WORM, the last line of defence against ransomware

WORM, the last line of defence against ransomware

They say that lightning never strikes the same place twice. However, ransomware threats do, and they can leave you without your data. Sometimes for good, other times only until you pay the ransom. Still, even when you pay up you are continuously exposed to risks, because there is no guarantee that the vulnerabilities that were exploited once would not be used again and you are never certain that data confidentiality has not been compromised. In this case you are also liable for a GDPR fine, if the security breach is discovered.

Even ransomware isn’t what it once was!

In order to understand how you could end up in such a critical position, you need some catching up.

The first one is that hackers have realized a few years ago that backups can easily nullify the effects of ransomware attacks. Any company that uses the 3-2-1 backup policy could restore an uncompromised copy of the data and get rid of the threat. The policy involves having three copies of the data, on two different storage media and one offline copy, which should be preferably off-site.

Ransomware has been the most profitable malware in the history of computer threats, and hackers could not give up such a gold mine. As the result they refined their attacks, targeting backups directly!

The logic of this is clear - backup data is compromised first, and then the attack starts on the production data, which is encrypted and/or copied, and then the ransom request is sent. More recently, such requests are published on "public shaming" sites.

Hackers also use more subtle methods, aiming to compromise the data in the long term by placing malware files onto the storage media for the production data. And since most backup solutions do not perform a detailed analysis on the data they copy, all backup copies made after the penetration are compromised. Thus, when the attack is triggered and the victim tries to restore the data using existing backups, the malware file is activated again and compromises the data again.

A company trapped in this manner has no way out without paying the ransom. Unless it uses WORM backups.

WORM, an ancient technology that is still relevant

The WORM technology – Write Once Read Many – is associated with the early days of the IT industry, its first appearance dating as far back as the age of punched cards. Later, in the 70s, punched cards were replaced with magnetic tape libraries, which are still in use among companies that handle large volumes of data that need long-term archiving.

In the modern age, when prices dropped, HDD-based backup systems rose to prominence, and cloud-based solutions are now preparing to take off. An example would be the AWS S3 Object Lock storage services.

All the above methods fulfil two basic requirements: they are air-gapped, meaning that the storage media is isolated in one form or another from the production media (thus fulfilling the last requirement of the 3-2-1 policy) – and are immutable, meaning that the data, once written, cannot be modified for a given period. Nobody can change it - not even IT administrators with privileged rights, a professional category that tends to be a preferred target for hackers.

The air gapping requirement - whether it is magnetic tape or cloud storage - is necessary, but not sufficient. On the one hand, because as we have mentioned, an attacker that has managed to bypass the security systems, can afford to be patient until the infiltrated malware compromises all backups. On the other hand, because the malware can propagate itself, it can affect the entire company. This is why the immutability requirement is essential - it guarantees that the stored data is protected against any possible change, preventing ransomware from overwriting it with an encrypted form.

In order to have full protection, the WORM backup solution must employ a versioning system, i.e. each backup should create a new version and not incrementally add the changes over what already exists, and the copy must be stored for a certain time. In this way, if the hackers go for the long-term compromising method, you can go back in time to a version that had not been affected.

Specific Challanges

The implementation of a WORM-type solution requires competences and experience in the field of backups. You need to determine which categories and volumes of critical data must be copied periodically, how frequently, what restore parameters must be kept. Additionally, in order to keep costs under control, you need to identify the backup storage media (tape, HDDs or cloud media) that is adequate for your business needs and the optimum time to keep the versions, in order to save storage space. You must also be able to detect when a ransomware attack has managed to penetrate your security systems, so that you may quickly identify the uncompromised copy that can be restored without any risk. Last, but not least, you need to know how to harmonise your solution with the requirements of the applicable regulations, such as the GDPR.

The choices you make must take all the above into account, so that the solution ensures the desired protection level, while at the same time matching your available budget.