Imagine you're the enterprise admin for your company and your CIO has just informed you that a new application server is needed for the HR department. So, what do you do? Create a new virtual server, of course—it’s automatic today.
Within a 15-year period, enterprises have abandoned the practice of purchasing bare metal servers and adopted the convenient practice of spinning up VMs in less time than it takes to drink your morning coffee. Server admins are programmed now to virtualize everything they can. Unfortunately, that often includes the server that hosts the backup system.
Virtualizing your backup-managing server may not be a good idea today. The objective of a ransomware gang is to inflict as much pain as possible on your enterprise to maximize the probability of a ransom payout. The more servers and data stores they can encrypt, the greater the likelihood of a profitable payday. This makes your virtual server infrastructure a prime target.
The proposed battle plan goes something like this. First, they shut down all your virtual servers. Then they encrypt all the virtual data stores. If you use VMware, the final step is to destroy your vCenter server. With everything encrypted, the only means of remediation is to restore your backups, but that will prove impossible if your backup system resides in the same virtual environment that was just taken out.
While it may seem outdated, it’s recommended to use a physical server for your backup system management machine, rather than a virtual one. This will give you greater resiliency in the event of a ransomware attack.
The bare metal server needs to be isolated in a separate zone that’s partitioned by a next generation firewall (NGFW) to scrub incoming traffic of viruses and suspicious code. Sometimes it’s tempting, for the sake of convenience, to leave the localized OS firewall on a server disabled if you’re unfamiliar with the open port requirements for an application such as a proprietary backup system.
Resist this temptation. Convenience is what ransomware feasts on. Make sure that the local firewall is properly configured to allow only traffic that originates from stated IP addresses and destined for specific ports. Whether you use a SAN, NAS, or the internal drive space of a hyperconverged infrastructure appliance, store your backups on a separate, secure repository. You can’t recover the data stored on your SAN if your backups are encrypted, too.
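One way to put that local-firewall rule into practice on a Linux bare-metal backup server, as an added example that is not part of the article: a small POSIX shell helper that emits an nftables ruleset with a default-deny input chain, admitting the backup ports only from a named set of peer addresses. The peer IPs, the port numbers and the table name `backup_fw` are constructed placeholders; substitute the hypervisor/management addresses and the port list your backup vendor documents.

```shell
#!/bin/sh
# Added example: generate a default-deny nftables ruleset for a bare-metal
# backup server's local firewall. Only the listed peers may reach the backup
# ports; everything else is dropped and a rate-limited sample is logged.
# All addresses and ports here are constructed placeholders.

# gen_backup_fw_rules "<space-separated source IPv4s>" "<space-separated TCP ports>"
# Prints an nftables table to stdout; apply with:  nft -f backup_fw.nft
gen_backup_fw_rules() {
    peers=$(printf '%s' "$1" | sed 's/ /, /g')
    ports=$(printf '%s' "$2" | sed 's/ /, /g')
    cat <<EOF
table inet backup_fw {
    set backup_peers {
        type ipv4_addr
        elements = { $peers }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # only the listed hypervisor/management hosts may open the backup ports
        ip saddr @backup_peers tcp dport { $ports } accept
        # anything else falls through to the drop policy; log a sample for detection
        limit rate 5/second log prefix "backup_fw drop: "
    }
}
EOF
}

# fw_is_default_deny "<ruleset text>"
# Exit status 0 when the input chain drops by default, 1 when it accepts
# (the "convenient" misconfiguration the text warns against).
fw_is_default_deny() {
    printf '%s\n' "$1" | grep -q 'hook input.*policy drop;'
}

# Constructed sample: a vCenter address plus two hypervisor hosts, and three
# hypothetical backup-service ports. Replace with your own inventory.
RULESET=$(gen_backup_fw_rules "10.10.5.10 10.10.5.11 10.10.5.12" "22 9392 10006")
printf '%s\n' "$RULESET"
```

The generated file is meant to be reviewed and then loaded with `nft -f`; keeping the peer list in a named set makes later audits of "who may talk to the backup server" a one-line check rather than a hunt through individual rules.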
Whether you use VMware or Microsoft Hyper-V, chances are it took a little (or a long) while to create your virtual infrastructure from scratch. Odds are that in the aftermath of a ransomware attack, you’ll need to do it again.
This makes it crucial to have a recovery checklist on hand that includes all the IP addresses of the involved infrastructure components as well as other pertinent configuration notes. If the ransomware attackers manage to take down your vCenter, you’ll need to know the root passwords of your ESX servers. For Hyper-V, you’ll need to have the local admin credentials documented. Do not rely on a password manager that might be inaccessible after the attack.
While it’s unusual to prioritize a physical server in today’s digitally connected world dominated by virtualization and cloud computing, using an old-school approach can prove highly effective when protecting your fleet of virtual servers and the infrastructure that encapsulates them from ransomware.