
Michael Schmidt

Ransomware Attack Recovery with Simplyblock

Updated: Sep 17

In 2023, the number of victims of ransomware attacks more than doubled, and 2024 is off to an even stronger start. Increasingly, attackers copy the data before encrypting it and demanding a ransom, so that the threat of leaking the data to the internet adds pressure on the victim to pay.


Having a robust answer to ransomware attacks is more important than ever. Simplyblock provides ransomware mitigation and recovery at the block storage level, enabling point-in-time recovery (PITR) for any service or application that stores data on its volumes.


What is Ransomware?

Ransomware is a type of malicious software (also known as malware) designed to block access to a computer system and/or encrypt the data until a ransom is paid to the attacker. This type of attack is typically carried out by cybercriminals who demand payment, often in cryptocurrency, in exchange for providing a decryption key to restore access to the data or system.


Statistics show a significant rise in ransomware attacks: the number of cases more than doubled in 2023 and the total ransom paid exceeded a billion dollars, and these are only the officially reported numbers. Many organizations prefer not to report breaches and payments, since paying a ransom is illegal in many jurisdictions.


Figure 1: Number of quarterly Ransomware victims between Q1 2021 and Q1 2024

The Danger of Ransomware Increases

The number and sophistication of attack tools have also increased significantly. They are becoming commoditized and easy to use, drastically reducing the skills a criminal needs to deploy them.


While there are a multitude of best practices and tools to protect against successful attacks, little can be done once an account, particularly a privileged one, has been compromised. Even if the breach is detected, it is most often too late. Attackers may only need minutes to encrypt important data.


Storage, particularly backups, serves as the last line of defense after a successful attack, because it provides the means to recover. Relying on backups alone for recovery has several downsides, however:


  • The latest backup does not contain all of the data: everything written between the last backup and the moment of the attack is unrecoverably lost. Even the loss of one hour of database writes can be critical for many enterprises.

  • Backups are not consistent with each other. The backup of one database may not match the backup of another database or of a file repository, so after restoration the systems will not integrate correctly.

  • The latest backups may already contain encrypted data. It may be necessary to go back in time to find an older backup that is still "clean". Such a backup, if one exists at all, may mean a substantial loss of data.

  • Backups must be protected against write and delete operations, otherwise attackers can destroy or damage them. Attackers may also damage the backup inventory management system to make it hard or impossible to locate specific backups.

  • Human error in backup management may lead to missing backups.


Simplyblock for Ransomware Mitigation

Simplyblock provides a way to recover your data after a ransomware attack that complements classical backups.


Simplyblock, in addition to writing data to hot-tier storage, also maintains an asynchronously replicated write-ahead log (WAL) of all data written. Writing this log is optimized for high throughput to secondary, low-IOPS storage such as Amazon S3 or HDD pools like AWS' EBS st1 volumes. If the secondary storage supports write and deletion protection for a predefined retention period, as S3 does with Object Lock, it becomes possible to "rewind" the storage to the point immediately before the attack. The result is a recovery with a near-zero RPO (Recovery Point Objective): because every committed write is in the log, at most the writes issued after the chosen rewind point are lost. The retention lock matters as much as the log itself: a compromised privileged account can delete or overwrite ordinary backups, but cannot remove log objects whose retention period has not expired.


A recovery mechanism like this is particularly useful in combination with databases. Database systems typically have to be stopped before the attacker can encrypt their files, since the data and WAL files are held open by the database process. A clean shutdown leaves a consistent on-disk state, so a consistent recovery point with no data loss can be identified automatically.
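To make the mechanism concrete, the following is an added example and not simplyblock's code: a toy model of a block volume that journals every committed write to a retention-locked log and can be rewound to the state immediately before a chosen instant. The class and function names, the retention period, the block size and the sample writes are all constructed for the illustration; the retention rule mimics what S3 Object Lock enforces for a protected object, and the scenario plays out the list above (an attacker with admin rights encrypts blocks and then tries to purge the log) followed by a rewind.

```python
import os
from dataclasses import dataclass

BLOCK_SIZE = 8  # tiny blocks to keep the constructed sample readable


@dataclass(frozen=True)
class WalRecord:
    seq: int      # commit order, strictly increasing
    ts: float     # commit time in seconds (constructed clock)
    block: int    # logical block address
    data: bytes   # full block contents after this write (copy-on-write image)


class RetentionLockedLog:
    """Hypothetical append-only WAL copy on secondary storage. Records are never
    rewritten, and a record cannot be deleted until `retention` seconds after it
    was written, whoever asks. This mirrors S3 Object Lock retention."""

    def __init__(self, retention: float):
        self.retention = retention
        self._records: list[WalRecord] = []

    def append(self, rec: WalRecord) -> None:
        if self._records and rec.seq <= self._records[-1].seq:
            raise ValueError("WAL sequence must be strictly increasing")
        self._records.append(rec)

    def delete_before(self, seq: int, now: float) -> int:
        """Try to remove records older than `seq`. Only records whose retention
        window has expired are actually removed. Returns the number removed."""
        survivors = [r for r in self._records
                     if r.seq >= seq or r.ts + self.retention > now]
        removed = len(self._records) - len(survivors)
        self._records = survivors
        return removed

    def records(self) -> tuple[WalRecord, ...]:
        return tuple(self._records)


class Volume:
    """Hot-tier block device that journals each write before acknowledging it."""

    def __init__(self, nblocks: int, log: RetentionLockedLog):
        self.blocks = [bytes(BLOCK_SIZE)] * nblocks
        self.log = log
        self.seq = 0

    def write(self, block: int, data: bytes, ts: float) -> int:
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole blocks in this model")
        self.seq += 1
        self.log.append(WalRecord(self.seq, ts, block, data))  # durable first
        self.blocks[block] = data
        return self.seq


def rewind(log: RetentionLockedLog, nblocks: int, before_ts: float) -> list[bytes]:
    """Rebuild the volume image as it was immediately before `before_ts` by
    replaying the log up to, but excluding, the first record at or after it.
    Every record is one committed write, so the RPO is a single write."""
    image = [bytes(BLOCK_SIZE)] * nblocks
    for rec in log.records():
        if rec.ts >= before_ts:
            break
        image[rec.block] = rec.data
    return image


def demo() -> dict:
    """Constructed scenario: normal writes, an attack, a purge attempt, a rewind."""
    log = RetentionLockedLog(retention=7 * 24 * 3600)  # 7-day lock, assumed
    vol = Volume(nblocks=4, log=log)

    # t=100..102: legitimate database writes (constructed sample data)
    vol.write(0, b"ORDERS01", ts=100.0)
    vol.write(1, b"ORDERS02", ts=101.0)
    vol.write(2, b"INDEX_01", ts=102.0)
    clean_image = list(vol.blocks)

    # t=500: ransomware overwrites the blocks with ciphertext (random bytes here)
    attack_start = 500.0
    for i in range(3):
        vol.write(i, os.urandom(BLOCK_SIZE), ts=attack_start + i)
    # ...then tries to destroy the WAL copy so nothing can be rewound
    purged = log.delete_before(seq=vol.seq + 1, now=attack_start + 10)

    # Responder rewinds to the instant before the first attack write
    recovered = rewind(log, nblocks=4, before_ts=attack_start)
    return {
        "purged_records": purged,                         # 0: inside retention
        "hot_tier_is_clean": vol.blocks == clean_image,   # False
        "recovered_is_clean": recovered == clean_image,   # True
    }
```

Two design points carry over to a real deployment: the write is acknowledged only after the log record is durable (otherwise the "RPO of one write" claim does not hold), and the deletion check is enforced by the storage layer, not by the caller's role, so a stolen admin credential gains nothing against records still inside the retention window.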


Figure 2: Timeline of a Ransomware attack

In the future, simplyblock plans to extend this functionality with a multi-stage attack detection mechanism integrated directly into the storage, with releasing the deletion protection for a historic time window once that window has been cleared of any attack, and with precise automatic identification of the point at which an attack was launched, to locate recovery points.


Furthermore, simplyblock will support partial restores of recovery points, so that the data of different services on the same logical volume can be restored from individual points in time. This matters because encryption of one service's data may have started earlier or later than that of others, so the point in time to rewind to differs per service.


Conclusion

Simplyblock provides a recovery solution that complements classical backups. Backups cover long-term storage of full recovery snapshots, while the write-ahead-log-based recovery is designed specifically for near-zero RPO recovery right after a ransomware attack has started, and makes that recovery quick and simple.


Many databases and other data-storing services, PostgreSQL among them, offer point-in-time recovery of their own, but the WAL segments must be shipped off the system as soon as each segment is closed. In that case the RPO comes down to the size of a WAL segment (16 MB by default in PostgreSQL), and the archived segments need the same write and deletion protection as any backup. With simplyblock, because of its copy-on-write design, the RPO can be as small as one committed write.

