Let’s face it, we’ve all been affected by Ransomware in some way or another. Perhaps you’ve helped your Mum or Auntie recover their precious vacation pictures off their compromised PC. Too bad they thought that the email from Xena Princess Warrior was real. Perhaps you accidentally clicked a rogue link on a webpage and were infected that way? Worse, there’s been an immense increase in Ransomware affecting businesses around the world. The attack surface is dreadfully large: everyone from end-users to IT Administrators is being targeted in attempts to find a way to deliver the payload. The truth is that it WILL cost users productivity time, and it WILL impact the overall bottom line. In fact, some companies will never recover from the tragedy. Last year (2017) I delivered quite a few sessions on Ransomware Preparedness and what organizations should be doing to begin preparing – it’s only a matter of time.
<em>I hope this letter finds you well. If you have not already been, you'll be infected with Ransomware - soon. You can either pay now or pay later - you decide.</em>
Ransomware: Pay Now or Pay Later
As I just mentioned, you can either decide to pay now or pay later…but what does this really mean? By paying up front you’re putting measures in place that help keep ransomware from ever penetrating the castle you’re building. By paying later, well, you’d better get your wallet ready, because if you want to decrypt your data you’re going to be paying a hefty amount! I vote for paying up front.
What can you do?
- User Education – This is often overlooked. Putting simple education plans into action will help mitigate the overall risk.
- Backup, Backup, Backup and MORE BACKUP! Use off-site locations with disconnected backups (Anton Gostev calls this Air-Gapped Protection).
- Practice RECOVERY! This is very often overlooked as other things get in the way and take “priority”.
- Mix operating systems (Linux and Windows) and credential types.
- Mission-critical servers that don’t require domain connectivity should NOT be on the domain.
- Secure all your file shares and servers with local credentials, not domain credentials!
For the sake of this conversation we’re going to focus on options 2 and 3 in the list: backup, backup, backup, more backup, and Recovery (test often).
Frequent Protection and Recovery Options Mean Everything!
How fast can IT recover from problems, issues or, in this case, Ransomware? In talking with the community over the last 13 or so years of my professional career (as an end-user and on the vendor side) it has become obvious that organizations do not have well-documented business continuity designs. Typically these documents spell out how IT can recover, correctly, when things go awry. Documentation is very important in this process. In the heat of the moment things are hectic, which complicates matters further and leaves IT scrambling to figure out what’s affected, how to get back up and running AND what to bring up first?!? This leads to the point of testing. When I was an end-user at a large Fortune 500 retail organization, Disaster Recovery was taken very seriously: practice tests were conducted multiple times per year.
Backup software is able to recover data back into the environment, and it’s great at it too. It’s also really fantastic at shipping data off-premises in a format different from what the source computer used, which is out-of-band protection. Datrium DVX is able to augment and work in tandem with every piece of backup software on the market today to provide ultimate flexibility and quick recovery options, all with near-zero RTO. Datrium operates at the individual Virtual Machine level, not a LUN or Volume, and allows Administrators to create policy-based snapshot and replication schedules.
Protecting individual machines is cool, but what about an entire application suite? A Protection Group is a collection of VMs defined by either a static or a dynamic list of objects. Datrium provides the ability to snapshot and replicate entire application suites at the exact same moment in time. This means that in failure scenarios, when you restart (Yes, I said restart – not recover) your application suite, all pieces of the Protection Group are brought online from the exact same moment in time. So, no more going into applications and having to make application edits to make things consistent. Datrium also ships with a VSS provider for Windows-based operating systems and applications.
Imagine a tier 1 application that requires an RPO of an hour with a strict RTO of minutes. In practice, customers would utilize their backup product to protect the workloads once per day and then rely on storage-based snapshots and replication to an alternate data center or to a Public Cloud provider. Traditional SANs, as I mentioned, operate at the LUN or Volume level, so recovery of a VM or application isn’t quick: it requires remounting the LUN / Volume, re-importing the VM into the target vCenter and powering on. It’s a multi-step process that’s quite cumbersome.
Ransomware Meet Datrium
Datrium supports 2,000 virtual machine snapshots per protection group and a total of 1.2 million virtual machine snapshots on a DVX in either Application-Consistent or Crash-Consistent states. These VM or Application Group level snapshots contain all of the files necessary to power on the virtual machines. Snapshots and Protection Group policies are stored in a completely segmented namespace on the DVX Data Node called the Snapstore. Pretty cool!
When it comes time to recover we’re simply powering off the source VM, replacing the corrupted blocks and powering the virtual machine(s) back on. In a complete site-down situation, you can use replica snapshots that are hosted on a secondary DVX to resume normal operation. This process is also simple and involves just a few clicks: promote the replica Protection Group, add the VMs to inventory and power on. Furthermore, what about the Public Cloud?!? Enter Cloud DVX, which will ship with Datrium 4.0 (aka Beryllium). Above is a demo I recorded that leverages on-premises Datrium, Protection Groups and Cloud DVX to recover quickly from Ransomware. I hope you enjoy!
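As an added example (not Datrium’s code or API), here is a small model of the recovery-point choice described above and of the RPO check from the tier 1 scenario: given per-VM snapshots, a protection group and the time the encryption was noticed, it picks the latest group-consistent snapshot taken before the infection, and for the site-down case only counts copies already shipped off the primary DVX. The VM names, timestamps and `replicated` flag are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Snapshot:
    vm: str
    taken_at: datetime
    replicated: bool  # True once a copy exists on the secondary DVX / Cloud DVX

def t(hour, minute=0):  # constructed timestamps on one sample day
    return datetime(2018, 1, 15, hour, minute)

# Constructed sample: a two-VM protection group snapshotted hourly. The 10:00
# db01 replica has not shipped yet, and web01 has an ad-hoc 10:30 snapshot
# that db01 does not share (so 10:30 is not a group-consistent point).
GROUP_VMS = ("web01", "db01")
SAMPLE_SNAPS = [
    Snapshot("web01", t(8), True),  Snapshot("db01", t(8), True),
    Snapshot("web01", t(9), True),  Snapshot("db01", t(9), True),
    Snapshot("web01", t(10), True), Snapshot("db01", t(10), False),
    Snapshot("web01", t(10, 30), False),
]
INFECTED_AT = t(10, 45)          # when the encryption was first noticed
RPO = timedelta(hours=1)         # the tier 1 requirement from the post

def consistent_points(snaps, vms, replica_only=False):
    """Timestamps at which every VM in the group has a snapshot (the 'exact same
    moment in time'). With replica_only, only off-site copies count."""
    members = {}
    for s in snaps:
        if replica_only and not s.replicated:
            continue
        members.setdefault(s.taken_at, set()).add(s.vm)
    return sorted(ts for ts, vs in members.items() if vs >= set(vms))

def choose_recovery_point(snaps, vms, infected_at, replica_only=False):
    """Latest group-consistent point strictly before the infection, or None."""
    clean = [ts for ts in consistent_points(snaps, vms, replica_only) if ts < infected_at]
    return clean[-1] if clean else None

def rpo_met(point, infected_at, rpo):
    """Everything written after the chosen point is lost; compare that to the RPO."""
    return point is not None and (infected_at - point) <= rpo

if __name__ == "__main__":
    for site_down in (False, True):
        p = choose_recovery_point(SAMPLE_SNAPS, GROUP_VMS, INFECTED_AT, replica_only=site_down)
        print("site down" if site_down else "primary up", p, "RPO met:", rpo_met(p, INFECTED_AT, RPO))
```

With the primary DVX up the group rolls back to 10:00 and stays within the one-hour RPO; with the site down only the 09:00 replica is group-complete, so the RPO is missed, which is the kind of gap a recovery drill is meant to surface.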