Fighting Ransomware
Lattus provides a highly scalable archive repository using object storage technology to provide very high-capacity storage while protecting data by spreading it across many different disk spindles and, optionally, multiple locations.

Fighting Ransomware with a Multi-Tier Backup Strategy

Ransomware is one of the fastest-growing kinds of cybercrime, and the financial impact is enormous. The FBI estimates that reported payments in 2016 reached $1 billion, and many payments are never reported. A ransomware attack introduces malware into a computer system; the malware systematically encrypts stored files, and the criminals demand payment in exchange for the decryption key. Ransom payments are not recommended: they encourage attacks, and many organizations have not been able to recover all their data even after paying. A much better solution is creating a resilient data protection system.

Ransomware Attacks a Major University

An example is provided by a major U.S. university recently attacked by cybercriminals. The attack was carefully planned. Trojan-horse malware was introduced using fraudulent emails and other tactics a week before the full attack was carried out. The malware attacked files in NTFS, the default Windows format, and it spread between physical and virtual servers, laptops, and devices like thumb drives. The attack began on Saturday night, starting with the backup servers and then spreading to other devices. Once on the disk, the malware worked through files, encrypting them so they could no longer be read.

Rapid Discovery a Key to Minimizing Damage

The attack might have been discovered earlier, but there was a new backup administrator who was not fully aware of how to detect malware and shut down the system at the first signs. The malware was able to encrypt files for a full eight hours before an administrator noticed unreadable files and tracked down the head of IT, who shut down all the systems. By that time, 20,000 files had been locked on 120 servers, including all of the university’s virtual machines (VMs). The ransom demand was huge, in six figures. But the university decided against paying because the IT team had a data protection methodology that would allow it to recover the data safely.

Tape Backup Layer a Critical Component for Recovery

The university’s backup started with disk targets—but because the backups were stored in NTFS, they were compromised. Fortunately, the IT team also had been writing backups to an LTO tape library.

Although backup copies on disk were encrypted, the tape layer was unaffected because the files were written to tape before the attack began. And even if contaminated copies had reached tape, the malware would not have been able to spread. The IT team decided to completely scrub the system and rebuild everything from the tape backups. The entire process took approximately two weeks.

Archive Strategy Can Play a Role

Instead of rebuilding the system directly onto the disk that had been infected, the university used its archive—a Quantum StorNext system that created duplicate copies of some data in an object-storage-based private cloud using Quantum’s Lattus solution. The team discovered that the malware did not spread to the StorNext Lattus archive.

Lattus provides a highly scalable archive using object storage technology that also protects data by spreading it across many different disk spindles and, optionally, multiple locations. The team used Lattus as a safe staging area to restore the systems before installing them on the now-clean original server infrastructure.

Recovery Plans Minimize Loss

The copies on tape and the Lattus working area provided the IT team with everything it needed to recover all the backed-up data and rebuild the system. The only data that had to be recreated were files stored outside the backup system on some laptops and USB drives, about 600 GB.

The bottom line? Ransomware-style cyberattacks may be common and difficult to completely stop, but a best-practice backup strategy that includes multiple copies of data on different kinds of media, including tape, can eliminate or minimize data loss.

Key Benefits

  • Make sure all administrators, including those managing backups, can recognize a ransomware cyberattack and know how to shut down systems immediately when an attack is discovered.
  • Do not stay logged in as an administrator any longer than strictly needed.
  • Avoid browsing, opening documents, or similar activities while logged in with administrator rights.
  • Create a multi-tiered backup strategy that includes a tape layer to ensure that data can be rebuilt safely in the event of an attack.
  • Backup best practice includes having three copies of data on two different media types, with one stored safely offline and off-site.
  • Consider implementing a multi-tier archive strategy, using tape or object storage, to provide a safe place to store copies of primary data and rebuild systems.
  • Enforce policies that place all critical data on resources that are protected by the institution’s disk and tape backup protocols.
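
The three-copies, two-media, one-offline-and-off-site practice listed above can be checked mechanically against a backup inventory. The following Python example is an added illustration, not part of the original case study or of any vendor tooling; the inventory, the field names and the rule that the primary counts as one of the three copies are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    location: str        # constructed label, not a real system name
    media: str           # "disk", "tape" or "object"
    offline: bool        # not reachable over the network (e.g. ejected tape)
    offsite: bool        # kept at a different site from the primary data
    host_writable: bool  # production hosts can write to it as a filesystem

def audit(dataset, copies):
    """Return findings for one dataset; an empty list means the policy is met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"{dataset}: {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append(f"{dataset}: only one media type")
    if not any(c.offline and c.offsite for c in copies):
        findings.append(f"{dataset}: no copy is both offline and off-site")
    # Lesson from the case study: disk backups that the infected hosts could
    # write to were encrypted along with the primary data.
    if all(c.host_writable for c in copies):
        findings.append(f"{dataset}: every copy is writable from production hosts")
    return findings

# Constructed inventory (the primary counts as one of the three copies).
INVENTORY = {
    "vm-images": [
        Copy("primary-san", "disk", False, False, True),
        Copy("backup-disk", "disk", False, False, True),
        Copy("lto-vault", "tape", True, True, False),
    ],
    "research-share": [
        Copy("primary-nas", "disk", False, False, True),
        Copy("backup-disk", "disk", False, False, True),
        Copy("object-archive", "object", False, False, False),
    ],
    "laptop-files": [Copy("laptop-ssd", "disk", False, False, True)],
}

def audit_all(inventory=INVENTORY):
    return {name: audit(name, copies) for name, copies in inventory.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

The "laptop-files" entry mirrors the data the case study says had to be recreated: it sat outside the backup system, so it fails every check.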

About the University

The university in this case study is one of the premier institutions of higher learning in the world, offering a complete curriculum of undergraduate and graduate programs across the arts and sciences to an engaged and diversified student body. It is also one of the nation’s leading research institutions, generating globally significant discoveries in the natural sciences, social and behavioral sciences, engineering, information technology, and humanities.