Rich Vining

Ransomware: Fending off the "DataNappers"

Blog Post created by Rich Vining on Jul 25, 2016

Original post: 25 July 2016

Updated: 16 May 2017

 

I am often amused by the 2 industry definitions of "data protection". I have been focused on the side that protects data from bad things by making a copy of the data and restoring it. Today, I'm pleased to jump the fence and talk a bit about the other side, protecting data from bad people through data and system security.

 

You arrive at the office in the morning, log in, and realize that something isn’t right. Your system is running, all of your programs are opening, but none of your data is there. Then a window pops up on your screen that says, “If you want your data back, you must pay us …”. You or one of your colleagues must have clicked on a bad Internet link that downloaded a malware virus into your environment. Overnight, this virus crawled through your network, encrypting any data files that it found, including your on-line backup files, and these files are now being held, still within your systems, for ransom. The offer is that once you pay the ransom, you receive the encryption key that unlocks your data.

 

Terror starts to set in. You don’t know how long this virus has been in your systems, how much of your data has been impacted, or how to get it out.

 

Obviously, losing access to your data would be a critical, or even terminal, event for most organizations. But it gets really serious when the infected organization is a bank, a hospital or a government agency. Consider the case of the WannaCry (or WannaCrypt) virus, which has infected hundreds of thousands of Windows systems in more than 150 countries, crippling the UK health system and FedEx.

 

This kind of malware, also known as a crypto-locking virus, is a problem that is exploding around the globe. The ransom demand may be for thousands or even millions of US dollars and paid in Bitcoin, which makes tracking the transaction (and the perpetrators) impossible.

 

CNN recently ran an early story on this plague: http://money.cnn.com/2016/04/04/technology/ransomware-cybercrime/

 

Once your organization is infected by ransomware, you basically have 3 options:

  1. Pay the ransom and pray you receive the decryption key, and also pray that this never happens again
  2. Spend days or weeks restoring your data from off-line backups (if they exist), and then re-create any new data created since the last off-line backup was created (if that is possible)
  3. Simply give up and walk away

 

Per the CNN report, it is assumed that most organizations choose option 1, though they don’t announce this publicly for obvious reasons. However, in the case of WannaCry, there is no evidence that paying the ransom results in the unlocking of any data.

 

Prevention is the Best, but not the Only Option

 

Having a strong anti-virus capability, coupled with strong on-line behavioral procedures for employees, can be somewhat effective in avoiding being infected by ransomware. But these "datanappers" and other bad guys are continually developing new ways to fool the software and the humans in order to gain access to your data. Their playbook is to study the widely documented “best practices” and find ways around them.

 

A global registry of known crypto-locking viruses is maintained here: https://ransomwaretracker.abuse.ch/blocklist/

 

Some experts in the field recommend using an “air gap” approach, where the system that is holding the copy of the data is physically separated from the network. This makes sense, except that the protection system needs to be connected periodically to copy new data, which is time that it will be at risk of infection (and the bad guys are aware of this). Also, it may take days or even weeks to copy the data back to your production systems. The financial impact during this downtime is probably worse than paying the ransom.

 

So you also need a fast and effective recovery capability that does not include paying ransom. And you need one that keeps a copy of your most recent data out of band from ordinary application control and backup-system control, protected even from potentially rogue employees.

 

Customers of Hitachi Data Systems have had this capability, built right into the basic operating systems of their storage arrays, for many years. It is a microcode technology that allows any data volume on disk to be locked for a defined period of time. During this retention period, nobody can change or delete the data in the protected volume – not database administrators, storage administrators, backup administrators, or even Hitachi engineers. And certainly not the crypto-virus. You can read from the time-locked volume (a.k.a. recover from it), but you can’t change it.

 

(The only way to impact volumes that are protected with this solution is by physically damaging the storage system or its disk drives, but this implies a different type of security problem.)

 

It is not appropriate to apply this locking mechanism to your live production data – you wouldn’t be able to conduct new business this way. Instead, the solution is to apply the time lock to an array-based copy of the data volume, which is created using the array’s highly-efficient, scalable snapshot or cloning capabilities. If, or when, your data is encrypted by ransomware, you simply restore from the snapshot or clone back to the original volume, and you are back up-and-running within a few minutes regardless of the size of the data.

 

A Custom Solution Approach

 

The needs of each organization are different, and HDS provides the flexibility and the expertise to custom build and configure a solution for any situation, defending against ransomware across the various scenarios of infiltration. Large HDS customers, including financial and medical organizations, are using a fairly simple policy to protect against ransomware, and many other threats that could affect their data: create a time-locked snapshot once per week, with a lock period of 14 days. With this policy, they always have 2 copies of their data protected and available, and the worst-case recovery point is 7 days ago. These time settings can be adjusted as needed, depending on your individual tolerance to data loss.
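The following is an added illustration written for this post, not Hitachi Data Systems code and not an HDS array interface: a small model of the time-locked snapshot mechanism from the previous section together with the "weekly snapshot, 14-day lock" policy just described. The Array and Snapshot classes, the file names, the dates and the attack timing are all assumptions made up for the example. It goes one step beyond the text by also reporting what a weaker policy gives you: a lock shorter than two intervals leaves only one protected copy at the rollover, and a lock shorter than the interval leaves windows with no protected copy at all.

```python
# Added example: model of retention-locked snapshots and the weekly/14-day policy.
# Not HDS code; all names, sample files and dates below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


class LockedVolumeError(Exception):
    """Raised when anything tries to change or delete data that is under retention lock."""


@dataclass
class Snapshot:
    taken_at: datetime
    lock_until: datetime
    data: dict  # path -> contents (constructed sample data)

    def locked(self, now: datetime) -> bool:
        return now < self.lock_until


@dataclass
class Array:
    """Storage-array model: one production volume plus its time-locked snapshot copies."""
    production: dict
    lock_period: timedelta
    snapshots: list = field(default_factory=list)

    def take_snapshot(self, now: datetime) -> Snapshot:
        snap = Snapshot(now, now + self.lock_period, dict(self.production))
        self.snapshots.append(snap)
        return snap

    def delete_snapshot(self, snap: Snapshot, now: datetime) -> None:
        # The lock is enforced by the array itself, so no host-side role (DBA, storage or
        # backup admin, or malware running as any of them) can remove a locked copy.
        if snap.locked(now):
            raise LockedVolumeError(
                f"snapshot {snap.taken_at:%Y-%m-%d} locked until {snap.lock_until:%Y-%m-%d}")
        self.snapshots.remove(snap)

    def protected_copies(self, now: datetime) -> list:
        return [s for s in self.snapshots if s.locked(now)]

    def restore_latest(self, now: datetime) -> timedelta:
        """Copy the newest locked snapshot back over production; return the recovery-point age."""
        copies = self.protected_copies(now)
        if not copies:
            raise LockedVolumeError("no locked snapshot available to restore from")
        newest = max(copies, key=lambda s: s.taken_at)
        self.production = dict(newest.data)
        return now - newest.taken_at


def policy_coverage(interval_days: int, lock_days: int,
                    horizon_days: int = 70, step_hours: int = 1) -> tuple:
    """Walk a snapshot schedule hour by hour, once the first lock period has elapsed, and
    return (fewest locked copies seen, oldest age in hours of the newest locked copy)."""
    interval, lock, step = (timedelta(days=interval_days), timedelta(days=lock_days),
                            timedelta(hours=step_hours))
    start = datetime(2017, 5, 1)  # constructed start date
    arr = Array({}, lock)
    now, next_snap = start, start
    fewest, worst_age = None, timedelta(0)
    while now <= start + timedelta(days=horizon_days):
        while next_snap <= now:  # take every snapshot that is due
            arr.take_snapshot(next_snap)
            next_snap += interval
        if now >= start + lock:  # steady state: the first copies have started expiring
            copies = arr.protected_copies(now)
            fewest = len(copies) if fewest is None else min(fewest, len(copies))
            if copies:
                worst_age = max(worst_age, now - max(s.taken_at for s in copies))
        now += step
    return fewest, worst_age.total_seconds() / 3600


def ransomware_drill() -> dict:
    """Constructed scenario: two weekly locked snapshots, then an encryption event on day 10."""
    t0 = datetime(2017, 5, 1)
    arr = Array({"ledger.db": "balances v1", "report.docx": "Q1 report"}, timedelta(days=14))
    arr.take_snapshot(t0)
    arr.production["ledger.db"] = "balances v2"
    arr.take_snapshot(t0 + timedelta(days=7))
    arr.production["report.docx"] = "Q1 report, revised"  # change made after the last snapshot

    attack = t0 + timedelta(days=10)
    for path in arr.production:          # the production volume gets scrambled ...
        arr.production[path] = "<<encrypted>>"
    blocked = 0
    for snap in list(arr.snapshots):     # ... but the locked copies cannot be removed
        try:
            arr.delete_snapshot(snap, attack)
        except LockedVolumeError:
            blocked += 1
    age = arr.restore_latest(attack)     # roll production back from the newest locked copy

    # Once its lock expires (day 14), the oldest copy can be reclaimed as normal housekeeping.
    arr.delete_snapshot(arr.snapshots[0], t0 + timedelta(days=15))
    return {"blocked_deletes": blocked, "recovery_point_age_days": age.days,
            "restored": dict(arr.production), "copies_after_expiry": len(arr.snapshots)}


if __name__ == "__main__":
    print("weekly snapshot, 14-day lock:", policy_coverage(7, 14))
    print("weekly snapshot, 7-day lock: ", policy_coverage(7, 7))
    print("drill:", ransomware_drill())
```

Running the block prints the coverage of the two policies and the drill result: with the weekly/14-day policy there are never fewer than 2 locked copies and the newest copy is at worst just under 7 days old, while the drill shows both delete attempts refused, production rolled back to the day-7 copy (losing only the 3 days of changes made since), and the expired copy reclaimable afterwards.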

 

[Figure: Ransomware architecture]

Multi-site Configurations

 

A large percentage of HDS storage customers leverage the built-in remote copy capabilities of Global-Active Device (active-active storage clustering), TrueCopy (synchronous replication) and Universal Replicator (asynchronous replication), to assure business continuity and disaster recovery. The HDS solution against ransomware, as discussed above, can also be implemented at these remote sites and systems, to provide not only logical but also physical separation of the protected data volumes. HDS supports 2- and 3-site replication configurations, with zero data loss, to provide customers with the ultimate in flexibility and protection of data against multiple scenarios of data corruption.

 

Additional Considerations

 

Different data types have different value to the organization, and should have different levels of protection. The technology described above is an excellent solution for the core applications and data that run the business. But what about historical data and user data? Hitachi Data Systems has ransomware answers for them as well.

  • Hitachi Content Platform (HCP) is a highly-scalable object storage system that is often used for data archiving. It includes a true Write Once Read Many (WORM) mode that completely protects archived data from being changed or deleted for the policy-defined retention period. Moving static data to a WORM-based archive makes good business sense for many reasons, and protection against malware is one of them.
  • Another product which is part of the HCP portfolio is HCP Anywhere. It is a secure, in-house, file sync and share solution that includes end-point protection capabilities. HDS customers have used HCP Anywhere to quickly restore employee workstations and laptops following a ransomware attack.

 

Conclusion

 

If your IT environment has any access to the Internet, you should be worried about ransomware. There is no way yet to stop it and it is next to impossible to catch the criminals that are perpetrating it. You can try to protect your company with the latest anti-virus software and through strong employee training, but you can’t stop the risk completely. The bad guys are always a step ahead, and finding new ways to get at your data is the business model for these ransomware criminals. But you can mitigate it with an ability to quickly and effectively recover when your systems are infected, through the hardened, proven, enterprise-class capabilities built into HDS storage arrays.

 

The ransomware solution that is built into HDS storage arrays:

  • Moves control away from the user of the technology to the protector of the data – a church versus state separation concept
  • Is part of our technology DNA; we did not build it as a reaction to current market needs
  • Is suited for the largest enterprises where the risks are enormous
  • Is a customized solution developed with select few people in your company, not a mass marketed approach

 

To learn more, please contact your local HDS sales office, Business Partner, or DP-Sales@hds.com

 

Rich Vining is a Sr. Product Marketing Manager for Data Protection at Hitachi Data Systems and has been publishing his thoughts on data storage and data management since the mid-1990s. The contents of this blog are his own.
