Ransomware is practically a fact of life. Criminals, script kiddies and other malfeasant individuals make a living from ransomware. Businesses are routinely crippled by the effects of this crypto-plague, and one of the regular complaints is “it encrypted our backups”.
But did you know there’s a way to have backups that don’t get encrypted by ransomware?
Aside: Why not use tape?
- Have you ever done a complete datacenter recovery from tape?
- I’ll bet $50 that by mid-2020 there’s ransomware that clobbers tapes, too.
There are two elements to the secret sauce:
- Data Domain
- Data Domain Boost
Let’s run through what they deliver.
1 – A Boost Backup is Off-Platform to Your Backup Server
First, let’s consider the simple issue that we hear of from time to time: “our backups got encrypted by ransomware, too”, or “our backups got targeted by the ransomware”. The problem there is that those backups were permanently visible to an operating system vulnerable to ransomware. They were written to a local filesystem of the OS (e.g., a Windows D:\ drive), or to a standard SMB or NFS share. Any process running on that operating system could see the files, and any process with write access to them (ransomware needs no more than the privileges of the user account it runs under) could scramble the content.
When you’ve done a Boost backup (e.g., via Avamar, NetWorker, Boost for Databases/Apps or PowerProtect), neither the client, the server, nor (with NetWorker) the storage node mounts the storage directly. The Boost API gives the accessing host a reference to a particular file path it can send data to, but that path is never mounted as a filesystem.
So it doesn’t matter if your Windows (or even, egads! Linux) backup server gets infected with ransomware: the backups are not sitting on a mounted filesystem where a process could open and overwrite them. (What a compromised backup server could still do is drive the backup application itself, which is why retention lock, below, is a separate layer.)
2 – Data Domain Does Not Have an Accessible Filesystem
When you log in as, say, the sysadmin user on a Data Domain, you don’t get to see the underlying filesystem. Data Domain as a protection storage platform is a true appliance, so a nefarious virus can’t just drop a payload onto a Data Domain; it just doesn’t work that way.
3 – Using a Backup Appliance Gives You Even More Protection
If you want further protection than the above, you’ve got the option to work within a backup appliance. Avamar is natively an appliance, and so too is PowerProtect. NetWorker can be deployed as an appliance, too. At that point, yes, there’s an underlying Linux operating system (as is so often the case with appliances), but it’s not for general consumption. You can’t just log in remotely as the root user, for instance. Your traditional Windows ransomware can’t impact the system, and the systems have pretty tight security from the install, even before you do any hardening. (Check the individual product security guides for additional details on how you can do that hardening.)
4 – Data Domain Hardening
Data Domain supports a variety of hardening techniques, which give you an added layer of protection. For that extra protection, work through the Data Domain OS security guide.
5 – You can use Retention Lock
Data Domain retention lock allows you to set rules on stored data that prevent deletion or modification, even by the application that stored it, until a specified period of time has expired. That way, even if something issued a delete instruction to the backup server, retention lock will prevent it from taking place. (Turns out the computer really can say no.)
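As an added example, not code from the original post or from the Data Domain product: a small Python script that applies the retention-lock convention used over NFS and SMB, where a client locks a file by setting its access time to the retention expiry (the MTree’s minimum and maximum retention periods bound that date; the 12-hour minimum mentioned in the comments is this example’s assumption about the default). More usefully, it probes whether a given mount point actually enforces the lock by writing a canary file, locking it, and attempting to delete it. Boost-integrated applications apply the lock through the backup software rather than via atime, so the atime path is the one relevant to the SMB/NFS shares discussed in the comments below. Function names, the canary naming and the sample directory are this example’s own, and the sample files are constructed.

```python
"""
Retention lock over NFS/SMB: lock backup files by setting atime to the
retention expiry, then probe whether the storage really enforces it.
Added example, not the original post's or Dell/EMC's code.

Assumption (labelled): on a Data Domain MTree with retention lock enabled,
setting a file's atime to a future date locks it until that date, and the
MTree's min/max retention periods (assumed default min: 12 hours) bound it.
"""
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone


def to_ns(dt):
    """Epoch nanoseconds for a timezone-aware datetime."""
    return int(dt.timestamp() * 1_000_000_000)


def retention_expiry(days=0, hours=0):
    """Retention expiry as an aware UTC datetime, relative to now."""
    return datetime.now(timezone.utc) + timedelta(days=days, hours=hours)


def lock_file(path, retain_until):
    """Lock one file via the atime convention; return the atime read back (ns).
    mtime is preserved so the backup's own timestamp is untouched."""
    st = os.stat(path)
    os.utime(path, ns=(to_ns(retain_until), st.st_mtime_ns))
    return os.stat(path).st_atime_ns


def lock_backup_set(directory, retain_days):
    """Lock every regular file in a backup directory for retain_days.
    Returns {path: atime_ns} for the files that were locked."""
    expiry = retention_expiry(days=retain_days)
    return {
        p: lock_file(p, expiry)
        for p in (os.path.join(directory, n) for n in sorted(os.listdir(directory)))
        if os.path.isfile(p)
    }


def probe_retention_lock(directory, retain_hours=13):
    """Practitioner's check: write a canary, lock it, try to delete it.
    True only if the storage refused the delete (lock enforced).
    On a local disk or a plain share the delete succeeds, so False.
    Caveat: on a real retention-locked MTree the canary stays until expiry;
    retain_hours sits just above the assumed 12-hour minimum for that reason."""
    canary = os.path.join(directory, f".rl-canary-{int(time.time())}")
    with open(canary, "wb") as fh:
        fh.write(b"retention lock probe")
    lock_file(canary, retention_expiry(hours=retain_hours))
    try:
        os.remove(canary)
    except PermissionError:
        return True   # storage said no: retention lock is live on this path
    return False      # delete went through: this path is NOT protected


def make_sample_backup_dir():
    """Constructed sample data: a temp directory with two fake backup files."""
    d = tempfile.mkdtemp(prefix="rl-demo-")
    files = []
    for name in ("oracle_full_01.bak", "sql_diff_02.bak"):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"sample backup payload")
        files.append(p)
    return d, files


if __name__ == "__main__":
    d, files = make_sample_backup_dir()
    enforced = probe_retention_lock(d)
    print(f"{d}: retention lock enforced = {enforced}")
    for p, atime_ns in lock_backup_set(d, retain_days=30).items():
        print(f"locked {p} until {datetime.fromtimestamp(atime_ns / 1e9, timezone.utc)}")
```

Run the probe against the actual mount point before trusting a share; on a workstation or an MTree without retention lock enabled it reports False, which is exactly the condition you want to catch before an incident rather than after.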
6 – Cyber Recovery
And then there are the big guns. A full cyber-recovery solution gives you vaulted protection for your critical data, held not just under retention lock, but also featuring options to automatically test and analyse the transferred data. The data copy placed in the cyber-recovery vault is outside the visibility and control of your regular backup environment, which is essential in providing another layer of protection.
Wrapping Up
Virus scanning, firewalls and other forms of end-point protection clearly don’t provide sufficient protection against ransomware on their own. You can guarantee that practically every company that’s been hit by ransomware had virus scanners and firewalls in place, after all. But when ransomware hits, it hits fast, and there’s always a window between when a new strain first makes it into the wild and when virus definitions are updated.
So one of your first phases of planning ransomware defence is to plan to recover, and Data Domain and Boost will provide you the bedrock underpinning for that recovery.
We use SMB and NFS shares on Data Domain for some Oracle and SQL backups. This means the backup files are visible to users on the Oracle and SQL servers, but the backup files are still safe because of retention lock on the DD. I understand we could use Boost instead of SMB and NFS, but with retention lock in place, safety-of-backups is not a compelling reason to do so. The backups are already safe because of retention lock. Would you agree?
Applying retention lock to those backups will certainly give you a base level of protection, since once retention lock has been applied, those backups can’t be corrupted or deleted.
I’d suggest considering looking at switching to BoostFS for those mount points for some added benefits: source-side processing of the deduplication (reducing network traffic), and the option for compressed read back from the Data Domain (speeding recovery).