Backup software products are starting to adopt anti-ransomware features – and that’s a good thing. Ransomware has clearly expanded beyond consumers and is regularly attacking businesses and government entities. But not every backup company is convinced this is a problem they should solve.
At VMworld I asked several backup companies what they are doing to battle ransomware. The answers ranged widely. The most common answer I heard was that a given product’s response to ransomware is to restore the last known good copies of files, replacing the infected ones. These companies seemed to feel that stopping ransomware before it could infect files was another company’s job; for example, the job of an intrusion detection and prevention product, or a malware and virus detection product.
The problem with this idea is the techniques employed by some ransomware strains are specially designed to get around traditional products designed to stop malware from entering the data center. By the time ransomware is detected, it has already done a significant amount of damage.
The other reason I believe this thinking is short-sighted is that backup software products are in the unique position of seeing all file changes across an environment. Every file that gets encrypted by malware will be backed up by the backup software. A little artificial intelligence or Bayesian logic would allow a product to see that something is amiss and stop it in its tracks – at least as far as the backups are concerned.
Linux Backup Products Have an Advantage
One of the big concerns about ransomware is backup software products that store their backups on Windows or on an SMB-mounted share, as they are susceptible to the same attacks that go after the systems they’re backing up. This is why Linux-based products have an advantage. While Linux is not impervious to ransomware or malware, it is impervious to the Windows-focused malware that attacks the rest of your data center. At this point there have been no cross-platform malware strains.
Even if a given backup product had no other feature than running its software on Linux, I would consider that a competitive advantage over a product that runs on Windows. Besides the fact that many consider Linux more secure than Windows, the fact that Windows desktops and servers are the specific targets of ransomware should give anyone pause. To be clear, this is not me attacking the Windows OS; it is just a reality that Windows is a prime target due to its popularity. There are multiple reports of companies that have had their backups, stored on Windows directories and shares, encrypted by ransomware along with their production data.
Ransomware Best Practices
Other companies have put some thought into the risks that ransomware poses and are at least giving their customers advice on how to protect against it with their current product. The best example of this is Windows-based products that can back up to disk. If the product is capable of backing up to a secondary storage device without going through SMB or NFS, you should look into that method. If there is any method other than a network mount to get data to your backup device, use it. The problem with a network mount is that if the backup server gets infected, the ransomware can easily crawl that mount and corrupt or delete the backups.
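The advice above boils down to one question a backup administrator should be able to answer: is the backup repository reachable from the backup server as an ordinary SMB or NFS mount? The following is an added example, not code from any vendor mentioned here, that answers it for a Linux backup host by parsing the mount table. The mount table text is a constructed sample so the script runs offline; on a real server you would read /proc/mounts. The repository paths, server names and the list of filesystem types treated as "network" are assumptions for the example.

```python
"""Check whether backup repository paths sit on a network (SMB/NFS) mount.

Added example: parses /proc/mounts-style text and resolves each path to the
longest matching mount point. Only the mount table format and the fstype
names (cifs, smb3, nfs, nfs4) are real; all sample values are constructed.
"""
import posixpath

# Filesystem types that expose the repository as a crawlable network share.
NETWORK_FS = {"cifs", "smb3", "nfs", "nfs4"}

# Constructed sample of /proc/mounts: one local disk repository, one SMB
# share and one NFS export. Columns: source mountpoint fstype options 0 0.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /backups/local xfs rw,noatime 0 0
//fileserver/backups /backups/share cifs rw,vers=3.0 0 0
nas:/export/backups /backups/nas nfs4 rw,vers=4.1 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, fstype, source) from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        source, mountpoint, fstype = parts[0], parts[1], parts[2]
        # /proc/mounts escapes spaces in mount points as \040
        mountpoint = mountpoint.replace("\\040", " ")
        mounts.append((mountpoint, fstype, source))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that contains path (matching on a directory boundary)."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint, fstype, source in mounts:
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype, source)
    return best


def check_repository(path, mounts_text=SAMPLE_PROC_MOUNTS):
    """Classify a repository path as 'local', 'network' or 'unknown'."""
    mount = mount_for(path, parse_mounts(mounts_text))
    if mount is None:
        return "unknown", f"{path}: no matching mount"
    mountpoint, fstype, source = mount
    if fstype in NETWORK_FS:
        return "network", f"{path}: {fstype} mount {mountpoint} from {source}"
    return "local", f"{path}: {fstype} mount {mountpoint} on {source}"


if __name__ == "__main__":
    # Assumed repository paths; replace with the ones your backup product uses.
    for repo in ("/backups/local/jobs", "/backups/share/jobs", "/backups/nas"):
        verdict, detail = check_repository(repo)
        print(f"[{verdict:7}] {detail}")
```

Any path that comes back as "network" is one the article says to move off a mount and onto a path the product reaches by its own transport instead. Run it against `open("/proc/mounts").read()` to check a live host.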
Specific Ransomware Responses
The following is a list of the responses I received from the various vendors as I walked around VMworld. If I’m missing anyone, it’s because they weren’t available to speak with me or they did not exhibit at the show.
- Nakivo can place its backups on another server via an FTP connection, thus making those backups not susceptible to an SMB or NFS attack.
- Cohesity used the term “immutable copies” to refer to how it stores backups. The snapshots that the solution is built on are not visible to the end user and so would not be susceptible to a user-space attack. In addition, it is a Linux-based solution.
- Dell EMC says it is working on releasing a “VPN trickery” to create a “virtual air gap” between attackers and your backups. One interesting part of the solution is to use Index Engines to validate the backups before doing a fast copy of them to a second Data Domain box, after which the data is placed in a retention lock.
- Druva is a cloud only solution based on Linux, and as such it believes its backups would be isolated from an attack that strikes your data center.
- Quest’s answer to ransomware is rapid recovery, allowing you to easily and instantly recover your VM if it is infected.
- Unitrends had the most advanced ransomware solution, as it looks for behavior patterns within the backed-up data. It looks for things like too many changed files, system files changing that shouldn’t change, and other things. If it notices things like that, it notifies the appropriate people, allowing them to directly address the problem.
- Veeam recommends placing backups on one of its storage partners and using one of their proprietary interfaces to get the data there, including Dell EMC Data Domain Boost, HPE StoreOnce Catalyst, or Veeam’s own Data Mover. The Data Mover is supported by ExaGrid and Quantum.
- Vembu offered best practices to protect from ransomware, starting with locking down the backup server.
- Zerto allows you to roll back to any point in time using their recovery journal. Therefore, if you’re able to identify the exact point in time when you were infected, you could recover to just before that time. It is also a Linux-based solution.
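The earlier point that a backup product sees every file change, and the Unitrends entry above (too many changed files, system files changing that should not), describe a detector that can be built from nothing more than the list of files each incremental backup job found changed. The following is an added example of that idea, not Unitrends’ or any other vendor’s code: it flags a job whose changed-file count is far above the baseline of recent jobs, any change under a directory assumed to be static, and a job where most changed files carry an extension never seen before. The job manifests, dates, paths, the protected prefix and the thresholds are all constructed for the example.

```python
"""Flag ransomware-like change patterns across backup job manifests.

Added example. Each job is (date, [changed file paths]) as an incremental
backup catalog would record it. Three signals: changed-file count far above
the rolling baseline, changes under a protected prefix, and a high share of
never-before-seen extensions. Sample data and thresholds are constructed.
"""
import statistics
from pathlib import PureWindowsPath

# Constructed manifests: four normal days, then a job taken after an outbreak
# in which user files were rewritten with a new extension, ransom notes were
# dropped and a file under a static system directory changed.
SAMPLE_JOBS = [
    ("2017-08-28", ["C:/Users/alice/report.docx",
                    "C:/Users/alice/budget.xlsx",
                    "C:/Users/bob/notes.txt"]),
    ("2017-08-29", ["C:/Users/alice/report.docx",
                    "C:/Users/bob/todo.txt"]),
    ("2017-08-30", ["C:/Users/alice/budget.xlsx",
                    "C:/Users/bob/notes.txt",
                    "C:/Users/bob/photo.jpg",
                    "C:/Users/carol/plan.pptx"]),
    ("2017-08-31", ["C:/Users/carol/plan.pptx",
                    "C:/Users/bob/notes.txt"]),
    ("2017-09-01", ["C:/Users/alice/report.docx.locked",
                    "C:/Users/alice/budget.xlsx.locked",
                    "C:/Users/alice/photos/beach.jpg.locked",
                    "C:/Users/bob/notes.txt.locked",
                    "C:/Users/bob/todo.txt.locked",
                    "C:/Users/bob/photo.jpg.locked",
                    "C:/Users/carol/plan.pptx.locked",
                    "C:/Users/carol/invoices/q1.pdf.locked",
                    "C:/Users/carol/invoices/q2.pdf.locked",
                    "C:/Users/carol/invoices/q3.pdf.locked",
                    "C:/Users/alice/HOW_TO_DECRYPT.txt",
                    "C:/Users/bob/HOW_TO_DECRYPT.txt",
                    "C:/Windows/System32/drivers/etc/hosts",
                    "C:/Users/carol/HOW_TO_DECRYPT.txt"]),
]

# Assumed directory whose contents should not change between ordinary jobs.
PROTECTED_PREFIXES = ("c:/windows/system32/",)


def extension(path):
    return PureWindowsPath(path).suffix.lower()


def changed_count_zscore(history, current):
    """How many standard deviations the current count is above the baseline."""
    counts = [len(files) for files in history]
    mean = statistics.mean(counts)
    stdev = statistics.pstdev(counts) or 1.0  # flat baseline: avoid divide by zero
    return (len(current) - mean) / stdev


def protected_changes(files):
    """Changed files that live under a prefix expected to be static."""
    return [f for f in files if f.lower().startswith(PROTECTED_PREFIXES)]


def new_extension_ratio(history, current):
    """Share of current changed files whose extension never appeared before."""
    seen = {extension(f) for files in history for f in files}
    if not current:
        return 0.0
    novel = [f for f in current if extension(f) not in seen]
    return len(novel) / len(current)


def assess_job(history, current, z_threshold=3.0, novel_threshold=0.5):
    """Return a list of human-readable findings; empty means nothing unusual."""
    findings = []
    z = changed_count_zscore(history, current)
    if z > z_threshold:
        findings.append(f"{len(current)} changed files is {z:.1f} std devs above baseline")
    protected = protected_changes(current)
    if protected:
        findings.append(f"{len(protected)} change(s) under protected paths: {protected}")
    ratio = new_extension_ratio(history, current)
    if ratio >= novel_threshold:
        findings.append(f"{ratio:.0%} of changed files have a never-seen extension")
    return findings


def scan(jobs, window=4):
    """Assess every job against the preceding `window` jobs; return {date: findings}."""
    alerts = {}
    for i in range(window, len(jobs)):
        date, files = jobs[i]
        history = [f for _, f in jobs[i - window:i]]
        findings = assess_job(history, files)
        if findings:
            alerts[date] = findings
    return alerts


if __name__ == "__main__":
    for date, findings in scan(SAMPLE_JOBS).items():
        print(f"ALERT {date}:")
        for finding in findings:
            print(f"  - {finding}")
```

Only the last job trips all three signals; the normal days stay quiet because their counts and extensions match the baseline. In a product the alert would go to the people named in the Unitrends description, and the job could additionally be held out of retention pruning so the last good copies are not expired while the incident is investigated.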
It’s good to see that the backup software community is responding to this threat in a variety of ways. Customers should examine their data protection mechanisms to see how vulnerable they would be to a typical ransomware attack, paying special attention to Windows-based backup servers. Since such servers can be and have been compromised by ransomware, storing backups on a local or network-mounted directory is really ill advised. It’s time to have a conversation with your backup software provider to see what steps you can take to get better protection.