Hatchet & Scalpel
July 21, 2021
The frightening success of ransomware stems from an evil combination of social and software engineering. The devious minds behind the malware understand people as deeply as they understand technology, which is why these attacks are almost inevitable. The question isn’t whether your business will have to deal with ransomware. It’s what you’ll do when ransomware does strike, and what tools you will use to recover. The recovery process will either have the bluntness of an amputation or the accuracy of brain surgery depending on the tool at your disposal. Will you be using a hatchet or a scalpel?
Let’s return for a moment to the social- and software-based aspects of these attacks. The social piece is relatively simple: The goal of the attackers is to fool an end user into downloading malicious software. This might be done through threats, promises of rewards, or other means, but it only needs to work once on one person. In a large enterprise made up of thousands or even hundreds of thousands of users, these attempts could fail 99.99% of the time. All the attackers need is a single person to let down their guard and the game is over.
Once the malware sneaks in through that first social gate, the software wave of the attack begins. The code worms its way through the user’s system and into the network at large. The most advanced ransomware attacks will do this quietly, encrypting files and volumes without anyone realizing what’s happening.
The initial user may even be able to continue working uninterrupted as the malware spreads. A successful enterprise-scale ransomware attack will go undetected for around ten days. At that point, someone in the organization will try to access a file and find themselves locked out. Other users will start to experience the same problem. Eventually, someone alerts IT. They investigate, discover the problem, and sound the alarm. By then it is already too late.
The Jagged Attack Timeline
As I discussed in my previous posts in this Backup is Broken series, backup is incapable of protecting large organizations against sophisticated, enterprise-scale ransomware attacks because it fails at recovery. The question is not whether your files are safe, but how long it will take you to get your business running normally again. Colonial Pipeline paid the ransom and it still took them weeks to get back to normal.
Back to the hatchet vs. the scalpel … let’s say the attack goes undetected for ten days before IT sounds the alarm. This is when the clock starts running. People can’t get to their files and the hard work of recovery has just begun.
The hatchet approach, which is characteristic of backup, demands rolling the entire file system back to before the time of attack. Everyone loses at least ten days of work. This is equivalent to an amputation. It’s drastic and messy and it will still take a long time but it is effective in turning back the clock to the moment before the infection began.
But what about the end users who were struck on day nine? Why should they lose nine previous days of work? Ransomware doesn’t impact every file and folder simultaneously. The timeline of the attack is jagged, varying from user to user across the organization. With the backup/hatchet approach, however, users who were only affected one or two or three days before the attack was flagged have to suffer as much as the ground zero employee who clicked on the nefarious link.
Scale this to thousands of users — some of whom may not have been hit at all. Forcing everyone to roll back to the same point in time is a disaster for the enterprise, as lots of good work — healthy files — will be unnecessarily rolled back to ground zero. And you can blame that squarely on backup.
A hatchet is an effective tool. It is not a tool of precision.
Enterprise-scale Ransomware Recovery
A better enterprise level solution is to take a scalpel—a fast scalpel—and revert to healthy versions at different points in time. With an audit trail and immutable versions of your files stored in the cloud, you can follow the jagged timeline that corresponds to the penetration profile of the ransomware attack. This isn’t a slow or painstaking process, either—it enables recoveries within hours instead of days or even weeks. With this versioning-powered scalpel, the original guilty party will lose ten days of work, but everyone else will be rolled back to moments before the ransomware infected their files. The individuals impacted on day 9 will only lose one day of work.
The versioning-powered scalpel is a more effective solution for modern organizations, and a much less frustrating one for end users, especially as you scale up to enterprises with thousands of employees. The productive work that file versioning preserves—and the money it saves—is enormous, and it’s a major reason that more and more companies are reaching out to Nasuni today.
As I discussed in my post on the 3-2-1 rule, Nasuni is as durable as the best backup. But the scalpel approach touches on a larger theme that the backup vendors would rather you overlook. Nasuni doesn’t merely protect your files. Our technology is built to ensure that you can resume normal operations, with minimal disruption, as quickly as possible. The minimal disruption term gets thrown about casually by the backup vendors. Having to amputate ten days or more of work across your whole organization is hardly “minimal disruption”. You want speed and you want precision when it comes to recovery. Backup restores can offer neither.
The baseless claims being made by the current crop of backup vendors remind me of the Black Knight in Monty Python and the Holy Grail. After having lost every limb, he continues to hurl insults, crying out, “Tis but a scratch.”
We know better, and backup will soon meet the same fate as that mortally wounded knight, despite the protests of entrenched industry experts. In the age of ransomware, the end of backup is imminent.