ransomware

by

Once ransomware breaks through an organization’s defenses, time is of the essence, and IT must execute 5 steps to rapid ransomware recovery. The need for rapid recovery and minimal data loss was the top concern of 75% of the IT professionals responding to the survey we conducted during our recent webinar, “Creating a Holistic Ransomware Recovery Strategy,” now available on-demand.

There are 5 steps to rapid ransomware recovery with minimal data loss:

StepReason
Frequent ProtectionRansomware can strike at any moment, protection copies should be made, at least every few hours.
Long RetentionSome ransomware variants strike slowly to avoid detection. Recovery may require pulling data from multiple backup copies.
Rapid AlertingThe sooner you can detect you are under attack, the sooner you can stop the attack at its source and limit the damage
Mount Don’t RestoreTraditional restoration means copying data from an alternate storage medium, which takes time.
Practice, Practice, PracticeRansomware recovery is unlike any other. Find a safe way to “infect” your data center and practice.

Rapid Ransomware Recovery Step 1: Frequent Protection

While it may seem the most obvious of the 5 steps to ransomware recovery, it is missing from most response strategies. In an ideal ransomware protection scheme, protection events should occur every hour but at least every three hours. This necessary frequency of protection creates a challenge for many data protection approaches.

For example, most snapshot technologies, especially VMware’s built-in snapshots, will degrade performance significantly if the number of managed snapshots grows beyond a handful. However, even dedicated storage systems like all-flash arrays struggle when managing many snapshots. They may perform acceptably but can’t manage a sophisticated retention schedule. The intricacies of the snapshot metadata make deleting a snapshot, which is what a retention schedule does, egregiously slow. Because of its high metadata overhead, it takes the storage system time to “unwind” an intermixed snapshot, and its deletion means updating the metadata for all other snapshots. One result of this is that snapshots consume far more capacity than they should because they are so slow to give back the space used by old snapshots.

For these reasons, most organizations can’t tap into the full theoretical potential of ideal snapshot technology and, as a result, must count on backup and recovery solutions that significantly increase costs and slow recovery efforts.

Frequent Protection with VergeOS

VergeOS is different. At the core of VergeOS is global inline deduplication. Because VergeIO started with deduplication instead of bolting it on years after shipping a product, it delivers maximum data efficiency without impacting performance. Our IOclone capability leverages global deduplication to enable the creation of full clones of virtual machine data or even entire data centers in milliseconds. These clones are space efficient and independent of each other. You can have thousands of them without impacting performance. More importantly, you can delete them, even via a sophisticated retention schedule, in seconds, meaning any space they consume is instantly returned to the environment.

Rapid Ransomware Recovery Step 2: Long-Term Retention

Ransomware can take two attack vectors. The most common is, it will try to encrypt every file it can get to as soon as it breaks into the environment. The second attack vector is more sophisticated, slowly encrypting data to avoid detection. While the second vector is more sinister, most Bad Actors don’t have the patience to let the malware sit and slowly encrypt for months. They want the money now! Frankly, given the success rate of attacks once landing their malware payload, they don’t have to be sophisticated.

While the second attack vector is not as expected, it is wise to prepare for it. Long-term and granular data retention is the key to recovering from a slow-crawl ransomware attack. Again, because of performance concerns, snapshots are unsuitable for long-term retention in most cases. Backup software is excellent at the long-term recovery aspect but, because of the infrequency mentioned above, cannot provide a lot of granularity.

Solving the Retention Problem with VergeOS

Once again, VergeOS’ IOclone provides an ideal solution for long-term data retention, providing complete clones which are independent of each other. Retaining thousands of them doesn’t impact performance, and you can maintain as granular a history as you feel necessary. Getting rid of old files is another important step in limiting ransomware damage.

As mentioned, you can develop a sophisticated retention schedule to meet these requirements. For example, you can execute hourly clones and retain each for 24 hours. You can then execute a daily clone and retain that for seven days and a weekly clone that you retain for two months, and a monthly clone for a year. This type of schedule means a lot of deletion of older copies to reclaim space. It would cause significant performance problems for traditional snapshot techniques and take weeks to return the capacity reserved by those snapshots. IOclone has no performance impact, and reserved capacity is returned almost instantly.

