Spectra Logic, a provider of secondary storage, is known for its tape libraries, such as TFinity, and data management approaches with StorCycle and BlackPearl solutions. The company, founded by Nathan Thompson more than 40 years ago in Boulder, Colorado, covers 80 countries with over 20,000 installations. It is a well-established company in the storage industry, but its story illustrates that ransomware targets any company of any size in any sector.
On May 7th, 2020, some people within the company noticed that something wasn’t working as usual, and received new messages stating that files were starting to be encrypted by Netwalker. Server after server, things moved in the wrong direction: the data centre returned no positive responses, and the situation was only getting worse. Later in the day, Spectra Logic management decided that major action must be taken, and turned to the FBI for help, advice and recommendations, but also to share its experience.
The company received a demand to pay a $3.6 million ransom to stop the damage and start recovering from the attack. Four days after the attack was first discovered, drawing on expertise provided by Spectra’s cyber insurance company, Spectra management decided not to pay up, and set some actions in motion to at least continue its deep investigation.
About a week later, around the 18th May, Spectra’s IT team had carried out enough recovery actions to allow the company’s infrastructure to become fully operational once again. It took three more weeks to finish the process, and declare that the impact was over.
The way Spectra protected, recovered and restarted its business prompted the company to consider how these lessons and actions could benefit its customer base and others. From this, the company realised that it’s about people and technology, coupled with key decisions at the right moment.
The attack generated lots of ideas for the company, resulting in a program named ‘Attack Hardened’, which involves a review of all products and the addition of specific features that could help in similar situations.
Across its three product lines (tape libraries, BlackPearl and StorCycle), the new capabilities listed below were added to strengthen the products’ behaviour during such an attack:
- Tape libraries: the addition of a media isolation zone within the library, to maintain a soft air gap and prevent attacks from ‘touching’ cartridges in that zone, as well as a stronger air gap if needed. Additionally, all tapes are to be encrypted at rest without any additional charges for the customer.
- BlackPearl: snapshots are scheduled, for immutable storage, to improve recovery point objective (RPO) and limit potential data divergence. Multi-factor authentication was added to make intrusion harder, and a snapshot mechanism was implemented, with backup software like Veeam and Commvault, among others on request. In addition, various replication/remote copies are offered to increase data redundancy and limit threat proliferation on the data surface.
- StorCycle: encryption was added, and snapshots are now able to be stored on BlackPearl NAS; disk, tape and cloud are all supported to make things seamless, more comprehensive and simpler. A data mover engine was also added, for moving data to avoid keeping it on the same media, or in the same location or storage unit, thus creating an isolation zone.
This demonstrates a very positive reaction from Spectra Logic: firstly, the company shared its story and lessons learned, before immediately considering the addition of specific features to enhance its protection against ransomware threats.