Ransomware attacks have entered a more vicious phase as criminal gangs resort to ever more ruthless tactics to extort payment. Victims that refuse to pay are seeing attackers escalate rather than back off.
Stories of gangs leaking graphic private medical images and publishing stolen academic records are all over the news. The accounts fit the notoriety that has become the signature of ransomware, but they also point to a growing desperation and a willingness to go to extremes not seen before.
A Possible Out
The threat forces the question: when an attack finally lands, do we want to bail our data out of ransomware prison by paying the criminals, or stand on our own ability to protect it? It should be a no-brainer. Once compromised, a company is at the attacker's mercy: it must do as it is told before the clock runs out or face brutal escalation. Prepared, it can sidestep the worst of it and limit the damage.
We met with Catalogic Software, an enterprise data protection and disaster recovery (DR) company that recently released a feature for early detection of, and alerting on, ransomware. Catalogic last appeared at Storage Field Day in 2015, so it was time for a refresher.
Ken Barth, CEO, said that early detection is non-negotiable if the goal is to defuse an attack and keep data out of the wrong hands.
As enterprises enter a more dangerous period of cyberattacks, they need more than backup and recovery. Without active ransomware protection, infected files can easily end up in the backup, corrupting entire servers. A full recovery, Barth says, is only possible when a company can first confirm that its backup data is safe.
“If you’ve been hacked, and you get that ransom note, the first thing you have to find out as quickly as possible is – Are your backups safe? When did you last back up? When can you restore to? – and then make a business decision,” he said.
One of the things that makes ransomware frightening is that attackers can live off the land, weaponize data against its owner and exfiltrate it from under their noses. So checking data before it is copied into backup systems is key.
Catalogic – A Brief Introduction
If Catalogic Software is new to you, here is a brief introduction. More than two decades ago, Catalogic started with ECX, its flagship copy data management product, which was later acquired by IBM. As a fledgling company, its goal was to build data protection directly into backup. In the years that followed, the company focused its effort and energy on the products in its portfolio, chiefly DPX, an all-purpose data protection solution, developing it into a holistic product that furthers that objective. Behind it is a distributed workforce based in the US, Poland and India.
Over the years, Catalogic has built a loyal customer base that now stands at 400. Its DPX business currently turns over $20 million, Barth says. Targeting the small and medium sector, Catalogic claims a 95% customer renewal rate. A rich feature set and an economical pricing model position it as a competitor to Commvault and Veeam.
“We offer a better feature set than Veeam without requiring the kinds of payment that a solution like Commvault wants for the features that they offer,” Barth said.
Barth was clear that data resilience is not achievable without ransomware protection. The two go in lockstep, and the latter must be a priority to attain resiliency.
He distilled the essential features of a modern data protection solution down to early detection, air gapping, reliable backup, fast and full recovery, and cloud integration. In addition, he said, such a solution must offer significant cost advantages in the form of flexible licensing.
Unlike many ransomware protection solutions that focus on recovery, Catalogic DPX prioritizes prevention. “What we’ve identified is that the earlier you detect the ransomware, the earlier you can block it and lower the casualties in your infrastructure,” he says.
Yet early detection is not on the immediate agenda of most companies. “Not a lot of companies think about it – they just think about putting an antivirus or ransomware detection tool, but they don’t look at the data,” he added.
Trumping the Attackers
Catalogic Software takes a different approach. A backup and recovery product, Catalogic DPX generates snapshots and stores them in a software-defined storage system called vStor. DPX can replicate these copies to other vStor servers or to a cloud destination, as well as archive them to physical tape. Users can retrieve and restore in several ways: reclaim individual files, mount snapshots through instant access, create VMs from a snapshot, or recover a physical server through bare metal restore.
Bad actors typically go after these backup servers. Catalogic aims to beat them to it with the new GuardMode. DPX GuardMode embeds ransomware detection into the data path, so anomalies are discovered, flagged and alerted on before data is replicated and saved to backup.
DPX GuardMode was designed around three objectives: early detection, rollback of the infected portions, and least disruption. Early detection limits the spread of ransomware and re-infection, while making rollback and recovery possible.
DPX offers broad workload coverage, including operating systems such as Windows, Ubuntu, Oracle and Red Hat, as well as databases and applications such as Oracle, SAP HANA and SharePoint.
With GuardMode enabled, DPX scans file systems for early signs of compromise instead of hauling them straight into backup. Through a blocklist, it can keep suspicious files out of the backup system, so an infection is not carried into a wider scope.
In its current phase, GuardMode “will be alerting and tagging the suspicious behavior so if a restore is needed, we can greatly narrow down the potential affected areas to allow you to get your recovery done in a more efficient and timely manner,” said Barth.
Catalogic lets administrators define threshold violations and access patterns that identify abnormal activity. It also uses honeypots, sacrificial files placed as booby traps in the environment to catch bad actors: when one is touched, the honeypot raises an alert about the unauthorized access and the suspicious file modification. The aim is to surface an infection on the source server before copies are taken, so that the files that are replicated and restored are clean.
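As an added illustration, and not Catalogic's own code (the page does not describe GuardMode's internals), the following Python sketch shows how the techniques named in the two preceding paragraphs fit together: honeypot files, a threshold on write rate per process, and access-pattern heuristics (renames to a ransomware-style extension, high-entropy writes), all feeding a blocklist that a backup job consults before copying. The honeypot paths, extensions, thresholds, process names and the event stream are constructed for the example.

```python
"""Toy ransomware early-detection pass over a stream of file-system events.

Added example; the detection rules, tuning values and sample data are all
assumptions made for illustration, not Catalogic DPX GuardMode's logic.
"""
import math
import os
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

# Assumed tuning knobs (constructed for this example).
HONEYPOTS = {"/srv/share/~$decoy.docx", "/srv/share/zzzz_canary.txt"}
SUSPICIOUS_EXT = {".locked", ".enc", ".crypt"}
ENTROPY_MIN_BITS = 7.5   # bits/byte; plain text is ~4.5, ciphertext is ~8.0
RATE_WINDOW_S = 10.0
RATE_MAX_OPS = 40        # file operations per process inside the window


@dataclass
class FileEvent:
    ts: float
    proc: str
    op: str              # "write" or "rename"
    path: str
    data: bytes = b""


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)
    suspect_procs: set = field(default_factory=set)
    blocklist: set = field(default_factory=set)   # paths kept out of the backup


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, typical of encrypted output."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(events) -> Verdict:
    v = Verdict()
    signals = defaultdict(set)    # proc -> kinds of suspicious signal seen so far
    touched = defaultdict(set)    # proc -> every path it wrote or renamed
    window = defaultdict(deque)   # proc -> timestamps inside RATE_WINDOW_S

    for ev in sorted(events, key=lambda e: e.ts):
        touched[ev.proc].add(ev.path)
        kinds = set()
        if ev.path in HONEYPOTS:                      # booby-trap file touched
            kinds.add("honeypot")
        if ev.op == "rename" and os.path.splitext(ev.path)[1] in SUSPICIOUS_EXT:
            kinds.add("extension")                    # access pattern: rename to .locked etc.
        if ev.op == "write" and len(ev.data) >= 256 and shannon_entropy(ev.data) >= ENTROPY_MIN_BITS:
            kinds.add("entropy")                      # access pattern: ciphertext-like write
        q = window[ev.proc]
        q.append(ev.ts)
        while ev.ts - q[0] > RATE_WINDOW_S:           # slide the per-process window
            q.popleft()
        if len(q) > RATE_MAX_OPS:
            kinds.add("rate")                         # threshold violation
        for k in kinds:
            if k not in signals[ev.proc]:             # one alert per (process, signal)
                v.alerts.append(f"{k}: {ev.proc} {ev.op} {ev.path} at t={ev.ts:.1f}")
            signals[ev.proc].add(k)
        # A honeypot hit is conclusive; any other single signal needs corroboration,
        # because e.g. an archiver legitimately writes high-entropy data.
        if "honeypot" in signals[ev.proc] or len(signals[ev.proc]) >= 2:
            v.suspect_procs.add(ev.proc)

    for p in v.suspect_procs:                         # quarantine everything they touched
        v.blocklist |= touched[p]
    return v


def backup_set(all_paths, verdict: Verdict):
    """Paths the backup job may copy after the detection pass."""
    return sorted(p for p in set(all_paths) if p not in verdict.blocklist)


def sample_events():
    """Constructed stream: a benign editor, an archiver writing a high-entropy zip
    (a classic false positive), and an encryptor sweeping the share."""
    rng = random.Random(7)
    ciphertext = bytes(rng.randrange(256) for _ in range(4096))
    events = [
        FileEvent(0.5, "winword.exe", "write", "/srv/share/q3-report.docx", b"Quarterly numbers " * 40),
        FileEvent(1.0, "7z.exe", "write", "/srv/share/archive.zip", ciphertext),
    ]
    for i in range(60):   # 120 operations in 3 seconds, each file rewritten then renamed
        t = 5.0 + i * 0.05
        events.append(FileEvent(t, "updater.exe", "write", f"/srv/share/doc{i}.xlsx", ciphertext))
        events.append(FileEvent(t + 0.01, "updater.exe", "rename", f"/srv/share/doc{i}.xlsx.locked"))
    events.append(FileEvent(8.5, "updater.exe", "write", "/srv/share/zzzz_canary.txt", ciphertext))
    return events


if __name__ == "__main__":
    evs = sample_events()
    verdict = analyze(evs)
    for a in verdict.alerts:
        print(a)
    print("suspect processes:", verdict.suspect_procs)
    print("paths excluded from backup:", len(verdict.blocklist))
    print("paths still backed up:", backup_set([e.path for e in evs], verdict))
```

Two points a practitioner should take from the sketch. First, a single heuristic is not enough: the archiver trips the entropy rule and is correctly left alone, while the encryptor trips entropy, extension and rate and is quarantined before the honeypot is even reached. Second, a detection pass at backup time is a last line of defence, not a cure; by the time the blocklist fills up the source files are already encrypted, which is exactly why the point of the exercise is to keep the previous clean copy intact rather than to rescue the current one.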
In future, GuardMode will employ machine learning to guide users through the recovery process. Today it is included free with Catalogic DPX.
Enterprise data is under threat. Stories of companies falling every day are a jolting reminder of how severe the situation is. It may not be within enterprises' control to defeat every threat, and they may still have a long way to go before they can declare their data safe, but with a feature like DPX GuardMode turned on they can at least be sure that data is scanned continuously. GuardMode keeps bad data out of backup systems, where it could compromise the whole stack. That alone makes recovery less messy and less expensive. Enterprises looking for aggressive countermeasures against evolving extortion tactics will find DPX GuardMode a useful feature for beating attackers at their own game.