FAQ: Microsharding and Ransomware
Q: How significant is the threat of cloud ransomware?
A: The impact of cloud ransomware is just beginning to be measured, but ransomware is a major concern.
- YL Ventures’ Ransomware Risk in 2022 report stated that, while data on cloud storage ransomware was “sparse,” 75% of the experts they surveyed expected that such an attack had happened or would happen in 2022.
- Cloud ransomware still operates largely under the radar, but threat actors like Rocke and TeamTNT are known to target unsecured cloud environments. At least one cloud service provider and one large incident response company have experienced verified cloud ransomware attacks.
- Although it does not distinguish between cloud-based and on-premises ransomware, the FBI’s Internet Crime Report recorded $49 million in total ransoms paid in the United States in 2021 — nearly a 70% increase from 2020.
- Globally, Check Point Research discovered a 24% increase in ransomware attacks this year, with one in 53 organizations affected in 2022. The average ransom payment is now at an all-time high of $812,360.
- A report from Cybersecurity Ventures estimates that ransomware will cost the economy around $265 billion annually by 2031, with over two dozen attacks happening each minute.
Q: Aren’t cloud environments more secure than on-prem environments?
A: Yes. Prevailing opinion is that cloud environments are more secure, but there are a few things to keep in mind:
- The potential impact of a breach of a cloud service provider (CSP) is the major concern. Ransomware launched against an on-prem environment affects just that victim organization. A compromised storage admin account at a CSP could impact many, many data owners, and therefore, have a much greater impact.
- Mistakes happen. In December of 2021, AWS accidentally exposed every S3 bucket to every AWS S3 support administrator for just over ten hours. And in October of 2022, a misconfigured Microsoft Azure blob exposed sensitive customer data. The point here is that when the rare mistake by a CSP does happen, the scale of the potential impact is far greater than the same mistake on-prem.
- The above example also illustrates that the shared security model leaves a gap in protection for data owners. CSPs are responsible for securing their infrastructures while data owners are responsible for securing access to their data. But what happens when the CSP makes a mistake that opens up backend access to customer data? What happens when a storage admin’s credentials have been compromised?
- Server-side encryption, where the cloud service provider maintains the encryption keys, is one way that data owners can have their data protected without the overhead of key management, key rotation, etc. This does require trust on the part of customers that the cloud provider will use a sufficiently strong algorithm and properly manage and protect the keys, which in parts of the world, such as Europe, is too much to ask.
- Client-side encryption leaves control of data protection in the hands of the data owner independent of the CSP. That is an attractive option for those organizations that have the resources and proficiency to properly manage their keys. For many organizations, that isn’t an option, so they will either go with server-side encryption provided by their CSP(s) or, frighteningly enough, go without any kind of data protection.
- Microsharding was originally invented specifically to neutralize these issues.
Q: Do backups protect organizations against ransomware?
A: No. While it is important to maintain secure backups to help protect against the effects of data loss, backups were not designed to stop cybercrime.
- Backup systems offer no innate protection against ransomware. They are an important component of data recovery plans, but they are not a viable defense.
- Keep in mind that restoring from backup is typically an option of last resort after everything else has failed, so backups really should not be considered a defense mechanism. They are a key part of a disaster recovery plan.
- Backups do not protect against the increasingly common data exfiltration and extortion components of cloud ransomware.
- Ransomware has evolved to target backup systems as well. Some ransomware now has the ability to identify, locate, and contaminate backups for a more damaging attack. Some organizations have employed offline tape-backup as a solution, but this can be slow, costly, and labor-intensive.
Q: Does microsharding make backups unnecessary?
A: No. Backups are a critical component of disaster recovery. Microsharding can be used to protect backups but is not an alternative to backups.
- A ransomware attack is just one scenario. There are many other scenarios for which viable backups are critical.
- There is no one technology or technique that solves all problems. Therefore, a defense-in-depth approach is still your best approach to protecting your data and operations.
Q: Does microsharding mitigate the impact of data encryption in cloud ransomware?
A: Yes. Microsharded data is self-healing and that enables neutralization of ransomware.
- The microsharding process includes multiple data integrity checks when data is microsharded (fragmented) and when data is reconstructed. If there are any data integrity discrepancies during reconstruction, we use parity data to reconstruct the affected data to its unaffected state.
- Self-healing happens in real-time and transparently, so users continue to operate normally.
- Failed data integrity checks trigger alerts that may be sent to a third-party application such as a SIEM, a SOAR, Slack, etc., and may help to serve as a form of early detection of a ransomware attack.
- Customers have the option to configure secondary storage locations and failed data integrity check thresholds. The purpose of this is to facilitate the automatic movement of data from one storage location to another should X number of integrity checks fail in Y timeframe.
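The self-healing behaviour described in this answer, as an added, constructed example rather than the FAQ author's product code: every microshard is hashed at write time, a read re-checks each hash, a shard that fails is rebuilt from parity, and a sliding-window monitor raises an alert once X failed checks land inside Y seconds. The 4-byte shard size, SHA-256 digests and single-shard XOR parity are assumptions chosen for readability; a real implementation would use larger shards and an erasure code that survives more than one damaged shard per stripe.

```python
from __future__ import annotations

import hashlib
from collections import deque
from dataclasses import dataclass

SHARD_SIZE = 4  # assumed; tiny so the example stays readable


def shard(data: bytes, size: int = SHARD_SIZE) -> list[bytes]:
    """Split data into fixed-size microshards, zero-padding the last one."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_parity(shards: list[bytes]) -> bytes:
    """XOR of equal-length shards: lets exactly one missing or corrupted shard be rebuilt."""
    out = bytearray(len(shards[0]))
    for s in shards:
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


@dataclass
class Stripe:
    """Metadata the microsharding layer keeps alongside the stored shards."""
    length: int            # original length, used to strip padding on read
    parity: bytes
    digests: list[bytes]   # SHA-256 of each shard, recorded at write time


def write(data: bytes) -> tuple[Stripe, list[bytes]]:
    """Microshard the data and record the integrity data needed for later checks."""
    shards = shard(data)
    meta = Stripe(len(data), xor_parity(shards),
                  [hashlib.sha256(s).digest() for s in shards])
    return meta, shards


class FailureMonitor:
    """Fires when at least `threshold` failed checks fall inside `window` seconds."""

    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self.events: deque[float] = deque()

    def record(self, now: float) -> bool:
        """Log one failed check at time `now`; return True if the threshold is reached."""
        self.events.append(now)
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) >= self.threshold


def read(meta: Stripe, stored: list[bytes], monitor: FailureMonitor, now: float = 0.0):
    """Verify every shard, rebuild a corrupted one from parity, and report alerts.

    Returns (reconstructed data, indices of shards that failed their check,
    whether the failure threshold was reached during this read).
    """
    bad = [i for i, s in enumerate(stored)
           if hashlib.sha256(s).digest() != meta.digests[i]]
    alerts = [monitor.record(now) for _ in bad]  # one failed check per bad shard
    if len(bad) > 1:
        # Limitation of single XOR parity, not of the technique in general.
        raise ValueError("XOR parity can repair only one shard per stripe")
    healed = list(stored)
    if bad:
        i = bad[0]
        # Parity XOR all the other (verified) shards yields the damaged shard.
        rebuilt = xor_parity([meta.parity] + [s for j, s in enumerate(stored) if j != i])
        if hashlib.sha256(rebuilt).digest() != meta.digests[i]:
            raise ValueError("repair failed: parity or another shard is also damaged")
        healed[i] = rebuilt
    return b"".join(healed)[:meta.length], bad, any(alerts)
```

The caller never sees the corrupted bytes: `read` hands back the original content and a list of which shards failed, which is the signal you would forward to a SIEM or use to drive the storage-location failover described above.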
Q: Does microsharding mitigate the impact of data extortion in cloud ransomware?
A: Yes. Microsharded data is effectively desensitized and of no value to attackers.
- When data is microsharded, the final step is to distribute it across multiple customer-owned storage locations. Therefore, each storage location only contains an unintelligible fraction of the entire data set.
- An attacker has an extremely low likelihood of discovering and compromising every storage location to which data has been distributed, so the challenge for attackers is not just a technical challenge, but one of knowledge.
- Should an attacker compromise every storage location, determining which chunks of microsharded data belong to the same file, and then successfully reassembling the microshards, is virtually impossible.
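The distribution step described in this answer, as an added, constructed example and not the FAQ author's product code: a file is split into microshards, the shards are spread round-robin across several storage locations, and a placement map records where each one went. The map is the "knowledge" half of the problem: reassembly needs it, while a single compromised location yields only a fraction of the bytes in an order that never keeps two consecutive shards together. The 4-byte shards, the round-robin rule and the sample content are assumptions for illustration; a real system would also protect or randomize the placement itself.

```python
from __future__ import annotations

SHARD_SIZE = 4  # assumed; tiny so the example stays readable


def shard(data: bytes, size: int = SHARD_SIZE) -> list[bytes]:
    """Split data into fixed-size microshards, zero-padding the last one."""
    padded = data + b"\x00" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def distribute(data: bytes, n_locations: int):
    """Spread shards round-robin over n_locations.

    Returns (locations, placement): locations[i] is the list of shards stored at
    location i, and placement[k] = (location, slot) records where original
    shard k went. The placement map stays with the data owner, not in storage.
    """
    locations: list[list[bytes]] = [[] for _ in range(n_locations)]
    placement: list[tuple[int, int]] = []
    for k, s in enumerate(shard(data)):
        loc = k % n_locations
        placement.append((loc, len(locations[loc])))
        locations[loc].append(s)
    return locations, placement


def location_view(locations: list[list[bytes]], idx: int) -> bytes:
    """Everything someone who compromised only location `idx` would obtain."""
    return b"".join(locations[idx])


def fraction_held(locations: list[list[bytes]], idx: int) -> float:
    """Share of the stored bytes that sit at one location."""
    total = sum(len(s) for loc in locations for s in loc)
    return len(location_view(locations, idx)) / total


def consecutive_shards_colocated(placement: list[tuple[int, int]]) -> bool:
    """True if any two consecutive original shards ended up at the same location."""
    return any(placement[k][0] == placement[k + 1][0]
               for k in range(len(placement) - 1))


def reassemble(locations: list[list[bytes]], placement: list[tuple[int, int]],
               length: int) -> bytes:
    """Rebuild the file; this is only possible with the placement map and every location."""
    return b"".join(locations[loc][slot] for loc, slot in placement)[:length]
```

With two or more locations the round-robin rule guarantees that no location ever holds two neighbouring shards, so any string longer than one shard cannot appear intact in what a single location exposes; the placement map, held only by the data owner, is what turns the fragments back into the file.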
Q: Does microsharding prevent ransomware?
A: No. Microsharding protects data at rest by making it unintelligible to unauthorized users.
- Microsharding was created to help ensure that, should an attacker gain access to your data at rest, the effort was completely wasted.
- We are strong proponents of defense-in-depth and see microsharding as a strong defense layer for data.
- It’s our position that traditional security has focused on building walls around data but not on actually securing the data itself. That doesn’t mean you should take down these walls. Rather, if and when those walls are breached, microsharding helps to ensure there is no value in your data for unauthorized users.
- Yes, encryption is a strong technology, but we also believe that it has its limits and microsharding is the next step in the evolution of data protection.