Increase your ransomware resilience with NEC HYDRAstor

16 December 2021 | Information security | Robert Warmoeskerken

Ransomware has been on the rise and is here to stay. Although it has existed since 1989, criminal organizations have been developing and distributing ransomware as an attack vector since 2013. Over the years, these attacks have been perfected to target vulnerable sets of systems and protocols, and the number of (successful) attacks is increasing.

Since the beginning of the COVID-19 pandemic, the threat landscape has evolved in favour of successfully depositing ransomware in networks. Changes in preventive and detective controls to accommodate flexible working practices, as well as constraints on IT security teams during lockdowns, have contributed to the vulnerability of the workplace.

Any company that has been impacted by malware should seriously consider the possibility that ransomware is also hidden within its environment. When it comes to ransomware, the primary weakness in any storage system is within the user authentication process. Below, we briefly explain common authentication methods, how they are compromised, and which countermeasures can help protect your enterprise data from ransomware and other forms of malware.

Serious threats and risks

Ransomware attacks are more prevalent today simply because they are a relatively low-touch attack method for criminals, and they work. At least 130 different ransomware families were active in 2020 and the first half of 2021, grouped into 30,000 clusters of malware that looked and operated in a similar fashion.

Due to the COVID-19 pandemic, remote working has significantly increased, and with it the risk of a successful ransomware attack, due to a combination of weaker controls (or vulnerabilities) on home IT and a higher likelihood of users clicking on COVID-19-themed ransomware lure emails.

Ransomware has a real impact on victims who, if affected, will find themselves requiring data recovery, paying the ransom due to a lack of preparedness (or lack of secure backups), or accepting the loss of their data altogether. The cost for victims is obviously much greater than the ransom itself.

There are significant costs associated with downtime, loss of productivity, and a potentially permanent loss of customers when they are not served appropriately. Furthermore, making significant changes to the enterprise infrastructure and processes to prevent future compromises can be costly considering the time, resources, knowledge, and money required.

Traditionally, organizations have leveraged a variety of methods to retain and make redundant copies of data. For example, snapshots and replication of network-attached storage or data shares are used to connect, map, and provide data services, all of which are susceptible to ransomware encryption malware.

Online and nearline file-based storage commonly leverages a cross-platform network protocol to map network drives and read/write remote files in Windows environments. This protocol (SMB) is widely adopted for general-purpose file storage. Although it functions very well for this purpose, it also carries inherent risk in the case of ransomware and should not be relied upon as a (mission-)critical data repository due to weaknesses in the authentication process.

The same is true for storage devices. Storage devices with or without immutable technologies are susceptible to the same authentication issues. The immutable technology might be able to provide access to unaffected original block data even when most revised data is affected. However, the amount of data that can be recovered, and the efficiency of that recovery, can be an arduous challenge, especially for large enterprises.

After a storage system has been compromised, it is wide open to an attack that is difficult to identify because legitimate processes and credentials are used to take advantage of the compromised systems. Usually, the only way to recognize this means of attack is when things start to go wrong. Obviously, this is far too late. 

Countermeasures

Although a lot of free decryption software is available (see www.nomoreransom.org), it is not certain that this can help your organization out of the fire. Better safe than sorry! So, invest in preventive measures and make sure that those measures are functioning properly.

First, proper data classification and authentication policies are vital to protect your organization by minimizing the number of users with access to critical data. Do you know what your vital (data) assets are? Which risks are acceptable for your organization? Which measures should be in place to mitigate your remaining risks regarding e.g., loss of vital data and/or long-term business disruption?

Second, implement the required measures accordingly and test the operating effectiveness of the measures, i.e., recovery, on a periodic basis. To protect your vital data assets, implement an adequate storage and back-up strategy by means of an adequate storage and back-up solution and related processes. This strategy must reduce the risk of e.g., loss or digital hostage of data in line with your risk appetite. In particular, look for a solution that has WORM[1] functionality and can isolate or hide data so that ransomware cannot tamper with it. NEC HYDRAstor is such a storage and back-up solution that can be used to relieve your worries.

NEC HYDRAstor 

HYDRAstor is a modular scale-out grid storage platform with inline global deduplication and compression, delivering high-performance, capacity-optimized and highly available storage for backup, archiving and disaster recovery solutions for customers of all sizes.

Data is isolated and protected

The HYDRAstor purpose-built backup appliance brings a wealth of benefits to an organization in the way of space-efficient backup, deduplication, and data assurance. However, the single most important feature of HYDRAstor is its ability to completely isolate data from being tampered with unintentionally.

HYDRAstor is a purpose-built backup appliance, designed and built to leverage deduplication, compression, encryption, and data isolation for backup and archiving processes. The more advanced implementation of HYDRAstor offers the feature of “file cloning”, which copies and isolates the data and prevents ransomware from accessing it. This feature can be applied to all data on HYDRAstor or only to the mission-critical files. HYDRAstor effectively hides the cloned data from attackers, and ransomware cannot encrypt what it cannot see, as shown in the figure below.

HYDRAlock 

HYDRAstor, as a self-evolving, self-managing, self-tuning and self-healing system, moves beyond “thin provisioning” and is designed to address the range of corporate backup and archive needs, including WORM functionality.

Unlike alternatives that locate WORM functionality in individual storage devices or specialized appliances, HYDRAlock enables single deployment and centralized administration. This approach simplifies deployment and aligns security and storage management to maximize data integrity by preventing tampering with security settings.

NEC has enabled the WORM function to be implemented on a per hybrid node basis. This allows the function to be implemented for only the datasets or applicable portions of the infrastructure that need it. This relieves users from having to pay for an entire storage system even when the functionality is only needed for specific file systems.

By deploying HYDRAlock, storage security can be consistently implemented, preventing accidental or intentional erasing or alteration of data (documents, emails, and other corporate records). Enabling WORM (HYDRAlock) also prevents ransomware from encrypting the data, effectively protecting the data with no impact on operations (backup and/or archiving) as they proceed.

Wrap up

Data protection has slowly morphed into a never-ending series of disk-based replications and snapshots, which serve to recover specific files quickly. However, the move away from more redundant and secure methods such as tape and off-site archives has left a large security gap for cybercriminals to distribute ransomware. Many organizations can now unfortunately attest that simply backing up data by making copies is not sufficient. If an operating system or application can see or alter your data, so can ransomware.

The best method for protecting enterprise data is a combination of well documented and communicated policies, effective implementation of critical security controls (particularly access controls), and HYDRAstor, which is the critical data protection component in safeguarding data from ransomware in a backup or data archiving solution. HYDRAstor deployed as the backup target for mission-critical data ensures the ability to recover data from either a specific RTO or a configuration RPO. Most importantly, it shields data from ransomware and other forms of malware that target your valuable data. HYDRAstor stores and effectively isolates data and protects it from unintended manipulation and, in the case of ransomware specifically, encryption.

Need help

Would you like to increase your ransomware resilience? COMPOSIT cooperation U.A. can help you by identifying your vital data assets, i.e., your crown jewels, and related risks. Together with our partner NEC we can help you with implementing the required measures and/or implementing HYDRAstor to reduce the risk of becoming a victim of ransomware. COMPOSIT is a gold partner of NEC. Feel free to contact us by phone (+31 085 2103013) or by e-mail (info@composit-services.com).




[1] WORM: Write-Once Read-Many
