Storage

Managing and protecting all enterprise data

pixel - Fotolia

Use object storage technology to fight ransomware infection

Done right, object storage reduces the likelihood of a successful ransomware attack and, in some instances, lets you get data back without paying a ransom.

Ransomware was one of last year's most serious cybersecurity threats. It grabbed headlines following the WannaCry attack, which affected more than 200,000 computers across 150 countries.

Conventional wisdom has long held that a current backup is the best defense against ransomware. Backing up data is important in the war on ransomware, but you may also be able to add an extra layer of protection through what may seem like an unlikely approach: object storage technology. Object storage makes it difficult -- although not impossible -- for ransomware to infect files.

Ransomware encryption

To appreciate how object storage can protect data from ransomware, you must understand how ransomware works. There are countless ransomware variants in the wild, which means cyberthieves aren't using a standard algorithm to encrypt victims' files. In most cases, a ransomware infection attacks data at the file level, not at the volume level. There are two main reasons for this.

First, ransomware runs under the same security context as the end user who's logged in at the time of the attack. A casual user may have sufficient permissions to make volume-level modifications to his or her computer, but modern ransomware variants almost always attack mapped network drives. It's highly unlikely an end user would have volume-level permission over such a drive.

The second reason ransomware usually attacks data at the file level is it would be counterproductive for ransomware authors to encrypt a computer's boot volume. They need to keep the computer's operating system sufficiently functional so it can display payment instructions to the victim. If completely encrypted, the OS would become unbootable and incapable of displaying these instructions.

Ransomware is still a viable threat in 2018

Sources in the security world have reported a sharp decline in the number of ransomware infections at the end of 2017 and into 2018. According to security vendor Barkly, by the end of 2017, ransomware accounted for less than 5% of all malware infections. This raises questions about what's driving this trend and how much of a concern ransomware is now.

There are two main factors attributed to the decline in ransomware infections. One is that the WannaCry malware received so much media attention, the general public is now largely aware of the dangers of ransomware, as well as prevention techniques. As such, ransomware is likely generating less revenue because fewer people are being infected.

The other factor attributed to ransomware's decline is the volatility of cryptocurrencies. Currencies, such as the bitcoin, a longtime favorite of ransomware authors, fluctuate wildly in value from day to day. For example, the bitcoin reached a peak value of more than $19,000 per bitcoin on Dec. 16, 2017. By the end of March 2018, a bitcoin was worth less than $7,000. Given that, ransomware that is hardcoded to demand a certain number of bitcoins could end up asking for an exorbitant amount of money or far less money than its authors intended, depending on what the bitcoin market is doing on a given day.

Given the rapid decline in ransomware, it seems fair to consider whether it's still a threat. There's no doubt that cybercrime trends come and go. In 2003, for instance, cybercriminals were trying to cash in on websites that displayed a relentless stream of pop-ups. That trend faded with the advent of better browser technology and pop-up blockers.

The same is happening with ransomware. Cybercriminals are abandoning it in favor of new schemes such as cryptomining. Even so, the decline of ransomware doesn't eliminate the possibility of an infection, and the consequences remain the same or possibly worse. Ransomware variants abandoned by their creators will remain in the wild for years. If an organization becomes infected by such a variant, it may be impossible to decrypt the data even if the victim is willing to pay the ransom. Hence, ransomware remains a viable threat that IT pros must continue to take seriously.

When ransomware infects a PC, it scans local, attached external and mapped network drives in an effort to locate and encrypt specific file types. Ransomware usually goes after documents, photos, videos and other common data files. In doing so, it may also remove shadow copies of the files in an effort to prevent encrypted files from being rolled back to a previous, unencrypted state.

Enter object storage technology

Just as there are many types of ransomware, each with its own nuance, there are also many flavors of object storage. Each object storage vendor has its own way of doing things, and features and capabilities vary among them. Even so, there are several characteristics most object storage products have in common.

There are countless ransomware variants in the wild, which means cyberthieves aren't using a standard algorithm to encrypt victims' files.

Object storage doesn't use a traditional file system. That's because file systems such as Microsoft's NTFS and Resilient File System don't scale well. As users create layer upon layer of subfolders, it becomes increasingly difficult to locate data within the file system. Never mind that there are usually hard limits associated with file systems, and these limits determine the maximum volume size, number of files accommodated and file size.

Object storage technology, on the other hand, is designed for massive scalability, and therefore uses flat storage architecture to overcome the limits of traditional file systems. Because file directories have scalability limits, files stored within object storage are assigned an object number that can be used to locate the file. This number functions similarly to an index number in a database.

At one time, it would have been nearly impossible for ransomware to locate and encrypt files on object storage. Because ransomware locates files within a file system, and object storage doesn't use a typical file system, ransomware would have a difficult time looking for files to encrypt.

There's another reason why object storage was once immune to ransomware: It isn't designed to be accessed through mapped network drives and SMB shares in the way block storage is. Object storage access is usually based on the REST API. An application that needs to read a file, for example, sends an HTTP get request to the URL associated with the storage. Similarly, an HTTP put request can be used to write data to object storage. Ransomware isn't designed to access storage using a series of HTTP calls, rendering it largely ineffective against object storage.

Mapped network drives

As noted, object storage technology may no longer be completely immune to a ransomware infection. It's theoretically possible for a cybercriminal to develop a form of ransomware that targets object storage, but that isn't the problem. The reason why ransomware could potentially compromise object storage is there are now ways to access object storage through a mapped network drive.

One of the best-known tools for mapping a network drive to object storage is ExpanDrive. This tool maps drives to a variety of cloud storage providers, including Amazon S3, Google Drive, Microsoft SharePoint and Dropbox. ExpanDrive allows cloud storage to access a mapped drive in Windows File Explorer, just as a user might access any other network drive. Because ransomware targets mapped network drives, any object storage that's connected through such a drive is at risk. In this scenario, simply moving data to object storage doesn't guarantee immunity to ransomware encryption.

Still, object storage may be the best option for keeping data safe. That's because each storage vendor offers its own flavor of object storage, and storage features vary significantly from one vendor to the next. Some vendors, such as Dell EMC, Hewlett Packard Enterprise and Hitachi Vantara, focus more on ensuring data security and integrity, so be sure to compare these features when shopping for object storage.

Versioning is an example of such a feature. It works by writing and retaining copies of all previous versions of files, or as many previous versions as are required by data retention policy. Of course, Windows clients have long included native file versioning based on the Microsoft Volume Shadow Copy Service, and ransomware authors do everything they can to eliminate the victim's option of reverting to an unencrypted version of a file.

What makes object storage technology different and often an effective tool in fight against ransomware is when versioning is paired with write once, read many (WORM) capabilities. With WORM, older versions of files are treated as read-only and therefore can't be modified. Suppose ransomware targets an object storage repository with WORM-enabled versioning. The storage wouldn't stop files from being encrypted. However, encryption is treated as a file modification, which results in the creation of a new file version. The file's pre-encrypted state is treated as a read-only, previous version. Because this version is read-only, the ransomware is powerless to encrypt it, and you can recover from an attack simply by rolling files back to their previous version.

Object storage isn't a magical cure all that eliminates any chance of damage from ransomware. But when properly implemented, object storage can reduce the chances of your file data being encrypted during a ransomware attack. It can also sometimes provide a way of getting your data back after an infection without paying the ransom.

Article 3 of 6

Dig Deeper on Storage architecture and strategy