Sidestep ransomware with immutable storage

Security tops the charts in terms of our customers concerns and is a major consideration for all of the IT industry. That’s not without cause – a failure in your cybersecurity is a major business risk, and as attacks get more and more common, you can no longer roll the dice to try and avoid being a target. Think of it this way: an attacker only needs to be successful once to compromise your system, but you need to be able to defend against them every time.

It’s not all doom and gloom, however. Security protections are getting smarter, recognising how cybercriminals operate and allowing you to sidestep attacks completely – immutable storage solutions are a key example of this. In this blog, we’ll take a look at why immutable storage is useful to ransomware protection, what it offers, and give you some useful tips for finding a solution that suits your needs.

The evolving threat of ransomware

Immutable storage is a solution which is perfect for mitigating the effects of ransomware attacks, so it’s important to understand the threat that ransomware poses – and that threat is undeniable. The number of ransomware attacks doubled between 2020 and 2021, the ransoms that attackers demand have increased, and attackers are getting access to new technologies all the time, making attacks increasingly more difficult to defend against. Ransomware has essentially gone through a process of natural selection – low impact, easily avoided ransomware attacks don’t catch on, but those that see success are quickly adopted by other cybercriminals. This trend is made all the more troubling by the rise of ransomware-as-a-service, which means attackers no longer need to develop their own tools before going on the offensive.

If you’re in the unfortunate position of being hit with a ransomware attack, you’re stuck in a difficult position. As mentioned earlier, the ransom an attacker will demand has increased over time – in 2021, the average payment was over £600,000 – and if you pay up, there’s no guarantee that attackers will honour their promises, as attackers may end up trying to extort you multiple times before decrypting your data, or may even disappear with the money and leave you with nothing. Paying up isn’t just expensive – as the UK National Cybersecurity Centre has warned, paying a ransom encourages attackers to keep up their attacks, and ask for more in the future. All told, when factoring in a ransom, the cost of investigation, regulatory fines, and the losses a ransomware attack can cause, an attack costs an average of £1 million – that’s not money any organisation can afford to lose.

To avoid being stuck in that bind, the solution is simple – ignore the attackers and restore your data from a backup. The “3-2-1” rule for backups is a central part of this – three copies of your data, saved on two different media, one of which is located in a different location – usually referred to as “air gapping”. Unfortunately, attackers have clocked on to that rule, and now actively look to infect backups in order to force their victims to pay up.

How can immutable storage help?

Rather than defending against ransomware attacks, immutable storage gives you assurance that you have accessible backups, so that after you’ve located and quarantined the threat, you can restore your data without needing to give in to an attacker’s demands.

Immutable storage stops attackers from being able to compromise your backups, storing data in a way that ransomware can’t encrypt or delete, giving you a strategy to avoid even the most sophisticated attacks. Files saved to immutable storage solutions are kept in write once, read many (WORM) formats – meaning that an attacker can’t edit or delete the files, giving you a reliable backup. Once you’ve quarantined the ransomware, these WORM files can be used to restore all the data you backed up, allowing you to go back to business as usual without the need to decrypt files. Of course, that first step is vital – often, attacks will compromise a “patient zero” – if the backup is restored without removing this patient zero from the system, then you’re simply starting the attack all over again. It’s also important to ensure that you aren’t restoring from a compromised backup – since the average attack is launched four months after an initial compromise, it’s usually a good idea to have at least 6 months of backup data to restore from.

So long as you can keep your immutable storage solution properly air gapped and maintained, and ensure backups are routinely saved to it, you’ll safeguard critical data at a fraction of the cost of paying a ransom. In this sense, we can think of immutable storage as allowing you to go further than the 3-2-1 rule to a 3-2-1+1 system – 3 copies of data, stored on 2 different media, one of which is stored in a different location, and secured using immutable storage. Immutability also provides a big benefit in compliance, as it gives you the ability to set up a reliable form of storage that can’t be edited or deleted, so you can guarantee the records you have are accurate.

Immutable storage comes in a wide range of different forms, but we can divide them into two broad categories – those which work in an on-premises or private cloud environment, and those which are hosted in the public cloud.

What should I look for in an immutable storage solution?

The first step in finding an immutable storage solution that works for you is to weigh up your options – both where the storage will be hosted, and what exactly the storage will look like. For public-cloud based solutions, a number of cloud providers offer immutable data storage, that stores data in a WORM format for a predefined length of time, such as the S3 object lock offered by AWS – these can be incredibly useful for ensuring you have accessible backups that aren’t kept on-premises but can also impose some limitations should you need to call on these backups. Since all your stored data needs to be redownloaded from the cloud, you might find your business being interrupted for a significant stretch of time when recovering from an attack.

If you do opt for the public cloud, it’s also important to make sure you aren’t keeping your immutable backup in the same cloud as your production data – it’s alarmingly common for organisations to have their backups stored in a different part of the same cloud they work in, meaning their backups are no longer air gapped – so if the cloud service suffers an attack, both data sets are going to be at risk.

If you’d rather employ immutable storage in your own environment, whether that’s on-premises or in a private cloud, you have a few options. The most straightforward of these are hardware solutions – these are storage devices which act in the same way as ordinary storage, but save data in a WORM format, ensuring that everything stored is protected. Hardware options also include storing data on tape – the original method for air gapping and protecting data. While it might sound outdated, tape is still incredibly useful to protect data in a WORM format and is usually less expensive than other immutable storage solutions. A number of data protection solutions support writing data to tape, meaning you won’t need to go hunting for some ancient hardware to use it effectively. Lastly, there are software solutions that work in your environment – these can either be vendor-specific immutable storage features, or third-party solutions which layer immutability on top of your existing storage solution.

Compared to cloud-based solutions, all of these solutions give you the ability to have readily accessible backups which you can put to use quickly, rather than needing to wait around for your backups to be downloaded from the cloud. You also don’t need to worry about being put at risk if you decide to move between cloud providers or establish a multi-cloud environment.

If you decide to utilise an on-premises solution, it’s important to make sure you find one that is complimentary to your existing backup system – many vendors look to sell immutable storage as part of an “all-in-one” solution, which may require you to rework your strategy, rather than simply being able to add immutable storage into your existing backup regime. Since no two environments are the same, it’s worth looking around to find a solution that gels with your existing infrastructure.

With all that established, it’s also worth bearing in mind a few best practices to make the most out of immutable storage and protect against ransomware:

• Avoid connecting your backup systems to your main domain so attackers can’t use compromised credentials to gain access.
• If you run a Windows environment, consider using Linux-based hardware or software for backups, so that attackers can’t rely on one vulnerability to compromise both your system and your backup.
• Develop a comprehensive recovery plan, and order systems by business importance and dependencies to help you recover from an attack faster.
  • If you do this, make sure you air gap your recovery documentation so you don’t lose access to it during an attack.
• Regularly test restoring your systems and data from a backup, so you’re prepared for the real thing.

What's next?

If you’re curious about what immutable storage options might be right for your business, or are simply interested in improving your organisation’s security, contact your Servium Account Manager to see how we can help.