Rapid Ransomware Recovery Step 3: Rapid Alerting

Knowing you are under attack is a critical part of 5 Steps to Rapid Ransomware Recovery because it addresses the other part of IT concerns, “with minimal data loss.” The sooner you know your environment is under attack, the sooner you can shut down the virtual machine under attack and limit the spread. The early warning also enables IT to better identify which protected copy they should turn to when starting their data recovery.

A few storage systems will provide an alert of a potential ransomware attack. Most of these will monitor for an increase in capacity utilization. The problem is that these alerting methods often miss an attack because capacity doesn’t necessarily grow. When malware works through your environment, it typically encrypts one file at a time, and during encrypting, those files will increase in size. After encryption, the file will be almost the same size as the unencrypted file. In other words, these methods will miss the attack. You’d much rather have a false positive than a missed attack.

IOfortify Delivers Reliable Attack Alerting

5 Steps to Rapid Ransomware Recovery

VergeOS’ IOfortify capability delivers reliable attack alerting by monitoring a change in deduplication ratios instead of changes in capacity utilization which is far more accurate. Encryption may not increase capacity utilization, but those files will look like new files to a deduplication algorithm. During our “Creating a Holistic Ransomware Recovery Strategy”, we demonstrated IOfortify, first identifying and alerting, then recovering a virtual machine whose data was actively being encrypted, in real time.

Rapid Ransomware Recovery Step 4: Mount, Don’t Restore

Mounting your recovery means pointing directly to your protected copy without having to move data. Restoring means copying the data from where it is back to the production volume, which can take dozens of minutes, if not hours, depending on the size of the volume and bandwidth of the network.

Again historically, the problem with directly mounting your recovery volume is how you maintain those copies. A traditional complete clone will consume too much capacity and take too long to create to be practical and violate the other above steps. A traditional snapshot still depends on the original volume; promoting it to production may mean a complete copy/restore.

Some backup solutions have an “instant recovery” solution. The problem with this method is that while you are mounting a volume, you are mounting it from a backup storage target which typically doesn’t have the performance or availability capabilities of production storage.

IOclone instant recovery with no performance impact

IOclone enables IT to point directly at a version of the virtual machine or data center before the ransomware attack. It is online instantly, and because of its independence, it does not need to be “rolled back” to production.

Rapid Ransomware Recovery Step 5: Practice

Ransomware recovery is unlike any other, so IT must practice the recovery process. The problem with practice is risking a “leak” of the practice into production.

Virtual Data Centers Make for Perfect Practice

5 Steps to Rapid Ransomware Recovery

VergeOS’ Virtual Data Center (VDC) capabilities enable IT to create a complete, secure copy of their entire data center and “infect” it with a ransomware simulator or an encryption program. Their isolation ensures the practice attack doesn’t “leak” into production. Verge.IO even has some customers that put their VDC, with anonymized data, out as a publicly addressable honeypot so they can test their attack response against a real foe.

Conclusion

The 5 Steps to Rapid Ransomware Recovery require preplanning, and they also require better infrastructure software. Because of the “bolt-on” approach to all features and protection capabilities, platforms like VMware can’t provide the same level of protection as VergeOS. The good news is you can transition from VMware to VergeOS seamlessly and at your own pace. You’ll have a more resilient environment and reduced costs by 50% or more. To learn more about using VergeOS as a VMware exit ramp, read our VMware Alternative page. You can also start using VergeOS as a Disaster Recovery solution, including for ransomware recovery, for VMware without migration using our IOprotect capability.

Watch Creating a Ransomware Response Strategy

This field is hidden when viewing the form
This field is hidden when viewing the form
Name(Required)

VergeIO’s Inbox Respect Policy: We will send you no more than two e-mails per month

Filed Under: Ransomware Tagged With: ,

by

Ransomware counts on Patch Tuesday to successfully infiltrate an organization. While there is nothing wrong with applying patches on Tuesday, it is which Tuesday the patch is applied that can open the door that ransomware plows through. Ideally, you want to apply the patch the next Tuesday after the release; doing so would eliminate the exploits that most ransomware and other cyber threats use to do their work.

The problem is organizations wait weeks or even months to apply patches. Why? Because the IT team needs to understand how the proposed patch will impact the rest of their environment. They don’t want to apply a patch that suddenly causes other currently working environments to fail.

