How Immutable Storage Stops Costly Ransomware Attacks

How immutable data lets enterprises shrug off ransomware like it never happened
Share on linkedin
Share on twitter
Share on facebook
Share on email

Immutable data architecture means that data, once written, cannot be changed. And, if it cannot be changed, then it cannot be encrypted by ransomware.

What is ransomware, and what does it do?

Ransomware is a type of malware or software code that is designed to block access to your data, typically by encrypting that data so your files are unable to be opened or accessed in any way. Some variants change file extensions, while others simply encrypt files.

Hackers then demand a ransom (often in bitcoin) in exchange for decryption keys, or a decoder to restore access to your data.

It’s the digital version of kidnapping – your data is held hostage unless, and until you pay for its safe return.

Sophisticated ransomware attacks – funded by past ransom payments – are specifically engineered to be difficult to protect against and tough to detect early. They are also extremely challenging to stop, often encrypting a network to the point where victims of ransomware attacks are confused about their options and sometimes believe they have no other choice than to pay the ransom.

From the attacker’s point of view, the success or failure of any attack depends on your ability to restore access to your data, unless the ransom is paid.

As a result, attackers often target backups, and snapshots first, to limit your recovery options. This leaves firms with nothing but off-site backups, perhaps even on tape, to restore from. Having to rely on backups can result in an enormous amount of data loss, and is such a slow process that restoration is likely to take weeks or even months.

When an attack hits, IT teams have to attempt to identify it, find where it’s coming from, slow and hopefully stop it before it encrypts entire networks. If they can pinpoint an infected laptop or server, for example, disconnecting that from the network can help to contain and minimize the damage.

Frequently, attacks will result in CPU maxing out, making it extremely difficult for systems administrators to access critical infrastructure like servers.

Once the attack has ended, the enormous task of identifying encrypted files, folders and directories begins, along with figuring out whether they can be decrypted.

While this is all happening, users are locked out of networks and companies incur the costs of downtime, lost data and failed restoration efforts. In reality, Panzura’s approach toward immutable storage, and the ability of our hybrid-cloud solution to encrypt data and render it useless to attackers, means Panzura customers can avoid paying ransoms altogether.

How does ransomware penetrate a network?

Ransomware can be delivered through socially engineered methods such as fake emails, spam, web pages, free software downloads, fake software updates, and even through web-based instant messages.

These are specifically designed to be successful, by making it as likely as possible that a user will be fooled.

For example, one morning, you receive an urgent email from your CEO (the email has their name and email address in the “From:” field) asking you to explain the attached invoice in the form of a PDF file.

It looks authentic, so you open the attachment. The PDF has an embedded Word document, and you bypass the file scan by saying it is “OK” to open. The Word document has a Visual Basic macro which downloads the ransomware and executes it.

That’s all it took. You are now infected with ransomware, and it immediately begins to encrypt data – not only on your laptop but also on the network drive as well.

More recently, attackers have been known to modify the ends of USB charging cables, and to leave these cables sitting in high foot-traffic areas. These are quickly picked up and at some point, are likely to be plugged into a laptop or desktop computer in order to charge a phone.

At that point, the malware is in. It’s designed to do maximum damage, so it will lie dormant until that same device is connected to a corporate network, at which point it will run at full speed through the file network.

Is complete ransomware defense even possible?

A more complete answer lies in ransomware protection

In kidnapping terms, you’re no longer trying to prevent someone from being kidnapped. Instead, you’re making it impossible for anything other than a hologram of that person to be taken hostage. Meanwhile, the real person is never in any danger.

Introducing immutable data storage

Behind the scenes is a radically different, much simpler, and infinitely more robust storage structure.

CloudFS is a global cloud file system that stores file data as blocks in cloud object storage, as a single authoritative data set that every user in the organization works from. User location, and the number of locations the organization has, make no difference to this scalable system; every user gets what feels like a local file experience, though the data itself is stored hundreds, if not thousands of miles away.

Those data blocks are immutable – stored in a Write Once, Read Many form so that once stored, they cannot be changed, edited, or overwritten. Consequently, they are impervious to all forms of malware.

Metadata pointers are used to record which blocks comprise a file at any given time. As users create or edit files, changed data chunks are moved to object storage every 60 seconds, and are stored as new data blocks. At the same time, the metadata pointers are updated to reflect any new blocks that form the file.

For example, if a 4-page saved document called fileone.docx is comprised of blocks A, B, C and D, and the document is edited today, it might now be comprised of blocks A, B, C and E. The new block E is moved to the object store, and the pointers record that A, B, C and E are required to open the current version of that file.

These immutable data blocks are further protected by file system-wide read-only snapshots that are taken at configurable intervals, with the default being 60 minutes. Additionally, read-only snapshots are taken at the local filer level every 60 seconds, and these are used to transfer changed data to the object store.

Being read-only, these snapshots are also impervious to ransomware, and they effectively provide a granular way to restore data back to any previous version.

Let’s say that, having edited fileone.docx, you realize that you’ve accidentally deleted some text that was crucial.

Ordinarily, that data would be lost unless it was captured by a system backup, which typically runs just once a day. With Panzura CloudFS, you simply right-click on the document from Windows File Explorer, and restore it to the snapshot that was taken before you made your edits.

Immutable data shrugs off ransomware attacks

In the event of a ransomware attack, malicious code is inserted into your files, changing them. Panzura recognizes altered file data, and the resulting encrypted files are written to the object store as new data.

A legacy storage system allows a file to be edited as this code is inserted, changing the file itself. By contrast, when fileone.docx is infected by ransomware on CloudFS, it is now comprised of completely new blocks of data –  F, G, H and I, for example.

Since CloudFS preserves existing data as original objects in the object store, any file encrypted by the ransomware code can be immediately reverted back to its state prior to infection, using snapshots. This can be easily done for a single file, entire directories, or even the entire global file system.

With Panzura’s immutable data, your files aren’t encrypted at all. Instead, file pointers are now pointing to data blocks containing encryption. Reverting to the snapshot prior to the attack points back to clean data blocks … and your clean files are back.  Using our example of fileone.docx, you simply restore a snapshot where the file pointers record blocks A, B, C and E, and fileone.docx is back in operation.

This renders ransomware attacks harmless for your business, and futile for the attacker, as they depend on selling you the key to decrypt your data, so you can access your files again. When accessing your data is as easy as restoring it from a snapshot, you don’t need a decryption key.

Panzura's immutable data protects against ransomware

Guarding Against Data Exposure

Kidnappers have long been aware that their chances of being paid quickly are increased if they can prove that they are willing to harm their hostages.  The digital equivalent is publishing their victim’s data online – confidential patient or customer records, for example.

This threat exponentially increases the risk of not paying, as organizations may now also be liable for privacy breaches, not to mention the resulting lack of trust from those they serve.

The best modern file systems, including Panzura CloudFS, will use military-grade encryption for data at the edge, within the object store, and  in flight, as data is moved into and out of the store. So, in the event that it is compromised, that data cannot be deciphered.

As a result of being able to shrug off ransomware itself, and being able to encrypt data to make it illegible to unauthorized eyes, Panzura customers do not pay ransoms.