Guest Column | March 2, 2021

The "Golden" Ticket To Securing Your Organization Against Ransomware

By Steve Leeper, Datadobi


Ransomware is one of the most damaging and costly cyber threats that organizations must protect against today. To add to it, the COVID-19 pandemic has sparked a 72 percent growth in ransomware, leaving companies scrambling to protect themselves in the age of remote work. Traditional data protection strategies have typically been put in place to give an organization the ability to recover from software and hardware failures within data centers. These methods, however, fail to defend against ransomware in particular. 

To understand how to protect against ransomware, it’s important to understand how the attack method works. The adversary begins by breaching the data center using malicious email attachments, unprotected smartphones, viruses, network intrusions, USB devices containing malicious data, or just plain bribing of company personnel. After gaining access, the attacker might observe the infrastructure for weeks or months to gain a better understanding of its defenses. The goal is to identify the business-critical data, in order to determine what can cause the most disruption and force the victim to meet the demands. 

As adversaries lurk in the network, they will attempt to make protection mechanisms unusable for data restoration. Next, they will encrypt all the important data. Only after that will they notify you to pay a ransom fee to get business operations back up. 

Below we discuss why traditional data protection alone is not enough to combat the ever-looming threat of ransomware, and the extra step organizations can take to protect themselves. 

Why Traditional Protection Strategies Aren’t Enough 

Historically, data protection has involved many different technologies that together create a layer of defense. For example, filesystem snapshots provide the ability to quickly recover any deleted or corrupted files. Backups to tape, VTLs (virtual tape libraries), or deduplication appliances provide longer retention and keep a copy of the data separate from the original storage system, whether on-premises or not. With VTL or deduplication appliances, the backup data can then be replicated to an off-site location to protect against any catastrophe in which the primary storage system goes down. 

The downfall to this? Traditional data protection was conceived to protect against hardware and software failures and accidents, not against ransomware. 

With ransomware, snapshots are negatively impacted because the adversary can typically delete them. During the attack, snapshots grow very quickly; a highly utilized array will likely become inoperable as its capacity is consumed. Because the time of the infection is unknown, recovery from snapshots is unlikely, since long-term retention is not what they were designed for. Replication alone is not enough because it simply propagates the ransomware and replaces data with encrypted content. Highly sophisticated ransomware will also attack backup systems by destroying backups, backup catalogs, or backup configuration. 

Taking The Extra Step

In addition to the traditional data protection strategies, organizations might consider the notion of maintaining a “golden copy” of their data. The golden copy involves creating an additional copy of business-critical data. This copy serves as an insurance policy should any malware infect systems and corrupt both the primary and secondary systems and their data. A golden copy should be storage-agnostic, meaning it can be restored or recalled to any system while maintaining the original full directory structures, metadata, and permissions. 

Additional protection offered by the golden copy comes from leveraging an air-gapped environment. The term air gap refers to limited network connectivity between the source and the target sites. Rather than constant network connectivity being available, the connection is only periodically activated to pull incremental updates from the source, covering changes made since the previous transfer session was initiated. After any incremental updates have been transmitted and verified, the network connection is terminated, leaving the golden copy fully isolated from the rest of the organization’s networks and applications. Access to the golden copy should be limited to network administrators and other senior executives who can activate the air gap if needed in an emergency such as a ransomware attack. 
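To make the "periodic pull, verify, then disconnect" session concrete, here is an added example (not Datadobi's software or code from this column) of one incremental golden-copy session in Python: it transfers only files whose size, mtime or mode changed since the last session's manifest, verifies every copied file by SHA-256 before recording it, and preserves mode and timestamps. The manifest file name and the session function are assumptions for illustration; opening and closing the network link is outside the script.

```python
"""Incremental 'golden copy' session: pull changed files, verify, record manifest."""
import hashlib
import json
import shutil
from pathlib import Path

MANIFEST_NAME = ".golden_manifest.json"  # assumed name for this example


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(target: Path) -> dict:
    mpath = target / MANIFEST_NAME
    return json.loads(mpath.read_text()) if mpath.exists() else {}


def pull_session(source: Path, target: Path) -> dict:
    """One connected session: copy only files changed since the previous manifest,
    verify each copy by hash, keep mode/mtime, then write the new manifest.
    Files deleted at the source are deliberately kept on the golden copy.
    Returns {'copied': [...], 'skipped': int, 'failed': [...]}."""
    prev = load_manifest(target)
    manifest, copied, failed, skipped = {}, [], [], 0
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        st = src.stat()
        entry = {"size": st.st_size, "mtime": st.st_mtime, "mode": st.st_mode & 0o777}
        old = prev.get(rel)
        if old and all(old[k] == entry[k] for k in ("size", "mtime", "mode")):
            manifest[rel] = old  # unchanged since the previous session: not transferred
            skipped += 1
            continue
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copies data plus mode bits and timestamps
        entry["sha256"] = sha256_of(src)
        if sha256_of(dst) != entry["sha256"]:
            failed.append(rel)  # verification failed: not recorded as a good copy
            continue
        manifest[rel] = entry
        copied.append(rel)
    (target / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1))
    return {"copied": copied, "skipped": skipped, "failed": failed}
```

Because a file encrypted by ransomware also counts as "changed", a real golden copy additionally needs retention of earlier versions on the isolated target; that versioning is not shown here.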

The threat of ransomware is not likely to go away anytime soon. Organizations need to arm themselves with a “golden” strategy to protect themselves. While traditional data protection strategies are still important to incorporate, taking the extra step of creating a golden copy can enable business operations to continue in the event of a ransomware attack. 

About The Author 

Steve Leeper currently serves in the office of the CTO at Datadobi. In his role, Leeper is responsible for analyzing emerging technologies and market applicability for future products and services. Leeper also is responsible for guiding new products through the Technology Adoption Life Cycle.