By Russ Kennedy, Nasuni
Ransomware attacks are climbing at an alarming rate and there’s no end in sight. In 2021, there were more than 600 million attacks globally, according to SonicWall — a 105% increase over 2020 and triple the number seen in 2019. All predictions point to a continued upsurge in these crimes, with a growing focus on vulnerabilities in the supply chain.
Many of the enterprises targeted are choosing to pay up when cybercriminals encrypt their data. Colonial Pipeline is a highly publicized case in point. Last year, the oil and gas giant forked over $4.4 million when a ransomware attack paralyzed its pipeline, which provides nearly half of the East Coast’s fuel supply. Even after paying the ransom, it took the company almost a week to restart operations.
Some might question why any large enterprise would pay an outrageous ransom rather than use backups to recover critical data. In an interview with NPR, Colonial Pipeline CEO Joe Blount said the company concluded that paying for the decryption key was the fastest route to recovery. Though they hated to give in “to these contemptible criminals,” they recognized that it would have taken far longer to fully restore compromised data from backups. The delay in getting fuel flowing again would have harmed the American public, Blount said.
Therein lies the problem with relying on backup software as the primary, or sole, defense against ransomware attacks: Recovery can be a slow, painful process, and it can take months to resume full operation. Such extensive delays take a huge toll on a business’s bottom line, its reputation, and its customers. Clearly, backup systems are no longer an adequate defense.
No Company Is Immune
This isn’t a theoretical problem. At some point, most businesses will be hit by ransomware. All it takes is one employee falling for a phishing scheme and downloading malware. The breach doesn’t even have to occur within a company. A vulnerability in a supplier or customer can give cybercriminals access to everyone in the supply chain, so even large, well-protected enterprises can fall victim.
Once downloaded, the malicious software will stealthily work its way throughout the network, encrypting files and volumes as it spreads, then locking users out. It takes about 10 days, on average, until IT learns of the breach, and by then the damage is done.
Obviously, the best defense is to prevent infiltration in the first place. But if, or when, an attack inevitably succeeds, the focus must switch to recovery. IT teams generally turn to their backup systems, but they’re hardly a panacea. The whole file system must be rolled back to a point before infiltration, meaning all data produced since the breach is lost, whether it was infected or not. Copying over clean files to a restored server to move them back into production is laborious and time-consuming, and rebuilding a file server housing many terabytes of data can take weeks, even with the fastest data transfer speeds. And if malware infected the backup files before the breach was found, even the restored files are useless.
There is an alternative to traditional file backup — file system versioning. But it, too, has shortcomings. Block-based versioned storage area networks (SANs) can keep only a certain number of versions or snapshots, so they’re effective only if the infiltration took place just a few days earlier. With most attacks undetected for a week or more, many companies have no option but their backup systems.
A Cloud-Based Solution
Better options do exist, however. Cloud-based versioned file systems have no limit to the number of versions they can store, so it doesn’t matter how long ago a breach occurred. These systems also offer superior security, because backups can be stored as immutable objects that can’t be encrypted by malware. Though file data might not seem compatible with object storage, sophisticated software and storage snapshot technology make it possible to give an object-based cloud-native file system the look and feel of a traditional file share.
Recoverability is enhanced as well. Data doesn’t move around, so it can be recovered immediately, without recopying files and repopulating file servers. Additionally, IT doesn’t have to roll back the entire system to a point before the attack. Instead, they can revert each system only as far as needed. While systems hit first by the malware may lose a full week of work, those affected later may be rolled back far less, saving a lot of healthy data. Thus, the recovery process can be completed in a matter of hours, rather than weeks, and the amount of clean data lost can be dramatically reduced.
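The difference between a capped snapshot history and per-system rollback over an unlimited one can be worked through in a short script. This is an added example, not code from the article or from any product; the server names, dates, daily snapshot schedule and the 7-version cap are constructed assumptions.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

DETECTED = datetime(2022, 3, 11, 9, 0)  # constructed: when IT notices the attack
# Constructed history: one snapshot per day at midnight for the 30 days before detection.
SNAPSHOTS = [datetime(2022, 3, 11) - timedelta(days=d) for d in range(29, -1, -1)]
# Constructed first-encryption times (hypothetical servers); fs-hq is hit
# 10 days before detection, fs-branch only when the malware reaches it later.
COMPROMISED = {
    "fs-hq": DETECTED - timedelta(days=10),
    "fs-branch": datetime(2022, 3, 8, 15, 0),
}


def retain_last(snapshots, keep=None):
    """Model a store that keeps only the newest `keep` versions (None = unlimited)."""
    return list(snapshots) if keep is None else snapshots[-keep:]


def restore_point(snapshots, compromised_at):
    """Latest retained snapshot taken strictly before the compromise, or None."""
    i = bisect_left(snapshots, compromised_at)
    return snapshots[i - 1] if i else None


def plan(keep=None):
    """Return (per-system restore points, single whole-system restore point)."""
    retained = retain_last(SNAPSHOTS, keep)
    per_system = {name: restore_point(retained, t) for name, t in COMPROMISED.items()}
    # A whole-system rollback must go back before the earliest compromise anywhere.
    whole = restore_point(retained, min(COMPROMISED.values()))
    return per_system, whole


if __name__ == "__main__":
    for keep in (None, 7):
        per_system, whole = plan(keep)
        print(f"retention={'unlimited' if keep is None else keep}")
        print(f"  whole-system rollback -> {whole or 'no clean version retained'}")
        for name, point in per_system.items():
            if point is None:
                print(f"  {name}: no clean version retained")
            else:
                saved = point - whole if whole else None
                print(f"  {name}: restore {point} (clean data kept vs whole rollback: {saved})")
```

With unlimited history, fs-branch is restored to a point seven days later than a whole-system rollback would allow; with only seven versions retained, fs-hq has no clean version left at all.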
Hybrid infrastructure is usually required to eliminate latency and ensure performance with a cloud-based system for production files. But protection against attacks is strong. Local devices need only a copy of the working set that is synchronized with the gold copy in the cloud. So, if one appliance is hit with ransomware, IT simply points it back to the most recent clean version of the file system.
With a cloud-based file versioning system, businesses can quickly recover from ransomware attacks or other disasters, whether manmade or natural, often in a matter of minutes or hours. That’s something traditional backup simply can’t offer. Given the likelihood that ransomware isn’t going away anytime soon, enterprises must rethink their strategies and update their defenses.
About The Author
Russ Kennedy is chief product officer at Nasuni, which provides a file services platform built for the cloud. Before Nasuni, Kennedy directed product strategy at Cleversafe through its $1.3 billion acquisition by IBM. Earlier in his career, Russ served in a variety of product management and development roles, most notably at StorageTek (acquired by Sun Microsystems), where he brought several industry-leading products to market.
An avid cyclist and hiker, Kennedy resides in Boulder, Colorado with his family. He has a BS degree in Computer Science from Colorado State University and an MBA degree from the University of Colorado.