Protecting Against Ransomware with Cohesity:

As most of you are aware, 2020 has been especially riddled with Ransomware attacks against large corporations. However, large corporations are not the only ones under attack. These attacks are against all types of businesses from the largest corporations all the way down to the small mom and pop businesses. Government agencies to include federal, state, and local are under constant attack as well.

The most notable ransomware attacks that most have heard about include Garmin, Travelex, University of California San Francisco, Honda, and Canon USA. Click on the appropriate company name to go to an article specific to that companies attack.

NOTE: For 2021 statistics on Ransomware attacks, see the first link at the bottom of this blog called “Ransomware Statistics“.

Most of the data protection solutions on the market (especially the legacy solutions) today have fallen pray to the above list of recent Ransomware attacks as well as many others.

To this day, not one Cohesity customer has had a successful ransomware attack to where they gained access to their Cohesity backups to delete or encrypt them and where they have followed our security hardening guidelines. That means that our customers have been able to detect, prevent, and/or recover and not have to pay any ransom whatsoever.

Here is an example of what can happen in your typical ransomware attack of today:

• Employee clicks on link in an email and hackers gain access to your network.
• Hacker then installs a key logger and gets an administrators credentials to systems (including your data protection system) on the network.
  • Hackers delete your backups of systems to ensure you can’t recover from backups and have to pay them the ransom.
• If they don’t get administrator credentials to backup solution, they encrypt the backs first to again make sure you can’t recover any systems from backups and force you to pay the ransom.
• If the company has any CCPA, GDPR, or other compliance related requirements and associated data, they collect that data.
• They then encrypt the systems on the network.
• Hackers notify the company that they have encrypted their systems and tell them they must pay a ransom to get the encryption keys to decrypt their systems. If they obtained any compliance related data, they also tell the company that they will publicly post the private data. If they do that, the company by law then has to publicly announce that they had a data breach. They then can be fined a very large amount of money for breaking compliance itself. This is a separate cost from the ransom.
• Hackers typically give the company a certain time frame to pay the ransom or lose everything after that date as well as post any compliance related information on the internet.
• If the company pays the ransom, it typically requires payment in Bitcoin because it is private and untraceable. Most companies don’t have a Bitcoin account, so they will need to pay a 3rd party company to convert the payment to Bitcoin in which the hackers will accept.
• Once the ransom is paid, the hackers will provide all the decryption keys for every system that was encrypted.
• The customer then has to randomly associate each decryption key to each server which can take days to do. The hackers don’t tell them which key goes to what specific server. If you have thousands of servers, that is a painfully long process all while your IT systems are still down.
• Each virtual machine has to have twice the size of space on it in order to decrypt the system. Otherwise if there is not enough room on drive, decryption will fail until additional drive space is added. The time to go through this process can be painfully long based on how many systems need to be configured with additional storage.
• At this point, this entire process from start to finish could be from days to weeks or more for a company to fully recover IF they pay the ransom.

For the company that has been attacked, if they have to pay the ransom due to being unable to restore from backups, this could mean a huge revenue loss for the company long term.

There are numerous costs associated to the attack:

• The ransom itself.
• The cost for 3rd party company to convert payment to Bitcoin.
• Potential fines for breaking compliance due to leaked data if ransom not paid.
• The associated cost of lost revenue due to systems being down for days, weeks, or more due to attack and recovery time frame of IT internal and externally facing services.
• The associated cost of lost revenue due to bad reputation after personal data leaked.
• The associated cost of massive increased hours worked by IT staff and any other employees to recover systems until they are back to normal operations.
• Cost of new hardware/software implementation and associated man hours to implement new security measure to keep from being attacked again.
• Legal actions against company for personal data leaked and other various reasons.
• NEW (10/5/20) – US Department of the Treasury’s Office fines!

There are numerous precautions that can be taken to minimize the risk of your organization being attacked as well as recover easily and quickly to get your IT services up and running again. With that, securing your data protection (backup) solution becomes critical to protecting yourself against ransomware attacks.

How Cohesity Protects You Against Ransomware:

Cohesity takes security very serious and has extensive integrated cybersecurity in our solution. Listed below are the ways in which we protect your backups in our platform with the below principles and capabilities.

