Are immutable backups the last line of defence against ransomware attacks?

  • There is no universal nostrum to prevent a ransomware attack…
  • … they may be impossible to avoid, but the impact can be mitigated
  • 'Sleeper Attacks' are a big worry and hard to detect
  • Immutable backups currently provide the best protection, but they are still vulnerable. It’s a work in progress

All businesses and organisations cross their fingers and hope that they won’t be subject to a ransomware attack - many of them will be, though, and having been hit once doesn’t mean they are immune from further attacks thereafter. To protect networks, systems, equipment and data from an incursion in the first place is the ideal strategy but, as we know with the huge increase in successful attacks this year, cyber-criminals seem to worm their way through even the most sophisticated defences. Should (or perhaps when) that happens, many vendors of security products can provide a check list or a set of golden rules to minimise the effects of the incursion and help ensure that something similar won’t happen again. The hard reality is that whilst it isn’t always possible to avoid a cyberattack, it is possible to mitigate its impact.

In general, the advice is not to pay the ransom on the grounds that stumping up extortion money is no guarantee that files will be decrypted and released. The second maxim is: report the attack – but many victims don’t. Thirdly, restore files from a recent backup. Then comes the advice to use reputable antivirus software and a state-of-the-art firewall. It is also vital to use a trustworthy VPN when accessing public Wi-Fi. All this is good common sense, but it’s predicated on the notion of bolting the stable door when the horse has been stolen, ridden away to the knacker’s yard and rendered into dog meat and glue.

As ransomware attacks have proliferated this year, one of the “best practices” advised for data recovery is the 3-2-1 system, whereby an organisation maintains three copies of its data in two entirely separate locations. At least one of the copies must be stored on a different medium from the others, such as in a highly secure cloud, in object storage where distinct units (objects) are kept in a single storehouse and are not placed in files inside other folders. Object storage combines the pieces of data that make up a file, adds all its relevant metadata to that file, and attaches a custom identifier. Of course, backup data can also be downloaded to good old-fashioned disks or tapes.

Recently, though, there has been considerable publicity about so-called “immutable backups,” which are being billed as the last line of defence against ransomware attacks. The theory is that they can guarantee that data cannot be changed, overwritten or deleted, thus stymieing attempts to insert malware. Immutable backups are based on “write once, read many” (WORM) systems and disciplines that ensure no one, including big cheeses such as data managers, storage administrators and CIOs, can either overwrite or delete a copy of the data. What’s more, they can’t be accessed externally. Immutable data makes it possible to roll back, restore and provision data from any point in time or any transaction.

It sounds great, but even immutable backups need to be protected by other data strategies, not least because cyber-criminals are increasingly targeting backup systems via “sleeper attacks” where malware infiltrates a system and then lies doggo until later (sometimes very much later), when it is instructed to begin encryption. Sleeper attacks are particularly difficult to discern and identify, which is why increased emphasis is being placed on detection and prevention strategies. 
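As an added illustration of the WORM semantics described above, and of the sleeper-attack caveat, here is a small Python model written for this page; it is not code from the article or from any vendor's product. The store, its retention period, the "ledger" file and the attack timeline are all constructed assumptions. It shows the three properties that matter: a write never replaces an earlier version, a delete is refused for every principal until the retention clock has run out, and any retained version can be read back, which is what makes a point-in-time rollback work. Run with a dwell time longer than the retention period, it also shows the failure mode: the clean copy has aged out of protection by the time the dormant malware activates, and an attacker holding admin credentials can purge it.

```python
"""Model of a WORM (write-once, read-many) backup store with retention.

Constructed example for this page, not the article's or any vendor's code.
It mirrors object-lock retention semantics: a stored version is never
overwritten, cannot be deleted by anyone until its retention expires, and
every retained version stays readable for point-in-time restore.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


class ImmutabilityViolation(Exception):
    """Raised when a caller tries to delete a version that is still retained."""


@dataclass(frozen=True)
class Version:
    written_at: datetime
    payload: bytes
    retain_until: datetime


@dataclass
class WormStore:
    retention: timedelta = timedelta(days=30)
    versions: dict = field(default_factory=dict)  # key -> list[Version]

    def put(self, key: str, payload: bytes, now: datetime) -> Version:
        """Append a new version; an existing key is never overwritten in place."""
        v = Version(now, payload, now + self.retention)
        self.versions.setdefault(key, []).append(v)
        return v

    def delete_version(self, key: str, written_at: datetime, now: datetime) -> None:
        """Refuse deletion (for every principal, admins included) while retention holds."""
        versions = self.versions.get(key, [])
        for i, v in enumerate(versions):
            if v.written_at == written_at:
                if now < v.retain_until:
                    raise ImmutabilityViolation(
                        f"{key}@{written_at.isoformat()} retained until {v.retain_until.isoformat()}")
                del versions[i]
                return
        raise KeyError(key)

    def restore_at(self, key: str, point_in_time: datetime) -> Optional[bytes]:
        """Return the newest version written at or before point_in_time, or None."""
        candidates = [v for v in self.versions.get(key, []) if v.written_at <= point_in_time]
        if not candidates:
            return None
        return max(candidates, key=lambda v: v.written_at).payload


def fake_encrypt(data: bytes) -> bytes:
    """Stand-in for ransomware encryption (a constant XOR), constructed for the demo."""
    return bytes(b ^ 0x5A for b in data)


def simulate_attack_and_rollback(retention_days: int = 30, dwell_days: int = 10) -> dict:
    """Drive the store through backup -> sleeper activation -> attempted wipe -> rollback.

    Returns observations so the scenario can be checked programmatically.
    """
    t0 = datetime(2021, 1, 1)  # constructed timeline
    store = WormStore(retention=timedelta(days=retention_days))
    clean = b"quarterly ledger: balance 1000"  # constructed sample file

    # Day 0: the nightly backup job writes the clean copy.
    store.put("ledger.csv", clean, t0)

    # Day `dwell_days`: dormant malware activates and encrypts production data;
    # the backup job faithfully captures the encrypted file as a NEW version.
    t_attack = t0 + timedelta(days=dwell_days)
    store.put("ledger.csv", fake_encrypt(clean), t_attack)

    # An attacker holding admin credentials tries to purge the clean version.
    try:
        store.delete_version("ledger.csv", t0, t_attack)
        wipe_blocked = False
    except ImmutabilityViolation:
        wipe_blocked = True

    # Recovery: roll back to the last version written before activation.
    restored = store.restore_at("ledger.csv", t_attack - timedelta(seconds=1))

    return {
        "wipe_blocked": wipe_blocked,
        "restored_is_clean": restored == clean,
        "latest_is_encrypted": store.restore_at("ledger.csv", t_attack) != clean,
    }


if __name__ == "__main__":
    print("retention outlives dwell:", simulate_attack_and_rollback(30, 10))
    print("dwell outlives retention:", simulate_attack_and_rollback(30, 45))
```

The practical check this points at: the retention period on the immutable tier must outlast the longest dwell time you are prepared to plan for, otherwise the only clean copies will have aged out by the time a sleeper activates. Real object-lock implementations (for example, an S3 bucket with Object Lock in compliance mode) enforce the same "no delete until retain_until" rule against every identity, including the account administrator, which is the property the article's WORM description relies on.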

Recovery planning after a ransomware attack must address two vital aspects: the recovery time objective (RTO), the maximum amount of time that an organisation can afford to be offline with no access to data and systems; and the recovery point objective (RPO), which is the maximum amount of data an organisation can lose and yet remain viable. An average RTO can take days and can cost a lot. The research house Gartner says the average cost of being brought down by a ransomware attack is US$5,600 a minute, or at least $336,000 an hour. Such figures quickly become astronomical, which is why enterprises often pay the ransom demanded and hope for the best.

Given the magnitude of the problem, some organisations actually complain about the potential cost of maintaining an immutable data regime. When data can’t be deleted it must be kept and that can increase the price of storage, but especially now that cloud storage prices are reducing it can surely be no more than a marginal cost increase when compared to the price of the disruption and destruction of an incursion and the payment of extortion money. It is not sensible to penny-pinch under such circumstances.

As things stand, immutable backups combined with other data strategies are the best defence against ransomware, but they are not perfect and breaches will continue to happen even to the best protected.
