How WEKA Powers Ransomware Protection and Business Continuity
Shimon Ben David. March 29, 2022
Ransomware attacks have been growing increasingly frequent in recent years. From oil pipelines being shut down and automotive companies locked out of their data, to the computers and data of police departments and healthcare organizations being held “hostage,” attackers are targeting organizations across nearly every industry and causing significant, costly disruptions to operations.
The United States Federal Bureau of Investigation (FBI) recently reported that organizations lost upwards of $6.9 billion to ransomware attacks in 2021 – up 7% from 2020. A staggering number to be sure, but even more so when you factor in the true cost to businesses, which, although difficult to quantify, is certainly much higher. Attacks typically impact them in a variety of ways, including sustained operational downtime, which can slow or even halt revenue generation, destroy productivity and erode customer confidence, as well as loss of intellectual property, reputational damage, and in the case of healthcare systems, even loss of human life.
Common Ransomware Situations
A ransomware attacker typically uses malware to encrypt an organization’s data, which may include operational data, financial data, personnel, or customer data; the encrypted data then cannot be accessed by the organization until decrypted by the attacker. In some cases, the attacker may make a copy outside the target organization and delete the original data until the ransom is paid, at which time they restore all or part of it. The organization’s challenge here is to detect when their data has been breached, which is cumbersome given that these attacks usually take weeks to fully encrypt and delete the data. An additional challenge is identifying which backups, if any, an organization can use to recover their data from tape or nearline once a breach has been identified. In sophisticated attacks, the attacker can even delete remote copies of the data that are intended for backups.
Organizations are now implementing strict processes and procedures to thwart and prevent these types of attacks, such as frequent password changes, two-factor authentication, virus, malware, and phishing detection mechanisms and more, but in many cases, threat actors are still outmaneuvering them.
The WEKA Data Platform offers organizations additional layers of security that make it harder for would-be attackers to lock users out of their data and help to ensure that the data can be recovered quickly and easily, including:
The WEKA Data Platform enables admins to create multiple separate organizations on a single system. Sub-organizations are allowed only to manage their own provided namespaces; the admin of the sub-organization cannot access other filesystems across the organization, thereby limiting the potential scope of an attack even if a sub-organization is compromised.
Admins can generate tokens that must be provided before mounting the filesystem. These tokens determine whether the client has permission to read/write and for how long before access is revoked. They are checked before the permissions model on the filesystem is evaluated, which provides an added layer of protection. Even if an attacker did manage to access a client system as an approved user, without these tokens they cannot mount any filesystem.
The WEKA Data Platform supports encryption inline and at rest for all data: while on the wire, as it lands on NVMe storage, and when sent to backend object storage buckets. An attacker posing as a middleman to eavesdrop on the traffic will not be able to decipher the file data. Furthermore, the WEKA system is connected to the organization’s Key Management Service, which constantly generates new keys as required, so that there is no single key that can be used to unlock all of an organization’s data. The data is then encrypted as it lands on object storage for complete security.
WEKA supports instantaneous snapshots for all its filesystems, which is unique at exabyte scale. These snapshots are immutable and can always be used to roll back a filesystem to its previous state within seconds – and without the need to even unmount or remount clients.
The WEKA Data Platform also supports sending immutable snapshots to both local and remote object storage buckets. These snapshots can be used to send a copy to a remote version and/or write-once-read-many (WORM) bucket, where encrypting or deleting data is nearly impossible. A WORM bucket is an object storage bucket that is configured so that every dataset it contains has a retention period – once the dataset has been placed in the bucket it cannot be removed or changed before its retention period has expired. It is remarkably simple to periodically mount these WORM remote data copies and validate that the data is correct to catch a threat actor mid-attack. For example, once a week, an organization can provision a short-lived WEKA system that mounts the WORM remote data copy and confirms its accessibility and validity.
Diagram A: The WEKA system sending data to a remote WORM bucket in another cloud.
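One way to carry out the periodic validation described above, shown as an added example that is not WEKA tooling or code from the original post: hash every file in the newly mounted copy, compare against the manifest from the previous validated copy, and flag changed files whose content has become near-random. The file names, the 7.0 bits-per-byte threshold, and the sample data are assumptions constructed for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root: str) -> dict:
    """Map each relative path under a mounted copy to (sha256, entropy)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # sample-sized files; stream large ones in practice
            rel = os.path.relpath(path, root)
            manifest[rel] = (hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return manifest

def compare(baseline: dict, current: dict, high_entropy: float = 7.0) -> dict:
    """Report files that vanished, changed, or changed into near-random bytes."""
    report = {"missing": [], "changed": [], "likely_encrypted": []}
    for rel, (digest, _) in sorted(baseline.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel][0] != digest:
            report["changed"].append(rel)
            if current[rel][1] >= high_entropy:
                report["likely_encrypted"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample data: last week's copy versus a tampered copy."""
    old = {"ledger.csv": b"id,amount\n" * 500, "notes.txt": b"meeting notes\n" * 300,
           "hr.txt": b"employee list\n" * 300}
    # Tampered: one file replaced by random bytes, one edited, one deleted.
    new = {"ledger.csv": os.urandom(5000), "notes.txt": b"meeting notes v2\n" * 300}
    with tempfile.TemporaryDirectory() as d_old, tempfile.TemporaryDirectory() as d_new:
        for root, files in ((d_old, old), (d_new, new)):
            for name, body in files.items():
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(body)
        return compare(build_manifest(d_old), build_manifest(d_new))

if __name__ == "__main__":
    print(demo())
```

Compressed or already-encrypted files are legitimately high in entropy, so the `likely_encrypted` list only considers files whose hash changed since the baseline; a sudden rise in its size between weekly checks is the signal to investigate.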
Data security is a multi-layered challenge. Organizations must be vigilant about adding effective layers of protection to prevent ransomware attacks and take steps to ensure that recovering backup data is a streamlined process should an attack occur. The WEKA Data Platform provides enhanced security to reduce the risk and potential scope of ransomware attacks with advanced security features such as multitenancy segregation, authenticated mounts, and inline encryption, as well as protected backups to simplify recovery even in a worst-case scenario. WEKA simplifies the backup and recovery process with our snap-to-object capability, regularly sending copies of the data to a remote WORM bucket in a different datacenter or cloud (and periodically validating that it is still good).
As with other types of cyber threats, careful planning, the right tools, employee education, and multi-layer protection are all key to combatting ransomware attacks – and WEKA’s security and data protection capabilities can play an important role in helping to protect your organization’s data.