How to Use Continuity Engine For Ransomware Mitigation

How to Use Continuity Engine For Ransomware Mitigation

Summary

In this knowledge base article, we will explore the value of using Continuity Engine for ransomware mitigation. It will explain the current market conditions, why hardening adds more value to your deployment and the recommendations on you need to do ensure your applications are fully recoverable from ransomware.

More Information

Ransomware, A Growing Global Problem


We live in a time that cyber criminal are using their ever improving stills to make money off organizations that have not taken cyber security seriously.  Ransomware continues to explode on the world stage at an alarming rate. According to KnowBe4, a ransomware attack happened ever 14 seconds in 2019 and is projected to be every 11 seconds in 2021.  Bitdefender also noted that ransomware attacks increased 485% in 2020 globally alone. For those who are affected by this the average downtime is 7 days. Our team here at Neverfail has heard numbers in the range of 14-20 days depending on what region of world it is. Clearly despite these threats, many organizations have not put the needed effort into mitigating the risk. Instead, the mentality is them is "it wont be me" until it actually happens then they are faced with a dilemma.

The losses every year to ransomware continues to grow. Cyber Crime Magazine did an article entitled "Cyber Crime To Cost the World $10.5 Trillion Annually By 2025" they estimated that global ransomware damage costs to reach $20 billion in 2021 — which is 57X more than it was in 2015.  So the cost of ransomware is staggering. The cyber criminals are racking up spoils in the 10's of millions in revenue. 

Organizations like Darkside are using legitimate software distribution methods to grow a global business for ransomware with a network of small channel partners (cyber criminals) who distribute ransomware to the unsuspecting while using multiple methods to penetrate networks to harvest privileged identities to carry out their nefarious scheme. These downstream partners only have to infect an organization, and when the organization pays, they get a percentage of the profits from their software distributor, Darkside. So now we see the commercialization of cyber crime is well underway.

We only have to look at Colonial Pipeline to see how expensive it can get and the impact it can have on national infrastructure. They paid $4.5 million USD to cyber criminals. The good news is the FBI was able to reclaim some of those bitcoin payments but most organizations will not have the support of the FBI so mitigation must be to be the primary method of reducing risk especially for organizations and supply chains that are part of the nations fabric.

What if Mitigation Efforts (PLAN A) Fail


Even in the best cases where organizations have heavily invested into cyber-security, mitigation efforts could still somehow fail due to the crafty nature of the hackers. So organizations have to make a very important business decision, pay the ransom or wipe systems clean and start again which could be extremely painful and costly especially if systems affected are mission critical! 

Traditional clustering technologies are simply not built for this type of use case. They were designed for datacenter failure, hardware failure and maybe operating system failure.  Backup and recovery technologies work better for ransomware because they have developed workflows that enable safe recovery. The downside is it will take a while to do those recoveries from backup and then run them through isolated environments for interrogation (cyber hygiene), than reattach them to the network. Simply put, the tradeoff is RTO (Recovery Time Objective) because of the recovery time  and each system has to be handed separately. This puts immense pressure the on IT staff to get systems back up and running. Many simply don't have the money invest in these tools or the skills to deal with this type of outage.

The good news is, as a Continuity Engine customer you have the tools you need for almost immediate recovery from ransomware. How is that possible? Its in Continuity Engine's architecture. Continuity Engine uses a TRUE cloned based architecture which provides and exact copy of original servers as passive nodes. This adds value for three distinct reasons:
  1. Continuity Engine only assigns the public IP address to the appropriate interface at the time of failover. Therefore, ransomware can't use the "front door" to spread to any of the passive nodes as these systems are not available to the end users.
  2. Each node is firewall isolated so ransomware would find it very difficult to jump between the nodes. This means ransomware can't spread via a "back door" into the passive nodes. Each node in the cluster can only communicate over the Neverfail Channel which is port restricted. So only Continuity Engine services can communicate over the channel. This ensures that the passive nodes OS's are protected.
  3. Real-time replication can replicate encrypted files from the primary to the passive nodes. However,  with Continuity Engine's Snapshots feature (Data Rollback Module or Shadows feature) organizations can roll back the dataset to before the incident happened thus restoring the protected application server to full operating conditions in minutes. Snapshots feature configuration details: How to Setup Snapshots / Data Rollback for Neverfail Continuity Engine


