Many organizations likely breathed a small sigh of relief when REvil suddenly disappeared from the world’s ransomware stage. The group was allegedly responsible for attacks on Apple, meatpacker JBS SA and, most recently, Kaseya, and few shed any tears over its disappearance.
However, plenty of ransomware strains remain that organizations must still defend against and recover from. Immutable storage solutions represent one option to which organizations may turn to recover from a ransomware attack.
Immutable storage solutions store data in an unalterable format. Media storage types may include cloud storage, disk, tape, thumb drives, compact disks (CDs), and optical. Cloud storage and disk often get preference since they provide the speed and ease of access that organizations often need.
To make disk storage immutable, organizations must use or implement software that offers data immutability features. They typically obtain this software in one of two ways. They may acquire a hardware backup or storage appliance that includes data immutability as an option. They may also acquire backup software or software-defined storage that can make any disk storage immutable.
Some object cloud storage (AWS S3, Microsoft Azure Blob, etc.) offerings have included data immutability options for some time. Initially, organizations could, and still can, turn on cloud storage’s journaling feature to track changes to existing data.
Changes may still occur to production data, but the cloud tracks any changes to it. Should the production data become compromised, the changes saved in the background give organizations the option to recover to a previous point in time.
In the last few years, cloud providers such as Amazon have introduced Object Lock. Using this feature, organizations can apply retention settings to data saved on their object cloud storage. This setting prohibits organizations from making any changes to the saved data or its metadata. Once the data reaches the expiration date associated with its retention setting, it may either get deleted or unlocked.
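The retention behavior described above can be audited before an incident. The following is an added example, not code from the original article or from AWS: it checks backup objects for retention that is missing, already expired, too short, or set in S3's GOVERNANCE mode (a detail beyond the article: that mode can be bypassed by principals holding the bypass permission, while COMPLIANCE mode cannot). The dictionaries mirror the shape of S3's GetObjectLockConfiguration and HeadObject responses; the object keys, dates and 14-day recovery window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def audit_object_lock(bucket_cfg, objects, now, min_days):
    """Return (key, finding) pairs for backups that are not reliably immutable.

    bucket_cfg: dict shaped like S3 GetObjectLockConfiguration output
    objects:    {key: dict shaped like S3 HeadObject output}
    min_days:   assumed recovery window each backup must stay locked for
    """
    findings = []
    lock = bucket_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(("<bucket>", "Object Lock not enabled"))
    elif "DefaultRetention" not in lock.get("Rule", {}):
        findings.append(("<bucket>", "no default retention for new objects"))
    required_until = now + timedelta(days=min_days)
    for key, head in sorted(objects.items()):
        mode = head.get("ObjectLockMode")
        until = head.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append((key, "no retention set"))
        elif until <= now:
            findings.append((key, "retention expired; object is unlocked"))
        elif until < required_until:
            findings.append((key, "retention ends inside the recovery window"))
        elif mode == "GOVERNANCE":
            findings.append((key, "GOVERNANCE mode; lock can be bypassed"))
    return findings

# Constructed sample data (not taken from any real bucket).
NOW = datetime(2021, 8, 1, tzinfo=timezone.utc)
BUCKET_CFG = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

def _head(mode, days):
    return {"ObjectLockMode": mode,
            "ObjectLockRetainUntilDate": NOW + timedelta(days=days)}

OBJECTS = {
    "backups/2021-07-31.tar": _head("COMPLIANCE", 29),   # healthy
    "backups/2021-07-30.tar": _head("GOVERNANCE", 28),   # bypassable
    "backups/2021-07-10.tar": _head("COMPLIANCE", 8),    # too short
    "backups/2021-06-20.tar": _head("COMPLIANCE", -12),  # expired
    "backups/manual-copy.tar": {},                       # never locked
}

if __name__ == "__main__":
    for key, finding in audit_object_lock(BUCKET_CFG, OBJECTS, NOW, 14):
        print(f"{key}: {finding}")
```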
Creating an air gap by physically disconnecting media from an organization’s IT network also serves to make data immutable. Ransomware can only delete, encrypt, or lock data it can access. By disconnecting or removing media from an IT network, ransomware cannot access it.
While admittedly low tech, air-gapped technologies cost very little, are mature, and work. Organizations can air-gap storage media in a couple of ways. They may physically remove the media from a device.
Compact disks (CDs), optical, tape, and even removable disk can function in all these roles. Further, these media types often have physical attributes that organizations may use to make the media Write Once Read Many (WORM). Using these attributes, organizations may not need any special software to make the data immutable. In this way, they may leave the media online without worrying about it getting deleted, locked, or encrypted. However, any media connected to an IT network still runs the risk of its data being exfiltrated.
Immutable Storage Only a Recovery Option
The adage that an ounce of prevention is worth a pound of cure still holds true. Immutable storage does not detect, repel, or prevent ransomware or ransomware attacks. It only stores data in an immutable format, making it possible for organizations to recover.
Further, immutable storage cannot guarantee data stored on it contains no ransomware. Organizations should ideally scan any data in production, stored on backups, or used for recoveries for ransomware.
Robust cybersecurity software can detect, prevent, and ideally even remediate ransomware attacks. However, as Apple, JBS SA, Kaseya, and others can attest, cybersecurity software cannot defend against all ransomware. In these circumstances, storing data on immutable storage offers a means for recovery and can help keep security breakdowns from becoming a catastrophe.