How to deal with ransomware with a set of architectural solutions?

Mondo Health Updated on 2024-02-01

Ransomware attacks are no longer a hypothetical alarm. Some time ago, LockBit, a world-renowned cybercriminal organization, claimed that it had successfully used ransomware to break into the U.S. subsidiary of the Industrial and Commercial Bank of China and had obtained a ransom after paralyzing multiple business systems, including transaction clearing and email. Our article "How to Strengthen Ransomware Protection with Microsegmentation and Backup Products?" explained ransomware in detail as a cybersecurity threat that holds businesses hostage through their data, and this news gives a first-hand feel for what ransomware costs a business: not only financially, but also through data leaks and business disruption.

To help enterprises better protect data security, the SmartX Hyper-Convergence 5.1 product portfolio upgrades its ransomware response capabilities with an observability platform (based on the SmartX management platform CloudTower), the software-defined networking and security component Everoute, and SMTX Backup and Disaster Recovery. On top of the SmartX hyper-converged architecture, users can actively detect ransomware attacks, block the spread of the virus with one click, and recover lost data safely, giving them a targeted coping strategy for each stage of an infection.

Unlike traditional viruses, ransomware uses encryption algorithms to hijack an organization's critical data, making it difficult even for professional cybersecurity technicians to recover it completely. This means that to be effective against ransomware, an organization needs to stop the virus from entering and spreading before the attacker launches the attack (i.e., encrypts the data), or reduce or avoid the cost of data encryption after the attack. However, in a virtualized hyper-converged environment the number of virtual machines is large and they move frequently, and it is difficult to protect the entire environment strictly by relying only on traditional north-south firewalls and network security products with virus detection and removal functions. So, as Gartner highlights in How to Prepare for a Ransomware Attack, responding to ransomware attacks is a systematic project that requires organizations to deploy solutions at both the application and IT infrastructure levels for the different phases of a ransomware attack.

What capabilities does the IT infrastructure level need in order to deal with ransomware attacks? Based on a number of authoritative reports and guidelines*, we have sorted out the characteristics of each stage of a ransomware attack and how to deal with it (see the table below). In general, a ransomware attack has three stages, "invasion, spread, and attack", and the IT infrastructure correspondingly needs to "identify quickly, isolate laterally, and recover securely", and then help users make further security reinforcements after the fact. This is also the core of SmartX's hyper-converged ransomware attack response.

Combining the traffic visualization capabilities of SmartX observability, the Everoute distributed firewall, and SMTX Backup and Disaster Recovery, users can identify ransomware attacks, isolate infected VMs, and recover data on SmartX hyper-convergence, giving them comprehensive ransomware response capabilities at the IT infrastructure level.

CloudTower Network Traffic Visualization: Proactively alerts to abnormal traffic and quickly identifies ransomware attacks

CloudTower Enterprise Edition provides network traffic visualization that presents the data flows of hosts and VMs in a cluster as graphs and charts. The graphical topology map clearly shows which endpoints have tried to connect to a protected object, helping administrators quickly identify attacks or anomalies in the network. For an in-depth look at this feature, read: Illuminating the "Blind Spot" of Virtual Network Traffic: Hyperconverged Network Traffic Visualization Explained. For example, if an attacker attempts to break in by brute force, the number of connections will skyrocket in a short period of time. CloudTower Enterprise Edition allows you to set a threshold for the number of connections related to a virtual machine, and an alarm is triggered automatically once the number of connections exceeds that threshold. At that point, users can see which VMs have abnormal connections in the network traffic visualization interface and, with Everoute, further isolate the suspicious VMs to cut off their service traffic so that administrators can clean and restore them. At the same time, these observations can be exported to the Security Operations Center (SOC) and combined with security mechanisms such as NDR and SMDR to achieve comprehensive security detection and response for the virtual cloud network.
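The connection-count threshold described above, worked through as an added illustration (this is not CloudTower's own code; the event format, VM names, threshold and window are constructed assumptions): a sliding window counts inbound connections per destination VM, and any VM whose count exceeds the threshold is reported together with the sources that drove the burst.

```python
from collections import defaultdict, deque

# Constructed sample of east-west connection events, shaped like an export from a
# traffic-visualization tool: (timestamp in seconds, source VM, destination VM, port).
# vm-app-7 opens 25 SSH connections to vm-db-1 in 25 seconds, the pattern a
# brute-force attempt produces; the first three rows are normal database traffic.
SAMPLE_EVENTS = [
    (0, "vm-web-1", "vm-db-1", 3306),
    (5, "vm-web-2", "vm-db-1", 3306),
    (30, "vm-web-1", "vm-db-1", 3306),
] + [(40 + i, "vm-app-7", "vm-db-1", 22) for i in range(25)]


def connection_bursts(events, threshold, window_seconds):
    """Return {destination_vm: (peak_count, source_vms)} for every VM whose number of
    inbound connections within any window of `window_seconds` exceeds `threshold`."""
    by_dst = defaultdict(list)
    for ts, src, dst, _port in sorted(events):
        by_dst[dst].append((ts, src))

    alerts = {}
    for dst, rows in by_dst.items():
        window = deque()  # events inside the current sliding window
        for ts, src in rows:
            window.append((ts, src))
            # Drop events older than the window.
            while window and ts - window[0][0] > window_seconds:
                window.popleft()
            if len(window) > threshold:
                peak, sources = alerts.get(dst, (0, set()))
                alerts[dst] = (max(peak, len(window)),
                               sources | {s for _, s in window})
    return alerts


def isolation_candidates(alerts):
    """Source VMs that took part in a burst: the ones an administrator would review
    in the traffic view and, if suspicious, isolate with the distributed firewall."""
    return {src for _peak, sources in alerts.values() for src in sources}


if __name__ == "__main__":
    found = connection_bursts(SAMPLE_EVENTS, threshold=10, window_seconds=10)
    for vm, (peak, sources) in found.items():
        print(f"ALERT {vm}: {peak} connections in 10 s from {sorted(sources)}")
```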

Everoute Distributed Firewall: Isolate suspicious VMs with one click to prevent the lateral spread of viruses

Based on a whitelist model and security policies that automatically follow the virtual machine, Everoute provides micro-segmentation protection for virtual machines in line with zero-trust principles, preventing the lateral spread of ransomware in virtualized environments. To learn more about the product capabilities, read: How SmartX Everoute Enables Zero Trust with Microsegmentation; Sharing Review: SmartX HCI 5.1 Release, Hyper-Convergence but Also a Unified Architecture for Virtualization and Container Production; Everoute 2.0.

Whitelist model: A whitelist-based security policy ensures that east-west access between VMs complies with the principle of least privilege.

"One-click" isolation of suspicious VMs: Suspicious and infected VMs can be isolated with one click, and special access policies can be set for VMs in the Isolated state for O&M operations such as scanning, killing, and restoration.

Tags and Security Groups simplify access control policies: You can use Tags and Security Groups to identify VMs as a service, and the security policies are clear at a glance. VMs can be dynamically divided into "security groups" based on tag combinations, simplifying security policies for discontinuous IP addresses.

Smart strategy stickiness: Security policies can be automatically migrated between different hosts and clusters following virtual machines without the need to reset them.

Visualized observation, policy execution at a glance: Combined with network traffic visualization, users can observe and audit security policies in the visual interface to check whether the policies are taking effect as expected and meet the requirements of security audits.
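The whitelist, tag-based security group and isolation behaviour described in the list above, modelled as an added example (not Everoute's own policy engine; the tags, groups, rules and VM names are constructed assumptions): membership is derived from tags, so a policy follows a VM wherever it runs; anything not whitelisted is denied; and an isolated VM keeps only the ops-scanner rule.

```python
# Constructed inventory: each VM carries the tags an administrator assigned to it.
# Groups are computed from tags, not from host or IP, so a VM migrated to another
# host keeps exactly the same policy (the "policy stickiness" in the text).
VM_TAGS = {
    "vm-web-1": {"app:shop", "tier:web"},
    "vm-web-2": {"app:shop", "tier:web"},
    "vm-db-1": {"app:shop", "tier:db"},
    "vm-app-7": {"app:crm", "tier:app"},
    "vm-scanner": {"role:ops-scanner"},
}

# A security group is a tag combination; a VM belongs to it when it has all the tags.
SECURITY_GROUPS = {
    "shop-web": {"app:shop", "tier:web"},
    "shop-db": {"app:shop", "tier:db"},
    "ops-scanner": {"role:ops-scanner"},
}

# Whitelist rules: (source group, destination group, port). Everything else is
# denied, which is what makes the policy least-privilege.
ALLOW_RULES = [("shop-web", "shop-db", 3306)]

# Rules for VMs in the isolated state. "*" matches any isolated destination, so
# the scanner can still reach a quarantined VM over SSH to clean and verify it.
ISOLATED_RULES = [("ops-scanner", "*", 22)]


def groups_of(vm):
    """Security groups a VM belongs to, derived from its tags."""
    tags = VM_TAGS.get(vm, set())
    return {name for name, required in SECURITY_GROUPS.items() if required <= tags}


def is_allowed(src, dst, port, isolated=frozenset()):
    """Evaluate one east-west connection. `isolated` is the set of VMs an
    administrator has put into the isolated state."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    if src in isolated or dst in isolated:
        # An isolated VM loses all normal service traffic in both directions and
        # keeps only the ops rules, so an infected VM cannot spread further.
        rules = ISOLATED_RULES
        if dst in isolated:
            dst_groups = dst_groups | {"*"}
    else:
        rules = ALLOW_RULES
    return any(sg in src_groups and dg in dst_groups and p == port
               for sg, dg, p in rules)
```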

In addition, with the Everoute Container Plugin, users can extend the distributed firewall capabilities to containers managed by SMTX Kubernetes Service (SKS) to achieve flat container network connectivity and Kubernetes network policies, further enhancing the virtual network security of container environments.

SMTX Backup and Disaster Recovery: Securely restore backup data to maintain production and reduce losses

The SMTX Backup and Disaster Recovery product combines the existing SMTX Backup & Recovery with the asynchronous replication built into SMTX OS to provide comprehensive data protection and disaster recovery for virtual machines running in SMTX OS (ELF) clusters. To learn more about the product capabilities, please read: SmartX Launches Data Protection Product SMTX Backup & Recovery - SMTX Backup & Disaster Recovery. For ransomware scenarios, users can use the backup and recovery module to back up VMs running on the ELF platform to NAS storage outside the cluster (custom execution periods, time windows, and retention policies are supported). After an attack, users can rebuild VMs from local (scheduled) snapshots and use Everoute's one-click isolation to place the recovered VMs in the isolated state; once cleanup and validation confirm that a VM is clean and secure, it is released from isolation and put into production. Alternatively, users can use the replication and recovery module to rebuild the virtual machine in an off-site environment, clean and verify it there in the isolated state, and then put it into the off-site production environment or move it back to the original environment.

Non-intrusive: No changes are required inside the guest VM, and the customer's business is not affected.

Easy to manage: Configure and use three components on a unified CloudTower interface.

No dependency: The three functions can be enabled separately, but used together they provide better protection against ransomware attacks.

In addition to ransomware protection, SmartX Hyper-Convergence 5.1 also comprehensively improves product components such as virtualization, distributed storage, system O&M, disaster recovery, migration, and Kubernetes management. For more product features and technology upgrades, please read "SmartX Hyper-Convergence Technology Principles and Characteristics Analysis Collection (5.1 Update)".

Reference reports:

1. Ransomware Security Protection Manual, China Academy of Information and Communications Technology, 2021

2. How to Prepare for Ransomware Attacks, Gartner, 2022

3. Ransomware Prevention Guidelines, National Computer Network Emergency Response Technical Coordination Center, 2021

4. 2023 China Enterprise Ransomware Attack Situation Analysis Report, Qianxin, 2023
