A few years ago, ransomware was not a term I would hear about regularly. Lately, however, I hear about it all the time. Naturally, my curiosity has made me dive a lot deeper into the subject. A nagging question that has remained on my mind is: how is it possible that an IT organization can become the victim of ransomware? Surely IT organizations have operational practices in place to avoid getting attacked?!?
Eventually, I came across a podcast that dives into the heartbreaking, heroic, and educational stories of IT professionals who have encountered and fought against ransomware: The Ransomware Files. I would highly recommend it to anyone who is interested in the subject. What should have been obvious to me, but I only realized after listening to a few episodes, is that it can happen to anyone. And when it does happen, you may not even realize that it happened because of something you or your client did.
The lengths to which attackers go to masquerade and obfuscate malicious software could be considered either genius or simply mad. Their methods range from plain executables in emails to infected spreadsheets to elaborate supply chain attacks, where ransomware is embedded into software delivered to your client’s managed or colocated data center estate, or to your own. You would naturally trust qualified suppliers, and so unknowingly introduce infected software bundles and tools into your client’s environment. At this point, my brain (and probably yours) hurts because the possibilities are endless. I mean…how can you help your customers avoid getting hit by ransomware?
Ransomware attacks are expensive
It is no surprise that industry analysts and cybercrime experts are putting big numbers behind ransomware. For example, Cybersecurity Ventures estimated that ransomware attacks accounted for 20 billion USD in corporate losses in the year 2021*, whereas Gartner estimates that by 2025, 75% of organizations will have suffered from a ransomware incident. It is therefore critical that organizations invest in technologies to prevent ransomware from becoming an expensive problem.
And while prevention is key, examples demonstrate that there is no universal tool that will prevent your customers (or you for that matter) from getting attacked. Therefore, a solid client response and recovery plan is required.
Your client’s ransomware recovery may not be trivial
Recovery should be a straightforward process: you recover the operating system, the application binaries and configuration, and then the application data. There are many options available to do that, but when inspecting these options closely, the process is not trivial. Granted, the recovery of only the application data, when using external enterprise storage systems, is rather trivial. For many years, snapshot technology has made fast application data recovery a breeze. The tricky part for IT and MSP technical professionals is finding an unencrypted version of the data and restoring it to a clean recovery point—standard recovery practice.
Unfortunately, recovering your client’s application data alone is not enough. You also need to recover the operating system, which is usually stored on direct attached drives, often on a mirrored pair. Here, the recovery process isn’t that trivial anymore. The operating system can either be re-installed from scratch (assuming you know the exact configuration of that system, its application, and its cluster configuration) or recovered from an image backup. Both options are lengthy and time consuming; when done on multiple servers, they can take hours to days and consume significant technical resources, even when the recoveries are performed in parallel.
Of course, this assumes two things: that you’re allowed to start recovery (often law enforcement will want to collect evidence first) and that you have access to the critical infrastructure services that are required for recovery. I’m talking about the tools and resources that you need to recover from your client’s backups, the installation images and binaries you need to reinstall operating systems, and the management consoles that you need to promote snapshots and manage virtual machines or containers. It is not uncommon for ransomware to attack these critical infrastructure services, preventing managed service providers and IT organizations from accessing their own infrastructure. What do you do if these tools are not available?
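The hardest step above is deciding which snapshot is the last clean recovery point. The following is an added illustration, not code from the original post or from Nebulon, of the kind of check a recovery team can run over a series of snapshots before promoting one: files that vanished or were renamed relative to a known-good baseline and files whose byte entropy is close to 8 bits per byte (typical of ciphertext) mark a snapshot as tainted, and the newest snapshot with no such findings is chosen. The snapshot names, file contents and thresholds are constructed for this example; `bytes(range(256)) * 2` stands in for encrypted content.

```python
import math
import os
from collections import Counter
from typing import Optional

# Entropy above this many bits per byte (maximum is 8.0) is treated as "looks
# encrypted". Compressed and media formats are legitimately near 8.0, so they
# are skipped rather than flagged. Both values are assumptions for this example.
ENTROPY_THRESHOLD = 7.0
NATURALLY_HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf"}

# Constructed stand-in for ciphertext: every byte value equally often -> 8.0 bits/byte.
CIPHERTEXT_STANDIN = bytes(range(256)) * 2

# Constructed sample: three nightly snapshots of the same share, oldest first.
SNAPSHOTS = [
    ("snap-2024-03-01T02:00", {
        "invoices/q1.csv": b"id,customer,amount\n1,acme,120.50\n2,initech,98.00\n",
        "docs/readme.txt": b"Quarterly export. Do not edit by hand.\n",
    }),
    ("snap-2024-03-02T02:00", {
        "invoices/q1.csv": b"id,customer,amount\n1,acme,120.50\n2,initech,98.00\n3,globex,410.00\n",
        "docs/readme.txt": b"Quarterly export. Do not edit by hand.\n",
    }),
    ("snap-2024-03-03T02:00", {
        # Originals are gone, renamed copies hold high-entropy content.
        "invoices/q1.csv.locked": CIPHERTEXT_STANDIN,
        "docs/readme.txt.locked": CIPHERTEXT_STANDIN,
        "note.txt": b"Your files have been encrypted.\n",
    }),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_snapshot(files: dict, baseline_paths: set) -> list:
    """Return findings that suggest this snapshot is tainted (empty list = looks clean).

    files: mapping of path -> content for one snapshot
    baseline_paths: paths present in a known-good (older) snapshot
    """
    findings = []
    for path in sorted(baseline_paths - files.keys()):
        findings.append(f"missing: {path}")
    for path in sorted(files.keys() - baseline_paths):
        # A baseline path with an extra extension appended is a typical rename.
        if any(path.startswith(base + ".") for base in baseline_paths):
            findings.append(f"renamed: {path}")
    for path, content in sorted(files.items()):
        if os.path.splitext(path)[1].lower() in NATURALLY_HIGH_ENTROPY_EXT:
            continue
        h = shannon_entropy(content)
        if h > ENTROPY_THRESHOLD:
            findings.append(f"high entropy: {path} ({h:.2f} bits/byte)")
    return findings


def last_clean_snapshot(snapshots: list) -> Optional[str]:
    """Walk snapshots newest to oldest and return the first with no findings.

    The oldest snapshot supplies the baseline file inventory; in practice that
    baseline would come from a snapshot already confirmed clean.
    """
    baseline_paths = set(snapshots[0][1].keys())
    for name, files in reversed(snapshots):
        if not assess_snapshot(files, baseline_paths):
            return name
    return None


if __name__ == "__main__":
    baseline = set(SNAPSHOTS[0][1].keys())
    for name, files in SNAPSHOTS:
        print(name, assess_snapshot(files, baseline) or "clean")
    print("last clean recovery point:", last_clean_snapshot(SNAPSHOTS))
```

On the constructed data the newest snapshot is flagged for missing originals, renamed copies and 8.0 bits/byte content, so the check selects the March 2nd snapshot as the recovery point. Entropy alone is a heuristic: legitimately compressed or already-encrypted files score high, which is why the extension skip list exists, and the baseline must itself be trusted, which is exactly the problem the post's next sections turn to.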
The ultimate ransomware protection for your clients
Ultimately, the best way to protect your clients from ransomware attacks is by being a proactive, consultative cyber solution provider. Delivering a robust cyber-resilient strategy will prevent ransomware payouts and, as a result, break the business model for cybercriminals. If there is no money in the game, it will slow down. But cybercriminals are not always interested in profits; sometimes their objective is to destroy, to put companies out of business, to influence market dynamics, or to attack entire countries.
So, I should have said that the best way for your clients to recover from ransomware is by offering solutions that proactively provide rapid recovery from an attack. This means working with your customers long before any ransomware attack to put a strategic, proactive recovery plan in place to prepare your customer for the “when moment”. It also means implementing a zero-trust policy and investing in infrastructure technologies that can help recover precious data and operating environments quickly. Nebulon can help you deliver the latter.
Nebulon TimeJump and Nebulon ImmutableBoot are capabilities of smartInfrastructure that reduce the ransomware recovery time of physical infrastructure from multiple days to under 4 minutes for the operating system, application configuration and application data, for many clusters at once, allowing MSP organizations to recover customer systems and infrastructure much more quickly. It is the first and only combined server and storage solution architected to allow complete ransomware recovery in less than 4 minutes.
We do this through our services processing unit (SPU), a PCIe card embedded in application servers in a separate fault domain and an isolated security domain from the server. This means that any ransomware that is running on the server cannot encrypt the servers’ drives or compromise the storage layer, and that operating system crashes that are caused by ransomware or other malware won’t affect the availability of the SPU’s enterprise data storage services. The immutable snapshot capabilities of the SPU can protect both the operating system and applications, allowing the fastest operating system recovery times available.
What to take away from this?
One thing is certain: ransomware attacks have become inevitable. So protect your client’s critical infrastructure by implementing technologies for fast recovery, especially for the management infrastructure that is imperative for client business continuity. This avoids the need to pay any ransoms that fuel the ransomware business.
To learn more about TimeJump and ImmutableBoot, core capabilities of Nebulon’s cyber-resilient smartInfrastructure portfolio, register for our on-demand webinar.
*Cybercrime to Cost the World $10.5 Trillion Annually By 2025, Cybersecurity Ventures, Dec 2021