WHITEPAPER Datrium Ransomware Protection


© 2020 Datrium, Inc. All rights reserved Datrium | 385 Moffett Park Dr. Sunnyvale, CA 94089 | 844-478-8349 | www.datrium.com


Contents

Introduction

What Is Ransomware?

Known Defenses Against Ransomware

Keys to Recovery from Ransomware

Datrium Ransomware Protection Solutions

Datrium DRaaS with VMware Cloud on AWS

DRaaS Connect: Protect any VMware Workload

Cloud Backup: Cost-Effective SaaS Backup to S3

Live Mount

ControlShift: DR Orchestration for Ransomware Recovery

Datrium DVX: DHCI Solution with Ransomware Protection

Massive Retention Capability Across Sites

Automatrix Enabling Technology

Examples: Recovering from a Simple Attack

Conclusion


Introduction

More than 50% of organizations have experienced a disaster recovery (DR) event in the past 24 months, according to recent research [1]. Ransomware was the leading cause. There is no longer any question about the likelihood of an attack. The question is whether your business is prepared with a Ransomware Protection Solution.

Datrium can help your organization proactively mitigate the risk of ransomware. We can assist you with a multi-faceted defense that includes both prevention and mitigation. This paper provides an overview of the ransomware threat, potential defenses, and Datrium’s uniquely effective solutions for protecting against ransomware attacks.

What Is Ransomware?

Ransomware is a type of malware that targets critical data and systems for extortion. That description, while accurate, fails to underscore the gravity of today’s ransomware threat.

Datrium’s research and experience with real-world businesses indicate that ransomware is more dangerous than any other type of malware. We've seen that ransomware is not merely a form of spyware or a virus that steals or destroys data and files. It's a business – with specific targets, delivery methods, and ROI goals for the attackers. And the ransomware business is booming. According to Gartner, there’s been a 700% increase in ransomware since 2016, and the cost of a successful attack today can be in the millions.

There are four major categories of ransomware:

1. Crypto – Encrypts files on the system, network storage, or local drive, preventing any access to the data.

2. Locker – Locks the device so that users can't log in or use the device.

3. Leakware – Hijacks key components such as audio, webcam, microphone, or hard drive, and it mails sensitive information back to the attacker.

4. Scareware – Shows a ransom message to the end user hoping to scare them into making payment even though all data and systems remain available.

Known Defenses Against Ransomware

The most popular defense against ransomware today is to pay the attackers. From city governments to enterprises, up to 70% of infected businesses paid the ransom to recover their data, according to recent research [2].

There are four major categories of ransomware defense:

1. Prevention – Firewalls, tools for scanning email and data, etc.

2. Education – Training the workforce about social engineering and other common tactics.

3. Processes – Company-wide rules and procedures to block links and attachments from unknown sources.

4. DR – The ability to recover data quickly and efficiently from backups.

The only defense that can be 100% reliable against ransomware is DR. However, DR is effective only if you have tamperproof (immutable) backups, a reliable DR site, and easy failover and failback technology at your disposal. Most companies today don't have that combination of capabilities.

Datrium’s mission is to make DR easy, fast, reliable, and affordable, enabling companies of all types and sizes to defend against ransomware attacks proactively. The next sections describe the core requirements and how our solutions deliver on the demands.

[1] The State of Enterprise Data Resiliency and Disaster Recovery 2019

[2] ITProToday, “The State of Ransomware 2019.”


Keys to Recovery from Ransomware

There are three primary requirements for successful recovery from ransomware:

1. Tamperproof backups stored in the cloud, off-premises in a secondary data center, or on premises.

2. Restoring a clean VM image or operating system from a tamperproof backup, taken as little as five minutes before the infection was activated.

3. Ability to restart a clean VM instantly without having to copy data to your primary storage, allowing you to test various recovery points quickly.

Whether you leverage an old OS instance or rebuild clean OS instances with a new application deployment, the most vital asset – your data – must be recovered to pre-payload activation. It's critical to have immediate system recovery via a granular, low-RPO (Recovery Point Objective), point-in-time backup that doesn't rely on encryptable systems (backup, media servers, file mounts) or “last night’s backup.”

This approach avoids the limitations of “air gap / replicate sometimes” solutions, but more importantly, it enables IT to provision an on-demand “clean” DR environment to accelerate data and system recovery.

The ransom demand message appears days or even months after the actual attack. So in most cases, recovering from last night’s backup is not a complete solution. IT needs a long-term, immutable, granular recovery capability that can recover a pre-infection server image and the pre-payload activated data.

Datrium Ransomware Protection Solutions

Datrium has helped many organizations reduce the risk of ransomware attacks and avoid paying attackers. Our ransomware protection solutions include Datrium Disaster Recovery as a Service (DRaaS) with VMware Cloud on AWS, Datrium DVX, and Automatrix enabling technology.

DRaaS with VMware Cloud on AWS delivers a cloud-native design, built-in backup, instant RTO, and an on-demand model. DVX is a disaggregated HCI (DHCI) system with built-in Blanket Encryption, backup, and seamless integration with Datrium DRaaS. Automatrix enabling technology provides the technical foundation, which includes encryption, deduplication, and a unique filesystem that separates compute and storage. These products deliver:

• One-click DR with instant failover and failback between on-premises environments and cloud data centers, with continuous compliance checks every 30 minutes

• Up to 10x more cost-efficient DR because you pay for DR only when you need it

• Instant RTO and low RPO with the ability to restart any VMware workload from cost-effective S3 after a ransomware attack or natural disaster

• Simplified data management using familiar vCenter tools and consistent operating environments

• Always-on encryption for on-premises and cloud environments, eliminating time-consuming conversions

• Lower total cost of ownership (TCO) of up to 80% by eliminating secondary DR sites

Datrium DRaaS with VMware Cloud on AWS

DRaaS with VMware Cloud on AWS provides on-demand, failproof DR for all VMware workloads. It makes DR easy and reliable with its cloud-native design, built-in backup, instant RTO, and on-demand model. Ransomware attacks don't succeed because you can instantly implement a phased recovery, with mission-critical applications reinstated rapidly in a known “clean” environment, while you clean up your everyday infrastructure.

With DRaaS, you no longer need expensive physical DR sites or always-on DR resources in the cloud, and you only pay for DR resources when you use them. The solution keeps your data safe and secure, and continuous compliance checks allow you to confidently execute failover and failback in the event of a ransomware attack or other disaster.


Figure 1 – Datrium DRaaS with VMware Cloud on AWS – how it works

Unlike most cloud DR approaches, DRaaS with VMware Cloud on AWS keeps VMs in their native format, eliminating brittle VM (virtual machine) conversions that slow down recovery and make failback a nightmare.

From an architectural perspective, DRaaS provides “shared nothing,” isolated, secure cloud storage and compute environments, with no cloud infrastructure sharing between customers. The AWS account hosts backup and DR orchestration services, and the VMware Cloud account hosts cloud DR targets. All DRaaS services are deployed as Amazon Machine Images (AMIs) into a Datrium-created Virtual Private Cloud (VPC) and Subnet. All components are monitored and restarted for high availability and resilience, and all “required state” information is replicated to ensure resilience.

Figure 2 – What’s happening inside Datrium DRaaS


DRaaS delivers:

• Failproof cloud DR with built-in Cloud Backup enables you to protect all your VMware workloads in the cloud and on premises.

• Up to 10x more cost-efficient DR because you pay for DR only when you need it, and there's no ongoing cost for hot standby DR sites.

• Instant RTO and low RPO with the ability to restart any VMware workload from cost-effective S3 after a ransomware attack or natural disaster.

• One-click failover and fully-automated failback eliminates complex VM conversions and simplifies operations.

• Simplified data management using familiar vCenter tools and consistent operating environments.

DRaaS Connect: Protect any VMware Workload

DRaaS Connect, an integral feature of DRaaS, is a downloadable, lightweight VM that allows you to protect any VMware workload in just minutes with no new software or infrastructure to install. DRaaS Connect enables DRaaS to orchestrate failover from a VMware Cloud SDDC in one AWS Availability Zone (AZ) to another AZ, or from any on-premises vSphere infrastructure, including SAN, NAS, HCI, and DHCI to a Datrium-managed VMware Cloud on AWS.

Snapshots of running VMs in the active AZ are stored in the DRaaS repository on AWS S3. If there's a disaster, these snapshots can be restarted on ESX hosts in a different AZ with instant RTO, all based on well-defined runbook policies.

Cloud Backup: Cost-Effective SaaS Backup to S3

Cloud Backup is a key component of DRaaS. It provides an on-demand, secure, offsite datastore for backup and DR images on low-cost AWS S3 storage. Cloud Backup can also serve as additional backup capacity for efficient storage on S3 of non-DR images.

Cloud Backup provides forever incremental, fully deduplicated, and compressed data transfers for straightforward and automated recovery of VMs, guest files, or whole data centers.

With Cloud Backup, you can keep your backups offsite in the cloud, storing data in a separate S3 storage layer. That enables long-term offsite retention of low-RPO snapshots for further protection. Cloud Backup can support more than 1PB of protected, usable storage per customer on AWS, storing compressed and deduplicated VM and container PV (persistent volume) snapshots.

Cloud Backup also takes full advantage of Automatrix universal deduplication. That means storage costs are minimized across sites replicating to it, and it ensures that the least amount of data will need to be transferred back to on-premises data centers when recovering from an attack. That ensures lower egress costs, lower bandwidth consumption, and faster recovery from an attack.

Specifically, Cloud Backup provides:

• Rapid recovery from ransomware and disasters – enables instant recovery of VMs directly from AWS S3 to VMware Cloud on AWS. VMs are stored in their native format, eliminating brittle VM conversions and lengthy rehydration periods. Each instance of Cloud Backup can manage over a million backups, allowing a deep set of recovery points for ransomware protection.

• SaaS built-in backup – eliminates the need for point backup solutions, which simplifies operations and reduces cost. Backups can be scheduled every few minutes, every hour, every day – whatever frequency makes sense for your business.

• Cost-effectiveness – always-on data reduction (deduplication and compression) and forever-incremental backups reduce S3 storage costs per month and egress recovery costs. Only changed blocks are transferred across the WAN when storing and retrieving data.

• Flexible protection – scales to petabytes of capacity, and you can retain backups for months or years in low-cost AWS S3. Plus, you can easily retrieve backups from your SaaS backup catalog.


Live Mount

Live Mount instantly turns the backups stored in S3 into a live NFS datastore mounted by the ESX hosts in the SDDC. Unlike legacy backup-only solutions, there’s no time wasted waiting for backup data to be copied into an SDDC before the VMs can be restarted.

ControlShift: DR Orchestration for Ransomware Recovery

ControlShift is a cloud-based workload and DR orchestration service that simplifies ransomware recovery and other DR use cases. It’s a core component of DRaaS and also supports failover from one physical site to another. With ControlShift, it's easy and fast to recover from attacks with recent snapshots or backups from minutes, months, or years ago. This recovery point depth is critical for ransomware recovery because it often takes months for the attack to become apparent.

Figure 3 – Modern ControlShift SaaS app user experience

ControlShift is driven by the same policy and snapshot system as Cloud Backup which uses Automatrix enabling technology. Your organization can execute failover to a secondary physical DR site or on-demand to the public cloud using DRaaS with VMware Cloud on AWS. You can create recovery plans and run them for testing, planned, and unplanned recovery of workloads. Plus, ControlShift delivers:

• Full runbook orchestration for a data center VM to restart correctly in a different data center, with fully enabled IP mappings, pre- and post-scripting, and more.

• The ability to restart from current data or older backups. Unlike many DR systems, ControlShift is built to incorporate both current and old VM snapshots, so it's ideal for ransomware recoveries.

• Recovery Compliance Objective (RCO) of 30 minutes. ControlShift automates the process of performing compliance tests of all required failover/failback resources every 30 minutes. It also offers a full test bubble system and more.

• External monitoring of data center availability. Services that monitor systems in a data center and rely only on sensors in that data center can go blind if a network is down. External monitoring with ControlShift complements those sensors by providing an external view.

• Encryption. Data is encrypted from host memory to the cloud using Automatrix enabling technology.

• Comprehensive resource mapping and sequencing for DR plans, including mapping for sites, PGs, datastores, VMware vCenters, and IP addresses.

• Flexibility to support many different types of topologies between protected sites, backup sites, and failover sites.


Datrium DVX: DHCI Solution with Ransomware Protection

DVX is a disaggregated HCI (DHCI) solution that includes backup and DR protection with instant RTO for ransomware protection. It also protects data with blanket encryption, and it runs virtualized workloads up to 10x faster while saving money with always-on data efficiency.

Under the hood, DVX separates application data from recovery copies, increasing protection in ransomware situations. When data is stored in DVX, the virtualization layer stores that data in an NFS share with the industry’s highest aggregate performance for consolidated VM storage. We call that namespace a datastore.

Datastores can be explicitly exported to different hosts by IP range, and those hosts can't access files in a separate datastore. Inline and lower in the stack, data is stored in a shared data pool that is globally deduped, compressed, and encrypted by the hosts, and it's saved with no overwrites of good data ever. DVX snapshots can't be reached through this process, and they aren't accessible to applications, so ransomware can't ever encrypt these snapshots and lock you out of your systems.

Immutable Backups: Isolated and Stored in Snapstore

The Snapstore is a separate global, searchable namespace that stores and catalogs immutable snapshots and their policies. The Snapstore is only accessible through separately authenticated APIs and Datrium management applications. That provides an important level of isolation from the hypervisor when dealing with ransomware situations.

Figure 4 – Immutable backups are isolated and stored in Snapstore

As mentioned, Automatrix includes both primary and data protection storage. There are no traditional media servers to encrypt, and there are no accessible file systems, NFS mounts, or other vectors available to an external actor to mount, scan, or access DVX primary or snapshot storage. Even though we're presenting NFS datastores to VMware, the NFS datastore itself is only accessible via the protected user space of the ESX host – with no public-facing or open attack vector NFS system to be scanned, searched, or infected.

While many storage systems have primary storage snapshots that are read-only and immutable, DVX snapshots act as backups, so they have additional properties that enhance ransomware protection.


Figure 5 – Snapshots have additional properties that enhance ransomware protection

Autonomous recovery validation daily – Automatrix includes a content-addressed filesystem. Unlike traditional storage systems with volumes and offset addresses, DVX block-granularity data clumps are addressed by cryptographic hashes generated by the data itself. This variable-length data clump can be re-hashed and will always come up with the same ID; it's authoritative. All data is verified multiple times per day as part of the DVX space reclamation process.

Granular, with a searchable catalog of workload snapshots and policies – Protection Groups (PGs) contain policies for groups of VMs, not for LUNs. There are no LUNs – just VMs or containers. As with a subsequent search in the Snapstore, snapshot policies can be set against wildcard regular expressions.

Figure 6 – Snapstore includes a real catalog database to store relationships across VMs (panels: Protection Group Policies; Snapshot Copies Available on DVX)


Discrete catalog of policies and snapshots for high retention and high I/O – A traditional storage system might have snapshots, but a traditional filesystem namespace can’t store relationships across VMs for easier policy setting and global search. For that, you need a real catalog database, which Snapstore includes.

Figure 7 – More than 1M snapshots can be stored on a single DVX

All snapshots are metadata of the whole file content, not just delta changes. They don't rely on other snapshots, and there are no chains of snapshots that slow things down as they grow. DVX snapshots can be deleted in any order. More than 1M snapshots can be stored on a single DVX.

Writer history included – If the snapshot is replicated to a different DVX or Cloud Backup, the Snapstore catalog includes the name of the system that wrote it, time, date, etc., providing important audit information.

App-consistency alternatives – By default, all DVX snapshots are crash-consistent. A DVX VSS (Volume Shadow Copy Service) agent is available for Windows to ensure app-level consistency (e.g., Exchange and SQL Server). For other app-level backup features, Datrium partners with many leading backup vendors.

Guest file recovery for specific application files – For the most important guest files, DVX snapshots offer guest file recovery – the ability for an operator to select certain guest files from a prior point in time and offer them to live VMs. DVX includes software to open the most common Windows and Linux guest filesystems, select files, and move them into an ISO image. The ISO can be mounted to a running VM, so the operator can easily copy it back.

With these snapshots safely off the guest-access grid and stored in the Snapstore, recoveries can be faster, more consistent, and more secure from ransomware attacks.

No third-party or additional backup software or media servers – Unlike other more traditional storage systems that rely on risky media servers or NFS-based backup appliances, our all-in-one approach eliminates the need for additional Windows or Linux servers that need to be patched and managed. That reduces the attack vector for all ransomware variants.


RTO, RPO, Consistency Across Backups, and Encryption

Restarting from a DVX snapshot includes two options. It starts with transferring the snapshot image from the Snapstore namespace (which is invisible to vCenter and ESX, for example) to a Datastore with ESX visibility. Because that's just creating a reference, not a data copy, it happens in seconds. At that point, you can start it immediately because DVX is both a backup store and a primary store, so you can:

• Restore to an existing VM name in vCenter

• Clone (which also copies no data, it’s just a new named reference) and restore to a new VM name

When hit by ransomware, many organizations have to provide the ISO image of infected systems to law enforcement (e.g., FBI) or keep it for their forensic investigation later. However, because the priority is to recover from an attack, copying the infected files for forensics is often overlooked. The storage cost required to copy and keep these infected files for weeks or months further compounds the problem.

DVX has a native capability to automatically create a forensic snapshot of the infected workload with a default 7-day retention schedule when you recover (overwrite) a VM. That allows you to focus on recovery efforts, which are nearly instantaneous and very easy with DVX. And you still have copies of infected files for forensics. DVX not only automates this process but also makes it happen with no additional space requirements.

RPO – Another key attribute of a sound ransomware mitigation strategy is the ability to generate snapshots at very short intervals to enable low RPO. DVX policies allow intervals as little as five minutes so that you can keep deep backups of your workloads with very frequent snapshots. That results in a much better outcome than you generally get with traditional backup systems – typically, you get backups once every 24 hours.

Point-in-time consistency across backups – With DVX, it's easy to select an entire PG and restore multiple VMs from the same I/O moment. All the contents (VMs and vDisks) are snapped at exactly the same I/O moment across hosts for fully crash-consistent snapshots covering your entire environment.

Once you’ve found the point at which the ransomware infected your environment, you can quickly and easily restore all the affected VMs to exactly that point in time, so RTO is as low as possible. If you find that the point in time you chose was too recent and the systems are still infected with an active ransomware payload, you have the option to select another point and restore all the affected VMs to that point in time. Because DVX snapshots don't have dependencies and can be started/restarted within minutes and in any order at any point in time, you can run multiple iterations of restarting VMs from different points in time until you're satisfied with the state of your workloads and data.

Massive Retention Capability Across Sites

Retention – If you’re using DVX when ransomware strikes, you have more target snapshots to use for recovery. The ability to keep a deep history of backups is important – you need to have a retention policy that ensures you can go back far enough to pre-date the attack. According to analysts, many attacks aren't detected for an average of 170 days. DVX and Cloud Backup datastores have petabytes of effective capacity in compressed, globally deduplicated storage, including primary and protection copies.

Replication for readiness – Elastic replication offers a broad range of options for sending your protected snapshots to alternate locations. DVX can support many-to-one and one-to-many replication topologies. When a snapshot of a PG is complete, Hosts become a distributed set of data movers for the new unique data transmissions to different sites. That's highly scalable and fault tolerant, so replication will proceed even if many of the hosts fail. Replication typically also sends newly written changes, which are in each Host’s flash cache, so it isolates that workload from the DVX persistent Data Pool.

If the WAN has a failure, the Automatrix model ensures the most recent snapshots catch up first, followed by older ones. Because many recoveries require the most recent data, that's a powerful optimization, which is very different from traditional storage and HCI systems.


Figure 8 – The Automatrix model ensures the most recent snapshots catch up first, followed by older ones

Automatrix Enabling Technology

We built our ransomware protection solutions on Automatrix enabling technology. Its capabilities extend far beyond traditional backup and DR methods, and its effectiveness has been proven in many companies across all major industry sectors.

To quote a recent analyst report, “Converging primary, backup, and DR enables IT to protect data at enterprise scale. Historically, IT would have to choose either a high-cost performance architecture or a lower-cost protection architecture. Newer converged storage technology like Datrium’s offers both.” [3]

Cloud Backup and DVX are built on Automatrix enabling technology:

Blanket Encryption encrypts data at the point of host origin while maintaining full data reduction and verification. Most ransomware is injected from Guest applications, so Blanket Encryption offers further protection against alternative points of entry. Data is encrypted in use, e.g., on host flash, in flight at all times, and at rest. No other data platform offers this protection.

Replication for recovery with WAN optimization. If a snapshot is in a replica system, it can be restarted there directly, or it can be copied back to the originating Cloud Backup or DVX with a minimum amount of time and bandwidth. Because Cloud Backup and DVX systems are globally deduplicated using content addressing, replication can also use this information for WAN optimization, replicating only the unique data that doesn't exist at the destination.
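The content-addressing idea behind both the daily verification described earlier and the deduplicated replication described here can be shown in a few lines. This is an added example, not Datrium code: it assumes SHA-256 and fixed-size 4 KiB chunks (the paper describes variable-length clumps), and every class and function name is hypothetical.

```python
import hashlib
from typing import Dict, List

CHUNK_SIZE = 4096  # assumption: fixed-size chunks, chosen to keep the example short


def chunk_id(data: bytes) -> str:
    """The ID of a chunk is the hash of its own content."""
    return hashlib.sha256(data).hexdigest()


class ContentStore:
    """Minimal content-addressed chunk store (hypothetical, in memory)."""

    def __init__(self) -> None:
        self.chunks: Dict[str, bytes] = {}

    def put(self, data: bytes) -> str:
        cid = chunk_id(data)
        self.chunks.setdefault(cid, data)  # existing good data is never overwritten
        return cid

    def snapshot(self, image: bytes) -> List[str]:
        """Return a full manifest of chunk IDs; it does not depend on earlier snapshots."""
        return [self.put(image[i:i + CHUNK_SIZE])
                for i in range(0, len(image), CHUNK_SIZE)]

    def read(self, manifest: List[str]) -> bytes:
        return b"".join(self.chunks[cid] for cid in manifest)

    def verify(self) -> List[str]:
        """Re-hash every stored chunk and return the IDs that no longer match."""
        return sorted(cid for cid, data in self.chunks.items()
                      if chunk_id(data) != cid)


def replicate(src: ContentStore, dst: ContentStore, manifest: List[str]) -> int:
    """Send only the chunks the destination lacks; return the bytes transferred."""
    sent = 0
    for cid in dict.fromkeys(manifest):  # each ID once, in manifest order
        if cid in dst.chunks:
            continue  # already present at the destination: nothing crosses the WAN
        data = src.chunks[cid]
        if chunk_id(data) != cid:
            raise ValueError(f"source chunk {cid[:12]} failed verification")
        dst.chunks[cid] = data
        sent += len(data)
    return sent


def demo() -> dict:
    """Constructed data: an 8-chunk image, then the same image with one chunk changed."""
    src, dst = ContentStore(), ContentStore()
    base = b"".join(bytes([i]) * CHUNK_SIZE for i in range(8))
    changed = base[:3 * CHUNK_SIZE] + b"\xff" * CHUNK_SIZE + base[4 * CHUNK_SIZE:]

    snap1 = src.snapshot(base)
    snap2 = src.snapshot(changed)
    sent1 = replicate(src, dst, snap1)  # first replication: all 8 chunks
    sent2 = replicate(src, dst, snap2)  # second: only the one new chunk
    restored_ok = dst.read(snap2) == changed
    before = dst.verify()

    # Simulate a chunk being altered at rest on the replica.
    dst.chunks[snap1[0]] = b"X" * CHUNK_SIZE
    after = dst.verify()
    return {"sent1": sent1, "sent2": sent2, "restored_ok": restored_ok,
            "before": before, "after": after, "tampered": snap1[0],
            "src_chunks": len(src.chunks)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because each manifest lists every chunk it needs, either snapshot can be dropped without affecting the other, and any modified chunk is detected the next time the store is re-hashed.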

Examples: Recovering from a Simple Attack

When an attack is discovered, the goal is to minimize further infection and restore to a safe state as quickly as possible (low RTO). Here are summaries of how the process works using DRaaS with VMware on AWS and with DVX.

Using DRaaS

1. Set up backup policies and DR runbooks with whatever timeframe you need

2. Backups are stored in native VM format on AWS S3

3. Compliance checks run automatically every 30 minutes

4. When disaster strikes, you execute failover to the cloud

5. Backups are immediately powered-on for instant RTO

6. Use familiar vCenter tools for cloud management

7. When the disaster is over, failback is fast and easy

[3] ESG: “Taking Convergence to the Next Level with a Self-protecting Enterprise Cloud,” May 2019.


Through a simple UI, you set backup policies and DR runbooks. Tamperproof backups can be created every few minutes, every hour, every day – whatever frequency makes sense for your business. Backups are then deduplicated, compressed, encrypted, and stored in their native-VM format in low-cost S3 storage on AWS. When disaster strikes, you execute failover to the cloud.

The stored backups are instantly powered-on via a live cloud-native NFS datastore mounted by ESX hosts in that SDDC, resulting in instant RTO. Unlike legacy backup-only solutions, there’s no time wasted waiting for backup data to be copied into an SDDC before the VMs can be restarted.

Plus, there's no learning curve for IT teams. They use the same vCenter tools to manage their on-premises storage and cloud resources. Once the disaster is over, failback is easy too – deduplicated, changed data is compressed and encrypted, which minimizes egress charges, and then it's automatically sent back to the data center.

Ransomware attackers are discouraged by DRaaS built-in security and instant recovery capabilities. Attackers can't extort money if they can't steal your data, corrupt your systems, or disrupt your operations.

Using DVX

1. Identify snapshot candidate

2. Restore candidate snapshot

3. Check for infection

4. If not infected, that's likely very close to the point-in-time snapshot needed for recovery

5. If not, move to the next snapshot candidate

6. Once the pre-infection, point-in-time snapshot is identified, restore the workload to that point in time.

7. Full recovery is complete.

You can use several strategies, but all include a loop similar to the one above. You need to determine the point at which the infection took place.

With DVX, moving to the next snapshot is simple, and restoring data is easy with Instant RTO. There's no need to copy data from a backup silo, so restores are virtually instant. With the built-in catalog capability, it’s also easy to implement different search algorithms to find the right point-in-time snapshot quickly and efficiently to ensure minimal data loss.
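One search strategy for the loop above is bisection over the time-ordered snapshot catalog. This is an added example, not Datrium code: the `Snapshot` record, the `is_infected` callback (standing in for "restore the candidate in isolation and check it") and the catalog data are constructed. It assumes that once a snapshot is infected, every later one is too.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Snapshot:
    """One catalog entry (hypothetical shape)."""
    snap_id: int
    taken_at: datetime


@dataclass
class SearchResult:
    last_clean: Optional[Snapshot]      # None: every retained snapshot is infected
    first_infected: Optional[Snapshot]  # None: no retained snapshot is infected
    checks: int                         # restore-and-check cycles performed


def find_last_clean(snapshots: Sequence[Snapshot],
                    is_infected: Callable[[Snapshot], bool]) -> SearchResult:
    """Bisect for the boundary between clean and infected snapshots."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    results: Dict[int, bool] = {}

    def probe(i: int) -> bool:
        # Each distinct probe is one restore-and-check cycle, so cache results.
        if i not in results:
            results[i] = is_infected(ordered[i])
        return results[i]

    if not ordered:
        return SearchResult(None, None, 0)
    # Oldest snapshot already infected: retention does not reach back far enough.
    if probe(0):
        return SearchResult(None, ordered[0], len(results))
    # Newest snapshot clean: nothing in the catalog is infected.
    if not probe(len(ordered) - 1):
        return SearchResult(ordered[-1], None, len(results))

    lo, hi = 0, len(ordered) - 1  # invariant: ordered[lo] clean, ordered[hi] infected
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            hi = mid
        else:
            lo = mid
    return SearchResult(ordered[lo], ordered[hi], len(results))


# Constructed sample: 7 days of 5-minute snapshots (2016 entries).
CATALOG_START = datetime(2020, 1, 1, 0, 0)
INFECTED_AT = datetime(2020, 1, 4, 13, 42)  # constructed infection time


def build_constructed_catalog() -> List[Snapshot]:
    return [Snapshot(i, CATALOG_START + timedelta(minutes=5 * i))
            for i in range(7 * 24 * 12)]


def scan_constructed(snap: Snapshot) -> bool:
    """Stand-in for a real malware check on a restored snapshot."""
    return snap.taken_at >= INFECTED_AT


if __name__ == "__main__":
    result = find_last_clean(build_constructed_catalog(), scan_constructed)
    print("last clean:    ", result.last_clean)
    print("first infected:", result.first_infected)
    print("restore checks:", result.checks)
```

On this catalog the boundary is found in at most 13 restore-and-check cycles instead of walking back through up to 2016 snapshots. If the check can miss a dormant payload, the monotonic assumption breaks, so re-check the chosen snapshot and one or two before it before restoring.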

Conclusion

With the increasing volume and sophistication of ransomware attacks, organizations urgently need a smarter, faster, more effective ransomware protection solution. Disaster Recovery (DR) is the best approach, but traditional DR solutions are too slow, complex, expensive, and unreliable, which all too often results in successful ransomware attacks.

Datrium is uniquely capable of delivering a DR process that works 100% of the time. We offer one-click, failproof DR – on a pay-as-you-go model that eliminates the need for secondary DR sites and expensive physical infrastructure.

Learn more about Datrium's ransomware protection solution by visiting www.datrium.com, where you can request a demo.