Stopping Costly Ransomware Attacks with Immutable Data Architecture

Rich Weber

Chief Product Officer at Panzura
Rich Weber

Latest posts by Rich Weber (see all)


    One of the biggest ransomware attacks to hit the news in 2019 was the incident with the Baltimore City government, which took over a month to recover, with an estimated total cost impact of $18 million dollars. In August, a coordinated attack on 23 agencies paralyzed municipal services.

    Ransomware attacks are a frightening reality of the current digital times. So what is ransomware, what does it do, and why should you care?  Ransomware is a kind of malware or software code that is designed to block access to your data, typically by encrypting that data, Ransomware is typically delivered through socially engineered methods such as fake emails, spam, web pages, free software downloads, fake software updates, and even through web-based instant messages. Hackers then demand a ransom (in bitcoin or otherwise) in exchange for the keys that restore access to that data.

    Let’s consider an example. One morning, you receive an urgent email from your CEO (the email has their name and email address in the “From:” field) asking you to explain the attached invoice in the form of a PDF file. You immediately open the attachment, thinking it is from your CEO, to get to the bottom of the urgent issue. The PDF has an embedded Word document, and you bypass the file scan by saying it is “OK” to open. The Word document has a Visual Basic macro which downloads the ransomware and executes it. That’s it! You are now infected with ransomware which immediately begins to encrypt the data not only on your laptop but also on the network drive as well. Soon, you get a message on your screen indicating that your data is encrypted and that you must send funds using bitcoin in order to obtain the software keys that will decrypt and recover your precious data. Now, you realize that the email wasn’t from the CEO, but more likely from an extortion loving hacker. To make matters worse, there is a countdown timer – when the timer hits zero and payment isn’t received, that decryption key will be permanently deleted. Your day has really gotten off to a bad start now!

    The Rise of Cybercrime

    How often does this really happen anyway and what can it cost your business? Predictions vary, but global ransomware damages are predicted to increase to  making ransomware one of the fastest-growing cybercrimes. Ransomware saw a slight decline with the emergence of cryptojacking (unauthorized use of computers to mine cryptocurrencies) but is again on the rise since cryptojacking has been significantly thwarted. Ransomware infections saw an increase of 350 percent in 2018 with expectations that businesses and governments will be infected on average every 11 seconds by 2021. Local governments and businesses are among the largest targets, with many paying off the cyberattackers through cybercrimes insurance coverage. This is in large part due to the costly impact to business continuity and potential paralyzation of workflows due to critical loss of data availability. Every time these attackers are paid off, the victims are forcibly funding those very attackers to develop newer and more complicated variants that go undetected by antivirus solutions. Worse yet, there is no guarantee that all your data will be decrypted and unlocked – you are dealing with criminals after all.  More so, the very code delivered to free your data could infect other systems and trigger again in the future to hold you ransom yet again.

    Storage Solutions to the Rescue

    So, what can be done to protect yourself and your company?  There is, of course, the standard defense which includes user education on social engineering attacks, ignoring unknown attachments, and avoiding questionable sites. IT organizations can block bad sites, implement antivirus solutions, and proactively scan network storage devices. However, users will continue to make mistakes and new attacks will go undetected by antivirus solutions, ultimately leaving the risk of infection ever-present.  What we need are storage solutions that are fundamentally resistant to attacks while reducing the impact or spread of any undetected attack. Ideally, your storage solution would be based on immutable data architecture.

    The Power of Immutable Data Architecture

    What is an immutable data architecture and why is it powerful? Immutable data architecture means that data, once written, cannot be changed. If data cannot be changed, then it cannot be encrypted by ransomware. That sounds great, but data is dynamic and always changes, so how can it still be usable if it’s immutable?

    At Panzura, that’s just what we have done and, in fact, have always done. File services on the front end, or client-side, of a Panzura filer are serviced by either the SMB or NFS protocols. Files can be created, modified, or deleted as needed, providing users have the proper file permissions to do so. The Panzura Freedom filer writes all of the data of each file to a configured cloud such as AWS S3, Azure Blob storage, Google cloud storage, IBM cloud storage, Dell/EMC ECS object storage or any number of private or public object stores. While writing, that data is deduplicated, compressed and encrypted in real-time. The data architecture is immutable in the sense that a Freedom filer will never change any data that has been written to the object store, even though you can make changes to resulting files. When you save a file on the Freedom filer, it chunks that data into multiple objects and caches those blocks for fast access. When changes are made to a file, the Freedom filer will write those changed or new blocks to additional objects in the cloud. The Freedom filer will never modify an existing object in the cloud.  When a file is opened, the Freedom filer will decrypt and rehydrate the associated data blocks  (based on deduplication and compression) and deliver them to the client as a complete file. Synchronization events occur every 60 seconds on all Freedom filers. This effectively provides an RPO (recovery point objective) of 60 seconds for all your data.

    So, how does this protect you against ransomware? Remember, ransomware encrypts all of your data with a key that only the attacker has access to. This key is what you pay for. Now, if all the data that you write can never be modified, then you can’t be held ransom.

    With a Freedom filer, if ransomware encrypts your data, the resulting encrypted files are written as new data. Since existing data is preserved as original objects in the object store, any file encrypted by the ransomware code can be immediately reverted back to its last state prior to infection. This can be easily done for a single file, entire directories, or even the entire global file system. Wait a minute!!! If data on the Freedom filer is never modified, how do you ever delete it from the cloud? Rest assured, the Freedom filer takes care of that for you automatically. The Freedom filer keeps track of all the blocks and their dependencies on deduplication, snapshots, and the active filesystem. When a data block has no more dependencies, the Freedom filer will perform a garbage collection operation that cleans up and deletes data in the cloud that is no longer needed.

    Ransomware is a difficult and expensive problem that targets both an enterprise’s infrastructure and employees. As hackers continue their attempts to access your data, the systems that store your data have to stay one step ahead. Panzura’s immutable data architecture within Freedom filers has saved many of our customers from various ransomware attacks over many years and we hope will give them peace of mind for many more.