Reading Time: 5 minutes

Immutable data architecture and data resiliency mean that data, once written, cannot be changed. And, if it cannot be changed, then it cannot be encrypted by ransomware.

Ransomware’s escalating frequency, demands, and tactics—including exposing sensitive data publicly if firms do not pay the ransom—tell us that ransomware is more than lucrative enough for its perpetrators. Plus, with the negligible risk of perpetrator discovery becoming even more remote with the rise of crimeware-as-a-service, there’s little chance of well-known firms avoiding an attack. In fact, an increasing number of organizations have been hit more than once.

What Ransomware Does

Ransomware is a type of malware that is designed to block access to your data typically by encrypting it so your files can’t be opened or accessed. Some variants change file extensions, others simply encrypt files.

Hackers then demand a ransom (usually in bitcoin) in exchange for decryption keys or a decoder to restore access to your data. It’s the digital version of kidnapping, with your data held hostage until you pay.

Sophisticated ransomware attacks are engineered to be difficult to protect against and tough to detect early. They are also challenging to stop, often encrypting a network to the point where victims are confused about their options and sometimes believe they have no other choice than to pay the ransom.

From the attacker’s point of view, unless the ransom is paid, the success of any attack depends on your inability to restore access to your data. To limit your recovery options, attackers often target backups and snapshots first. This can leave affected organizations with nothing to restore except off-site backups, possibly on tape. Relying on backups is a slow restoration process that can take weeks or months and result in an enormous amount of data loss.

When an attack hits, IT teams have to detect it, find where it’s coming from, slow it, and hopefully stop it before it encrypts entire networks. If teams can pinpoint an infected laptop or server, disconnecting it from the network can help contain and minimize damage. But often attacks result in CPU overload that makes it extremely difficult for system administrators to access critical infrastructure like servers. Once the attack ends, the task of identifying encrypted files, folders, and directories begins, along with figuring out if they can be decrypted.

While this is all happening, users are locked out of networks. Those affected incur the costs of downtime, lost data, and failed restoration efforts. The Panzura approach to immutable storage and data resiliency—and the ability of our multi-cloud solution to encrypt data and make it useless to attackers—means Panzura customers can avoid paying ransoms altogether.

How Ransomware Penetrates a Network

Ransomware can be delivered through socially engineered methods such as fake emails, spam, web pages, free software downloads, fake software updates, and instant messages.

For example, one morning, you receive an urgent email from your CEO (the email has their name and email address in the “From:” field) asking you to explain the attached invoice, a PDF file. It looks authentic, so you open the attachment. The PDF has a Visual Basic macro that downloads and executes ransomware.

You are now infected, and ransomware begins to encrypt data, not only on your laptop but on the network drive, as well. It’s designed to do maximum damage, so it will lie dormant until connected to a corporate network, at which point it will run at full speed.

Complete Ransomware Defense Is Not Possible

Given the volume and success of attacks globally, it seems reasonable to conclude that there is no complete ransomware defense. Anti-ransomware tools can fend off attempts and help keep your infrastructure secure. Some are particularly good at recognizing and rejecting email attachments and at automatically shutting down attacks to minimize damage.

However, these solutions are reactive, not preventive. And no matter how quickly they react to a known variant, the insidious nature of ransomware means that substantial damage can still be done before an attack can be brought under control.

A More Complete Answer: Data Resiliency

In our digital age, data has immense value because without it, your organization simply can’t function.

Statistics are clear; if an organization loses access to critical business data for 10 days or more, it has only a 7% chance of surviving the next 12 months. That makes data the most valuable assetyouown.

If it’s not completely possible to keep ransomware out, stopping a ransomware attack depends on protecting data. That means, in kidnapping terms, you’re no longer trying to prevent someone from being kidnapped; you’re making it impossible for anything other than a hologram of that person to be taken hostage. Meanwhile, the real person is never in any danger.

Introducing Resilient Data Storage

By storing data in editable format, legacy file systems are inherently vulnerable to ransomware. When attacked, they allow your files to be changed. But resilient data architecture is fundamentally resistant to attack. Rather than defending or protecting, it reduces the impact and spread of an attack by being unaffected by it.

Data resilient storage is made possible by smart multi-cloud file system technology, such as the Panzura CloudFS global file system. It takes an elegant, modern approach to unstructured data stored as objects in a public, private, or completely dark cloud.

To a user, CloudFS looks and feels like any other file system. Files can be opened, edited, saved, copied, or removed by any authorized user, anywhere, and in real time. Behind the scenes, though, is a radically different, simpler, and infinitely more robust storage infrastructure.

CloudFS stores data as blocks in cloud object storage that supplies a single, authoritative dataset that every user works from. Stored in write-once-read-many form, data blocks are immutable. They cannot be changed, edited, or overwritten, and so, they are impervious to most all forms of malware.

The system’s metadata pointers record which blocks comprise a file at any given time. As users create or edit files, changed data chunks are moved to object storage every 60 seconds. At the same time, metadata describing all changes is stored on every node and in the object store.

For example, if a 4-page document called fileone.docx is made up of blocks A, B, C and D, and the document is edited today, it might now be made up of blocks A, B, C and E. The new block E is moved to the object store, and the pointers record that A, B, C and E are needed to open the current version of that file.

These immutable data blocks and the individual node content are further protected by systemwide read-only snapshots that are taken at configurable intervals, with the default being 60 seconds. Being read-only, these snapshots are also impervious to ransomware, and they effectively offer a granular way to restore data back to any earlier version.

Let’s say that, having edited fileone.docx, you realize that you've accidentally removed some text that was crucial. Ordinarily, that data would be lost unless it was captured by a system backup, which typically runs just once a day. With Panzura CloudFS, you simply right-click on the document from Windows File Explorer and restore it.

How Resilient Data Stands Up to Ransomware

During a ransomware attack, malicious code is inserted into your files, which changes them. Panzura recognizes altered file data, and the encrypted files are written to the object store as new data.

A legacy storage system would allow the file to be edited, but CloudFS creates completely new blocks of data: F, G, H and I, for example. Because CloudFS preserves data as original objects, the status of any file can be set as “encrypted,” and snapshots and the metadata pointer set to indicate that a clean file version written prior to infection is now the current one. This can be easily done for a single file, entire directories, or even the entire global file system.

CloudFS renders ransomware attacks harmless. When accessing your data is as easy as restoring it from a snapshot, you don’t need a decryption key. Or bitcoin.

Learn more about multi-cloud data protection best practices for cyber resilience and the 3 tenants of cloud security.

Originally published May 9, 2021, updated March 25, 2024