Ransomware thieves beware

Sponsored Feature You know that a technology problem is serious when the White House holds a summit about it.

Ransomware is no longer a simple nerd-borne irritation; it's an organized criminal scourge. Research from the Enterprise Systems Group (ESG) found 79 percent of companies have experienced ransomware attacks within the last 12 months. Nearly half were getting attacked at least once each month, with many reporting attacks happening on a daily basis.

From the early days of enterprise ransomware, security pros had one common piece of guidance: back up your data. It's still good advice, even in the era of double-extortion attacks where criminals exfiltrate victims' information while encrypting it. But there's a problem: attackers are very aware of your backup systems, and they're searching for them while also looking for production data to encrypt or exfiltrate.

A typical ransomware attack starts when the attacker gains a foothold, often through phishing emails or exploited/unpatched vulnerabilities. Once inside, attackers aim to locate and encrypt production data to cripple operations.

Increasingly, though, they're also searching for backup environments and data. If they find them unsecured they'll encrypt that too, hampering recovery efforts. In fact, some attacks - such as 2021's REvil attack on Kaseya - target backup systems first to ensure that backups will be useless after the malware scrambles production data.

According to Veeam's 2023 Ransomware Trends Report, 93 percent of cyber attacks last year targeted backup storage to force ransom payments. Attackers successfully stopped victims' recovery in three quarters of those cases said the company, which specializes in backup and recovery software and services.

Companies are aware of the problem and are looking for help. The ESG study, which surveyed over 600 organizations, found nearly nine in 10 were concerned that their backups have become ransomware targets.

"Government cybersecurity agencies now tell businesses that they should plan on when, rather than if, they're breached," points out Eric Schott, chief product officer at Object First.

Started by Veeam's founders, Object First is on the front line of the battle to protect backup data with its immutable backup storage appliances. "We understand backups are an early target for recon and subsequent attack," says Schott.

Object First designed its out-of-the-box immutability (Ootbi) backup storage to integrate with Veeam's backup software. The immutable storage feature prevents data tampering, even if attackers were to gain access to the object storage buckets or appliance administration.

Zero trust data resilience

Employing immutable storage is part of a strategy that Object First and Veeam developed based on the Zero Trust Maturity Model. This framework, which the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) introduced in September 2021, follows a gradual 15-year development of zero-trust principles that use the 'trust no one' approach to cybersecurity.

Zero Trust focuses on stopping people from compromising systems after they breach initial defenses. At its core is the assumption that you're already breached (or will be at some point in the future).

"We view system hardening as important, but it is not the same as Zero Trust," says Schott, explaining why the company chose this approach as a foundational part of its system design.

The Object First and Veeam framework building on that model is Zero Trust Data Resilience (ZTDR). It contains several principles. One is the use of least-privilege access to backup infrastructure, others include end-to-end system visibility and threat intelligence to protect systems from attack, along with the use of automated recovery plans if an attack does occur.

Another important principle is segmentation, which divides the backup infrastructure into distinct, isolated 'resilience zones' with its own security controls and policies. This minimizes the attack surface and limits the impact of a single hardware or software compromise.

When applied to backup infrastructure, this multi-layered security approach ensures that a breach in one zone does not compromise the ability to recover the zone, and does not compromise the entire backup infrastructure. For example, primary and secondary backup storage can be placed in separate zones to enhance resilience.

Object First has also used this principle to segment its backup hardware from backup software. This makes it harder for an attacker to move laterally to the backup storage.

"Object First's appliance is a single-function device, so it is also easier to manage and secure" says Schott. "It makes things simpler for smaller organizations to deploy without security specialists or dedicated IT staff and improves operations in large organizations by reducing administrator overhead."

Divide and conquer, encrypt and protect

What happens if an attacker does reach Object First's hardware? This is where Zero trust principles come into play. Object First's Ootbi (out-of-the-box immutability) appliance is built to ensure that backup data cannot be modified or deleted once it is written. "It's crucial for protecting data from ransomware attacks and other cyber threats," Schott adds.

To achieve immutability, Object First based Ootbi on the S3 storage protocol. This includes a feature called Object Lock, which uses a write once, read many (WORM) approach to ensure that written data cannot be modified or deleted after the fact. Users control the time limit on immutability using retention periods in Veeam, and they can apply legal holds to prevent deletion or modification of data until the hold is removed.

Immutability means that even total system compromise won't enable hackers to delete or scramble your data. "Even if you have full admin credentials and access to every bucket secret, you can't destroy immutable data," Schott says.

A hacker with physical access could conceivably take a hammer to the appliance if they want to destroy the data, but that's where the 3-2-1 backup approach recommended by Veeam and Object First is important. It involves keeping at least three copies of your data, storing them on at least two different types of media, and having one copy stored offsite or in the cloud.

Immutability was a key driver for managed IT service provider Waident Technology Solutions, which tested multiple products before settling on Ootbi to support its customers. This gave the company an on-site primary backup solution that it could combine with off-site backups in the U.S. and Europe.

Scale and grow

Object storage's architecture provides an optimal platform for backup workflows because it's not bound by the size limitations associated with file and block storage. It uniquely separates data from metadata, storing each as discrete objects. This architecture allows it to easily scale on demand to accommodate large amounts of data, addressing the needs of modern businesses dealing with swelling data volumes.

Conversely, file and block storage is constrained by hierarchical structures or fixed capacity limits. People wanting to scale block-based storage architectures typically build smaller systems and manage them individually, introducing more management complexity and overhead.Object First joins multiple storage units into a single cluster, allowing scalability and load balancing, without shared storage hardware, or a single distributed database for metadata.This allows an on-premise scaling and performance experience without burdening the administrator to manage separate storage systems.

Object storage is well suited for cloud environments. Its focus on individual data objects supports the distributed, often multi-regional nature of cloud resources in a way that is more difficult for file and block architectures.

One company that relied on this immutability in the cloud was SaaS-based legal practice management company Centerbase. Legal companies are top targets for ransomware because of the sensitive data they hold about their clients.

The company used Ootbi storage for its immutability and Veeam integration. It felt this combination could reduce its Recovery Time Objective (RTO) and Recovery Point Objective (RPO) metrics, helping it to get back up and running more quickly in the event of an attack. After installing Ootbi, it slashed its RPO by 50 percent from eight hours to four, while also improving backup speeds, it reported.

End-to-end encryption excludes exfiltration

Out of the box immutability protects data from malicious encryption or deletion, but that's not all that ransomware attackers want to do. They increasingly want to steal data, threatening to publish it unless victims pay up. To protect customers from that, Object First relies on another capability in the backup software from Veeam: end-to-end encryption.

Veeam's end-to-end encryption ensures that all data sent into the backup storage is encrypted, providing an additional layer of protection against data exfiltration. By encrypting data at all locations within the 3-2-1 backup environment, Veeam makes it impossible for attackers to read sensitive data in the highly unlikely event that they're able to reach it at all.

The Veeam encryption keys can be securely stored within Veeam servers, or within external Key Management Services (KMS) including those stored in the cloud.

Having both on-site and off-site backups with immutable storage and Veeam's encryption enables busy admins to enforce the same set of operations across both domains for maximum security without complex configuration, Schott explains.

"This level of protection provides a strong deterrent against ransomware attacks, safeguarding businesses and enabling continuity in operations," he says.

In the face of rising ransomware threats targeting backup data, the combination of Veeam's end-to-end encryption and Object First's immutable storage provides an advanced line of defense. To develop an easy approach to zero-trust backup deployment, Object First did a pretty good job of thinking outside the box.

Sponsored by Object First.