Table of Contents
- Considerations for Adoption
- GigaOm Sonar
- Vendor Insights
- Near-Term Roadmap
- Analysts’ Take
- Report Methodology
- About Max Mortillaro
- About Arjan Timmerman
Ransomware is a specific type of malware that encrypts data assets on primary storage systems—including file shares, databases, disk partitions, data volumes, backup systems, and repositories—making them inaccessible unless the victim pays an extortion fee. Ransomware is highly optimized to spread across networks, organizations, and infrastructure systems through methods similar to trojan attacks. The ransomware payload is embedded in a file that looks legitimate and is triggered by an unsuspecting user opening the infected file. Usually, it will spread across the environment by taking advantage of user credentials as well as documented and undocumented exploits, bypassing the limited access scope of a user. As such, ransomware protection is a transversal, cross-stack topic across organizations.
Ransomware attacks can impact file- and block-based primary storage solutions alike:
- File-based ransomware attacks are the most pervasive. Advanced file-based ransomware implementations use a combination of techniques to remain unnoticed and spread silently. For example, they start encryption activities a few weeks or months after a system has been infiltrated, or they first target dormant files that haven’t been accessed for a significant time.
- Block-based ransomware attacks, while less common, can be even more damaging. In this case, ransomware encrypts entire data volumes, making recovery much harder than it is for file-based attacks. The entire volume must be recovered, offering less granularity and fewer recovery prioritization options than for file-based recovery activities. These attacks, however, are quicker and easier to detect because once a volume is encrypted, all read/write operations become impossible.
This report focuses on ransomware protection solutions available for block-based primary storage systems, while a sister report covers solutions for file-based—or network attached storage (NAS)—primary storage systems.
Although dedicated out-of-band ransomware protection solutions exist, organizations should not underestimate the benefits of in-band ransomware protection capabilities that are embedded in block storage solutions. The most effective mitigations include a combination of in-band and out-of-band capabilities, but for smaller businesses or cost-conscious organizations, block storage ransomware protection solutions constitute an important first line of defense.
Benefits of ransomware protection on block storage include:
- Faster recovery from a ransomware attack than backup restores can provide, usually measured in minutes instead of hours or days, thanks to snapshots. This is particularly crucial for mission-critical applications that can’t withstand prolonged downtimes.
- Greater ease of use because reverting to a healthy snapshot takes considerably less effort than identifying and orchestrating data recovery from a data protection platform.
- Cost-effective protection and recovery operations: Block storage ransomware protection solutions are usually provided at no cost and deliver a very effective protection layer. Furthermore, fast local recovery from ransomware is cheaper than recovery from data protection systems, both from a recovery time and a human effort perspective. In addition, organizations avoid paying any potential egress transfer fees when restoring from the cloud.
How We Got Here
Ransomware attacks have become a prevalent and persistent threat for all organizations across all industries and sizes of business. While these attacks frequently made headlines a few years ago, they’ve now become so widespread that only the most spectacular cases are mentioned in the news media today.
Organizations assess business risk by evaluating the probability of an event occurring and correlating this probability with the impact (the extent of possible damage), usually through a risk assessment matrix. The impact can be diverse, ranging from negligible to widespread, but regardless of the physical manifestation, outcomes are generally summed up in three categories: financial (loss of revenue), regulatory (increased scrutiny, fines, and eventually the loss of license for regulated businesses), and reputational (loss of trust from customers).
Ransomware is particularly concerning for organizations because it combines a high probability of happening with a widespread impact, not only in terms of locations and systems affected but also in terms of damage. Ransomware can bring businesses and government agencies to their knees, forcing them to choose between paying a hefty ransom or risk losing production capacity and revenue for weeks, if not months.
Ransomware does not discriminate among infrastructure layers; once in, it will attempt to encrypt all of an organization’s assets within reach, which is why proper segmentation of access and networks is important. Organizations usually implement several data protection layers, including data protection (backups and disaster recovery), security at the network layer, and authentication mechanisms to reduce the attack surface. However, relying solely on backups should be avoided for the following reasons:
- Primary data is the most up-to-date data repository available in the organization. Large enterprises can have a significant delta between production data and data backups, especially if the data has elevated change rates.
- Losing primary data and having to restore it from data protection platforms is a time-intensive process, limited by the throughput of the backup media and network bandwidth, especially if protected data resides on the cloud.
- For cloud-based data protection, data retrieval could incur egress transfer fees, which can add up quickly as more data and systems need to be recovered.
Because primary data is the first point of impact for ransomware attacks, it’s advisable to implement primary storage solutions that incorporate ransomware protection. Timely identification, alerting, and mitigation are preferable to dealing with the aftermath of a ransomware attack and its severe impact from a financial, regulatory, and reputational perspective.
About the GigaOm Sonar Report
This GigaOm report is focused on emerging technologies and market segments. It helps organizations of all sizes to understand the technology and how it can fit in the overall IT strategy, its strengths, and its weaknesses. The report is organized into five sections:
Overview: An overview of the technology, its major benefits, and possible use cases, as well as an exploration of product implementations already available in the market.
Considerations for Adoption: An analysis of the potential risks and benefits of introducing products based on this technology in an enterprise IT scenario, including table stakes and key differentiating features, as well as consideration on how to integrate the new product with the existing environment.
GigaOm Sonar Chart: A graphical representation of the market and its most important players focused on their value proposition and their roadmaps for the future.
Vendor Insights: This section provides a breakdown of each vendor’s offering in the sector, scored across key characteristics for enterprise adoption.
Near-Term Roadmap: A 12- to 18-month forecast of the future development of the technology, its ecosystem, and major players of this market segment.