Recoverability is an important piece of the ransomware defense strategy. Experts advise against paying ransoms, so current, unencrypted, uncorrupted backups that offer acceptable recovery points will enable organizations to recover data and get operations back online without payment.
Even if an attacker keeps their word and provides the encryption keys if the organization pays, recovery with encryption keys is usually a lengthy and laborious process. Immutable backups include a write once, ready many, or WORM, designation, whereby even a storage administrator cannot overwrite or delete the data copy. They also cannot be accessed from external hosts, with writes to the internal system only allowed via trusted internal services or APIs. For example, in mount-based restore processes, organizations can consider cloning the internal view for external exposure so that the internal view remains unchanged.
Immutable backups for ransomware offer some relief, but should be complemented by other data protection strategies.
Is immutability really the last line of defense?
In theory, immutable backup and storage play a critical role in the recoverability equation because they are fixed and unchangeable. Some vendors and members of the IT community often pitch immutability as a "last line of defense" point to recover from if other backups have been tampered with.
Although immutable backup is an excellent option in the fight against ransomware, like other data protection techniques, no method is foolproof.
Preventing ransomware attackers from accessing the backup environment to begin with is a critical piece of the cyber resiliency strategy. Backup environments are increasingly popular targets of ransomware attacks. "Sleeper attacks" that can be difficult to detect can attack backup environments, where the malware infiltrates the environment and lays dormant until encrypting data.
To make the best use of immutable backups to keep data safe from ransomware, organizations should do the following:
- Ensure end users adopt a holistic strategy for cyber resiliency that goes beyond data backup and recovery to also include attack detection and prevention.
- Evaluate storage systems for backdoors that enable bad actors to remove or shorten WORM designations, or to delete clusters hosting immutable backup copies.
- Implement strong access and credential management, including role-based access control and multifactor authentication, as well as require two-person concurrence for certain administrative actions.
Another reason why preventative measures are so important is the current rise of double extortion ransomware attacks -- whereby the attacker not only encrypts data, but also threatens to publish that data. Encrypt data in flight and at rest with strong encryption key management and employ physically or logically air-gapped storage. This type of storage ensures the target storage infrastructure is not host-accessible, which can further inhibit the attacker from accessing backup data.
There are a host of anomaly detection capabilities available to help organizations identify vulnerabilities in their environments and to help them identify that a ransomware attack might have occurred. For example, they may be able to identify encryption activity, embedded files or other tampering activity. When used in conjunction with each other, these capabilities can help organizations prevent an attack from occurring in the first place. They can also help uncover when organizations might have been hit with ransomware.
While immutability is an important component of ransomware resiliency, a comprehensive ransomware prevention and recovery strategy goes much further to include preventative and detection capabilities as well.