We Need to Talk About Immutable Storage

Stu Palmer

According to a host of authorities on IT security, ransomware attacks are now universally considered one of the single most dangerous threats for any organisation.

Image of colourful modular building block system representing immutability

We want to talk to you about this because one way that hackers have made their attacks more sophisticated is by penetrating networks and deleting all backups - something few businesses could survive.

Ransomware attacks are concerning for all organisations but particularly perilous for those which don’t understand the new risks posed. If that’s you, please take a few minutes to read this article so that you can protect your business going forward.

Data shows that ransomware attacks were the largest contributor to data breaches in April 2021, and in total, responsible for a third of all data breaches – approximately 350,000 so far this year.

In March, the NCSC sent an alert warning the education sector that there had been a sharp rise in attacks on schools and universities, and Ireland’s Department of Health and HSE has also been hit this month with hackers claiming to have been in the HSE system for two weeks prior to detection, although this has yet to be substantiated. So it’s not just an issue for large enterprises, but rather everyone’s problem.

The new threat has arisen from a tactical change in the way attacks are delivered, perhaps due to employees being savvier around issues like phishing or because some organisations have managed not to pay ransoms.

Image of a laptop infected with Ransomware

The old way was to send an email and have a trusting employee open an attachment, giving access to the business and its data. The hacker would then make their demands and cause disruption, potentially threatening to release data, but eventually, victims would restore from backup, and get going again. Injured but still standing. The new version is less automated, involves far more activity from the hackers themselves and far more dangerous for organisations. Rather than sending an email, they now look for different ways to penetrate a network, poke around, and access admin permissions.

Without a solution like SIEM alerting the IT team of abnormal activity, hackers can take their time getting to know their victim’s IT estate, before identifying the most valuable assets and using admin permissions they’ve secured, to delete all backups before making their demands. ALL BACKUPS. There is no way back from that.

Whilst no single solution can stop ransomware attacks, security experts like ourselves are now heavily pushing a concept called immutability -a simple, affordable solution which does not stop ransomware (although we are happy to talk about that separately) but does save your back-ups, by making at least one copy which cannot be deleted or altered for a set period of time by anyone (not even admin, or a hacker posing as them).

Whilst the industry standard was once considered to be 3+2+1 - three backups on two different types of media with one kept off site - advice is quickly changing to 3+2+1+1, with the addition of one backup copy being immutable

This is the last line of defence in a ransomware attack, but it’s the defence that can save most organisations. VEEAM has it embedded in its solution and can be used on premise with the correct server in place. An alternative and more affordable option for some is the immutability which has been added to private clouds like ours.

There are a variety of options for making your backups immutable - make certain that you choose one. As security experts, we want to avoid reading about businesses that didn’t. By 2025, Gartner predicts a sevenfold increase in ransomware attacks with 75% of companies experiencing one or more. If those companies can retrieve their back-ups they are going some way to winning the fight.