Today’s infrastructure solutions must enable IT to vet and apply patches quickly and eliminate Patch Tuesday altogether. IT needs a solution that can address these patching challenges:

  1. Difficulty determining where the potential conflict is because of the number of vendors involved in delivering IT services.
  2. Difficulty in assembling and maintaining a lab environment to test patches.
  3. Difficulty rolling back a patch once it is deployed.
Ransomware Counts on Patch Tuesday

Eliminate Patch Tuesday and set yourself up for ransomware recovery success by attending our live TechTalk, “Creating a Ransomware Response Strategy,” this Thursday at 1:00 PM ET.

There are Too Many Vendors to Eliminate Patch Tuesday

One of the biggest challenges facing IT as they attempt to apply patches to prepare for the next ransomware attack is the complexity of the multi-vendor data center and this is why ransomware counts on patch Tuesday. While Hyperconverged Infrastructures (HCI) were supposed to make the multi-vendor data center easier to manage, they have the opposite effect. Traditional HCI is still a vertically layered stack of multiple software solutions. At a minimum, most HCI has software-defined storage (SDS), hypervisor (VMware/Hyper-V), software-defined networking, and software that protects the environment (backup and recovery).

Many environments are only one step down the software-defined path, running a legacy three-tier stack, virtualizing only compute. As a result, legacy data centers and even more “modern” HCI data centers are equally confusing when determining the impact of applying a patch.

Ultraconverged Infrastructure Simplifies Patch Reconciliation

VergeOS rotates the traditionally vertical IT stack into a tightly integrated linear plane that provides all infrastructure services (networking, hypervisor, storage, data protection) as a data center operating system within a singular software code base. We call this ultraconverged infrastructure (UCI), and it moves beyond legacy hyperconverged infrastructure to deliver greater efficiency and scalability at a significantly lower cost.

Reducing the IT stack to a singular, horizontal layer increases efficiency and scalability and simplifies the patching process. Updates for the entire infrastructure come from a single source, and because VergeOS is inherently highly-available, IT can apply patches and updates without disruption. VergeOS applies patches one node at a time, and workloads automatically move between nodes so that applications are unaffected.

You Need a Lab to Eliminate Patch Tuesday

Patches also come from operating systems and application vendors. Properly evaluating the impact of these patches is best done in a lab. IT organizations need a lab for patch testing and various other use cases. The problem is not just the cost to configure and maintain the lab but also making sure the lab has the same settings and data as the production environment. These requirements mean that most organizations don’t have a dedicated lab environment. When one is needed, they have to scramble to put something together. As a result, the lab is nothing like the production environment they are looking to simulate.

Virtual Data Centers: The Always Ready Lab

One of the critical capabilities of VergeOS is Virtual Data Centers (VDC). Virtual Data Centers are to physical data centers, what virtual machines (VM) are to physical servers, an encapsulation. Using another VergeOS capability, IOclone, IT professionals can, within milliseconds, create a space-efficient copy of their entire data center within.

Capturing the entire data center, including the data, networking configuration, storage policies, and application setups, is critical to ensuring that IT does patch verification against an exact replica of production. Since the copy is standalone and not dependent on the original, administrators can apply the patch without concern of impacting the production environment.

IT can implement a single VDC for its entire data center or subdivide it by application or workload. For example, a VergeOS administrator may create a VDC for Oracle, another for MS-SQL, and a “core” VDC for general-purpose VMs. Each VDC can be cloned hundreds of times, and those clones can be used as golden masters, backups, development, and patch verification.

IT Needs to Eliminate Patch Tuesdays AND Surprise Wednesdays

Even with the best testing, sometimes an errant patch slips through. Depending on the level of chaos it causes, IT may have to recover from the backup infrastructure completely. Recoveries from backup, especially large ones, are time-consuming, meaning IT may deal with the Wednesday surprise for the rest of the week. The problem is most infrastructure software is too inefficient to maintain its data protection points, typically traditional snapshots, for more than a few hours. As pointed out in this article, “VMware Storage Challenges,” this problem is especially apparent in VMware environments.

