Garmin paid, reportedly millions. Do you sleep well at night knowing that the scourge of ransomware is rampant and ever threatening your business. Is your storage safe enough or have you invested in a storage which was the economical (also to be known as cheap) to your pocket?
I have highlighted this before. NAS (Network Attached Storage) has become the goldmine for ransomware. And in the mire of this COVID-19 pandemic, the lackadaisical attitude of securing the NAS storage remains. Too often than not, end users and customers, especially in the small medium enterprises segment, continue to search for the most economical NAS storage to use in their business.
Is price the only factor?
Why do customers and end users like to look at the price? Is an economical capital outlay of a cheap NAS storage with 3-year hardware and shallow technical support that significant to appease the pocket gods? Some end users might decided to rent cloud file storage, Hotel California style until they counted the 3-year “rental” price.
Here is a table I did in March 2020 for a potential customer who has the idea of using cloud file storage with 20% infrequent access. So
- The capacity is about 250TB
- The egress and API request fees are not included. Only storage costs
- The exchange rate (today: Aug 10, 2020) is USD$1.00 = MYR$4.20
Holy smokes, Batman! That is a lot of money because end users are not Bruce Waynes. A 250TB FreeNAS™ storage crafted with enterprise-grade components using Supermicro servers would probably cost MYR150,000.00 or less. The end user was in a bind.
According to Gartner, the average cost of an IT downtime is USD$5,600 per minute. From the Malaysian businesses point of view, that figure seems relatively big. Let assume that from the Malaysian context, the downtime is USD56.00 per minute, just 1 percent of the Gartner figure. That is about MYR225.00 per minute, MYR324,000.00 per day.
When we contrast the price of a good, hardened NAS storage versus the cost of downtime – MYR150,000.00 vs MYR324,000.00 (per day), it is a no-brainer, right? But why do customers and end users continue to skimp and be stingy with their storage technology investment?
It won’t happen to me
The society worships superiority. Superman makes sense and we see ourselves as invincible. We are played to that tune “It won’t happen to me” over again and over again. We have been conditioned by our society to frown upon vulnerability and the weak, until ….
Let me share a story from 2 years ago. A rather large 3D Animation studio in Malaysia was running QNAP for more than 6 years. Yeah, QNAP was cheap and it was at its limit of 30TB for that particular model. They got hit by ransomware and all their production files were encrypted. They chose not to pay, and decided to redo the entire length of the movie. That took them about 30 days, with about 60 CG artists, video editors and other authors of the content.
In my mind, I did a mental calculation. I am assuming
- The average salary in the 60 people is MYR4,000.00 per head
- So, for the work of 30 days, MYR4,000 x 60 = MYR240,000.00 (~USD60,000.00)
Was it worth is? In Garmin case, paying the ransom seems to be the better option. The ransomware may have brought the USD$3 billion business to its knees and may have decimated the organization as well.
QNAP (and other economical NAS) vulnerabilities
Since that conversation with the 3D Animation studio 2 years ago, I become more aware and acute to security vulnerabilities of economical NAS storage solutions out in the market. Here are a few newsworthy reports:
- eCh0raix Ransomware Found Targeting QNAP Network-Attached Storage Devices – July 2019
- Thousands of QNAP NAS devices have been infected with the QSnatch malware – October 2019
- Attackers Are Wiping Iomega NAS Devices, Leaving Ransom Notes – July 2019
- Ransomware crooks hit Synology NAS devices with brute-force password attacks – July 2019
Naturally, all the affected NAS companies issued their statements that they have fixed the CVE (common vulnerabilities and exposures) but there are probably thousands of economical NAS storage out there unpatched, and not updated to combat ransomware.
Targeting these economical NAS storage does not negate the fact that even the more advanced and higher end NAS storage are free from ransomware. That is why we have to continue to advise businesses and enterprises to remain vigilant. Cyber resilience is one of the key “weapons” to defend against this scourge but not all storage protection solutions are the same.
Was the cost saving worth it?
There are many NAS storage technology companies out there who claimed resiliency and superiority over ransomware. But a good investment is a hardened storage is not enough. Cyber security and cyber resilience are in an ecosystem. The people, processes and technology mix in a constant flux of Tom and Jerry cat-and-mouse game along with the cauldron mix of hell boil and bubble of the 3 witches in MacBeth. And it has to have many layers, just like what Shrek said.
Always remember that there is no such thing as “It won’t happen to me“. In the end, if the value of NAS storage is worth a good night sleep, that is value well spent.