Ransomware attacks have been dominating the headlines recently, but this is not a new threat. The first known ransomware attack occurred in 1989 and the frequency of ransomware attacks has increased considerably in the last few years. In 2013, security software vendor McAfee collected 250,000 unique samples of ransomware in just the first quarter, more than double the first quarter of 2012. According to the FBI, CryptoWall—a widely used ransomware product—generated over $18M in ransom by June 2015.
Typically, ransomware infects computers via a Trojan, which encrypts files and demands a payment for the decryption key. It is essentially a "denial-of-access" attack. Since no data is taken, many perimeter security products cannot protect against ransomware. Financial institutions and healthcare providers are often targets, but any organization that relies on data to conduct daily business could fall victim to a ransomware attack.
Most storage systems today offer very little in terms of ransomware protection. In the case of an attack, hackers encrypt your data, making it inaccessible. The only option is to recover data from a backup, assuming the backups have not been attacked as well—or pay the ransom. If the backups are clean, recovery is still typically very slow, making it difficult to meet your corporate recovery point objectives (RPO).
The FormationOne™ Dynamic Storage Platform includes two features, FireBreak™ and TimeLine™, that work in conjunction with existing security software to detect and quickly recover from ransomware attacks. This combined solution virtually eliminates the threat posed by ransomware attacks.
FireBreak Anomaly Detection
FireBreak is an anomaly detection engine that collects rich telemetry data for the storage system at the per-volume, per-application, and per-domain level via a streaming API. FireBreak collects detailed application data to establish a baseline and then provides storage administrators with a set of tools to monitor system capacity, health, and application performance behavior in real time.
If a ransomware attack occurs, the encryption action generates a spike in activity that FireBreak detects; FireBreak then issues an alert to the administrator via SMS, email, and/or SNMP traps. This detection works in conjunction with existing security software, giving the administrator the opportunity to investigate the anomaly, verify the intrusion, and take immediate action to recover the data with TimeLine.
Immediate Recovery With TimeLine
Because TimeLine provides full transactional data journaling (continuous data protection), once the ransomware attack is detected, data recovery is immediate and actual data loss is minimized. For each volume that is affected, the administrator rolls back to the point in time just prior to the intrusion and delivers near-zero data loss.
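A toy model of the detect-then-roll-back workflow that the FireBreak and TimeLine sections describe, added here as an example and not Formation's own code: per-interval write counts on a volume establish a baseline, a bulk encryption pass shows up as a spike well above it, and a transactional write journal undoes every write from that interval onward. The volume size, per-interval write counts and the three-sigma threshold are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

class Journal:
    """Transactional write journal (continuous data protection): every write
    appends (interval, block, before, after) so any block can be undone."""
    def __init__(self, initial):
        self.records, self.blocks = [], dict(initial)

    def write(self, interval, block, data):
        self.records.append((interval, block, self.blocks.get(block), data))
        self.blocks[block] = data

    def writes_per_interval(self):
        """Per-interval write counts: the telemetry an anomaly engine consumes."""
        counts = Counter(r[0] for r in self.records)
        return [counts[i] for i in range(max(counts) + 1)]

    def rollback_before(self, interval):
        """Undo writes newest-first until only earlier intervals remain."""
        while self.records and self.records[-1][0] >= interval:
            _, block, before, _ = self.records.pop()
            self.blocks[block] = before
        return dict(self.blocks)

def first_spike(telemetry, baseline_intervals, k=3.0):
    """Index of the first interval whose write count exceeds mean + k*stddev
    of the baseline window, or None. A bulk encryption pass rewrites far
    more blocks per interval than an application's normal working set."""
    base = telemetry[:baseline_intervals]
    limit = mean(base) + k * pstdev(base)
    return next((i for i, n in enumerate(telemetry) if n > limit), None)

def simulate():
    """Constructed scenario: a 200-block volume, 10 intervals of ordinary
    application writes, then an encryption pass in interval 10 that
    overwrites every block. Returns (spike interval, rollback restored clean)."""
    j = Journal({f"blk{b}": f"plain-{b}" for b in range(200)})
    for interval, n in enumerate([12, 9, 14, 11, 10, 13, 8, 12, 11, 10]):
        for b in range(n):                         # small hot set per interval
            j.write(interval, f"blk{(interval * 7 + b) % 200}", f"v{interval}-{b}")
    clean = dict(j.blocks)                         # state just before the attack
    for b in range(200):
        j.write(10, f"blk{b}", "<ciphertext>")     # ransomware rewrites all blocks
    spike = first_spike(j.writes_per_interval(), baseline_intervals=10)
    recovered = j.rollback_before(spike)           # TimeLine-style rollback
    return spike, recovered == clean
```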
Watch the whiteboard video!
Lead engineer Prem Thangamani shows how TimeLine™ provides full transactional data journaling, cloning, and full or incremental snapshots without any additional object data copies or interruption to ongoing workloads.
Lead engineer Ameer Abbas shows how PriorityOne™ provides end-to-end quality of service (QoS) that prioritizes traffic at each component along the data path, enabling the ability to deliver performance at massive scale.