Misplaced your phone? Can’t remember where you left it? Did someone steal it … or did you lose it? We’ve all been through these moments, and many of us have actually lost our phones, along with a lot of personal data. This is certainly a difficult situation to deal with. Now imagine how hard it would be if an organization with thousands of employees lost all of its data with no idea who stole it and with no measures in place to recover the lost data.
Welcome to RANSOMWARE!
What Is Ransomware?
Ransomware is a type of malicious software (malware) that uses cryptography to encrypt the victim’s sensitive data and holds it hostage until the victim pays the demanded ransom to receive a decryption key. Ransomware is often a product of organized crime, and attackers may not operate ethically, refusing to provide the decryption key even after the ransom is paid.
According to a CNET report, the cost of ransomware could be as devastating as that of a natural disaster hitting a U.S. city, with an estimate of more than $19 billion across local governments and other sectors.
The cost of recovering from a ransomware attack usually includes rebuilding the affected environment, the cost of the ransom itself (if the demanded ransom is paid), and the business disruption due to the attack. According to a CoveWare ransomware report, in Q2 2019 the average ransom payment was $36,295 per incident per day. In Q3, that amount increased to $41,198—and there could be multiple incidents in a single environment. Also, typical downtime averaged 12.1 days in Q3, up from 9.6 days in Q2.
Another report from Symantec highlights the fact that these malware attacks are a major challenge for organizations. WannaCry, copycat versions, and Petya have continued to inflate infection figures. Until 2017, consumers were the hardest hit by ransomware, accounting for major incidents of infection. In 2017, the balance tipped toward enterprises, with a majority of infections occurring in businesses. In 2018, that shift accelerated, and enterprises accounted for 81% of all ransomware infections. Overall, ransomware infections recorded for enterprises were up by 12% in 2018.
Protection Measures Offered by FlexPod
These days, phone manufacturers provide mature, robust, cloud-connected data services that perform sophisticated, granular data backup. These services could be easily accessed during a disastrous theft event. Similarly, FlexPod® is a proven platform with more than 9,000 worldwide customers and $11.5 billion in sales, running the mission-critical workloads of some of the largest enterprises on earth. FlexPod offers a wide range of benefits, with tools and technologies that safeguard customers’ data against ransomware and help them to recover quickly from a possible hostage situation.
Components of a solution with FlexPod to protect against a ransomware attack.
Most of the solution components are already integrated as part of a NetApp® ONTAP® system. Components such as NetApp Snapshot™, SnapRestore®, SnapCenter®, SnapLock®, and FPolicy® offer many useful features for data protection. Remote NetFlow collectors, such as Cisco Stealthwatch (supported by Cisco NX-OS running on Cisco Nexus switches), provide continuous monitoring, real-time threat detection, and incident response forensics in case of an attack. In addition to these components, the Cisco UCS servers acting as compute endpoints are bundled with key products at the compute and application layers: Cisco Advanced Malware Protection for Endpoints, Cisco Advanced Malware Protection for Email Security, and Next-Generation Intrusion Prevention System.
For more information, TR-4802: FlexPod: The Solution to Ransomware describes the methods to detect, remediate, and prevent a ransomware (WannaCry) attack in a FlexPod Datacenter.
In the event of an attack, the malware starts encrypting the files, triggering an exponential increase in the size of Snapshot copies and a proportional decrease in the storage efficiency percentage within a matter of minutes. Administrators can be alerted to this rapid change.
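The detection idea above, turned into alerting logic as an added example (not code from the blog post or from NetApp): it assumes that Snapshot space usage and the storage efficiency percentage of a volume are polled at a fixed interval and fed in as the constructed samples shown; the polling itself is out of scope.

```python
"""Flag ransomware-like behaviour from ONTAP volume telemetry samples."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    minute: int            # minutes since monitoring started
    snap_used_gib: float   # space consumed by Snapshot copies on the volume
    efficiency_pct: float  # storage efficiency (dedupe + compression) savings


@dataclass
class Alert:
    volume: str
    minute: int
    snap_growth_pct: float
    efficiency_drop_pts: float


def check_volume(volume: str, samples: List[Sample],
                 max_growth_pct: float = 50.0,
                 max_eff_drop_pts: float = 10.0) -> Optional[Alert]:
    """Return an Alert for the first interval in which Snapshot usage grows by
    more than max_growth_pct AND efficiency falls by more than max_eff_drop_pts
    versus the previous sample, or None if no interval qualifies.

    Both signals are required: a legitimate bulk copy inflates Snapshot deltas
    alone, and one large incompressible file dents efficiency alone, but mass
    rewriting of files with ciphertext does both within minutes.
    """
    for prev, cur in zip(samples, samples[1:]):
        if prev.snap_used_gib <= 0:
            continue  # fresh volume: no baseline to compare against
        growth = (cur.snap_used_gib - prev.snap_used_gib) / prev.snap_used_gib * 100
        drop = prev.efficiency_pct - cur.efficiency_pct
        if growth > max_growth_pct and drop > max_eff_drop_pts:
            return Alert(volume, cur.minute, round(growth, 1), round(drop, 1))
    return None


# Constructed samples: 5-minute polls of a file-share volume, steady until
# minute 15; encryption begins before the minute-20 poll.
SAMPLES = [
    Sample(0, 10.0, 45.0), Sample(5, 10.4, 44.8), Sample(10, 10.9, 44.7),
    Sample(15, 11.2, 44.5),
    Sample(20, 24.8, 31.0),  # ciphertext replaces compressible data
    Sample(25, 51.3, 12.4),
]

if __name__ == "__main__":
    print(check_volume("vol_fileshare", SAMPLES))
```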
With phone vendors providing cloud services for their devices, if you lose your phone it would be easy to get a new device and apply your fingerprint to restore all of your data and apps.
Similarly, the file systems mapped to a virtual machine can be restored using the last known clean Snapshot copy that was created prior to the malware attack.
Using a NetApp SnapCenter plug-in on vCenter, a VMware-consistent Snapshot copy can be restored, which recovers and restarts the VM. The CIFS share of the VM can also be individually restored and returned to the last known healthy Snapshot copy of the volume.
With the Snapshot copies in place, the file systems can be remediated, and the environment can be restored to be production ready with minimal downtime.
If you lose your phone, and you’ve signed up for the cloud services that your phone vendor provides, you’ll soon be back in business. Similarly, malware attacks can be prevented, and the environment can be protected from such threats by using the tools provided by ONTAP and other services offered by FlexPod.
One such tool is FPolicy file screening, which lets administrators define policies on volumes that allow or block specific file operations, protecting the file systems from files with known-unsafe extensions. The detailed discussion in TR-4802: FlexPod: The Solution to Ransomware covers all of the scenarios discussed in this blog and demonstrates the ONTAP features that enable protection against ransomware attacks.