An idea on inexpensive automatic local disconnectable storage to mitigate ransomware attacks
After being asked to think about protecting a client against future ransomware attacks, and seeing that more and more they’re done in such a fashion to destroy all data, backups, ESXi hosts, etc it got me to wondering how to best protect data from being destroyed, while still maintaining ease of use and not requiring a subscription to someone else’s computer.
TL;DR – an idea using a very low tech method to make a storage location only occasionally visible and rotate it out with other storage locations.
So, I’d like to steer away from the cloud as a primary backup location just due to it being someone else’s computer, bandwidth required for restore, and that this is just an idea I’m playing with, not a full blown solution. The scenarios I always deployed were local backup first, replicate to the cloud second. But I’m old, who knows.
When that Dharma variant hit my client, everything that computer touched became garbage. Backups deleted. File history deleted. Every share it had access to deleted. A computer I have no idea how it accessed, everything deleted (probably local admin account at one point.) Apps deleted. As far as I know backup software taken over to remove subscriptions to backups, you know, basically like someone with full access was attempting to wipe anything of use.
So what happens when your backup server/app/storage/accounts gets taken over and all your backups that it can touch are wiped? Where are you at? Sure, paying for a lot of cloud storage is an option. It’s a good one I’m not putting down, but it’s also one that not every company can afford or has the bandwidth to support. How soon are we going to see ransomware wiping your cloud backup accounts, or perhaps directing so much traffic that off-site backups never actually make it off site?
My first thought was just the old rotating backup scenario. Plug in a drive, walk said drive out when backups are done and swap with another drive for the next set. Simple, works, whoever is in charge of it has to remember it every single day or the whole thing fails. What happens when someone’s out sick for a week and in comes the data wipe with the same drive attached that’s been there all week? That’s all gone.
Plus what happens if your person in charge of moving data out gets in a wreck, fired, or is sick and can’t get the data back… or just forgets for weeks, months, etc?
So I got the idea for a little device that has a few hard drives in it, only one hard drive works and is accessible at any given time. Any connected computer cannot change which hard drive is active, and for all intents and purposes whichever drive is connected will look the same to the machine it’s plugged into.
So, an example would be drive 1 working Monday and Thursday, Drive 2 works Tuesday and Friday, Drive 3 works Wednesday and Saturday. Etc. The idea is to automate this local backup so a human is not required, but it’s not controlled by a compromised system. Infected computer cannot bring up a drive. Nothing can except time.
Bring out the low tech
For this idea, I’m hypothesizing using 3x 10TB USB-3 drives for on-site backup storage, each plugged into a non-connected digital timer such as this one. Schedules set so that only one of these has power at any given time, and for extra measure probably only has power during the backup window. No reason to leave attackable data on the table longer than is needed.
Each of the drives is plugged into a USB-3 hub, and each drive as it comes online will assume the same drive letter (say G.) It gets connected before the backup starts, and disconnected sometime after the backup ends. Drives only have power and an attack surface for maybe an hour or two a day during backup windows, so unless you’re dealing with a long term ransomware attack chances are you’ve got data from the day or two before sitting there on a drive that’s not capable of being accessed until plugged in.
That’s it, just a rotating not always online local storage solution that would take any remote hacker 3 days to destroy as they cannot, without physical access, turn another drive on. I mean, add hard drives to increase that time, and back it up to the cloud, but that’s the idea.
The cost of course goes up or down depending on what you want to rig, how much storage, etc. I’m a big fan of the cheap-o digital timer that’s not connected in any fashion to the internet.