• Reduce Attack Surface –
  • Zero trust architecture.
  • Bank-grade encryption (FIPS 140-2, NIST certified).
  • Single global platform.
  • No Windows or Linux front-end server.
• Assess Security Posture & Vulnerabilities –
  • Vulnerability Management:
    • CyberScan App – Uncover cyber exposures and blind spots within your production environment by running on-demand and automated scans on backup snapshots against known vulnerabilities.
  • Advanced Threat Detection:
    • SentinalOne App – AI-powered prevention engine to Cohesity storage clusters, delivering the highest efficacy, lowest false positives, and most performant prevention technology. 100% signature-free and relies on machine learning models to deliver next-generation prevention. 
  • ClamAV App – Scan the files stored in the Cohesity DataPlatform directly, without sending the files to an external scanner.
  • Configuration analysis.
  • Marketplace (Apps): https://marketplace.cohesity.com/
• Access Management & Auditing –
  • Web UI, CLI, REST API’s all use SSL with TLS 1.2 and above.
  • Self-signed X509 certificates or company CA/certificates can be used.
  • Microsoft Active Directory integration and (RBAC) Role-Based Access Control.
  • (2FA) Two Factor Authentication (CAC / SAML).
  • (SSO) Single Sign-On Integration with SAML-based standards:
    • Active Directory
    • LDAP
    • Azure Active Directory
    • Okta
    • Ping
    • Duo
    • Shibboleth
  • Operational & file level accounting.
  • System & product level auditing.
  • Exportable granular audit logs.
  • Send logs to external syslog server.
  • Global whitelists network segments, individual IP’s, etc.
• Data Governance / Compliance –
  • SEC 17a-f (f)
    • (WORM) Write Once Read Many & Data Security
  • FIPS 140-2 level 1
  • PCI DSS
  • Common Criteria EAL2+
  • Secure Government Clouds
    • AWS Govcloud
    • Azure Govcloud
    • C2S
  • (TAA) Trade Agreements Act
  • (ATO) Authority to Operate
  • GDPR / CCPA Governance –
    • Global actionable search.
    • We reduced copies of data on average from 8-10 copies to potentially 1-2 copies.
• Defend –
  • Immutable file system –
    • Inaccessible from outside Cohesity cluster
    • Back ups stored in Read-Only state
  • DataLock / (WORM) Write-Once-Read-Many –
    • Unable to delete/modify snapshots until the set retention time has passed
  • LegalHold –
    • Unable to delete snapshots until LegalHold removed only by Data Security role
  • Provides a virtual “air gap”
• Detect –
  • Helios machine learning driven anomaly detection.
    • Daily change rate on Logical data.
    • Daily change rate on stored data.
    • Pattern based on historical data ingest.
• Respond –
  • Google-like global actionable search.
  • Instant mass restore – Recover hundreds or more virtual machines and have services up and running in the matter of minutes.
  • Salable file system to store years worth of backup copies.

Additional Resources – Cohesity & Ransomware Protection:

• Ransomware Statistics:
  • https://www.comparitech.com/antivirus/ransomware-statistics/
• Counter Ransomware Attacks with Cohesity (Whitepaper):
  • https://www.cohesity.com/resource-assets/solution-brief/Counter-Ransomware-Attacks-with-Cohesity.pdf
• Comprehensive Anti-Ransomware Solution: Prevent, Detect and Respond (Video):
  • https://www.youtube.com/watch?v=WnR4n4e_FaY
• Guarding Against Ransomware Requires More Than Just Detection (Blog):
  • https://www.cohesity.com/blog/guarding-against-ransomware-requires-more-than-just-detection/
• Cohesity Public Site – Ransomware:
  • https://www.cohesity.com/solution/ransomware-recovery/
• Cohesity Technical Guides: https://docs.cohesity.com/HomePage/Content/TechGuides/TechnicalGuides.htm
• Cohesity Documents – Ransomware:
  • https://docs.cohesity.com/WebHelios/Content/Helios/RansomewareAlert.htm
• Cohesity’s Solutions for Air-gap Data Protection (Whitepaper):
  • https://info.cohesity.com/air-gap-data-protection-with-cohesity-dataplatform-wp.html
• CyberScan App (Video):
  • https://www.youtube.com/watch?v=R1upyfXRtbQ
• CyberScan App (Blog):
  • https://www.cohesity.com/blog/new-app-uses-backup-data-to-combat-cyber-threats/
• (CCPA) California Consumer Privacy Act:
  • https://oag.ca.gov/privacy/ccpa
• Streamlining GDPR Compliance (Solution Brief):
  • https://www.cohesity.com/resource-assets/solution-brief/Cohesity_GDPR-Solution-Brief.pdf
• Cohesity DataPlatform Security Whitepaper:
  • https://docs.cohesity.com/HomePage/PDFs/Cohesity-White-Paper-Security-DataPlatform.pdf