Immutability, Ransomware, and Your Data

ransomware and your data

Welcome to the sixth month of the pandemic!  The coronavirus has upended our normal rhythms of life and business.  Like so many others, I have gone from working in our vibrant and lively office to spending most of my days at home.  For many, this has been a generational shift and has impacted everything from work-life balance to child care to benefits packages.  It has also had a profound impact on information security.

For those companies that were not built with a global and highly mobile workforce, the IT and security considerations are acute.  Information security chiefs have good cause for concern as the industry has seen a 250-300% increase in attacks.  We all worry that we could be the next victim.  Will a ransomware attack take down our business?  How bad will it be?  I’ve personally been taking several calls a week from our customers asking how Actifio can protect them from being the next victim.  CISOs want to know what protects their backups from getting encrypted or destroyed during an attack.

At its core, Actifio ingests production data in an incremental-forever manner to maintain what we like to call the “Golden Copy”.  This repository holds a series of point-in-time native format images represented by the recorded changes from one point-in-time to the next.  When a point-in-time image is mounted, all changes to that image get written in a sandbox attached to that specific instance of the mount.  The original point-in-time image is immutable and the Actifio appliance will detect corruption or alteration that occurs at the storage layer.

Let’s take a hypothetical example.  You have a Windows server that gets infected with ransomware and all of the data on it is encrypted.  You mount a clean point-in-time image and bring it back up, running off of your Actifio virtual storage.  But you forget to patch it against the malware and it gets reinfected while it is still running off of the Actifio storage.  Did you just infect your backup?  No!  You only infected that mount of the backup and all you need to do is tear it down and remount right back to your perfectly pristine point-in-time image that has not been altered by single bit.  In fact, a few years ago I actually explored this exact scenario in an isolated lab environment with real ransomware, some Windows servers, and Actifio SKY.  You can watch the video of it here: Actifio WannaCry Recovery Demo.  I’m not sure I will forget the reaction when I told our IT folks I wanted to intentionally infect some servers with live ransomware!

My take-home message at this point is that even if you do nothing more, your Actifio backups are not going to get infected with ransomware.  However, some customers want some additional levels of controls.  You might be subject to financial regulations such as FFIEC Appendix J or SEC 17a(4), or perhaps you just want to sleep even better. 

Enter retention locks.

Retention locks are different from immutability.  Your point-in-time backups are already immutable.  Ransomware might be able to corrupt an instance of the mount, but it can’t corrupt the original image.  However, an Actifio user with appropriate permissions can still go in and delete or expire a backup.  Normal ransomware is not going to do this but perhaps a bad actor compromises one of your IT administrators’ machines, gets their credentials, and expires out all of your backups before introducing ransomware.  It’s not a common scenario but it could happen.

Retention locks are a feature that you can enable on any policy type within a given SLA.  Once set, no one, not even a super-user can expire or delete the covered images until the retention lock period has elapsed.  They can change the lock setting on new images going forward, but once it’s set on an existing image, it’s set.  On top of that, on certain object storage platforms, Actifio appliances can even pass the retention lock down to the storage on a per-object basis, such that even a storage administrator would not be able to erase the underlying objects or their buckets.  I do recommend that people be very careful with turning this on and start slowly.  Perhaps set a small retention lock on one set of images a week and measure the impact.  You can always get more aggressive, but you can’t go the other way and you don’t want to run out of storage or incur high cloud storage costs!

Stand by for an upcoming blog on ransomware recovery.  In the meantime, you can watch a recorded webinar I recently co-hosted on ransomware here: Protection Against Ransomware Webinar Replay

Video: How Actifio Protects Against Ransomware and Malware

Recent Posts