IOclone: Unlimited Clones and Retention

To make surprise Wednesdays less of a concern, IT needs the ability to retain backup copies for more than a few hours. Traditional backup software can meet this need, but the time and nuances in recovering an application with an errant patch are significant. IOclone has the entire state of the VM and the entire data center or workload. No rollback is needed; point to the last known good instance, and the application is running.

Get Ahead of Ransomware

Ransomware Counts on Patch Tuesday

Because ransomware counts on patch Tuesday, applying the latest patches is critical to staying ahead of ransomware. With VergeOS, IT can apply patches almost as soon as they are released without waiting for Tuesday. They can test application patches against a mirror image of their production environment. If an errant patch slips through, they can instantly point to the non-patched version.

Even with the improved patching capabilities within VergeOS, ransomware may still slip through because of user carelessness. Our IOfortify solution takes you the rest of the way by leveraging the hardened VergeOS, IOclone, and new detection capabilities to deliver rapid restoration from an attack. During our TechTalk, “Designing a Ransomware Response Strategy,” we will conduct a live demonstration of IOfortify in action. See if we can recover a VM under attack during the webinar.

Patch Comparison: Traditional Infrastructure Software vs. VergeOS

Rapid Patch RequirementTraditional Infrastructure SoftwareVergeOS
Determining Patch ImpactDifficult – Multiple vendors makes identifying potential conflicts time consumingEasy – One Vendor
Pre-deployment TestingDifficult – Hard to setup, maintain and pay for dedicated labEasy – Virtual Data Centers and Cloning can create “Instant labs.”
Patch RollbackHard – Recovering from a backup copy is very time consumingEasy – No rollback required, just point to pre-patched clone.

Filed Under: Blog, Ransomware Tagged With: ,

by

The best time for IT Professionals to start building a ransomware response checklist is now, before an attack occurs. There are several reasons for creating a checklist:

√ Successful Ransomware Response requires preparation.

√ Stress levels are high during an attack. You might forget a critical element in a rush to get everything back online.

√ A checklist will expose areas where you must practice and test.

√ A checklist provides a framework for comprehensive auditing.

Section One: Build a Ransomware Resilient Foundation

Implement a Prevention Solution
The first step in building a ransomware response checklist is to have the foundational elements covered. The best response is the one you don’t have to conduct because the attack doesn’t get through. While no prevention solution is perfect, and you still need a response strategy, they are effective at preventing many types of attacks.

Simplify Patching
Most patch releases sent to IT professionals today involve closing down potential security exploits. These patches should be applied upon release. The problem is most IT professionals are hesitant to apply patches to the environment because of downtime and the potential for unexpected impact of the patch. This is especially true of infrastructure software since an errant patch or downtime because of a patch can impact dozens of servers instead of just one.

Simplifying patching is a critical item when Building a Ransomware Response Checklist.

Another challenge is that most IT infrastructures are comprised of multiple pieces of software. Instead of a single, cohesive data center operating system (DCOS), IT must run layers of incompatible infrastructure software components, including networking software, virtualization software, storage software, and data protection software. Patches are applied to these layers when the respective vendor for each layer releases a service pack, which rarely coincides with when the vendors of the other layers release their patches.

Look for a vendor that takes a DCOS approach to infrastructure, which is not only critical to simplifying patching but also simplifies the entire ransomware response effort.

A DCOS should provide two deliverables in terms of patching. First, it should be able to simplify the foundational DCOS patching process by integrating the legacy IT stack into a single software element. Second, it should make the patching of guest operating systems and applications running inside VMs simpler by enabling zero-capacity and zero-performance impact clones so that IT can test the released patch for conflicts with other elements within the data center. If there is a problem with the patch, IT can roll back to the prior version, or if the patch works, roll the patched version into production.

▢ Harden the Operating Environment
An essential but often overlooked step is to harden the infrastructure software as much as possible. Suppose the ransomware can infect a part of the core infrastructure, like the hypervisor, the storage software, or the data protection software. The impact is widespread in that case, and recovery is far more complex.

Hardening the Data Center is a critical item when Building a Ransomware Response Checklist

While most mainstream OSs are not resilient to attack, you should ensure your core infrastructure software, like the hypervisor, storage, and networking software, are hardened. Look for infrastructure software that takes special developmental steps to make it act like firmware, loaded into RAM, and can be replaced easily from an unalterable good copy. Again, a DCOS makes these processes easier since only one software component needs to be hardened instead of three or four.

