Ransomware is More Than a Cybersecurity Issue

Ransomware attacks are filling headlines. Now reaching unprecedented levels, the ransomware crescendo is part of the surge in cyber-attacks that became a side effect of the COVID-19 pandemic.

The rise of ransomware attacks has understandably been a cybersecurity challenge, and prevention is the current focus of many conversations.

But there are operational disruptions to consider – especially as agencies rely on the integrity of files for big data analysis. Even with air gaps and secure networks, odds are increasing that a government agency will be hit at some point, necessitating a strategy that maintains cyber resilience and minimizes the disruption to data integrity that will inevitably follow a successful attack.

There’s got to be a better way to minimize the impact of ransomware attacks, and object storage technology is one option to consider.

Attack Anatomy: Timing is Crucial

In a ransomware attack, an executable script or program runs and encrypts your data, and a ransom is demanded for the encryption key.

There are two possible ways this happens: a user inside the network opens a bad file or link that immediately executes a harmful payload, or a malicious file that’s been lying in wait for months to bypass restore capabilities executes upon a trigger event. There are significantly different operational impacts resulting from each.

Although shocking and disruptive, the first situation often has limited impact that can be quickly remedied. Modern IT infrastructure is designed with lots of redundancies for just these kinds of events. A reliable backup scheme and disaster recovery program will allow data to be restored to a specific recovery point in time – for instance, if an attack hit on Tuesday at noon, you can restore the backup from 11:58 a.m. You may lose two minutes of work, but the event is essentially erased and the mission can move on.

The second situation poses a much more challenging predicament. Someone inside the firewall knowingly or unknowingly loads a trojan file that was improperly scanned or otherwise not detected. Later, a trigger event will cause that file to execute its payload, encrypting a larger block of files. The attacker then demands payment for the decryption key to unlock the data.

Triggers are usually timed to happen beyond the backup window, which is typically limited to three to six months given the costs of storing today’s massive datasets. Also, because of how backup management works, the spacing between restore points widens over that time (to an hour, to a week, to a month, etc.), leaving fewer and fewer restore options. By the end of the backup window, there is no restore capability at all because the data is simply gone.

That is a big reason why time-delayed ransomware is becoming more dominant. Skilled attackers – whether a disgruntled insider, an organized crime operation, or a nation-state level actor – understand the backup window vulnerability and manipulate it to their advantage. As we’ve seen, without restore points, the victim’s choice is to pay the ransom or lose their data for good. Their recourse has been to expand backup and restore capabilities to a bigger time window, and at greater expense. But adopting a different kind of technology can render this danger moot.
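The restore-point thinning described above can be modelled directly. This is an added example, not part of the original article; the tier boundaries and the date are assumed values chosen to match the article's figures (a two-minute restore point, a window of about six months), and, following the article, a restore point counts as clean only if it predates the loading of the malicious file.

```python
from datetime import datetime, timedelta

# Assumed retention tiers (illustrative, not from the article):
# (keep restore points back to this age, spaced this far apart)
TIERS = [
    (timedelta(days=1), timedelta(minutes=2)),
    (timedelta(days=7), timedelta(hours=1)),
    (timedelta(days=30), timedelta(weeks=1)),
    (timedelta(days=180), timedelta(days=30)),
]

def restore_points(now, tiers=TIERS):
    """Restore points that survive thinning, newest first."""
    points, age = [], timedelta(0)
    for horizon, spacing in tiers:
        while age + spacing <= horizon:
            age += spacing
            points.append(now - age)
    return points

def clean_restore(now, loaded_at, tiers=TIERS):
    """Newest surviving restore point older than the malicious file, else None."""
    for point in restore_points(now, tiers):
        if point < loaded_at:
            return point
    return None

def work_lost(now, loaded_at, tiers=TIERS):
    """Time between the clean restore point and now; None if nothing is restorable."""
    point = clean_restore(now, loaded_at, tiers)
    return None if point is None else now - point

if __name__ == "__main__":
    noon = datetime(2024, 1, 2, 12, 0)  # constructed: a Tuesday at noon
    for label, dwell in [("immediate", timedelta(0)),
                         ("20-day delay", timedelta(days=20)),
                         ("200-day delay", timedelta(days=200))]:
        print(label, "->", work_lost(noon, noon - dwell))
```

Running the same function against an organization's real retention schedule shows how much work each dwell time would cost and the age beyond which no clean restore point survives.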

WORM: Effectively Manage the Data You Can’t Lose

WORM-based (write once read many) object storage technology has no executable files, prohibiting any corrupted files from executing while stored, and nullifying the triggers. All files are rendered immutable and cannot be modified. When a file is retrieved for use, it is accessed as read-only and transits a file share gateway to the user. In that process, should a corrupted file still manage to execute, the impact is limited to only that gateway point of access. Once in use, if the file is modified, it is stored as a new file version and in turn becomes immutable.

Object store’s file level deduplication capabilities also help contain data growth. For instance, if an email attachment is sent to fifteen recipients, in object storage only one copy is kept. That helps with the management of long-term data preservation, particularly valuable in an era where users love holding onto their files seemingly forever.
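The write-once versioning and file-level deduplication described in the two paragraphs above can be seen in a toy in-memory model. This is an added example, not code from the article or from any product; the `WormStore` class, its method names and the sample data are hypothetical.

```python
import hashlib

class WormStore:
    """Toy model of write-once object storage (hypothetical, not a product API)."""

    def __init__(self):
        self._blobs = {}     # sha256 hex digest -> bytes, written once
        self._versions = {}  # object name -> append-only list of digests

    def put(self, name, data):
        """Store data as a new version of name; return its 1-based version number."""
        digest = hashlib.sha256(data).hexdigest()
        self._blobs.setdefault(digest, bytes(data))  # identical content kept once
        history = self._versions.setdefault(name, [])
        history.append(digest)  # earlier versions are never replaced
        return len(history)

    def get(self, name, version=None):
        """Return the latest or a specific version as immutable bytes."""
        history = self._versions[name]
        if version is not None and not 1 <= version <= len(history):
            raise KeyError(f"{name} has no version {version}")
        digest = history[-1 if version is None else version - 1]
        data = self._blobs[digest]
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("stored object failed its integrity check")
        return data

    def blob_count(self):
        return len(self._blobs)

def demo():
    store = WormStore()
    attachment = b"quarterly report body (constructed sample)"
    for i in range(15):  # one attachment sent to fifteen recipients
        store.put(f"mailbox{i}/report.pdf", attachment)
    copies_kept = store.blob_count()

    # A client retrieves the file and a scrambled copy is written back:
    # it lands as version 2, and version 1 is still retrievable.
    original = store.get("mailbox0/report.pdf")
    scrambled = bytes(b ^ 0x5A for b in original)
    new_version = store.put("mailbox0/report.pdf", scrambled)
    recovered = store.get("mailbox0/report.pdf", version=1)
    return copies_kept, new_version, recovered == attachment

if __name__ == "__main__":
    print(demo())
```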

Large data lakes and Hadoop environments present prime opportunities for hiding time-delayed ransomware files. Because object store internal services guarantee that files won’t get corrupted, integrity is preserved and files remain usable for big data analysis and other operational purposes.

Preserving Data Preserves Mission Viability

Object store technology has come a long way from its traditional roots. Significant technological advances have transformed object store into a high-performance alternative to Network Attached Storage (NAS), and one that is far more secure.

Given the proliferation of ransomware and other cyber threats, it is not a question of if, but when, an agency will be hit. Rendering stored files immutable and inoperative will provide agencies with a unique and valuable option to securely manage their data – the lifeblood of their mission – stemming the operational disruption of a cyberattack for as long as that data is needed.

About Dave McCarty
Dave McCarty is the data intelligence business lead at Hitachi Vantara Federal, where he serves as the resident subject matter expert on Object Storage and On-Premise Cloud solutions and collaborates with federal partners to bring these technologies to the United States federal government.