This content is part of the Essential Guide: Recovering from ransomware: Defend your data with best practices

Snapshot-based backup snaps back against cyberattacks

A flat backup approach could help your organization recover easier if it's hit by ransomware. There are snapshot-based options available from system and backup software providers.

Ransomware is making CIOs and administrators lose sleep. The fear that a hacker will encrypt your data and then force you to pay for the key is very real. Using your own encryption is no panacea, since the ransomware can just super-encrypt that data to make it inaccessible.

While OS utilities such as Windows Defender attempt to protect selected data from a ransomware attack by locking out external changes, this type of approach is limited by the need for detailed setup and monitoring. This can leave files in a newly created directory unprotected. Linux, as a very open system, is much more poorly defended.

We must look elsewhere for a safe haven. A recent answer to the ransomware issue is to deploy a flat backup system, essentially a perpetual snapshot, to key data. The benefit of this snapshot-based backup approach is that data is never deleted from an object, so it is possible to recover to a point in time just before the ransomware started to corrupt the storage system.

This means a relatively easy recovery if both the ransomware start point is known and all the files are recovered to the same point in time. In fact, the snapshot can take the recovery in stride, since it is just choosing earlier blocks to transfer instead of the most current, corrupted data.

Applying recovery to individual files requires a good user interface or else it becomes tedious. In this mode, just as with a backup, finding the right file and then the right version is a function of how well the interface is written.

Careful considerations needed for ransomware recovery

The benefit of a snapshot-based backup approach is that data is never deleted from an object, so it is possible to recover to a point in time just before the ransomware started to corrupt the storage system.

There are drawbacks, however, to a simple snapshot-based backup system. We want a backup to be remote so that we also attain disaster protection for our data. This is critical, especially with the nonstop expectations that the distributed public cloud brings. Snapshots in a replicating storage system, such as Amazon Web Service's Simple Storage Service (S3), achieve that remoteness, though asynchronously.

With snapshots, while data is perpetual, the snapshot itself can go away for a number of reasons. Since the data is online, it is possible to erase complete file systems or delete buckets or LUNs. This type of action may lead to the deletion of the whole snapshot set, even a remote replica, with the result that all data is lost. A hacker with root privileges could, in theory, achieve this easily.

Another threat that around 60% of IT shops are at risk for is the hacker that just wants to read all the personal data in your system, whether in-house or in a public cloud. One assumes that administrators know that today's good practice is to be paranoid and encrypt important data, but many do not do so.

Protecting against all the hacker vectors needs more than S3 and encryption. The key is to remove the deletion option from the mainstream operations team and create a mechanism that only the backup administrators can invoke to delete a file system or bucket. This could be a separate password for deletion, for instance, known only to select backup administrators. The problem with this approach is that it requires the cloud service provider's orchestration software or host OS to know how to handle the independent control method. This is, at best, a work in progress today.

Snapshot-based backup options

That brings us to a third-party solution. If the objective is to move a copy of the data to a secure, remote offline storage media, a flat backup software package might be just the thing we need. This type of backup tool moves any changed data in a snapshot to a remote backup on a frequent basis. In some ways, this is like a continuous backup approach, but the key difference is that, with a flat backup of snapshots, there is a granularity in backup times depending on the time between the backup passes. Nonetheless, a flat backup is very easy to set up and uses less system resources, so the trade-off is much more economically in favor of the snapshot-based backup approach.

With third-party software, it is possible to add features such as a different super-encryption key to further protect data; require multipart authentication to delete the backups; and independently control the lifecycle of the backups, which is really useful if a long-running -- and inefficient -- snapshot is consolidated to a clean copy.

Software for snapshot-based backup is available from many sources. The large system providers, Dell Technologies, IBM and Hewlett Packard Enterprise, all provide products, while the well-recognized specialist backup software providers, including Veeam, Druva, CloudBerry Lab and Actifio, are also up to speed. Nakivo provides backup and fast restore for virtual machines across a spectrum of cloud service providers, while Rubrik offers a backup service to the cloud with app consistency a key feature.

When choosing a vendor, concentrate on ease of implementation and use; support for compression of data; and compatibility with your hardware, which can be a major issue -- especially with multiple storage platform types -- given the proprietary nature of snapshots. Remember that storage is cheap today and getting cheaper, with data compression as an option for huge savings in space. Given the cost of downtime, a little well-managed data sprawl is a good trade-off.

Next Steps

Flat backup technology has come a long way

Snapshots are integrating better with backup

Common misunderstandings with flat backups

Dig Deeper on Data backup and recovery software

Disaster Recovery