Section Two: Build a Ransomware Resilient Protection Strategy

Increase Protection Frequency and Retention
Protecting data is an obvious inclusion in any attempt at building a ransomware response checklist. Most data centers run into three challenges when creating a ransomware-resilient data protection strategy:

  1. Protection events occur too infrequently to be meaningful.
  2. Protected copies aren’t retained long enough to outlive a prolonged attack.
  3. Too many protection solutions are used, making the process complex and expensive.
    A best practice for a successful ransomware response is to make sure you are capturing all data hourly. Snapshots, on paper, look ideal for this use case, but most solutions experience significant performance problems as the number of snapshots increases, limiting how long those snapshots can be retained.

Consolidate Protection Tools
To get around the limitation of traditional snapshots, most organizations use at least four data protection tools to protect their environment. They may use a combination of hypervisor snapshots, storage system snapshots, replication software, application-level backup utilities (dumps), and enterprise backup software. Using all these applications makes the data protection process more expensive and complex, especially during a ransomware recovery effort. IT may be unsure which part of the process has the best known good copy.

Look for an infrastructure DCOS that enables you to consolidate, preferably down to one, the number of tools used for data protection. In essence, the DCOS will protect itself. It should provide the ability to protect data frequently and retain those protection events indefinitely without suffering performance degradation. It should enable you to restore the entire data center footprint, if need be, including network and storage configurations, with a single click. Lastly, it should enable affordable, high availability so data can be moved off-site and adhere to all aspects of the 3-2-1 rule.

Finding an alternative to traditional snapshots is a critical item when Building a Ransomware Response Checklist

Consider a Snapshot Alternative
Traditional snapshot technology, standard in most storage systems and hypervisors, is ill-suited to meet these requirements. The metadata requirements to maintain a high frequency, long retention snapshot schedule is too great. It impacts performance and makes deleting old snapshots to free up capacity too time-consuming. Clones are a better option for performance and retention because they are independent copies, but without global inline deduplication, frequent clones and long retention will consume too much storage capacity and degrade performance too much to be practical.

Look for an infrastructure that combines the best benefits of both clones and snapshots by implementing DCOS-wide deduplication. If the deduplication technology is built into the core of the DCOS, then it will eliminate concerns about algorithmic performance overhead and capacity consumption while enabling the cloning of PBs of data in milliseconds.

Section Three: Build a Ransomware Resilient Detection Strategy

Alerting to a potential attack is a critical item when Building a Ransomware Response Checklist

Detect Data Anomalies
Detection is a critical component of building a ransomware-resilient checklist. The sooner the DCOS can alert IT to an attack, the faster IT can stop and remedy the situation. Most ransomware attacks take two vectors after the malware finds its way into the environment. First, they start encrypting files as fast as possible, and second, the malware starts replicating itself to encrypt more files in parallel.

Again multiple detection tools are problematic. Look for a DCOS that can deliver in near real-time, a single source of alerting based on data change rates. In a globally deduplicated environment, the DCOS builds an alert off of an unexpected increase in capacity consumption.

Preserve Forensic Data
When ransomware attacks, most IT professionals’ first reaction is to start the recovery response as quickly as possible. The problem with jumping right into recovery is that the process will likely destroy any forensic data available to determine how the attack entered the environment and how it spread. Both data points are crucial to future prevention efforts.

Instead, look for a DCOS that enables quick isolation of the current state. Again using a cloning type of technology powered by global inline deduplication enables these clones to be made in milliseconds without consuming too much capacity. It is also critical that this clone be independent and isolated.

Create Ransomware Honeypots
Another detection strategy is to create Honeypots of the environment and expose them to attack, obviously anonymizing data in them. These honeypots can alert you of a potential wider threat and provide excellent practice for further hardening your data center. Honeypots typically have a lower false positive rate, when compared to most traditional intrusion-detection systems.

Look for a DCOS that can virtualize entire data centers in the same way that virtual machines virtualize servers. Then the DCOS can easily create honeypot data centers that are securely isolated from the production virtual data centers.

