Ransomware Protection

The single most critical aspect of being a Cloud Service Provider is the security of our customers’ businesses. Delivering Cloud Service means enabling our customers to conduct business on a safe, secure platform. Malware attackers are in direct opposition to this goal; they rely on disrupting businesses in order to extort money from them. That means that as malware attackers develop new vectors of disruption, Cloud Service Providers have a responsibility to adapt.

Security is a back-and-forth between threat and protection. Antivirus software was developed as a response to the first wave of Trojan Horse and Worm attacks on business infrastructure. As malware attacks became more sophisticated, so too did anti-malware, leading to the development of AI-driven malware recognition and Sandbox technology.

The most recent adaptation for Service Providers is Ransomware Protection through WORM (Write Once, Read Many), also known as Storage Immutability. Green Cloud’s new Secure BaaS offering incorporates Ransomware Protection through a Cloudian storage back-end. Combined with Veeam’s industry-leading Backup and Replication solutions, we are excited to offer our partners a proven way to protect their customers against ransomware.

The Problem of Ransomware

Due to the nature of their work, Service Providers must be familiar with malware in its many forms. It can infiltrate a network through any number of vectors: email attachments, malicious thumb drives, social engineering, or even hand-crafted false web pages. Ransomware isn’t that different from traditional malware in this sense; it still uses all of these same vectors to achieve access to a target network.

Ransomware distinguishes itself from common malware by turning encryption, a tool generally used to secure data, into an attack. Encryption is a process by which data is transformed into a different form, a code, after which the original data can only be accessed with a specific key. The ransomware randomly generates a key, encrypts all data available to it, and then sends that key back to the attacker. That way, only the attacker has access to business-critical data, which lets them hold it for ransom.

After it became evident that ransomware was a critical threat, Service Providers began instituting rigorous backup requirements. Attackers have answered with a simple strategy: encrypt or destroy backups first. Once malware has made its way onto a network, the attacker can delay encryption (referred to as an Incubation Period) until they have located and destroyed any backups. That means the Service Provider will be in for a nasty surprise when they attempt to restore that client’s data.

How WORM Works

WORM is the latest response from the security community against ransomware attacks, and it stands for Write Once, Read Many. In order to prevent backups from being destroyed or overwritten, security researchers defined a new standard for storage systems that prevents anyone, even system-level administrators, from modifying backup data. This may sound simple in principle, but it is quite difficult to design and execute. Additionally, it is not a simple plug-and-play software implementation – WORM must be supported on the storage array itself.

Access to data on the storage array must be limited to a highly restricted, security-hardened account. No remote account or utility is allowed access to write data to the array. Once this feature is enabled, data is written once to the disk, and then locked for a pre-determined period of time. In order to interact with this storage, users send and retrieve data through a management utility such as an Object Storage API.

During our search for a comprehensive ransomware solution, Green Cloud came across Cloudian. Already a proven storage provider, Cloudian’s implementations of WORM and Data Immutability on their storage array drew our attention because of their strict compliance with governmental regulations. Cloudian’s integration with Veeam made it a natural fit for Green Cloud’s BaaS offering.

Ransomware Protection In Action

Let’s take a look at how WORM-enabled storage performs during a ransomware attack, in contrast with standard storage. When an attacker first infiltrates a network, they will make sure they have repeatable access to that network. Then begins the Incubation Period, where the attacker lies low on the network while collecting data.

Backups are the primary target. If possible, the attacker will locate and modify backup data. This can be in the form of encryption, configuration changes to remove drives from the backup job, or outright deletion. Traditional storage offers no protection against this type of attack. If the attacker gains access to the backup storage medium, they can wipe out months or years of user data to ensure that their ransom attack is successful.

In contrast, when the attacker attempts to write over backups on WORM-enabled storage, they find that the data cannot be modified in any way. Even modifying the backup job to contain bunk data will not destroy or overwrite the existing backups. This greatly extends the incubation period, which means more time in which the malware can be detected and removed by Endpoint Protection or other anti-malware solutions.
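
The write-once, time-locked behaviour described under How WORM Works and in the attack walkthrough above can be modelled in a few lines. This is an added illustration, not Green Cloud, Veeam or Cloudian code: WormBucket, RetentionLocked, the 30-day lock and the object name are hypothetical, and the model assumes the store keeps every write as a separate version.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

class RetentionLocked(Exception):
    """A request tried to remove a version that is still under lock."""

@dataclass
class WormBucket:
    """Toy model of an immutable bucket (hypothetical, not a vendor API)."""
    retention: timedelta                          # lock applied to every write
    versions: dict = field(default_factory=dict)  # key -> list of versions

    def put(self, key, data, now):
        # A write never replaces data in place; it appends a new locked version.
        chain = self.versions.setdefault(key, [])
        chain.append({"data": data, "retain_until": now + self.retention})
        return len(chain) - 1                     # version id

    def get(self, key, vid=-1):
        return self.versions[key][vid]["data"]

    def delete_version(self, key, vid, now, is_admin=False):
        # is_admin is deliberately ignored: the lock binds every caller.
        entry = self.versions[key][vid]
        if now < entry["retain_until"]:
            raise RetentionLocked(f"{key} v{vid} is locked")
        entry["data"] = None                      # expired: space is reclaimed

def simulate_attack():
    """Constructed scenario: intruder with admin rights hits a locked backup."""
    t0 = datetime(2024, 1, 1)
    bucket = WormBucket(retention=timedelta(days=30))
    key = "job1/full.vbk"                         # constructed object name
    good = bucket.put(key, b"clean backup", t0)

    day5 = t0 + timedelta(days=5)
    bucket.put(key, b"encrypted garbage", day5)   # attempted overwrite
    try:
        bucket.delete_version(key, good, day5, is_admin=True)
        delete_blocked = False
    except RetentionLocked:
        delete_blocked = True
    restored = bucket.get(key, good)              # pre-attack copy still readable

    # Once the lock period has passed, ordinary cleanup works again.
    bucket.delete_version(key, good, t0 + timedelta(days=31))
    return delete_blocked, restored, bucket.get(key, good) is None
```

The overwrite lands as a second version rather than replacing the first, so a restore only has to select the version written before the intrusion.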

Ransomware Protection and Secure BaaS

Enabling our partners to deliver a safe, secure platform on which customers can do business is a priority for Green Cloud. Veeam emphasizes that Service Providers should follow the “3-2-1 Rule” when designing their backup infrastructure:

  • Have at least three copies of your data.

  • Store the copies on two different media.

  • Keep one backup copy offsite.

Green Cloud’s BaaS has allowed us to fill a critical data protection role as a remote repository for on-site backups. Secure BaaS, our new offering powered by Veeam Cloud Connect and Cloudian Storage, offers a Veeam Repository that is fully protected against ransomware and malicious deletion.

For more information on Secure BaaS and Ransomware Protection, feel free to contact your Account Manager, or visit https://gogreencloud.com/contact-us/.
