Ransomware is software designed to carry out a digital kidnap of a firm or organization’s data, by taking it hostage and demanding payment of a ransom for its safe return. It aims to achieve this by encrypting data so effectively that you believe you cannot regain access to your files without them being unlocked for you.
Your ability to avoid paying a ransom depends on being able to restore access to your data without relying on your attacker to decrypt it. As a result, attackers often target backups and snapshots first, to limit your options. Relying on older, perhaps incomplete backups can result in an enormous amount of data loss, and restoration is such a slow process that it may take weeks or even months.
Attacks are now so frequent that you should assume your organization will be hit at some point.
It’s crucial to understand that, as with any kidnap, it’s not the value of your data to the attackers that drives the attack.
Instead, it’s the value that your data holds for you that determines whether or not you’ll pay a ransom.
Ransomware defense is reactive by its very nature, and while defensive software does an excellent job of fending off multiple attacks, the number of possible entry points to an organization’s network makes it all but impossible to prevent every attempt. Regardless of how quickly defensive solutions react to a known ransomware variant, substantial damage can still be done before an attack can be brought under control.
That means defense is not a complete solution, though it remains an important part of your security strategy.
Assuming that it’s not completely possible to keep ransomware out, mitigating a ransomware attack depends on protecting data. That means the data needs to be structured in such a way that—even if it is compromised—it cannot fail, and it cannot be read.
By virtue of storing data that needs to be editable, legacy file systems are inherently vulnerable to ransomware. When attacked, they do exactly what they are designed to do, and allow files to be changed.
Immutable data architecture changes your posture against ransomware and malware because it’s fundamentally resistant to attack. Rather than being a solution to help defend or protect, it reduces the impact and spread of an attack by being unaffected.
Panzura CloudFS makes cloud object storage immutable, and thus, impervious to ransomware.
To a user, CloudFS looks and feels like any other file system. Files can be opened, edited and saved, copied or deleted—by any authorized user, at any location—in real time.
Behind the scenes is a radically different, much simpler, and infinitely more robust storage structure. CloudFS is a global cloud file system that stores file data as blocks in cloud object storage, as a single authoritative data set that every user in the organization works from.
Those data blocks are immutable—stored in a Write Once, Read Many form so that once stored, they cannot be changed, edited, or overwritten.
Consequently, they are unaffected by malware.
Metadata pointers are used to record which blocks comprise a file at any given time. As users create or edit files, changed data chunks are moved to object storage every 60 seconds, and are stored as new data blocks. At the same time, the metadata pointers are updated to reflect any new blocks that form the file.
These immutable data blocks are further protected by file system-wide read-only snapshots that are taken at configurable intervals, with the default being 60 minutes. Additionally, read-only snapshots are taken at the local filer level every 60 seconds, and these are used to transfer changed data to the object store.
Being read-only, these snapshots are also impervious to ransomware, and they effectively provide a granular way to restore data back to any previous version.
In the event of a ransomware attack, malicious code is inserted into your files, changing them. Panzura recognizes altered file data, and the resulting encrypted files are written to the object store as new data.
A legacy storage system allows a file to be edited as this code is inserted, changing the file itself. By contrast, when a file is infected by ransomware on CloudFS, it is now comprised of completely new blocks of data.
Since CloudFS preserves existing data as original objects in the object store, any file encrypted by the ransomware code can be immediately reverted to its state prior to infection, using snapshots. This can be easily done for a single file, entire directories, or even the entire global file system.
With Panzura’s immutable data, your original file data isn’t encrypted at all. Instead, file pointers are now pointing to new data blocks that contain the encrypted content. Reverting to the snapshot prior to the attack points back to clean data blocks … and your clean files are back.
Unlike restoring from a backup, this approach allows granular restoration of files, with a near-zero recovery point objective, to minimize any data loss.
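A simplified model of the mechanism described above (write-once blocks, metadata pointers, read-only snapshots of the pointer table), as an added example that is not Panzura's code. The class names, 4-byte block size, SHA-256 block keys and the XOR overwrite standing in for an encrypting attack are all assumptions made for illustration.

```python
import hashlib
from types import MappingProxyType

BLOCK_SIZE = 4  # tiny on purpose so the constructed files span several blocks

class WormStore:
    """Write-once object store: a stored block is never changed or overwritten."""
    def __init__(self):
        self.blocks = {}
    def put(self, data: bytes) -> str:
        key = hashlib.sha256(data).hexdigest()  # assumption: content-addressed keys
        self.blocks.setdefault(key, data)       # an existing block is left untouched
        return key
    def get(self, key: str) -> bytes:
        return self.blocks[key]

class FileSystem:
    def __init__(self):
        self.store = WormStore()
        self.pointers = {}   # path -> tuple of block keys (the metadata pointers)
        self.snapshots = []  # read-only copies of the pointer table
    def write(self, path: str, data: bytes) -> None:
        chunks = (data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE))
        self.pointers[path] = tuple(self.store.put(c) for c in chunks)
    def read(self, path: str) -> bytes:
        return b"".join(self.store.get(k) for k in self.pointers[path])
    def snapshot(self) -> int:
        self.snapshots.append(MappingProxyType(dict(self.pointers)))
        return len(self.snapshots) - 1
    def revert(self, snap_id: int, path=None) -> None:
        snap = self.snapshots[snap_id]
        if path is None:
            self.pointers = dict(snap)        # whole file system
        else:
            self.pointers[path] = snap[path]  # single file

def demo() -> dict:
    fs = FileSystem()
    files = {"/docs/report.txt": b"quarterly figures", "/docs/notes.txt": b"meeting notes"}
    for path, data in files.items():
        fs.write(path, data)
    clean, before = fs.snapshot(), len(fs.store.blocks)
    for path in files:  # constructed stand-in for an encrypting overwrite of every file
        fs.write(path, bytes(b ^ 0x5A for b in fs.read(path)))
    out = {"grew": len(fs.store.blocks) > before,
           "damaged": fs.read("/docs/report.txt") != files["/docs/report.txt"]}
    fs.revert(clean, "/docs/report.txt")  # granular, single-file restore
    out["one_file"] = (fs.read("/docs/report.txt"), fs.read("/docs/notes.txt") == files["/docs/notes.txt"])
    fs.revert(clean)                      # restore everything to the clean snapshot
    out["all_clean"] = all(fs.read(p) == d for p, d in files.items())
    return out
```

The overwrite only adds blocks and repoints the files; the original blocks remain in the store, so reverting the pointers is all that restoration requires.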
By the time you’ve identified and stopped an attack, a substantial number of files may have been encrypted. Data Services plays a vital role in identifying those files. Its global search capabilities allow you to search by user, or file action, such as renaming or changing permissions. Data Services’ speed of search reduces a task that could itself take days, down to hours or minutes.
The Panzura global services team plays a crucial role in swift and granular recovery from attack, supporting you with mass restoration of files to the most recent “clean” snapshot. The team also works closely with IT teams to help them to know when they’re bringing attacks under control by stopping the spread of affected files.
While a file system does not store structured (database) data, storing database backups in CloudFS gives you an immutable backup to restore from. Additionally, backup data from other, less resilient, file systems can be given immunity to ransomware by being stored immutably in CloudFS.