Top Three IBM i Ransomware Solutions
September 16th, 2024
5 min read
Ransomware is the computer’s boogeyman – a nightmare that haunts the dreams of every IT and finance director around the world. Attackers deploy malware to encrypt files, and then demand a ransom (hence the name) in exchange for a decryption key. A ransomware attack derails business as usual, can jeopardize sensitive operations, cost thousands of dollars in lost revenue and time, and generally cause company-wide inconvenience.
And at the end of the day, if you don’t pay up, you’re out of luck. If you do, you’re out of money.
But if you are prepared in advance by installing ransomware prevention methods and using best practices, you don’t have to worry about either. ERP Suites has been a trusted IBM i managed services provider for nearly 20 years. We offer a number of regular checks and balances, like monitoring, security, performance maintenance, disaster recovery, AirGap solutions, and more.
Of course, malicious actors don’t care what kind of system you’re operating on when they make their move. IBM i is known for robust security features, but it’s not entirely immune to ransomware attacks. It’s important to be as vigilant as possible for your specific OS.
In this article, we’ll look at the top three ways to protect your IBM i from ransomware:
- Ransomware insurance
- Immutable copies and air gap solutions
- Third-party software and hardware-level storage monitoring
What is Ransomware?
It’s helpful to understand the enemy before launching an attack. The same goes for ransomware. Ransomware is malicious software that seeks to infiltrate a network by any means necessary, encrypting any files or databases possible so they can demand a ransom or money.
These malicious actors tend to be located in foreign countries, such as China and Russia. Often, these hackers are part of larger teams trying to break into companies and extort money, and sometimes, they’re simply looking to cause chaos.
The first signs of a ransomware attack are unmistakable: Your files may be renamed or have a strange extension, such as .crypt or .locky. A ransom note often appears on your screen, demanding payment to restore your access. Sometimes, you could be locked out of your computer altogether - it can be frozen, or inaccessible. Other signs can include disabled security software, receiving suspicious emails or attachments, unfamiliar and unusual login attempts, and unusual network traffic or slow performance.
However you boil it down, ransomware attacks are time-consuming, potentially financially draining, and a business liability.
What Are Known Security Vulnerabilities for IBM i?
In today’s current security landscape, it’s impossible to totally eliminate all potential weak spots within your system. So it’s important to know what those vulnerabilities are to be prepared for any possible attacks. By understanding how malware and ransomware can creep into your IBM i, you can be better prepared to prevent it from happening at all.
Single Sign-On Wormholes
Single sign-on (SSO) utilizes one set of credentials to access or login to multiple applications and websites, eliminating the need to manually sign on multiple times. By definition, this can present a potential security threat, because if that initial access point is not properly protected, a wormhole into the entire IBM i system can be created.
IBM i customers may be surprised by how far the ransomware can dig into their system thanks to SSO, so implementing the SSO must be undertaken carefully. In fact, some customers are taking the opposite approach: SSO is only allowed for certain things and resources, and for some, SSO has been eliminated altogether.
SMBs and QNTC Access Points
One of the primary vectors for ransomware infiltration in IBM i environments is through misconfigurations or vulnerabilities in SMB (Server Message Block) shares and QNTC.
An SMB share is a specific directory or folder on a server that is made accessible to other computers on the network. If a customer has an existing misconfigured SMB share, a ransomware network can find that misconfiguration and use it to spread across their network.
QNTC is a file-sharing protocol used on IBM i systems, allowing users to access files and directories on an IBM i system from other devices, such as Windows PCs or Linux servers, over a network. Threat actors can exploit these access points to encrypt critical data and disrupt operations.
Sometimes, though, no matter how many provisions are put into place, it’s beneficial to have a plan in place in case the worst happens.
How Ransomware Insurance Helps After An Attack
As ransomware attacks continue to escalate in frequency and force, many larger and medium-sized companies are finding ransomware insurance is now a business necessity. Just like you would purchase any other insurance, ransomware insurance protects a company’s assets and instills a sense of confidence in the company for employees and customers.
Providers typically impose strict criteria organizations must meet to maintain and even obtain their policies. These requirements can include implementing specific data protection and recovery strategies to ensure business continuity in the event of a successful attack.
Ransomware insurance can cover the cost of ransom payments demanded to decrypt sensitive files; incident response costs such as forensic investigations, legal fees, data recovery and public efforts to manage any reputational damage; business interruption losses; data restoration and recovery; legal defense and regulatory costs; and extortion costs in cases where cybercriminals threaten to release stolen data if a ransom is not paid.
Rather than serving as a single layer of protection, ransomware insurance should be part of a broader cybersecurity strategy that includes robust preventive measures, employee training, and an incident response plan. By understanding the scope of coverage and working closely with insurance providers, businesses can better prepare for and mitigate the risks associated with ransomware.
Understanding Immutable Copies and Air Gaps
Other requirements made by ransomware insurance providers include immutable copies and air gap solutions. An immutable copy is created through a partition, or a set of volumes or virtual discs that duplicate your environment. It is a data backup that cannot be altered, deleted, or changed in any way. That permanence is particularly useful in two ways.
First, having an immutable copy means that if a company experiences a ransomware attack, it is able to recover and bring their environment back online sooner rather than later. Most customers choose to have their immutable copies cover one to seven days, to aid their potential recovery process and also meet insurance requirements.
Second, an immutable copy can be particularly useful for providing a contextual snapshot of the environment at the time a ransomware attack occurs. With that information, the insurance provider and the company can identify potential security breaches that may have occurred and identify solutions for avoiding them in the future.
In the context of IBM i, an air gap refers to a physical or logical separation between your IBM i system and the external network. This means that the IBM i system is completely isolated from the internet and other external networks. There are a few methods to create an air gap solution.
You can try physical isolation, which entails physically disconnecting the IBM i system from the network. You could also try logical isolation. This involves creating a separate network for the IBM i system. Finally, you can try a data transfer method. This transfers data between the IBM i system and an external network through USB drives or virtual or physical tapes.
These physical forms function as a type of immutable copy, too, in that they also cannot be overwritten.
Using Third-Party Software and Hardware-Level Storage to ID Attacks
When a ransomware attack happens, your system’s activity skyrockets through the proverbial roof. That’s because the ransomware is trying to write to any and everything within your system, to cast a wider malicious net.
In fact, your storage capacity can be a highly useful indicator of a ransomware attack. If you find that your storage is exploding in use to a million IOPs per second, this can indicate an attack. You’ll get an alert from our system that an abnormal storage spike is occurring. This alert enables you to track that anomalous activity.
Third-party software is another tried-and-true option for beefing up your IBM i security. Just as there are options that align with your PC, there are different providers specific to IBM i. Take Fortra, for example. Fortra creates software that monitors for changes on specific files in your system.
A Multi-Tiered Approach to Ransomware Attack Prevention is Best
The best security method for your IBM i encompasses the three methods we outline above. We recommend and implement immutable copies of partitions as a rule for our IBM i customers. Backups are a familiar course of action – most of our IBM i customers still perform backups on a daily basis.
Ultimately, encryption at rest will not adequately protect you from ransomware. That’s why it’s important to understand how different methods of IBM i ransomware protection work, and how they can help you.
Want to learn more about IBM i? Attend our free webinar on September 25.
Leyla Shokoohe is an award-winning journalist with over a decade of experience, specializing in workplace and journalistic storytelling and marketing. As content manager at ERP Suites, she writes articles that help customers understand every step of their individual ERP journey.
Topics: