Fighting Ransomware With A Multi-Tier Backup Strategy

Ransomware is one of the fastest-growing kinds of cybercrime, and the financial impact is enormous. The FBI estimates that reported ransom payments in 2016 reached $1 billion, and many payments are never reported at all. A ransomware attack introduces malware into a computer system, which systematically encrypts stored files, and the criminals then demand payment in exchange for the decryption key. Paying the ransom is not recommended: payment funds further attacks, and many organizations have not been able to recover all of their data even after paying. A far better defense is a resilient data protection system that can restore the data without the attacker's cooperation.

Ransomware Attacks a Major University

An example is provided by a major U.S. university recently attacked by cybercriminals. The attack was carefully planned. Trojan-horse malware was introduced through fraudulent emails and other tactics a week before the full attack was carried out. The malware targeted files on NTFS volumes, the default Windows file system, and it spread between physical and virtual servers, laptops, and removable devices such as thumb drives. The encryption phase began on a Saturday night, starting with the backup servers and then spreading to other devices. Once on a disk, the malware worked through the files, encrypting them so they could no longer be read.

Rapid Discovery a Key to Minimizing Damage

The attack might have been discovered earlier, but a newly hired backup administrator was not yet familiar with how to recognize the signs of an encryption attack and shut the system down at the first sign of trouble. The malware was able to encrypt files for a full eight hours before an administrator noticed unreadable files and tracked down the head of IT, who shut down all the systems. By that time, 20,000 files had been locked on 120 servers, including all of the university's virtual machines (VMs). The ransom demand was huge, in the six figures. But the university decided against paying, because the IT team had a data protection methodology that would allow it to recover the data safely.
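The eight-hour gap described above is the window that a periodic integrity check on the backup targets could have closed. The following script is an added example and is not code from the article or from the university's IT team. It scans a directory tree and flags files that look as though they have been overwritten by ransomware, using two assumed heuristics: a file whose extension promises a known structured format (PDF, ZIP, DOCX, PNG, gzip) but whose leading bytes do not match is reported as a magic mismatch, and a file of unknown type (which includes the extra suffix many ransomware families append) whose first 4 KiB has near-maximal Shannon entropy is reported as high-entropy. Legitimately compressed formats are high-entropy on their own, which is why the header check takes precedence for known extensions. The `MAGIC` table, the 7.2 bits-per-byte threshold, the alert count and the sample files are all assumptions constructed for the example.

```python
"""Heuristic scan of a backup target for files overwritten by ransomware.

Added example, not code from the article. The magic table, the entropy
threshold and the sample tree are assumptions chosen for illustration.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes for a few structured formats (assumption: a small
# table is enough for the demonstration; a real deployment would use libmagic).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}
SAMPLE_BYTES = 4096   # how much of each file to inspect
ENTROPY_LIMIT = 7.2   # bits per byte; ciphertext sits close to 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'ok', 'magic-mismatch' or 'high-entropy' for one file."""
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known format: trust the header, not entropy. A real .zip or .docx is
        # high-entropy anyway, so entropy alone would false-positive here.
        return "ok" if head.startswith(expected) else "magic-mismatch"
    # Unknown extension (including a suffix appended by the malware):
    # fall back to the entropy of the sampled bytes.
    return "high-entropy" if shannon_entropy(head) > ENTROPY_LIMIT else "ok"


def scan(root: Path) -> dict[str, str]:
    """Classify every regular file under `root`, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): classify(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def should_alert(verdicts: dict[str, str], max_suspicious: int = 2) -> bool:
    """Raise an alert once more than `max_suspicious` files look encrypted.

    A couple of odd files is normal; dozens within one scan interval is not.
    """
    return sum(v != "ok" for v in verdicts.values()) > max_suspicious


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real data from the incident)."""
    rng = random.Random(20160101)
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))  # stands in for ciphertext
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj\n" * 300)   # intact
    (root / "photos.zip").write_bytes(b"PK\x03\x04" + noise)                # intact, high-entropy
    (root / "notes.txt").write_text("quarterly backup rotation notes\n" * 100)
    (root / "thesis.docx").write_bytes(noise)                                 # encrypted in place
    (root / "budget.xlsx.locked").write_bytes(noise)                          # renamed after encryption
    (root / "minutes.txt").write_bytes(noise[::-1])                           # encrypted text file


def demo() -> tuple[dict[str, str], bool]:
    """Build the sample tree in a temp dir, scan it, and return (verdicts, alert)."""
    root = Path(tempfile.mkdtemp(prefix="bkp-scan-"))
    build_sample_tree(root)
    verdicts = scan(root)
    return verdicts, should_alert(verdicts)


if __name__ == "__main__":
    results, alert = demo()
    for name, verdict in results.items():
        print(f"{verdict:15} {name}")
    print("ALERT: possible encryption in progress" if alert else "no alert")
```

Run against a mounted backup target on a short timer, a jump in the count of flagged files is the signal the administrator in the story was missing for eight hours. The entropy heuristic on its own is noisy (any compressed or already-encrypted archive trips it), so in practice it is paired with the header check, a baseline of how many such files the share normally holds, and a canary file that nothing legitimate ever modifies.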

Tape Backup Layer a Critical Component for Recovery

The university's backups were first written to disk targets, but because those targets were NTFS volumes of the same kind the malware was encrypting, the disk copies were compromised along with the production data. Fortunately, the IT team had also been writing backups to an LTO tape library.

Although the backup copies on disk were encrypted, the tape layer was unaffected because the files had been written to tape before the attack began. And even if copies of the malware had reached tape, it could not have spread from there: a cartridge in a library is not a mounted, writable file system, so the malware has nothing to encrypt and nothing to execute on until the data is restored. The corollary is that restores must come from a point in time before the trojan was introduced, which here was a week before the encryption started, and restored files should be scanned before they are returned to service. The IT team decided to completely scrub the system and rebuild everything from the tape backups. The entire process took approximately two weeks.

Archive Strategy Can Play a Role

Instead of rebuilding the system directly onto the disks that had been infected, the university used its archive, a Quantum StorNext system that created duplicate copies of some data in an object-storage-based private cloud using Quantum's Lattus solution. The team discovered that the malware had not spread to the StorNext Lattus archive.

Lattus provides a highly scalable archive built on object storage technology, which also protects data by spreading it across many disk spindles and, optionally, across multiple locations. The team used Lattus as a clean staging area in which to restore the systems before moving them back onto the original server infrastructure once it had been rebuilt.

Recovery Plans Minimize Loss

The copies on tape and the Lattus staging area gave the IT team everything it needed to recover all of the backed-up data and rebuild the system. The only data that had to be recreated were files stored outside the backup system on some laptops and USB drives, about 600 GB in total.

The bottom line? Ransomware-style cyberattacks may be common and difficult to stop completely, but a best-practice backup strategy that keeps multiple copies of data on different kinds of media, including at least one copy on tape or another medium the malware cannot reach from the network, can eliminate or minimize data loss.