Section Four: Build a Rapid Recovery Strategy

Mount the Recovery, Don’t Copy

When ransomware strikes, rapid recovery is critical. Depending on the severity of the attack, IT may need to recover a few VMs or an entire data center. Copying data from another snapshot or a backup process takes too much time. Again, clone the current state for forensic reasons, then start recovery. The key is to be able to mount, in place, the last known good copy of data. That mount still needs isolation so IT can scan it for any malware trigger files before returning it to production.

Look for a DCOS that can in-place mount a previous VM version or an entire data center. An in-place mount provides instant access to the data so IT can scan it to ensure there are no malware remnants and then provide user access.

How’s Your Checklist?

Building a Ransomware Response Checklist is only effective if you tick all the boxes. If your evaluation is missing a couple of marks, then consider attending VergeIO’s next TechTalk, “Creating a Ransomware Response Strategy,” with our CEO, Yan Ness, and SE Director, Aaron Reid. They will dive deep into the elements of this checklist and show you a live demo of our IOfortify solution for recovering from a ransomware attack.

Filed Under: Ransomware Tagged With: , , ,

by

Users receive immediate alerts of an attack to act fast to prevent it and restore their entire system to a secure state within a matter of minutes

Ann Arbor, Mich, June 13, 2023 — VergeIO, the Ultraconverged Infrastructure (UCI) company, today introduced a groundbreaking solution for ransomware protection – IOfortify. This latest innovation combines robust security; unlimited, unchangeable clones; and rapid, complete recovery to fortify data integrity and provide users with true peace of mind.

Combining this data resilience with unlimited and unchangeable, space-efficient clones allows users to effortlessly roll back to an earlier version of its data center architecture to ensure business-critical information remains safe and secure from unwanted changes. Creating a set of space-saving copies takes milliseconds and allows the preservation of an unaffected infrastructure and VM state at any given time as a failsafe to any attempted ransomware attacks.

Recovery is crucial if malicious software is deployed. IOfortify is up to the task of providing quick and thorough restoration of systems, applications, and files. Because of its ability to speed the restoration process, IOfortify enables organizations to get back on track in a matter of moments, reducing downtime and ensuring business continuity with exceptional efficiency.

“VergeIO’s introduction of IOfortify marks an important milestone in ransomware defense. Its ultraconverged infrastructure solves a major hyperconverged infrastructure problem by delivering built-in ransomware defenses, providing users with immediate alerts and swift recoverability neutering ransomware attacks in minutes. This innovative cyber security defense layer fortifies data integrity in the face of evolving cyber threats. A must for any hyperconverged infrastructure.”

Marc Staimer, President of Dragon Slayer Consulting and senior analyst at Wikibon

IOfortify does more than help users recover from an attack, it helps them identify if they are under attack and points them to which clone is the best candidate for rapid recovery with minimal data loss.  Since VergeOS has control over the file system, it is able to detect any anomalies. With IOfortify, customers can receive immediate alerts of an attack, giving them the opportunity to act fast to prevent it and activate our rapid restoration services.

With IOfortify, we’ve redefined ransomware protection. One hundred percent of VergeIO customers who were affected by ransomware have successfully restored their entire system to a secure state within a matter of minutes. Those looking for unbeatable ransomware protection should embrace the future of fortified data integrity by building their infrastructure on VergeOS with IOfortify

Greg Campbell, VergeIO founder and CTO

VergeOS moves beyond legacy HCI configuration with its ultraconverged infrastructure (UCI), which integrates virtualization, storage, and networking into a single piece of software. This integration provides a high degree of efficiency that enables VergeOS to deliver more performance from existing hardware and a wider range of scale. VergeOS can scale up to meet the needs of the most demanding enterprise and scale down to fit the constraints of the edge. IOfortify is integrated into VergeOS and is available now at no additional charge to VergeOS customers. 

For more information, register here for a Tech Talk on New Ransomware Response Strategies, live on June 22nd at 1:00 pm ET

About VergeIO

VergeIO is the Ultraconverged Infrastructure (UCI) company. Unlike hyperconverged infrastructure (HCI), it rotates the traditional IT stack (compute, storage, and networking) into an integrated data center operating system, VergeOS. Its efficiency enables greater workload density on the same hardware with high levels of data resiliency. The result is dramatically lower costs and greatly simplified IT.

Media Contact:
Judy Smith, JPR Communications
818-522-9673
[email protected]

Filed Under: Press Release Tagged With: , , ,