Ransomware has seen a sizable industry growth rate in the US market. According to Forbes Magazine, “the average number of cyberattacks and data breaches doubled in frequency in 2021,” and “ransomware complaints saw a 62% year-over-year increase.” Furthermore, “41% of executives don’t think security initiatives have kept up with digital transformation.” With so many ransomware products on the market, companies need a solid solution that is easy to manage. That’s where Nfina-View™ management software with immutable snapshots comes into play.
So, what’s a snapshot? Think of snapshots like a camera.
Snapshots take a recoverable image of your current IT Ecosystem at a particular instant in time. Immutable snapshots are read-only (unchangeable) – providing air-gap quality functionality to disaster recovery plans to stop ransomware intruders from moving or deleting snapshots. Hence, customers know they can restore clean copies of data anytime.
In addition to protecting against malicious ransomware data corruption, having an immutable backup helps you conform to regulatory data-compliance requirements, ensuring the retention of accurate copies of data.
Ransomware Attack Phases and Why Snapshots Help
There are several key phases to a ransomware attack, namely the initial intrusion, a period of reconnaissance inside the victim’s systems, followed by the execution of encryption and corruption of data. Once attackers breach the network, the pervasive use of network share techniques throughout enterprise computing elevates the risk of spreading malware to any system connected to your network. Then the ransom demands arrive.
Adding immutable snapshots to your backup and DR plan allows customers to roll back to uncorrupted copies of their data from before the execution of code introduced by the attacker. If the customer has immutable snapshots, they can ignore ransom demands, purge their systems of the effects of intrusion, and continue business as usual.
Snapshots are not backups in that they are not just copies of data. They are a record of the state and location of files, and of the blocks that make up those files, at a specific time to which a customer can roll back. The record comprises more than just a record of state; it includes metadata, deleted data, parent copies, and so on, retaining everything that previously existed.
Nfina has also added features such as AES encryption that locks snapshots from being viewed across the internet, moved, or even mounted externally, with multi-factor authentication (MFA) required to manage them. No one – not even administrators, but certainly not ransomware attackers – can access snapshots to move or delete them. Customers will always have access to clean copies of their data following a breach, providing IT teams with a powerful tool for resilience in backup and disaster recovery.
Frequency of Snapshots vs. Backups
Typically, backups are intrusive and only run after hours, producing a single rollback point per day. If the backup pool is not large enough, it is overwritten every day, creating a recipe for a ransomware disaster. The backups can get corrupted along with the production data if the files are reachable from the production storage unit.
A key benefit of snapshots over backups is the frequency with which they can run. Nfina’s storage, hyperconverged, and hybrid cloud solutions can run snapshots frequently because they are based on Copy-on-Write technology. Snapshots are also non-intrusive and do not slow down production. Many Nfina customers run snapshots every 15 minutes, creating numerous restore points throughout the workday.
Figure 1 illustrates how Copy-on-Write file systems track changes in the file system. The first snapshot records the baseline, before any changes. This is the Original Block Tree, containing the original version of the file system, while the live file system contains the changes made since the last snapshot. No additional space is consumed on your system. As new data is written to the live file system, new blocks are allocated to store this data. This is shown below where block C has been modified, creating C+. When blocks are updated, added, or deleted, the indirect or parent blocks are also modified in the live file system. At this point, a New State (Block Tree-1) is created by combining the previous snapshot with the live file system plus the updated block(s). The process repeats at defined intervals.
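The block-tree behavior described above can be sketched in a few lines. This is an added illustration, not Nfina's code: the `Block`, `write`, `read`, `blocks` and `demo` names and the four-block sample tree are hypothetical, constructed only to show block C becoming C+, the parent blocks being reallocated, and a rollback after the live data is corrupted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    """Data block (no children) or indirect/parent block. Hypothetical model."""
    data: bytes = b""
    children: tuple = ()

def write(root, path, data):
    """Copy-on-write update: reallocate only the blocks on `path`, share the rest."""
    if not path:
        return Block(data=data)
    kids = list(root.children)
    kids[path[0]] = write(kids[path[0]], path[1:], data)
    return Block(children=tuple(kids))

def read(root, path):
    for index in path:
        root = root.children[index]
    return root.data

def blocks(root):
    """Identities of every block reachable from a root (one entry per allocation)."""
    seen = {id(root)}
    for child in root.children:
        seen |= blocks(child)
    return seen

def demo():
    # Constructed sample: root -> two indirect blocks -> data blocks A, B | C, D.
    live = Block(children=(Block(children=(Block(b"A"), Block(b"B"))),
                           Block(children=(Block(b"C"), Block(b"D")))))
    snapshots = {"t0": live}              # Original Block Tree: a retained root, no data copied
    live = write(live, (1, 0), b"C+")     # block C modified, creating C+
    snapshots["t1"] = live                # New State (Block Tree-1)
    # Simulated corruption of the live file system after the last snapshot.
    live = write(write(live, (0, 0), b"\x00enc"), (1, 1), b"\x00enc")
    shared = blocks(snapshots["t0"]) & blocks(snapshots["t1"])
    new = blocks(snapshots["t1"]) - blocks(snapshots["t0"])
    live = snapshots["t1"]                # rollback: point live at a retained root
    # A real system enforces immutability in the storage layer, not in Python objects.
    return (len(shared), len(new), read(snapshots["t0"], (1, 0)),
            read(live, (1, 0)), read(live, (0, 0)))

if __name__ == "__main__":
    print(demo())
```

Only three blocks are allocated for the second snapshot (C+, its parent, and the root); the other four are shared with the original tree, which is why frequent snapshots stay cheap.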
Furthermore, it can be cumbersome to restore VMs and OSs from ISOs, then restore the data from backups. This method of recovery is slow and fraught with error and potential inconsistencies. You may never be able to get data back from exactly where you were prior to the event.
Conversely, Nfina’s snapshots can be cloned, tested, and rolled back with a click of a button at the Nfina-View orchestration layer. This allows one to restore snapshots in minutes (not the hours or days it takes to restore systems from conventional backups).
Also, Nfina’s snapshots are typically taken at the LUN or file-share level, meaning you don’t have to designate which files, folders, or VMs you want to include. However, the restoration process does provide the granularity to restore the VM, folder, or file, if you so desire.
In all Nfina clustered systems, the snapshots have completely programmable policies with respect to frequency and retention of the data, which can be sent to multiple geo-redundant restoration locations simultaneously. In Nfina’s standard hybrid cloud offering, we recommend 4-way mirroring for both the on-prem and cloud production systems. Figure 2 below shows how, in the geo-redundant Nfina hybrid cloud, 12 copies of data are stored at any point in time a snapshot occurs. This redundancy provides 99.999% uptime and ensures that your IT Ecosystem can be recreated almost instantly when disaster strikes – when you need it the most.
12 copies of your data, 4 copies on-prem and 4 copies at each geo-redundant cloud location