During the Easter holiday weekend of 2015, a “Dad’s Army” of criminals in their 60s and 70s netted an estimated £25 million in gold, jewels and cash when they burgled the Hatton Garden Safe Deposit Company in London. The gang chose Easter weekend because the public holiday gave them a four-day window in which to gain access, drill through walls and open safe deposit boxes.
I know what you’re thinking – what’s that got to do with ransomware?
The robbers had access to the building where the safe deposit box vault resided for four days, giving plenty of time to carry out their work. In a ransomware attack, this period is known as “dwell time” and understanding it is key to being able to recover from such an incident. Dwell time runs from the time the attacker first breaches the firewall to when they reveal themselves and demand ransom from the victim.
Ransomware attacks follow a well-known pattern
Initially there’s a campaign phase. Here employees are targeted with phishing emails that contain links to malware or attackers scan for vulnerabilities in internet-facing systems. Whatever the means employed, this phase is about finding a victim and establishing means of entry.
Intrusion comes next. For ransomware attackers, getting inside the firewall is what unlocks the rest of the process, and it is the point at which dwell time begins. Once inside the firewall, ransomware attackers gather credentials for deeper access and begin to move laterally around the victim’s systems, often using tools that rely on legitimate protocols such as RDP (remote desktop protocol) to work remotely and establish command and control. At this stage they identify sensitive data and start to deploy software payloads to carry out the execution phase, in which encryption and exfiltration of data takes place.
If we assume it is almost impossible to keep determined attackers out, the key to resisting a ransomware attack is the ability to restore systems to a state from before dwell time started, and to do so rapidly. That means taking snapshots and backups, and being able to restore from them quickly.
Snapshots provide a record of the system state and data taken at frequent intervals during the working day, allowing a victim to restore to a previous configuration with a high degree of granularity. Snapshots are designed to be taken with minimal impact on production systems so are often stored on or close to primary storage. That means data can usually be restored from snapshots quickly too. An organisation may keep snapshots dating back a month or two.
Backups are usually retained for much longer periods and copies are made less frequently, usually during regular backup windows outside working hours. They are almost always staged off to secondary storage and can be more time-consuming to restore from.
If circumstances allow – in particular, if dwell time has been short enough – snapshots are the most effective way to recover from ransomware because they can be restored rapidly. That is as long as they have not been sabotaged by the ransomware attackers.
Snapshots need to be immutable
As traditionally implemented, snapshots are read-only, so they are immutable in one sense. Ransomware gangs know this, however, and will instead attempt to delete or move them. Customers therefore need to look for providers whose snapshots cannot be deleted and which an intruder cannot prevent from being moved elsewhere, for example for recovery.
Further safeguards customers can specify are snapshots that use multi-factor, PIN-based authentication by multiple members of an IT team as well as the ability to set a snapshot retention policy and allowed destinations.
Snapshots are the go-to method of restoration if ransomware dwell times are relatively short. But they may not be. It’s possible for ransomware attackers to spend several months inside the firewall snooping around, installing malware, and corrupting files. If that’s the case it’s more likely you’ll need to restore from backups.
Whichever you need to restore from – snapshots or backups – a key requirement will be to recover your data quickly so that production can be resumed. The key here lies in the storage you use to retain your data protection copies. In other words, it needs to support rapid restore speeds.
So, what type of storage products are best suited to retaining snapshots and backups and – crucially – are able to offer rapid restore performance? Firstly, customers need to look at those that offer solid state storage and can handle unstructured – file and object – data. But not just any solid state storage will do.
The newest generations of NAND flash have powered the emergence of storage arrays that bring extremely high capacity and speed of access. That means storage arrays with TLC or QLC flash that offer high capacity at a cost per terabyte that gets close to that of spinning disk HDDs.
Secondly, customers need to check throughput performance. The highest-performing solid state storage arrays currently available will provide more than 270TB per hour throughput. That’s enough to get most organisations back online very rapidly, but not many storage suppliers can provide this level of throughput, so be sure to check spec sheets.
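As an added example (not from the original post), the following Python models the recovery-point decision described above: pick the newest immutable copy taken before dwell time began, preferring snapshots while they still cover the intrusion window and falling back to backups when dwell time has outlived snapshot retention or the snapshots have been sabotaged, then estimate restore time from the array’s throughput. The snapshot and backup catalogue, retention periods, 40 TB data volume and the throughput figures used are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Copy:
    """One data-protection copy: a snapshot on primary storage or a backup on secondary."""
    kind: str          # "snapshot" or "backup"
    taken: datetime    # when the copy was made
    immutable: bool    # False if an intruder could have deleted or moved it
    size_tb: float     # data volume that must be read back to restore it

def build_catalogue(now: datetime, snapshots_immutable: bool = True) -> List[Copy]:
    """Constructed catalogue (assumption, not a real environment): hourly snapshots
    kept for 60 days and nightly 02:00 backups kept for 365 days, 40 TB each."""
    copies = [Copy("snapshot", now - timedelta(hours=h), snapshots_immutable, 40.0)
              for h in range(60 * 24)]
    for d in range(365):
        night = (now - timedelta(days=d)).replace(hour=2, minute=0, second=0, microsecond=0)
        if night < now:
            copies.append(Copy("backup", night, True, 40.0))
    return copies

def choose_recovery_point(copies: List[Copy], intrusion_at: datetime) -> Optional[Copy]:
    """Newest immutable copy taken strictly before dwell time began. Snapshots win because
    they restore fastest; backups are used only when no trustworthy snapshot predates the
    intrusion. None means retention was shorter than dwell time: no clean copy is left."""
    clean = [c for c in copies if c.immutable and c.taken < intrusion_at]
    if not clean:
        return None
    snapshots = [c for c in clean if c.kind == "snapshot"]
    return max(snapshots or clean, key=lambda c: c.taken)

def restore_hours(copy: Copy, throughput_tb_per_hour: float) -> float:
    """Best-case restore time: data volume divided by sustained restore throughput."""
    return copy.size_tb / throughput_tb_per_hour

def recovery_plan(dwell_days: int, snapshots_immutable: bool = True,
                  throughput_tb_per_hour: float = 270.0) -> Optional[Tuple[str, str, float]]:
    """Worked scenario on the constructed catalogue: (kind, taken as ISO string, hours)."""
    now = datetime(2024, 6, 1, 9, 0)  # constructed "now" for the scenario
    point = choose_recovery_point(build_catalogue(now, snapshots_immutable),
                                  now - timedelta(days=dwell_days))
    return None if point is None else (point.kind, point.taken.isoformat(),
                                       restore_hours(point, throughput_tb_per_hour))

if __name__ == "__main__":
    for dwell in (10, 90, 400):           # short dwell, long dwell, beyond all retention
        print(dwell, "days dwell:", recovery_plan(dwell))
    print("snapshots sabotaged:", recovery_plan(10, snapshots_immutable=False))
```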
Combine immutable snapshots and regular backups with rapid restore for the ultimate ransomware defence
The best defence against ransomware centres on being able to turn back the clock to before dwell time commenced. And the best way to do that is with very high capacity storage that offers blistering throughput performance, so that you can restore from it quickly.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.