Although its first incident goes back in history to 1989, many of us probably haven’t had heard of or didn’t know what Ransomware means until Friday, May 12, 2017 late afternoon, when one of the major cyberattacks of Internet history named as “WannaCry” had already put it seeds into the network of some of the large organizations in the world such as Renault, NHS and others. Ransomware has evolved in shape over time. Starting as simple as preventing OS login into becoming as sophisticated as hijacking your files and data.
Some common infection methods include Spam email campaigns, exploiting software vulnerabilities, botnets, SMS messages, etc. The reality is, with all the appreciated advancements in core security solutions such as Antiviruses, Firewalls, etc. these attacks were still able to be carried out. The paychecks were as high as $200K in some cases. FBI reports that the sum of payments to ransomware criminals reached $209 million in Q1 2016 with almost 500% growth rate this year.
Once you are affected by a Ransomware, it starts encrypting all kind of your files with unbreakable encryption techniques that require multiple keys to decrypt and get back the original files; something known as “Asymmetric Encryption”. It can also change file attributes such as file name, extension, etc. so that you lose track of which files were affected. Most importantly, as in many other malwares, it can spread over the network affecting as many other victims as possible.
There are tons of articles on Ransomware and its characteristics on the web, however, the question which I usually get from the field is: “we have deployed all these kinds of security technologies and measures, but we still get hit by these attacks, what shall we do more?”. The reality is, we don’t live in a perfectly secured digital world! Today, Criminals are offering Ransomware-as-a-Service, no software is completely secure, and users are not vigilant enough to stop clicking infected and malicious links. So, the ultimate you can do in addition to following the guidelines posted by security agencies is to have IT systems in place that can very quickly Identify and recover from such attacks.
In case of a Ransomware attack, if the attacker passes the first line of defense, there are two major steps that need to be taken together combined to minimize losses and recover as fast as possible:
- Detect the attack as early as possible &
- Have a granular roll back to benign data
As you have already probably guessed, these two rules need to exist together, otherwise any attack would remain prominent. If you have granular snapshots but can’t detect the breach at its earliest and specify which files/folders have been affected, or conversely, if you are able to quickly kill a ransomware attack but can’t granularly rewind your data to its normal state, you will still suffer from business discontinuity and get hugely impacted by a ransomware attack.
One area Splunk is best known for is, Security and Ransomware prevention. By using Splunk, customers can actively monitor their environments and areas that might be prone to Ransomware attack so that they can discover and detect any treat as early as possible. On the other hand, NetApp’s world class Snapshot technology lets customers have granular and storage efficient backups of their files and data.
System administrators use NetApp Snapshot™ copies to take and maintain frequent, low-impact, user-recoverable copies of files, directory hierarchies, LUNs, and/or application data. The NetApp Snapshot technology vastly improves the frequency and reliability of backups, since it incurs minimal performance overhead and can be safely created on a running system. NetApp Snapshot copies allow near-instantaneous, secure, user-managed restores. Another important use case of NetApp snapshot under ransomware attacks is the ability to directly access Snapshot copies to check individual items were infected or not before having a full recovery. Since the security of the file is retained in the Snapshot copy, the restoration is both secure and simple.
Therefore, combining these two technologies will let customers maintain business continuity without having to raise heavy paychecks to get back their rightful data.
In addition to the above, NetApp solutions for Splunk allow customers to perfectly run their Splunk environments directly on NetApp data platforms eliminating the need for extra infrastructure cost and thus achieving better TCO and ROI for the whole solution. By running Splunk on NetApp solutions, customers not only get cost efficiency but also almost 100% higher Splunk application performance compared to that of the traditional DAS based architectures. More details on NetApp performance and reliability benefits in Splunk Enterprise environments can be found in TR-4650, “NetApp ONTAP and Splunk Enterprise”.
In conclusion, Ransomware attacks are there to stay. NetApp along with Splunk offers solutions to enable customers prevent, detect and recover from Ransomware attacks with as minimum impact as possible and at the same time maintain business continuity. For more details on Splunk solutions for Ransomware prevention, read the following blogs from Splunk:
Combine your learnings with the 10 Good Reasons why NetApp for Ransomware Protection and consult your NetApp sales representative for further engagements.