An efficient data protection plan built around robust backup practices has long been considered the best hedge against ransomware attacks that encrypt files. Unfortunately, the malicious actors launching these attacks know that, too. The latest ransomware strains are designed to target backup environments and leave victims unable to recover from an attack.
That’s why all data protection environments should include an option for immutable backups that cannot be encrypted, deleted or otherwise modified, even by an administrator. Immutable backups ensure that an untouched version of data is always recoverable and safe from any attack or system failure.
Many organizations are under the mistaken impression that they are fully protected by the traditional “3-2-1” data protection strategy. Considered an industry best practice for decades, this approach calls for organizations to make three copies of data. Two should be stored on different types of media, with one located at an air-gapped or offsite location. Having at least one copy isolated is meant to act as an insurance policy against data loss.
Closing the Attack Loop
However, even air-gapped backups are vulnerable to so-called “attack loops.” In most ransomware attacks, the malicious code doesn’t execute immediately but lies dormant for months before being activated. As a result, the ransomware is being backed up along with legitimate data. Any recoveries from infected backups will also restore the ransomware executable, which will continue to encrypt files.
A true immutable backup solution closes the attack loop in a variety of ways:
- Whether you use on-premises disk or tape storage or a cloud-hosted storage system as your backup target, you can use backup software to create immutability flags, which are file system attributes that prohibit changes to files or folders. Immutability flags even supersede administrator read and write permissions.
- Variable repository naming adds another layer of protection. This technique renames backup repositories in nonstandard formats, effectively making them moving targets that are difficult for ransomware to identify or locate. Authentication and access controls such as two-factor authentication, role-based access control and single sign-on are important additional safeguards.
- Many solutions also use an immutable file system such as the Zettabyte File System (ZFS) to ensure data integrity. ZFS creates snapshots at the block level of the file system, making them immune to any file-level ransomware encryption.
- AI-powered anomaly detection features can detect and isolate infected files before they are backed up. Once suspicious files are identified, the feature notifies backup and security administrators, giving them the opportunity to inspect the files and remove them if necessary.
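The pre-backup screening described in the last bullet can be illustrated with a simple heuristic. This is an added example, not code from the original article or from any backup product: it swaps the AI model for a Shannon-entropy check, and the 7.5 bits-per-byte threshold, the header allow-list and the sample file names are assumptions.

```python
import hashlib
import math
from collections import Counter

# Magic bytes of formats that are legitimately high-entropy (assumed allow-list).
KNOWN_COMPRESSED = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff",
                    b"\x89PNG\r\n\x1a\n", b"7z\xbc\xaf\x27\x1c")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per data set

def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def is_suspicious(data: bytes) -> bool:
    """Flag near-random content that lacks a recognised compressed-format header."""
    if data.startswith(KNOWN_COMPRESSED):
        return False
    return shannon_entropy(data) > ENTROPY_THRESHOLD

def triage(files: dict) -> tuple:
    """Split {name: content} into (names to back up, names to hold for review)."""
    backup, quarantine = [], []
    for name, data in sorted(files.items()):
        (quarantine if is_suspicious(data) else backup).append(name)
    return backup, quarantine

def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample inputs, not real files.
SAMPLE = {
    "report.txt": b"Quarterly results were in line with forecast.\n" * 50,
    "photos.zip": b"PK\x03\x04" + pseudo_random(4096),
    "ledger.xlsx.locked": pseudo_random(4096),
}

if __name__ == "__main__":
    ok, held = triage(SAMPLE)
    print("back up:", ok)
    print("hold for review:", held)
```

The header allow-list trusts magic bytes alone, so treat this as a first-pass filter and pair it with change-rate checks between backup runs.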
Beyond ransomware protection, immutable backups guard against a variety of other threats, such as malicious insiders who try to delete or modify files, accidental deletion or modification, and data corruption from bugs or power outages. They also help organizations meet regulatory requirements for data preservation, ensure data authenticity for litigation requirements, and protect data against retention policy changes.
Ransomware attacks reached record levels in 2021, with analysts estimating that there were more than 700 million attacks — a 130 percent increase over 2020. Those numbers are likely to continue rising in 2022.
An immutable backup can help ensure that your critical resources can be reliably accessed in the event of an attack. Give us a call to discuss how to implement data immutability as part of your ransomware remediation plan.
February 7, 2022