Advice for CIOs: Protect Your Data from Different Ransomware Attacks
When ransomware strikes, it steals and encrypts valuable data that can only be decrypted by paying a ransom. According to the Global Cybersecurity Outlook 2022 released by World Economic Forum, ransomware is the biggest concern for cyber business leaders.
Ransomware targets large enterprises and infrastructure, with enterprise data facing sharply increased risks
In 2021, the US oil pipeline company Colonial Pipeline was the target of a ransomware attack, causing the company to halt all operations and pay a ransom of US$4.4 million. In the same year, the American insurance corporation CNA Financial experienced encryption of 15,000 devices, costing the company US$40 million to re-access the data. In April 2022, ransomware was the cause of 1.4 TB data leakage from multiple Toyota suppliers, forcing Toyota to cut its production capacity that year by 500,000 vehicles.
These are just some of the many examples of how attackers target large enterprises and critical infrastructure. Ransomware attacks are now low-cost and simple to mount: ransomware can be customized and commercialized, packaged as products that malicious users obtain through memberships and subscriptions. This has spread the threat of ransomware everywhere.
A typical ransomware attack steals and deletes all data copies stored in your local data center and even in your disaster recovery (DR) centers, which not only makes data hard to recover but also leaks private and confidential data. Enterprises then face not only the ransom demand but also damage to their brand image, lost business opportunities, legal proceedings, and labor costs. This collateral damage can be huge for a company – in some cases, these collateral losses are as high as 23 times the initial ransom.
A Cybereason report shows 49% of enterprises that have paid the ransom from an attack only retrieve part or none of the lost data, while 80% of enterprises that paid the ransom are targeted by ransomware a second time.
Storage: Part of the ransomware protection process and the last line of defense for data security
Traditional causes of data security risks include natural disasters and system hardware faults, such as fire, flood, and disk damage. These threats can be handled easily with DR solutions and disk wear detection technology.
However, human-caused threats, typified by ransomware attacks, keep increasing in number and cause enormous economic losses. This necessitates comprehensive data security protection that covers both the network and storage.
Figure 1: Comprehensive data security protection
Ransomware exploits zero-day vulnerabilities (a flaw in a system or device for which no patch is yet available), phishing emails, and physical access to plant ransomware in your systems. Network functions designed to prevent, block, scan for, and eliminate ransomware are rendered useless once a system is already infected.
In our modern digital age, data storage needs to do more than just store data – it needs to protect data. Specifically, storage uses technologies such as pattern recognition and machine learning to identify ransomware, and uses data security features such as ransomware detection, secure snapshots, data isolation, and data recovery to provide logical and physical protection for data.
As the final stop for data, storage is the last line of defense and is key to building protection capabilities.
Figure 2: Data storage ransomware protection overview
Ransomware protection with primary storage: After data enters the production storage, a safe zone is created inside the storage using its secure snapshot and Write Once Read Many (WORM) features, so that data cannot be tampered with or deleted. An independent, physically isolated zone is also created and combined with air-gap technology: replication links are disconnected automatically, and data is replicated to the isolation zone for enhanced protection.
Ransomware protection with backup storage: Similar to primary storage, the encryption, secure snapshot, and WORM features of backup storage ensure that the data in the storage system is clean. An isolation zone is also established to ensure data security, allowing operators to quickly restore clean data and services in the event of an attack.
When countering ransomware attacks, the ransomware protection appliance not only detects ransomware but also helps simplify system deployment. It is critical that storage detects ransomware accurately. The leading detection strategy in the industry is as follows:
- A baseline model is established from historical data, and the changed feature values of the metadata of each copy are checked against it for abnormalities.
- Abnormal copies are compared further to determine the file size change, entropy value, and similarity to the previous copy.
- A machine learning model then determines whether the file changes were caused by ransomware encryption, and marks the copies accordingly.
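The three-step strategy above, as an added example in Python that is not Huawei's code: a change-volume baseline check, then size-change, entropy and byte-histogram similarity, with a simple threshold rule standing in for the machine learning model. The sample file, its benign edit, and the ciphertext stand-in (seeded random bytes, which only model the byte statistics of an encrypted copy) are all constructed here; the thresholds are assumptions.

```python
import math
import random
from collections import Counter
from statistics import mean, pstdev


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8.0 for ciphertext or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def histogram_similarity(a: bytes, b: bytes) -> float:
    """Cosine similarity of the two byte-value histograms: 1.0 for an identical distribution."""
    ha, hb = Counter(a), Counter(b)
    dot = sum(ha[k] * hb[k] for k in ha.keys() & hb.keys())
    norm = math.hypot(*ha.values()) * math.hypot(*hb.values())
    return dot / norm if norm else 0.0


def baseline_anomaly(history: list, latest: int, k: float = 3.0) -> bool:
    """Step 1: flag a copy whose change volume exceeds mean + k*stddev of past copies (k assumed)."""
    return latest > mean(history) + k * pstdev(history)


def compare_copies(baseline: bytes, current: bytes,
                   entropy_jump: float = 2.0, min_similarity: float = 0.5) -> dict:
    """Steps 2-3: size change, entropy delta and similarity, then an assumed rule instead of an ML model."""
    delta = shannon_entropy(current) - shannon_entropy(baseline)
    sim = histogram_similarity(baseline, current)
    return {
        "size_ratio": round(len(current) / len(baseline), 3),
        "entropy_delta": round(delta, 2),
        "similarity": round(sim, 3),
        "encrypted": delta >= entropy_jump and sim < min_similarity,
    }


# Constructed sample data: a text file, a benign edit of it, and a ciphertext stand-in.
ORIGINAL = b"INVOICE 2024-01: customer ACME owes 1200 USD for storage services.\n" * 64
EDITED = ORIGINAL.replace(b"1200", b"1250", 1)
ENCRYPTED_LIKE = random.Random(7).randbytes(len(ORIGINAL) + 16)  # nothing is encrypted here

if __name__ == "__main__":
    print("benign edit :", compare_copies(ORIGINAL, EDITED))
    print("encrypted   :", compare_copies(ORIGINAL, ENCRYPTED_LIKE))
    # constructed history of bytes changed per daily copy, then today's copy rewritten in full
    print("volume anomaly:", baseline_anomaly([120, 135, 110, 140, 125], len(ORIGINAL)))
```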
What we suggest
1. Combine resources of the storage and data security teams, for a comprehensive data security protection system
Typically, enterprise data security teams comprise network experts who are responsible for imposing strict security policies on network security devices, such as firewalls, to protect high-risk ports and reduce exposure to threats. But mainstream network solutions alone are insufficient for handling ransomware attacks. One option is to include storage experts in the data security team to establish a comprehensive data security protection system. The importance of storage experts and a storage protection layer in such a system cannot be overstated. Data protection measures such as secure snapshots and data isolation prevent data from being tampered with, while detection and analysis technology identifies ransomware accurately and quickly, helping recover data from ransomware attacks as soon as possible.
2. Protect the last line of defense with a comprehensive ransomware protection storage solution
To build a comprehensive ransomware protection storage solution, enterprises need to:
- prioritize protection for key data assets based on their application service level agreement (SLA) requirements;
- implement anti-tampering and offline protection for data copies on production and backup storage, retaining a clean data copy for restoration.
Pre-event (before a ransomware attack): Two features – ransomware interception and identification of ransomware characteristics – stop ransomware from damaging data by intercepting it before it strikes.
In-event (data being encrypted by ransomware): Real-time ransomware detection monitors the I/O behaviors of ransomware. Once a ransomware attack is identified, the secure snapshot feature is immediately enabled to protect the file system under attack, reducing your data loss.
Post-event (data encrypted by ransomware): The intelligent ransomware detection feature detects whether data copies are infected by ransomware or not, ensuring the data copies used for recovery are clean.
In addition, enterprises need to select high-performance all-flash storage for production and backup, as it can quickly recover services and reduce the cost of service downtime in the event of a ransomware attack.
Learn more about Huawei’s Data Storage solutions.
Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.