How an email archive can mitigate a ransomware attack
Rackspace was hit by a serious ransomware attack last Friday, causing an outage of its Hosted Exchange service.
The incident looks serious: Rackspace is still struggling with the recovery and even advises customers to move to a competitor, namely Microsoft 365. Rackspace pays for a Microsoft E1 plan for its customers so that they can restore service. The process involves creating a Microsoft 365 tenant and updating some DNS entries.
Unfortunately, not all Rackspace customers have the technical skills to perform the migration, even though Rackspace provides the necessary instructions. Worse, even if a customer completes the required steps, users can only access emails sent or received since the migration. What about all the previously existing, business-critical emails?
What is ransomware?
Ransomware is malware that encrypts every file it can access, rendering them unusable. Say you have a Word document. The ransomware modifies it so that no application, not even Word, can open it, so it is useless to you. The malicious activity is not limited to the local computer: files on mounted network shares are affected as well. Any file your computer can access is doomed, no matter where it is located.
The attackers behind the scheme usually demand a fee (hence the name ransomware) in exchange for the decryption key needed to restore the original files and resume normal operations. Without the key it is practically impossible to get the original files back. Unfortunately, paying the ransom is no guarantee that you will receive the key.
What is unlikely to work
Some companies offer solutions along the lines of: let the Rackspace customers' users extract their current emails, either from the Rackspace Archive Service (if they were fortunate enough to have ordered it) or from Outlook on the users' computers, and then import those probably hundreds or thousands of PST files manually. Anyone who has worked in IT support can see why this approach won't work as expected.
There are also plenty of articles on the Internet describing the countless issues with PST files and how fragile they are.
How an email archive can help
An email archive stores a copy of all your emails in a secure manner. The good news is that email archives run on separate computers, so it is difficult, though not impossible, for ransomware to infect the archive in the first place. Rackspace's own archive service is reportedly not affected by this incident.
But what if ransomware somehow manages to infect the email archive? Some archive products support storing archived emails on an S3 object store, such as the Amazon S3 service, MinIO, and so on.
An S3 bucket has several properties that mitigate a ransomware attack. For starters, you can deny all delete operations, so an attacker cannot simply remove the archived files.
Then you can turn on versioning. It does not stop the attacker from modifying the archived files; however, each modification creates a new version of the same object. Version #1 of the object still holds the original data, and any subsequent versions hold the modified, probably encrypted, data created by the attackers.
When the company discovers the incident, it can easily revert or discard all modifications made since a given date, thus restoring the original data and getting all emails back. MinIO, for instance, has a nice feature for this in its client application.
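The two bucket properties described above, a delete-denying policy plus versioning, and the point-in-time rollback they make possible, can be scripted against any S3-compatible store. The following is an added example written for this post; it is not code from the original article, from MinIO or from any archive product. It assumes a boto3-style S3 client passed in by the caller (the bucket name, the incident timestamp and the object listing are constructed sample data), and it restores by copying the last clean version on top of the key rather than deleting the attacker's versions, so it works while deletes are still denied. It also handles two edge cases the paragraph does not spell out: keys that only appeared after the cutoff (a dropped note), and keys that had already been deleted legitimately before the incident.

```python
"""Protect a versioned S3 archive bucket against deletes and plan a
point-in-time rollback of every object changed after a cutoff.

Added example, not part of the original post or any archive product.
Assumes an S3-compatible endpoint (Amazon S3 or MinIO) reached through a
boto3 client supplied by the caller; the planning logic runs offline on
the same shape that list_object_versions returns."""
import json
from collections import defaultdict
from datetime import datetime, timezone


def deny_delete_policy(bucket):
    """Bucket policy that refuses deleting objects and object versions, and
    refuses switching versioning off, for every principal.  s3:PutBucketPolicy
    is deliberately not denied, so an admin can lift it when needed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyArchiveDeletes",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                       "s3:PutBucketVersioning", "s3:DeleteBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def apply_protection(s3, bucket):
    """Enable versioning first, then install the policy: once the policy is
    in place nobody, including the caller, can change the versioning state."""
    s3.put_bucket_versioning(Bucket=bucket,
                             VersioningConfiguration={"Status": "Enabled"})
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(deny_delete_policy(bucket)))


def plan_rollback(versions, delete_markers, cutoff):
    """Work out, per key, which version was current just before `cutoff`.
    `versions` and `delete_markers` are the two lists list_object_versions
    returns.  Returns (restores, foreign): restores are {Key, SourceVersionId}
    pairs for objects overwritten or deleted after the cutoff; foreign are keys
    that did not exist before the cutoff at all."""
    history = defaultdict(list)
    for v in versions:
        history[v["Key"]].append((v["LastModified"], "version", v["VersionId"]))
    for d in delete_markers:
        history[d["Key"]].append((d["LastModified"], "marker", d["VersionId"]))

    restores, foreign = [], []
    for key, events in sorted(history.items()):
        events.sort()
        if events[-1][0] < cutoff:
            continue                     # nothing touched since the cutoff
        before = [e for e in events if e[0] < cutoff]
        if not before:
            foreign.append(key)          # only ever existed after the cutoff
            continue
        _, kind, version_id = before[-1]
        if kind == "marker":
            continue                     # legitimately deleted before the cutoff; leave it deleted
        restores.append({"Key": key, "SourceVersionId": version_id})
    return restores, foreign


def apply_rollback(s3, bucket, restores):
    """Server-side copy of the clean version back onto the key.  This writes a
    new current version and needs no delete permission, so the deny policy can
    stay in force during recovery."""
    for r in restores:
        s3.copy_object(Bucket=bucket, Key=r["Key"],
                       CopySource={"Bucket": bucket, "Key": r["Key"],
                                   "VersionId": r["SourceVersionId"]})


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample listing, shaped like a list_object_versions response.
INCIDENT_START = _ts("2022-12-02T00:00:00")
SAMPLE_VERSIONS = [
    {"Key": "2022/11/20/msg-0001.eml", "VersionId": "v1", "IsLatest": False, "LastModified": _ts("2022-11-20T09:12:00")},
    {"Key": "2022/11/20/msg-0001.eml", "VersionId": "v2", "IsLatest": True, "LastModified": _ts("2022-12-02T03:41:00")},   # overwritten (encrypted)
    {"Key": "2022/11/21/msg-0002.eml", "VersionId": "v1", "IsLatest": False, "LastModified": _ts("2022-11-21T14:05:00")},  # deleted, see marker below
    {"Key": "2022/11/15/msg-0003.eml", "VersionId": "v1", "IsLatest": True, "LastModified": _ts("2022-11-15T08:00:00")},   # untouched
    {"Key": "RANSOM_NOTE.txt", "VersionId": "v1", "IsLatest": True, "LastModified": _ts("2022-12-02T03:50:00")},           # did not exist before
    {"Key": "2022/10/01/msg-0004.eml", "VersionId": "v1", "IsLatest": False, "LastModified": _ts("2022-10-01T10:00:00")},
    {"Key": "2022/10/01/msg-0004.eml", "VersionId": "v3", "IsLatest": True, "LastModified": _ts("2022-12-02T04:00:00")},   # re-created over an old delete
]
SAMPLE_MARKERS = [
    {"Key": "2022/11/21/msg-0002.eml", "VersionId": "v2", "IsLatest": True, "LastModified": _ts("2022-12-02T03:45:00")},   # attacker delete
    {"Key": "2022/10/01/msg-0004.eml", "VersionId": "v2", "IsLatest": False, "LastModified": _ts("2022-10-05T10:00:00")},  # legitimate retention delete
]

if __name__ == "__main__":
    restores, foreign = plan_rollback(SAMPLE_VERSIONS, SAMPLE_MARKERS, INCIDENT_START)
    print("restore:", restores)
    print("keys that did not exist before the incident:", foreign)
    # apply_protection(boto3.client("s3"), "mail-archive") and
    # apply_rollback(boto3.client("s3"), "mail-archive", restores) would run this for real.
```

Against the sample listing the plan restores msg-0001 and msg-0002 from their v1 copies, leaves msg-0003 alone, reports RANSOM_NOTE.txt as foreign, and leaves msg-0004 deleted because it had already been removed before the incident. Run the planner against a real listing first and review the output before calling apply_rollback; the foreign keys are the ones to inspect by hand.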
Other measures against ransomware
You need a disaster recovery plan (DRP) well before such an incident happens to you. The DRP should cover not only emails but other business-related data stored on-premises as well. Perform regular backups and store them in redundant places; at least one copy should be off-site to limit the blast radius. And do not forget to educate users regularly on how not to fall victim to such attacks.