Ransomware meets its match in Cohesity

Ransomware is the new ‘bad boy’ on the cybersecurity front. It has replaced Advanced Persistent Threat (APT) network attacks as the highest profile cyberthreat for IT departments of organizations big and small. For the purpose of this blog we define Ransomware as “computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it”(ref: wikipedia). Ransomware used to target individuals but has now firmly established itself in the enterprise arena. In these cases, valuable enterprise data is encrypted by malware and only restored in exchange for a ransom payment. Recently, several high profile Ransomware attacks have found mention in the media as in here, here and here!

In most cases, targeted companies just pay up the hush money. Since there is no data breach per say, the incident typically doesn’t even get reported to federal agencies. This, however, is not going to last long, because the FHA is already smarting from a slue of ransomware attacks on hospitals.

Ransomware succeeds because every strategy to combat ransomware has one point of failure that has no real protection – humans. We expect humans to not be humans (i.e not fall for phishing or such attacks) to truly protect ourselves from Ransomware and that simply is not going to happen. So by default, backup systems become the option of last resort to minimize the effects of ransomware attack. However, any reasonably sophisticated Ransomware attack assumes that its intended victim will have a proper backup strategy in place. Therefore it is most likely designed to find and encrypt backups or destroy them as well. Even a very conscientious backup strategy will not protect the enterprise from this kind of ransomware attack if the backup system is not built to protect against such attack.

Cohesity provides robust protection against ransomware by keeping your backup data secure. But before we go into details about the Cohesity’s ‘secret sauce’, let’s make it absolutely clear that we are not hiding behind the semantics of what constitutes additional protection – because this seems to be case for every other backup vendor that claims to provide Ransomware protection.

• We do not believe in security through obscurity doctrine. Therefore we don’t assume that backups are secure because they are hidden. In fact, we assume that machines that mount the backup will get compromised at some point.
• We assume that in the case of Cohesity Views (backup job or file volume) that are mounted as SMB / NFS mount, when the server that mounts Cohesity is compromised, the ransomware will find Cohesity Views and encrypt them as well.

So what’s different about Cohesity as a backup system that can protect against this? Well, there are few fundamentally unique things that Cohesity does that no other secondary storage vendor can do. We can do that because we have built a completely new kind of file system, the Cohesity file system, designed for secondary storage workflows from the ground-up. Few of its key salient points are:

• Cohesity is a scale-out storage platform that exposes itself via standard protocols such as NFS and SMB
• The file system can take unlimited snapshots very quickly and store them with extremely low overhead
• The file system allows you to have very large number of Views and clone these Views instantly with almost zero cost in terms of storage

We protect your backups via time-based snapshots. The original backup job is kept in an immutable View. That View is never made accessible or mounted by an external system. Only clones of that original View can be mounted externally. If worm burrows into the system, the best it can do is encrypt a clone of these snapshots. Extending this further, when we restore a snapshot, we clone it and only the clone is mounted on the server. So internal snapshots are never exposed.

The upshot: The system always has a clean copy. The Ransomware can delete the files in the View, but it cannot touch the immutable snapshot. And restoring a view that has been encrypted by Ransomware is as simple as restoring the snapshot!

Let’s tie all this up with a couple of concrete examples.

In the first example we consider Cohesity protecting DB servers:

• Every 4 hours, the DB server dumps to a Cohesity View and we have one View per database (because we can have large number of Views without adding to the overhead).
• The View is also scheduled to have a snapshot taken after every backup. This is a quick operation that takes only milliseconds to complete. This is also extremely space-efficient because it employs redirect-on-write technology.
• The ransomware somehow finds the backup repository and encrypts the Cohesity View where DB server dumps are stored.
• As the ransomware writes, Cohesity performs Redirect-on-Write and writes the data to a new place, not modifying the last immutable snapshot.
• The admin can now simply restore the View to the last available snapshot just before the Cohesity View was encrypted and from the Cohesity View, restore the primary DB. But before doing that, the admin takes a snapshot of the encrypted View to be used as the forensic evidence of the incident which is again quick, painless and zero-cost.
• Lastly we pre-empt any issues with the backups by indexing them. Indexing implicitly verifies the validity of a backup.

This is how we can easily recover from the ransomware attack without missing as much as a beat! We have also explained through a short video below.

The second example considers Virtual Workloads:

• Cohesity also talks VADP API’s to backup VMware environments.
• The Cohesity software again utilizes the Cohesity file system to clone and keeps the VMs fully hydrated in the backend even when doing incremental backups. Whenever a VM is to be restored, it is cloned and the clone is made available to ESX. When a ransomware somehow finds this and destroys the VM backup via NFS, it can only destroy the clone and the admin can easily clone the backup from the master copy and restore the VM.
• Again Cohesity saves the day because we have proper and frequent backups and we also verify that the backups are OK by doing indexing on the VMs. Moreover the backup copies cannot be accessed by outside entities and we use the fast cloning to clone before exposing them.

To summarize what key features in Cohesity protected the company from the worst of Ransomware is:

1. Cohesity has exteremely low RTO and RPO and enables proper backups by allowing a large number of them.
2. Cohesity has fast snapshotting capabilities that is space and time efficient. This allows backups of backups.
3. The snapshots are protected because they cannot be directly mounted and tampered with.

A well designed system assumes failures at various levels including (and most certainly) from humans. No matter how much a company invests in security products, the relentless nature of malware attacks almost guarantees that it will fall victim at some point of time. Backups are the only sure shot way to provide protection from catastrophic consequences. Cohesity’s unique approach to backups enabled by the Cohesity file system, purpose-built for secondary storage, presents a formidable foe to all ransomware attacks.

Authors: Vivek Agarwal and Ganesh Shanmuganathan