GigaOm Sonar Report for Block-Based Primary Storage Ransomware Protectionv2.0

1. Summary

Ransomware is a specific type of malware that encrypts data assets on primary storage systems—including file shares, databases, disk partitions, data volumes, backup systems, and repositories—making them inaccessible unless the victim pays an extortion fee. Ransomware is highly optimized to spread across organizations via networks and infrastructure systems through methods similar to Trojan malware attacks. The ransomware payload is embedded in a file that looks legitimate and is triggered by an unsuspecting user opening the infected file. Usually, it will spread across the environment by taking advantage of user credentials, along with documented and undocumented exploits, bypassing the limited access scope of a user. Thus, ransomware protection is a transversal, cross-stack topic of discussion across organizations.

Ransomware attacks can impact file- and block-based primary storage solutions alike:

• File-based ransomware attacks are the most pervasive. Advanced file-based ransomware implementations use a combination of techniques to remain unnoticed and spread silently. For example, they may start encryption activities a few weeks or months after a system has been infiltrated, or they may first target dormant files that haven’t been accessed for a long time.
• Block-based ransomware attacks, while less common, can be even more damaging. Ransomware encrypts entire data volumes, making recovery much harder than for file-based attacks. The entire volume must be recovered, which offers less granularity and fewer recovery prioritization options than for file-based recovery activities. These attacks, however, are quicker and easier to detect because once a volume is encrypted, all read/write operations become impossible.

One Sonar report focuses on ransomware protection solutions available for file-based—or network attached storage (NAS)—primary storage systems; a sister report covers solutions for block-based primary storage.

Figure 1 shows the vendors and primary storage systems covered in each report.

Figure 1. Vendors Included in Each GigaOm Sonar for Primary Storage Ransomware Protection

Although dedicated out-of-band ransomware protection solutions exist, organizations should not underestimate the benefits of in-band ransomware protection capabilities embedded in NAS and block-based solutions. The most effective mitigations include a combination of in-band and out-of-band capabilities, but for smaller businesses or very cost-conscious organizations, NAS and block-based ransomware protection solutions constitute an important first line of defense.

Benefits of ransomware protection on NAS and block-based solutions include:

• Faster recovery from a ransomware attack than backup restores can provide, usually measured in minutes instead of hours or days, thanks to snapshots. This quick recovery is particularly crucial for mission-critical applications that can’t withstand prolonged downtimes.
• Greater ease of use delivered because reverting to a healthy snapshot takes considerably less effort than identifying and orchestrating data recovery from a data protection platform.
• Cost-effective protection and recovery operations: NAS and block-based ransomware protection solutions are usually provided at no cost and deliver a very effective protection layer. Furthermore, fast local recovery from ransomware using ransomware solutions is cheaper than recovery using data protection systems, from both an elapsed time and a human effort perspective. In addition, organizations avoid paying any potential egress transfer fees when restoring from the cloud.

These GigaOm Sonars provide an overview of file-based and block-based primary storage ransomware protection vendors and their available offerings, equipping IT decision-makers with the information they need to select the best solution for their business and use case requirements.