It’s official: Ransomware is now the most significant cyberthreat facing organizations worldwide. Cybercriminals are becoming increasingly sophisticated, launching targeted attacks that can cripple businesses and disrupt critical operations.

“Even with a war raging in Ukraine, the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they’re increasingly offered by gangs as a service, lowering the bar for entry into cybercrime.”
Lindy Cameron, CEO, National Cyber Security Centre

In response to growing threats, experts have urged organizations to adopt a security paradigm known as cyber resilience. Unlike traditional cybersecurity strategies that focus on preventing attacks, cyber resilience principles instead emphasize the ability to quickly recover from incidents and minimize their impact.

The most promising technology for achieving cyber resilience is immutable backup storage. Data immutability makes it impossible for attackers to encrypt, modify or delete backup data, ensuring organizations always have a clean backup to restore from. With quick access to a clean backup, an attacker’s ability to extort their victim for a ransom is neutralized.

3 critical flaws in today’s immutability-focused cyber resilience paradigm

The promise of “ransomware-proof” data has seen immutable storage emerge as the central pillar of cyber resilience strategies around the world. In fact, a recent survey found that 94% of IT professionals now rely on immutable storage to defend against ransomware. But despite widespread adoption of supposedly “ransomware-proof” storage solutions, ransomware payouts doubled to more than $1.1B in 2023.

That point bears repeating: “Ransomware-proof” solutions are now widespread and ubiquitous, yet ransomware itself has never been more profitable. If you’re thinking something doesn’t add up, you’re right.
It turns out there are three critical flaws in today’s immutability-focused cyber resilience paradigm that have allowed ransomware actors to continue to flourish despite the widespread adoption of immutable backup storage solutions.

Problem 1: Not all “immutable” storage systems are truly immutable

Immutability is great — in theory. Unfortunately, in practice most “immutable” storage solutions fall far short of delivering on the promise of truly ransomware-proof protection. The reasons for these failures are varied. Some systems make data immutable with scheduled, periodic snapshots that leave open windows of vulnerability. Other solutions fail because they implement immutability only at the API level, but not in the underlying architecture. Simply put, they’re attempting to build an immutable backup system at the software level, but implementing it on top of a core architecture that isn’t itself intrinsically immutable. This creates multiple viable avenues for a skilled attacker to bypass the system’s defenses using common tactics like privilege escalation and time-shift attacks.

You can find a deep dive on these issues in this blog post, but here’s the main takeaway: True immutability can only be achieved by solutions that disallow overwriting and deleting of data at the most fundamental level. Anything less leaves openings a sophisticated attacker can exploit to bypass your defenses and hold your data hostage. As storage systems that offer flawed immutability continue to proliferate in the market, threat actors are becoming more and more adept at exploiting their weaknesses.

Problem 2: The rise of exfiltration attacks

While traditional ransomware attacks focus primarily on encrypting data, modern ransomware gangs have added a new twist to their playbook: Data exfiltration.
Also known as “double extortion,” these attacks involve stealing sensitive data from an organization’s network and threatening to publish it or sell it to the highest bidder unless a ransom is paid.

While rarely seen in the past, exfiltration attacks have exploded in prevalence over the last few years. Today, a staggering 91% of ransomware attacks involve data exfiltration. This meteoric rise can be seen as a direct attempt by threat actors to sidestep the protections afforded by immutability. Because exfiltration attacks don’t rely on encrypting, modifying, or deleting data to extort a ransom, immutability alone is not enough to stop them.

Mitigating the threat of data exfiltration requires a multi-layered approach that secures sensitive data wherever it can be found — in an organization’s production data, in transit over a network, and even in stored backups. Unfortunately, most backup storage vendors have been slow to react to this emerging threat, failing to harden their solutions against common exfiltration techniques.

Problem 3: AI-fueled ransomware is raising the stakes

The issues we’ve identified above in problems 1 and 2 are now being dramatically amplified by problem 3 — the rise of AI-fueled ransomware threats. In cybercrime, AI is a force multiplier. Authorities like the UK’s National Cyber Security Centre warn that AI will allow threat actors to attack more targets more effectively, with greater speed and with increasing sophistication. Specific use cases include the use of large language models (LLMs) to greatly increase the volume and precision of phishing attacks, the development of adaptive malware that alters its own code to evade detection algorithms and mask malicious network traffic, and even the development of AI-powered tools that can guess passwords from seemingly innocuous data like the sound of you typing on your keyboard.
This isn’t just academic, either — the year following the public release of ChatGPT saw a stunning 1,265% increase in phishing activity and a 95% jump in successful ransomware attacks. The era of AI-powered ransomware isn’t on the horizon, it’s here now.

Introducing CORE5: A new standard of cyber-resilient storage

Given the issues described above, it’s clear that immutable backups alone are no longer sufficient to protect against the full range of current and future ransomware threats. That’s why we’re calling on the storage industry to move beyond the paradigm of simple immutability and embrace a new, more comprehensive standard of end-to-end cyber resilience.

This approach encompasses not only the strongest form of true immutability but also robust, multi-layer protections against data exfiltration and other emerging threat vectors like AI-enhanced malware. It means building in safeguards at every level of the system — from API to architecture — to close the door on as many threat vectors as possible. At Scality, we’ve identified five critical levels of safeguards necessary to achieve this ambitious standard of cyber resilience. We call these the CORE5.

API-level resilience

The 2018 launch of Amazon’s immutability API (AWS S3 Object Lock) turned the storage industry on its head. Not only did it provide top-level defense against encryption-based ransomware attacks by implementing the write-once-read-many (WORM) model, it also created a de facto standard interface for popular data protection applications like Veeam Data Platform. What’s more, the fine-grained control the S3 API provides over data immutability allows organizations to comply with even the most stringent industry data retention regulations. These impressive capabilities are simply non-negotiable in a modern storage system.
That’s why API-level immutability sits at the top level of the CORE5 cyber-resiliency framework, and why every Scality product boasts full S3 Object Lock compatibility.

Data-level resilience

Level 2 of the CORE5 framework is laser-focused on one goal — preventing data exfiltration. This means implementing stringent data security protocols everywhere sensitive data can be found. A suitably hardened storage solution should be designed with multiple layers of data-level security, including comprehensive identity and access management (IAM) and cryptographic features, to ensure that backup data cannot be intercepted or accessed by unauthorized parties. At Scality, that means a zero-trust architecture, AWS-compatible authentication and AWS-style IAM features, secure S3 endpoint termination, automated configuration of firewall rules, and AES 256-bit data-at-rest encryption.

Storage-level resilience

If a sophisticated attacker is able to gain root access to a storage server, higher-level protections implemented at the API level can be bypassed, allowing unrestricted access to all data on the server. Advanced, AI-powered methods for defeating authentication controls — such as discerning passwords using only the sound of keystrokes — threaten to make such attacks increasingly difficult to thwart.

To provide resilience in the face of these fast-evolving threats, a storage system must ensure that data is secure even if an attacker is able to penetrate the deepest level of your storage system. Scality solutions solve this problem with distributed erasure coding technology. This advanced technique not only renders storage-level data incomprehensible to attackers (and thus worthless if exfiltrated), it also provides the ability to fully reconstruct any data that is corrupted or lost in an attack, even if multiple drives or an entire server are physically destroyed.

Geographic-level resilience

Data stored in a single location is particularly vulnerable to cyber threats.
By attacking high-value targets like datacenters, cybercriminals seek to extort multiple organizations simultaneously, thereby increasing their chances of successfully collecting a ransom. To protect against single-site vulnerabilities, current storage best practices call for multiple, geographically separated offsite backups. A modern, cyber-resilient storage solution must make this not just possible but practical. That’s why every Scality product is designed from the ground up to make geographic redundancy across multiple sites simple to administer and affordable to implement.

Architecture-level resilience

Just as a building is only as strong as its foundation, a storage system is only as secure as the architecture it’s built on. That’s why the fifth and final level of the CORE5 framework focuses on eliminating vulnerabilities found in the core system architecture.

In an active ransomware attack, one of the attacker’s first priorities is to escalate their privileges. If they can successfully obtain admin credentials, the attacker can then use those credentials to disable or otherwise circumvent API-level immutability protections. If your storage system is built on an inherently mutable architecture like a traditional file system, that means your data will be left completely exposed. Given the rapid proliferation of AI-enhanced hacking tools and malware, any storage system built on such vulnerable architectures is increasingly at risk for architecture-level ransomware attacks.

In contrast, Scality’s solutions are built on native object storage architecture. This means data remains intrinsically immutable, even to an attacker with superadmin privileges, due to the way the system handles data writes to the drive. The effect is simple — no deletes or overwrites, ever. Additionally, all Scality products disallow root access by default, reducing exposure to common vulnerabilities and exposures (CVEs) and a wide range of threats.
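The concern above about admin credentials being used to circumvent API-level immutability shows up directly in how S3 Object Lock is configured: GOVERNANCE-mode retention can be lifted by any principal holding s3:BypassGovernanceRetention, while COMPLIANCE-mode retention cannot be shortened or removed. The Python check below is an added example, not code from the article or from Scality; the dictionaries mirror the S3 GetObjectLockConfiguration response, and the bucket names, sample configurations and 30-day floor are constructed assumptions.

```python
# Added example: audit Object Lock settings for weaknesses that privileged
# credentials could exploit. All sample data below is constructed.
MIN_RETENTION_DAYS = 30  # hypothetical policy floor, not from the article


def audit_object_lock(bucket, config, min_days=MIN_RETENTION_DAYS):
    """Return findings for one bucket's ObjectLockConfiguration (None if absent)."""
    if not config or config.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock is not enabled; versions can be deleted"]

    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Protection then depends on every writer setting retention per object.
        return [f"{bucket}: no default retention; unlabelled writes are unprotected"]

    findings = []
    mode = retention.get("Mode")
    if mode == "GOVERNANCE":
        # Stolen admin credentials with s3:BypassGovernanceRetention defeat this.
        findings.append(f"{bucket}: GOVERNANCE mode can be bypassed by privileged users")
    elif mode != "COMPLIANCE":
        findings.append(f"{bucket}: unknown retention mode {mode!r}")

    # S3 expresses default retention in either Days or Years.
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < min_days:
        findings.append(f"{bucket}: retention of {days} days is below the {min_days}-day floor")
    return findings


# Constructed sample configurations: one clean, three with distinct weaknesses.
SAMPLES = {
    "backups-worm": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}},
    "backups-gov": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}},
    "backups-nodefault": {"ObjectLockEnabled": "Enabled"},
    "backups-plain": None,
}


def audit_all(samples=SAMPLES):
    """Audit every bucket and return {bucket: [findings]}."""
    return {name: audit_object_lock(name, cfg) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

Against a live deployment, the same function can be fed the `ObjectLockConfiguration` element returned for each bucket by the S3 API.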
To become unbreakable, we must go beyond immutability

Fueled by advances in AI, ransomware attacks continue to rise in frequency and sophistication. At the same time, attackers have adopted new strategies like data exfiltration in an attempt to circumvent the protections offered by current immutable backup solutions. The CORE5 framework is Scality’s answer to these emerging threats. But CORE5 is more than just how we do things here at Scality — it’s how we think everyone should do things.

Organizations around the world are fighting every day against bad actors who want to steal their secrets, hold their data hostage, and grind their operations to a halt. And frankly, the good guys are losing.

The new era of ransomware demands a new standard of cyber resilience. If we want to turn the tide in the fight against ransomware, we need to go beyond immutability. That’s why we’re challenging the storage industry to step up their game and meet the CORE5 standard. If they can manage it, we can make the entire internet a safer place to do business.

Consider the gauntlet thrown.