‘Modern data’ is answer to SA’s ransomware scourge

By DANIEL TEIXEIRA, Systems Engineering Manager South Africa, Pure Storage.



The cyber-threat landscape is ever-evolving, and undoubtedly one of the biggest current threats is ransomware. Ransomware is a type of malicious software that threatens to publish the victim’s data, or perpetually block access to it, unless a ransom is paid. For modern organisations that rely on data to operate and thrive, this kind of attack can be catastrophic. We’ve seen high-profile attacks on the City of Johannesburg, Virgin Active and the Civil Aviation Authority all making headlines, and unfortunately, it’s a trend that shows no signs of slowing down. In fact, according to a Sophos report, 24% of organisations in South Africa were hit by ransomware in the last year.

Organisations that face these attacks have to decide how to respond to demands for hefty fees to recover their data. Last year, McAfee reported that ransomware attacks had more than doubled in a year. According to Sophos, the average cost of dealing with ransomware attacks and rectifying their impact in South Africa is approximately R6.5 million (or $450 000).

Increased Threat Landscape

The Covid-19 pandemic has caused a huge amount of disruption for businesses and created a new normal for how many organisations operate. Workforces are still working remotely, and this may remain the case for quite some time.

While this has been a necessity, it has created new opportunities for hackers. They can exploit the fact that many employees may be working on insecure home systems and networks, holding more business-critical calls and meetings virtually, with security gaps left open to attack. It’s therefore unsurprising that Covid-19 has resulted in a surge of ransomware attacks, and as such many security firms are offering advice and new protective measures to customers. However, one area that is not often discussed in relation to ransomware is the vital role that storage can play in mitigating the risk.

Prevention is No Longer Enough

As part of a robust cybersecurity strategy, companies can no longer rely solely on anti-intrusion systems. While having the proper precautions in place to prevent an attack is vital, organisations must also plan for recovery if an attack does occur. This means implementing a strategy that takes into account the necessary recovery processes through which data can be restored as quickly as possible.

In most cases, once a business has been infected with ransomware, it’s already too late to stop it. According to Kaspersky, 4 out of 10 victims of ransomware in South Africa eventually pay the ransom, but they have no guarantee that their data will be recovered. Alternatively, if a company decides not to pay the ransom, the data, once encrypted, is unrecoverable. IT teams must then try to restore data from backups, which may be out of date, resulting in data loss. This approach also assumes that backups are available and haven’t been encrypted or deleted by the ransomware attack itself.

Attackers have increasingly been targeting backups with the goal of deleting them, acknowledging backups as an organisation’s last line of defence. Data recovery is then impossible, forcing companies to pay a ransom or resign themselves to the loss of data, which could do irreparable damage. Even if a ransom is paid, this doesn’t guarantee recovery of data, or protection from future attacks and extortion. Remember that these attackers are hardened criminals.

Using Snapshots to Combat Ransomware

This is where advanced SafeMode snapshots come in. Snapshots are a key security feature designed to protect data in the same way as backups, but with the goal of minimising data loss and restoration times. Once enabled, automated system-wide snapshots are taken and kept for a customer-specified period of time. These unique, read-only snapshots are immutable, meaning they cannot be encrypted or deleted by attackers, or even by admins with access to the system or backup software. Snapshot policy can only be modified by authorised company personnel working directly with Pure Storage. Therefore, even if the company’s administrator account is compromised, hackers will not be able to touch the snapshots. These snapshots protect backup data sets and metadata so, in the event of a ransomware attack, data can be easily restored.

Restore speed – the underappreciated difference-maker

Even with immutable snapshots in place, companies will be limited by the speed at which they can restore data to get them up and running again. Restoration speed is critical in today’s fast-paced business environment. Imagine a major online retailer being down for even one hour – it could cost them many thousands or even millions in revenue. If hit with ransomware, that retailer will want to restore its secure data as rapidly as possible.

Organisations should insist on a backup solution that can restore data at a rate of hundreds of terabytes per hour for maximum speed to resolution, and near-complete peace of mind against ransomware attacks. The average competitor cannot restore at over 20 TB/hour, whereas Pure FlashBlade delivers breakthrough data protection performance, with up to 90 TB/hr backup performance and up to 270 TB/hr recovery performance. With a solid cybersecurity strategy reinforced with advanced snapshots and a rapid restore solution, the restoration phase after a ransomware attack can be reduced from several weeks to just a few hours, enabling business resilience and continuity.