Thursday, November 21, 2024

Identify Ransomware in Storage to Prevent Its Spread

Ransomware attacks are getting smarter. Hackers aren’t just encrypting data anymore; they’re also threatening to leak sensitive information, ramping up their tactics to include double and triple extortion. Now, they’re not just going after operational data but also targeting backups.

It makes sense for attackers to focus on backups. If an organization can restore its data from backups, it’s less likely to pay a ransom. So, attackers are learning to find and either disable or erase backup volumes.

In response, tech companies have started incorporating ransomware protection directly into backup and storage systems. This new approach allows security teams to detect ransomware attacks early on and act quickly. However, since this functionality is still relatively new, some may question whether it should be a core part of an enterprise’s anti-ransomware strategy.

Let’s rewind to the early days of ransomware. Attackers would break into systems, encrypt data, and demand payment for the decryption keys. Companies stepped up their backup processes in response. Now, backup and recovery tools have built-in anti-ransomware features like anomaly detection and immutable snapshots. Some even separate backups entirely from production systems to create a protective barrier.

Despite these improvements, attackers are adapting. They now target not only operational data but also the backups themselves, deleting or encrypting backup files or manipulating the APIs of the backup software. Because backups are typically scheduled every few hours or overnight, attackers have a window in which to act before the next run, and a company whose systems are already compromised may unknowingly back up data that is already infected.

This plays into the hands of hackers who can set “time bombs” within these backups, waiting for organizations to restore them, only to find their data riddled with malware.

To address this vulnerability, many suppliers are now offering ransomware detection at the storage layer. If the system catches signs of an attack, like mass encryption events, it can create an immediate immutable snapshot and alert IT teams. Brent Ellis from Forrester says this proactive approach helps minimize damage and response time.

For storage providers, the primary defense against ransomware lies in immutable snapshots that can be stored locally, offsite, or in the cloud. Firms can implement complex routines to manage these snapshots across different locations. However, they consume more space than traditional backups and won’t help if the data is already infected at the time of backup.

To plug this gap, vendors are adding detection capabilities that watch for signs of suspicious activity, like rapid changes to files or unusual file names. These indicators can be early warnings of malware at work.
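The two signals just described, a burst of file modifications and writes that look encrypted or rename files to extensions the volume has never seen, can be combined into a simple storage-side detector. The following is an added example written for this page, not code from the article or from any storage vendor: it consumes a constructed stream of file-write events, watches a sliding time window for a mass encryption event, and on a hit simulates the response described above (an immediate immutable snapshot followed by an alert). The event format, the thresholds, the known-extension list and the snapshot/alert hooks are all assumptions.

```python
"""Added example (not from the article or any vendor): a toy storage-side
detector for mass encryption events. Every threshold below is an assumption."""
import hashlib
import math
import os
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WriteEvent:
    ts: float                     # seconds since some epoch
    path: str                     # path of the file after the operation
    data: bytes                   # sample of the bytes written
    old_path: Optional[str] = None  # previous path when the write is a rename


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class MassEncryptionDetector:
    window_s: float = 10.0          # assumed sliding window length
    min_writes: int = 20            # assumed: fewer writes than this is never "mass"
    entropy_threshold: float = 7.0  # assumed: bits/byte above which a write looks encrypted
    encrypted_ratio: float = 0.8    # assumed: share of window writes that must look encrypted
    renamed_ratio: float = 0.5      # assumed: share of window writes renaming to a new extension
    known_exts: set = field(default_factory=lambda: {".docx", ".xlsx", ".txt", ".pdf"})
    _window: deque = field(default_factory=deque)
    alerts: list = field(default_factory=list)
    snapshots: list = field(default_factory=list)

    def observe(self, ev: WriteEvent) -> bool:
        """Feed one event; return True when a mass encryption event is declared."""
        self._window.append(ev)
        while ev.ts - self._window[0].ts > self.window_s:   # drop events older than the window
            self._window.popleft()
        n = len(self._window)
        if n < self.min_writes:
            return False
        encrypted = sum(shannon_entropy(e.data) >= self.entropy_threshold for e in self._window)
        renamed = sum(
            1 for e in self._window
            if e.old_path is not None and os.path.splitext(e.path)[1] not in self.known_exts
        )
        if encrypted / n >= self.encrypted_ratio or renamed / n >= self.renamed_ratio:
            self._respond(ev.ts, n, encrypted, renamed)
            self._window.clear()            # start fresh so one burst raises one alert
            return True
        return False

    def _respond(self, ts: float, n: int, encrypted: int, renamed: int) -> None:
        # Stand-ins for the two actions the text describes: an immediate immutable
        # snapshot of the volume, then an alert to the IT/security team.
        self.snapshots.append(f"immutable-snapshot@{ts:.0f}")
        self.alerts.append(
            f"t={ts:.0f}s: {n} writes in {self.window_s:.0f}s, "
            f"{encrypted} high-entropy, {renamed} renamed to unknown extension"
        )


def constructed_events() -> list:
    """Constructed sample: half an hour of ordinary edits, then a six-second encryption burst."""
    text = b"Quarterly report: revenue grew modestly in the region. " * 20
    events = [WriteEvent(ts=60.0 * i, path=f"/vol/finance/report{i}.docx", data=text)
              for i in range(30)]
    t0 = 60.0 * 30
    for i in range(25):
        # deterministic pseudo-random bytes stand in for ciphertext (uniform-looking, high entropy)
        cipher = b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(64))
        events.append(WriteEvent(
            ts=t0 + 0.25 * i,
            path=f"/vol/finance/report{i}.docx.locked",   # ".locked" is a constructed extension
            data=cipher,
            old_path=f"/vol/finance/report{i}.docx",
        ))
    return events


def run_detector(events=None) -> dict:
    """Run the detector over a stream and return the timestamps at which it fired."""
    det = MassEncryptionDetector()
    events = constructed_events() if events is None else events
    hits = [e.ts for e in events if det.observe(e)]
    return {"hits": hits, "alerts": det.alerts, "snapshots": det.snapshots}


if __name__ == "__main__":
    result = run_detector()
    for line in result["alerts"]:
        print("ALERT", line)
    print("snapshots:", result["snapshots"])
```

On the constructed stream the 30 ordinary writes never fill the window, while the burst trips the detector on its 20th write, so one snapshot and one alert are recorded rather than one per file. A real implementation would sample write payloads at the block or file layer, tune the thresholds to the volume's normal churn (nightly compression jobs also produce high-entropy writes), and feed the alert into the team's incident workflow.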

However, relying solely on storage systems isn’t enough to fend off ransomware. Organizations also need strong endpoint protection, anti-phishing tools, and a solid backup and recovery plan.

Backup vendors already offer ransomware detection that scans files as they are ingested into the backup system. Moving detection into the primary storage environment allows threats to be identified sooner. Ellis highlights the importance of detecting mass encryption events, which can trigger alerts and help IT teams respond rapidly.

Several storage suppliers have introduced tools with AI capabilities to spot anomalies. Companies like NetApp, Pure Storage, Dell EMC, and IBM offer various protective features. For instance, Dell EMC utilizes Data at Rest Encryption and snapshot technology, while Pure’s Safemode snapshots include enhanced security protocols.

The takeaway? While storage can speed up reaction times and reduce risks, firms need to deploy a multi-layered approach, combining storage tools with analytics from backup systems for maximum efficacy. One approach alone won’t suffice; the defense must begin in the production environment, especially at the storage level.