware is a business-interruption event that hits data and application availability. The reason why these incidents cause such concern for business and IT executives is the real threat that mission critical data assets might be destroyed or damaged in such a way that they cannot be easily or economically recreated. 

What are the costs of a ransomware attack?

Statistics on the cost of ransomware vary by company size and industry, but according to one Q4 2019 survey[ii], the average cost is estimated at around $84,000 USD per attack.

At the opposite end of the scale, the city of Baltimore, which suffered a crippling RobinHood cyberattack in May 2019, estimated the cost of dealing with the incident at around $18 million[iii]. And Swedish shipping firm A.P. Møller-Maersk reported estimated losses of $250-300 million following the NotPetya attack in June 2017.[iv]

In total, the combined potential 2019 cost of these unrelenting ransomware attacks has been estimated at $7.5 billion in the United States alone. The impacted organisations included 113 state and municipal governments and agencies, over 700 health care providers, and more than 1,200 schools[v].

An emerging cyber threat: criminals want your backups, too!

In many ways, ransomware attacks are akin to “logical data disasters,” or events in which data becomes corrupted, unusable, or lost. Reversing the effects of data loss is the traditional role of backup and recovery mechanisms.

It’s disturbing that one of the strategies now being adopted by criminals is to encrypt or erase your backup files to make it more difficult to sidestep the ransom demand.  In the HPE/ESG study, 60% of IT respondents reported concern that data protection copies could become infected or corrupted by cyber attack.


And this is no idle threat. Cybercriminals have been known to corrupt hypervisors and encrypt backup data using stolen credentials. It’s also crucial to recognize that data stored in the cloud is not immune: unauthorized network access to the cloud account can still lock you out of your data altogether. And if the hypervisor underlying a cloud environment is compromised, every system hosted on it is likely exposed to exploitation.

In late 2019, Virtual Care Provider Inc., which provides hosting and IT services to post-acute care facilities across the US, was hit by the Ryuk ransomware, subsequently locking access to patient data at 110 nursing homes.[vi]

In many ways, the cybercriminals’ most potent weapon in an attack is the network itself, which lets them reach and encrypt files on network servers, even those stored offsite. A report from security analysts Vectra[vii] in August 2019 suggested the most significant ransomware threat is malicious targeting of cloud service providers’ shared network files.

Building the most secure defense against ransomware

The obvious conclusion from all of this is that in an era of profound interconnectedness, some things still need complete physical separation from the rest of the network – i.e. they must be offline. Data protection and archive assets fall into this category. To be unaffected by ransomware, a truly “cyber-resilient” copy of data must meet much more stringent requirements. This is where “air gapping” and LTO tape technologies come into play.

Air gapping keeps an isolated copy of critical data off the network, with no direct network connection and ideally multiple recovery points. This guarantees that an uncompromised “golden copy” is always available for recovery. Isolating and segregating the infrastructure and the data is critical to optimizing incident response time and effectiveness. This is what defines “isolated recovery.”

LTO tape can be the ultimate longstop in your 3-2-1-1 backup plan – namely three copies of your data, on two different types of media, with at least one copy stored off-site and (crucially for defending against ransomware) one offline.
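As an added example (not part of the original post), this small Python check evaluates a backup inventory against the 3-2-1-1 rule above and models the backup-targeting behaviour the post describes, where every copy reachable over the network is lost and only air-gapped copies survive. The inventory, copy names and media labels are constructed, and the example assumes the production copy is listed and counts as one of the three copies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataCopy:
    """One copy of a dataset. offline=True means no network path reaches it (the air gap)."""
    name: str
    media: str            # e.g. "disk", "object", "lto-8"
    offsite: bool
    offline: bool
    recovery_points: int  # independent restore points held on this copy

def check_3_2_1_1(copies):
    """Evaluate each part of the 3-2-1-1 rule; returns {rule: passed}. Assumption of
    this example: the production copy is listed and counts toward the three copies."""
    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 offline": any(c.offline for c in copies),
    }

def failed_rules(copies):
    """Names of the 3-2-1-1 parts the inventory does not satisfy."""
    return [rule for rule, ok in check_3_2_1_1(copies).items() if not ok]

def surviving_copies(copies):
    """Model the backup-targeting behaviour the post describes: any copy reachable over
    the network is treated as encrypted or erased, even offsite; only air-gapped copies remain."""
    return [c.name for c in copies if c.offline]

def golden_copy_available(copies, min_points=2):
    """True if an air-gapped copy with multiple recovery points exists (the 'golden copy')."""
    return any(c.offline and c.recovery_points >= min_points for c in copies)

# Constructed sample inventory (not from the post): a 3-2-1 setup that replicates
# offsite over the network but keeps nothing offline.
INVENTORY = [
    DataCopy("production-san", "disk", offsite=False, offline=False, recovery_points=1),
    DataCopy("local-snapshots", "disk", offsite=False, offline=False, recovery_points=14),
    DataCopy("cloud-replica", "object", offsite=True, offline=False, recovery_points=7),
]
# The same inventory plus the post's fourth "1": an offline LTO-8 copy in a vault.
INVENTORY_WITH_TAPE = INVENTORY + [
    DataCopy("lto8-vault", "lto-8", offsite=True, offline=True, recovery_points=4),
]

if __name__ == "__main__":
    for label, inv in (("without tape", INVENTORY), ("with tape", INVENTORY_WITH_TAPE)):
        print(label, failed_rules(inv), surviving_copies(inv), golden_copy_available(inv))
```

The first inventory passes 3-2-1 yet leaves nothing to restore from once network-reachable copies are hit; adding the offline tape copy is what changes the outcome.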

Conclusion

According to multiple analyst reports (IDC[viii], ESG[i]), LTO tape is the most cost-effective long-term solution for storing cold data. For example, an HPE StoreEver MSL340 tape library with 500 TB of LTO-8 capacity costs less than $30,000. But more pertinently, it’s the only LTO that truly isolates more strategically important production data from a ransomware attack.

Businesses that adopt a multi-layer data storage strategy, including LTO tape, will be best equipped to recover quickly -- not just from a ransomware attack, but from any action or event that puts the integrity of data at risk.

“Tape systems provide a great set of options to deliver isolated recovery capabilities at scale, and hyperscale, with a cost profile that cannot be matched by disk-based technologies. With a very desirable cost profile, and virtually unlimited scale, tape is poised to continue its “rebirth.” Its inherent strengths become more vital in contemporary IT, rather than less.” (Leveraging tape to combat ransomware with HPE StoreEver, Enterprise Strategy Group, January 2020)

For more information, please check out:

[i] Source: Enterprise Strategy Group, January 2020

[ii] Source: Coveware Ransomware Marketplace Report, Q4 2019

[iii] Source: City of Baltimore briefing, June 2019

[iv] Source: A.P. Møller-Maersk Annual Report, 2017

[v] Source: Emsisoft, January 2020

[vi] Source: KrebsOnSecurity, November 2019

[vii] Source: Vectra, August 2019

[viii] Source: IDC “Tape and Cloud: Solving Storage Problems in the Zettabyte Era of Data”, June 2019


Meet Around the Storage Block blogger Andrew Dodd, HPE Storage Media.

You can follow him on Twitter @tapevine

About the Author

StorageExperts

Our team of Hewlett Packard Enterprise storage experts helps you to dive deep into relevant infrastructure topics.

Comments

Not a bad article to begin your cyber recovery journey (3-2-1-1 rule, mention of air gap, etc.) but not everyone has LTO-8 drives, and even if they do, how do you rapidly recover 1000’s of physical servers with petabytes of data in a meaningless amount of time? A single tape can run one restore job at a time, and it’s not common that firms have 100’s of tape drives, hence sole reliance on tape technology as a cyber recovery platform is risky and is unlikely to provide timely reconstruction.

You're right - every part of the 3-2-1 rule has its place. If your local snapshots have been hit with ransomware, then your fastest recovery methodology doesn't do you much good. Typically, a ransomware attack doesn't affect everything, so it's not like you have to recover thousands of VMs or servers.

The fact remains that you can't target tapes sitting offsite with ransomware. BTW, another protection is using HPE StoreOnce with the StoreOnce Catalyst API. Since it's an HPE API, they haven't ever been able to get to StoreOnce Backup data when using Catalyst. 

So the right media for the right job, right?

It depends on the severity of the attack.  In the event of a disaster affecting thousands of hosts, similar to the kind of NotPetya incident that affected Maersk, the steps to fully recover the network would be both sophisticated and strategic.  In the case of Maersk, they nearly lost their domain controllers for the entire global network; only one copy remained in a branch office server in Ghana that had been knocked offline by a power failure prior to the attack.  Having comprehensive master copies of information on tape closer to the strategic centre of any ransomware recovery attempt would greatly assist IT organisations in rebuilding their infrastructure without having to contemplate paying a ransom.

But in reality, a typical ransomware attack affecting midsize corporations, or SMBs, is likely to be more localised and opportunistic.  A midrange tape library with just a handful of drives is still capable of extremely high data throughput in terms of helping to access the data needed to rebuild infected machines.  And again, having offline, uncorrupted, copies of data at hand will greatly assist IT teams tasked with restoring essential systems.  Increasingly, cyber criminals are targeting backup data by using stolen password credentials to access backup domains and encrypt storage files like VM snapshots and backups.  But an airgap thwarts this approach.

I am all in favour of a mixed approach to cybersecurity but to my mind, it's like a circular fort. You need a ring of defences and have to assume that some or all of the outer ones may fall due to user mistake and/or criminal ingenuity. Data stored offline on LTO tape (not just LTO-8, but cheaper versions LTO-5 thru' LTO-7 also) is a very effective last line of defence when all else fails. Sadly, the prevalence of news stories describing how another victim paid a ransom to unlock their data suggests this is all too common.