To validate this, Neverfail conducted a simulation of ransomware using Knowbe4’s RanSim to simulate ransomware attacks. We were not only able to validate that our architecture provides these protections but we have the data to support it. For Continuity Engine customers, Neverfail has removed the stress and complexity of recovery from the IT staff for mission critical applications. Organizations can focus on cyber hygiene and cleaning up the sources of the problem and understand what happened and why. Recovery should only take a only a few minutes when an organization is ready to do so. So now organizations don't have to held be hostage to cyber criminals when Continuity Engine is deployed. IT teams are able to restore in minutes without having to restore from backups or even pay a ransom.

Recommendations for (PLAN B) Hardening Continuity Engine

Here are some recommendations for hardening a Continuity Engine deployment against ransomware. These recommendations describe a hardening practice. They do not need to be implemented but do add more protections than just the out of the box configuration of Continuity Engine and improves your recovery posture.

  1. Implement the Neverfail Channel on a separate NIC and IP address. Doing so further isolates the traffic a certain NIC that can be hardened without interfering with user traffic. If your currently running on a single NIC configuration, you can get assistance from Neverfail Professional Services to reconfigure your channel to support a dual NIC configuration.
  2. Implement IP address restrictions on the channel. Out of the box, engine restricts the channel based port numbers. This further restricts traffic and cuts off another route into protected application server.
  3. After implementation, disable SMB2 if possible. If its a file and print server, this may not be possible but for many application servers, they could be done safely. Please note, disabling this feature can trigger unintended consequences for some applications', up to and including a complete suspension of all network services, so careful testing and though should go into implementing this step.
  4. If you are using 3rd party configuration management, backup or remote desktop on a management IP address. make sure the nodes are configured to restrict port numbers and IP addresses on management IP addresses.
















This diagram shows how ransomware can enter the front door of the primary server but with proper hardening, can not enter through back doors. This also shows how the windows firewall plays a big part in protecting the channel ransomware leveraging the channel to jump onto passive nodes during virus propagation.

Conclusion


Continuity Engine provides a powerful recovery tool that liberates organizations from being held hostage to cyber criminals by ensuring that passive nodes in the cluster can be recovered. If the recommendations are implemented properly, propagation of ransomware is further mitigated between the nodes by strengthen the Continuity Engine deployment.

Organizations need to treat ransomware as a continuity event and not just a cyber security event. Having a plan for quick recovery using this proven technology will pay dividends in the event PLAN A fails.

Due to the use of vaccines, we are now stopping COVID-19 pandemic propagation. However, no such solution is available for the IT pandemic of our time, ransomware. It is projected to continue massive growth for at least the next decade until a solution if finally found. So its not an if, its when....so make sure your prepared and leverage your investment in Continuity for ransomware recovery!

For more information on how Continuity Engine can help with ransomware, please view the global webinar entitled "How to Recovery From Ransomware" or contact the Neverfail sales team at sales@neverfail.com.
    • Related Articles

    • Continuity Engine Product Architecture

      Learning objectives At the completion of this session, you should be able to: Identify major components of the Neverfail Continuity Engine product architecture. Describe major component configuration. Identify advantages of the Neverfail Continuity ...
    • Continuity Engine Troubleshooting - Synchronization Failures

      Neverfail Continuity Engine provides protection to your applications by replicating data to a passive server. Continuity Engine attempts to synchronize protected data on all servers and continually replicates changes to that data. This article ...
    • When to Use Neverfail Patch Management Options

      The challenges associated with patching passive nodes with Engine's true clone based architecture Neverfail Continuity Engine employs a clone-based architecture in order to create exact copies of production servers and incrementally synchronize ...
    • Continuity Engine Switchover/Failover Processes

      This article discusses Switchovers and Failovers, their similarities and differences. It also discusses a condition called False Failover, which can result in a Split Brain Syndrome. Learning objectives At the end of the session you should be able ...
    • Continuity Engine Troubleshooting - MaxDiskUsage Errors

      This artucke introduces you to MaxDiskUsage errors when using Neverfail Continuity Engine. Continuity Engine generates MaxDiskUsage errors when either the send or receive queues are full.  MaxDIskUsage Errors Learning objectives  At the completion of ...