Catching Up with Our CTO: The Evolution of Ransomware and the Perils of Centralized Backup

April 09, 2020 | Andres Rodriguez

The world has enough to deal with already. This recent spike in ransomware attacks on businesses struggling to cope with the coronavirus pandemic is particularly unsettling. Interpol is reporting more ransomware attacks on hospitals, and architectural firms and other organizations say attackers are taking advantage of the remote-work chaos. To make matters worse, today’s ransomware attacks can be far more damaging and widespread than the ones of just a few years ago.

A sophisticated ransomware breach is now a distributed disaster, one that impacts all your offices almost simultaneously.

For example, the Norwegian firm Norsk Hydro suffered a ransomware attack that impacted operations in 40 countries and cost the firm an estimated $70M. Unlike most organizations, Norsk Hydro made the bold decision to share its horror story, but ransomware has been quietly impacting businesses for years. We’ve helped many of our clients recover quickly from attacks, and we have built close partnerships with companies that came to us because they had been hit and didn’t want to go through that pain again. Most companies choose not to share these stories, however, because admitting to a ransomware infection appears to be an admission of poor security.

I don’t believe this is necessarily true. An IT organization can take all the security precautions imaginable, and follow prevention best practices down to the letter, but when you have tens of thousands of users and as many connected machines, malware will eventually find a way inside. When I asked the CSO for a large high-tech company about his biggest security concern, he answered: “The users, always the end-users, but I can’t get rid of them.”

Like all good evil genius hackers, the devious minds behind ransomware have accelerated its evolution. These latest ransomware variants infect a client, spread through the network, and rapidly encrypt everything they can touch. Earlier this year, when we were all still traveling, I visited with a large multinational AEC firm that had suffered from one of these new ransomware variants. The company was running best-in-class enterprise backup. They were following best practices. They’d educated their end users, secured their firewalls, and done everything by the book.

None of this helped.

When the company was hit, the malware immediately spread through its network, encrypting the file servers at hundreds of sites. Within two hours, IT had responded and shut everything down, but the damage was already done.

What Happens Next is Scary

This scenario is more common than anyone cares to admit. But it’s the next phase, the recovery, that reveals a fundamental flaw in centralized backup. If we assume a large global enterprise backs up four times a day, then their Recovery Point Objective (RPO) is roughly 6 hours. After an attack, they should expect to be able to restore these previous versions, before the data had been encrypted, within a reasonable time frame. Yes, their end-users would lose half a day’s work, but they can still expect their Recovery Time Objective (RTO) to be a couple of hours, maybe a day if it takes a while to get the servers rebuilt through the WAN.

But it’s not that simple. Enterprise backup systems don’t merely dump files into data centers. A central media server dedupes and compresses data to ensure optimal use of storage capacity. These operations demand intense compute resources, but the systems have at least three to six hours, so there is enough time. If a single site were to suffer from a ransomware attack, the media server could rehydrate that compressed data and IT could reasonably get the users at that site back up and operational within a business day, or less. When there are just a few sites in the picture, this centralized backup approach can work perfectly fine.

The problem arises when you try this for dozens or hundreds of sites. The compressed, deduped data from each site has to be rehydrated before being put back on the servers. This is compute intensive, and the central backup server only has the capacity to manage a handful of locations at a time. So if you have 100 sites that need to be restored, you are in serious trouble. The RTO can jump from a couple of hours to a couple of hundred hours. IT has to rank the sites in order of priority, and they all have to get in line and wait. Unbeknownst to anyone, the media server has become a treacherous bottleneck.

An enterprise-class centralized backup system is like a giant octopus with hundreds of tentacles. The compressed, deduped, protected data is stored in the head. Each location is at the end of a tentacle, and the octopus can only repopulate one tentacle at a time. The RTO might be a day or two for a critical location. But as we scale up to dozens or hundreds of sites, other locations will have to wait for weeks or even months, and IT will be completely overworked and strained to the breaking point.
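The bottleneck described above is a capacity-planning question, so it is worth putting numbers on it. The following is an added example, not code from the original post or from Nasuni: a small model in which a central media server can rehydrate only a fixed number of sites at once and IT works through the sites in priority order, compared with a per-site version rollback in which every site recovers independently. The site count, the eight-hour rehydration time per site, the concurrency of four and the two-hour rollback time are all constructed assumptions chosen to illustrate the scaling, not measurements.

```python
"""Hypothetical restore-capacity model (added example, not from the original post).

A central media server can rehydrate at most `concurrency` sites at a time,
so the remaining sites queue in the priority order IT assigns. A per-site
version rollback needs no shared server, so every site recovers in parallel.
All numbers below are constructed assumptions for illustration only.
"""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    priority: int          # lower number = restored first (IT's ranking)
    restore_hours: float   # assumed time for the media server to rehydrate this site


def centralized_restore(sites, concurrency):
    """Simulate a media server that rehydrates at most `concurrency` sites at once.

    Returns {site name: hours after the restore starts at which the site is
    back online}. Sites are served strictly by priority, so a low-priority
    site waits for every site queued ahead of it.
    """
    queue = sorted(sites, key=lambda s: (s.priority, s.name))
    # Min-heap of the times at which each media-server restore slot frees up.
    free_at = [0.0] * max(1, concurrency)
    heapq.heapify(free_at)
    done = {}
    for site in queue:
        start = heapq.heappop(free_at)          # earliest free slot
        finish = start + site.restore_hours
        done[site.name] = finish
        heapq.heappush(free_at, finish)
    return done


def per_site_rollback(sites, rollback_hours):
    """Every site rolls its own file system back to a pre-attack version.

    No shared server is involved, so all sites finish in parallel and the
    organization-wide RTO stays at `rollback_hours` however many sites exist.
    """
    return {s.name: rollback_hours for s in sites}


def rto(done):
    """Organization-wide Recovery Time Objective: when the last site is back."""
    return max(done.values())


def make_sites(n, restore_hours=8.0):
    """Constructed fleet: site-000 is the highest priority, site-(n-1) the lowest."""
    return [Site(f"site-{i:03d}", priority=i, restore_hours=restore_hours)
            for i in range(n)]


if __name__ == "__main__":
    for n in (3, 10, 100):
        fleet = make_sites(n)
        central = centralized_restore(fleet, concurrency=4)
        rollback = per_site_rollback(fleet, rollback_hours=2.0)
        print(f"{n:3d} sites: centralized RTO {rto(central):6.0f} h, "
              f"per-site rollback RTO {rto(rollback):4.0f} h")
```

With these assumptions the centralized RTO grows linearly with the number of sites (three sites finish in 8 hours, one hundred in 200 hours, and the lowest-priority site is the one waiting the longest), while the per-site rollback RTO is flat. The useful exercise for a defender is to replace the constructed constants with the real rehydration throughput of your own media server and the real number of sites, and see where your fleet lands on that curve before an incident forces the question.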

Ransomware Recovery with Cloud File Services

I have never liked backup, especially when it comes to big file servers. Even under the best of circumstances, they are too slow and unreliable. They tend to fail in unexpected ways. The ransomware horror story above is just one more example. This is why we built UniFS® to be an infinite, immutable, versioned file system. Nasuni is a complete file services platform, but the fact that our core technology, UniFS, is a cloud-native file system makes it possible for companies to recover swiftly from distributed ransomware attacks regardless of the scale of the attack. There is no bottleneck in UniFS restores.

We didn’t build our file system to respond to ransomware. We built it so that it wouldn’t need backup and would instead self-protect. After a ransomware attack, UniFS resets to a previous point in time – giving organizations an RPO of minutes, not hours – getting them back up and running in a distributed way in a few hours or less, across hundreds of sites. This is the massive difference between our approach and centralized backup: We do not become slower when you have more sites. We scale RTO to the scale of your organization.

Nasuni recently celebrated its 11th anniversary. Years ago, I used to say to our customers, almost as a joke, that they could lose every one of the Nasuni appliances at every site and their files would still be fine. Their files and file system live in the cloud and the cloud is indestructible. It was a joke because the scenarios we are going through today – globally distributed ransomware attacks, the pandemic shutdown, etc. – were unimaginable. But I’m very relieved we chose to design our technology this way.

Nothing can absolutely prevent a ransomware attack, and the insidious malware certainly isn’t going away. Nasuni gives its clients a means of mitigating the damage, reducing the recovery time for globally impacted enterprises from weeks to minutes.

Again, that’s weeks to minutes. The best backup is no backup.

For a deeper dive on the features organizations should look for in a ransomware recovery solution, check out our latest whitepaper.
