2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Looking back at the history of ransomware, and discussing true CDP and quasi-CDP
Before talking about CDP, a word about ransomware
According to public data, the world's earliest prototype of ransomware appeared in 1989. Written by Joseph Popp, the Trojan got into systems in the form of an "AIDS information guide disk".
Mainland China's first ransomware, the Redplus ransomware Trojan (Trojan/Win32.Pluder), appeared in 2006. The Trojan hides user documents and package files, then uses pop-up windows to ask users to remit a ransom to designated bank accounts.
By the way ransomware attacks a computer and its components, the main types are as follows.
Virus type | Representative
Lock screen encryption ransomware (lock screen, encrypt files) | CryptoLocker, WinLocker
MBR ransomware (encrypted disk) | Petya, NotPetya
Server ransomware ("no file" intrusion server) | Master, wallet, Greystars
File encryption ransomware (encrypting file data) | WannaCry, Aleta
In addition, ransomware that attacks mobile devices deserves everyone's attention. In March 2018, the National Internet Emergency Response Center found a total of 23 varieties of malicious programs such as lock-screen ransomware through independent monitoring and sample exchange. This kind of malware poses a serious threat to users' property and mobile phone security by locking the phone's screen and extorting payment to unlock it. In terms of how mobile users get infected, browsing illegal obscene websites and clicking to download untrusted programs (such as QR code production links) have become the two biggest channels of infection.
As for the mode of payment, the earliest form was a pop-up window prompting the victim to pay to a designated mail or bank account. With the frenzied hype in the bitcoin market in 2013, ransom payments began to shift to virtual currencies, which are more difficult to track.
It turns out that the use of more sophisticated RSA encryption schemes and the emergence of virtual currencies such as bitcoin have accelerated the proliferation of ransomware. The global ravages of WannaCry and EternalBlue were therefore no accident: blockchain, a hot technology in the current information field, hides a devilish side.
CDP can recover data encrypted by ransomware
Protection against ransomware should be analyzed along two dimensions:
The first is preventing and resisting attacks, which requires antivirus software, network and database firewalls, and timely system and application patching.
The second is how to restore data and business quickly after the system and files have been infected. In the past, this meant backing up the system and files in advance; now the more popular scheme is to use CDP technology for data protection.
Backup is the traditional method, and can be divided into regular backup and real-time data synchronization. Compared with CDP, regular backup has two disadvantages. First, backup needs a time window, and for many organizations with 24-hour business, online services cannot tolerate much system downtime for data backup. Second, regular backup cannot guarantee minimal data loss, that is, an RPO close to zero.
For example, suppose a hospital's regular backup strategy is to back up at 12:00 every Monday night. If a ransomware attack hits the hospital on Friday, before the next backup, the data from Tuesday to Friday will be encrypted and lost.
Real-time data synchronization solves the problems of the backup window and the backup cycle, but it has a disadvantage: the damage the ransomware does on the production side is synchronized to the backup side, which causes the whole disaster recovery strategy to fail.
Continuous data protection (CDP) technology solves this problem very well and greatly reduces the RPO. The underlying technical principle of CDP is relatively abstract. In terms of implementation, CDP automatically monitors data, continuously captures data changes, and backs them up accurately and in real time whenever the data changes. In effect, it generates an independent copy of the data on the backup side at the point closest to real time, ensuring that up-to-date data is available for recovery, and this copy is not infected by the ransomware.
At present, mainstream CDP is implemented at several levels, including storage data blocks, storage snapshots, and the operating system I/O layer. Different technical levels give different granularity of data recovery. According to recovery granularity, the industry divides CDP into true CDP (True CDP) and quasi-CDP (Near CDP).
True CDP continuously monitors and backs up data changes and can restore to any point in the past; it is genuine real-time backup and does not cause data loss. Quasi-CDP is close to continuous data protection: there is a delay in data backup, which means there is a risk of partial data loss. Depending on their RPO requirements and disaster recovery strategies, users have great freedom in choosing a CDP solution, but with the growth of data and the acceleration of business informatization, the future trend will be toward true CDP.
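The difference between real-time synchronization, quasi-CDP and true CDP can be shown with a toy block-level change journal. This is an added example, not code from the article or from any vendor; the class and function names, the 60-second interval and the sample timeline are constructed, and the attack start time is assumed to be known from the change log.

```python
# Added illustration; names and sample data are constructed, not from any product.
class Journal:
    """Append-only change log: every write is kept as (time, block, data)."""
    def __init__(self):
        self.entries = []                      # appended in time order

    def write(self, t, block, data):
        self.entries.append((t, block, data))

    def state_at(self, t):
        """Rebuild the disk image by replaying all writes with time <= t."""
        disk = {}
        for ts, block, data in self.entries:
            if ts <= t:
                disk[block] = data
        return disk

def true_cdp_point(journal, attack_t):
    """True CDP: every journal entry is a recovery point; take the last one before the attack."""
    return max((ts for ts, _, _ in journal.entries if ts < attack_t), default=0)

def quasi_cdp_point(attack_t, interval):
    """Quasi-CDP: only periodic points exist; take the last one before the attack."""
    return ((attack_t - 1) // interval) * interval

def sync_replica(journal):
    """Real-time synchronization keeps no history: the replica equals the latest state."""
    return journal.state_at(journal.entries[-1][0])

def lost_writes(journal, point, attack_t):
    """Legitimate writes after the recovery point and before the attack (the RPO gap)."""
    return [(ts, blk) for ts, blk, _ in journal.entries if point < ts < attack_t]

def build_sample():
    """Constructed timeline in seconds: four normal writes, then encryption from t=100."""
    j = Journal()
    for t, blk, data in [(10, 0, "ledger-v1"), (25, 1, "scan-A"),
                         (70, 0, "ledger-v2"), (95, 2, "notes")]:
        j.write(t, blk, data)
    for t, blk in [(100, 0), (101, 1), (102, 2)]:
        j.write(t, blk, "<encrypted>")
    return j

if __name__ == "__main__":
    j, attack = build_sample(), 100
    for name, p in [("true CDP", true_cdp_point(j, attack)),
                    ("quasi-CDP/60s", quasi_cdp_point(attack, 60))]:
        print(name, "point:", p, "state:", j.state_at(p), "lost:", lost_writes(j, p, attack))
    print("sync replica:", sync_replica(j))
```

On this timeline the synchronized replica holds only encrypted blocks, the 60-second quasi-CDP point loses the two writes made after it, and the journal replay recovers every write made before the attack.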
In the market, there are very few vendors of true CDP solutions, and the British side in Shanghai is representative of them. The British CDP technology copies changed data to the disaster recovery center in real time without affecting operations on the primary data, and also records every change to the data in a log so that data changes are traceable. In any situation, it can quickly locate the point in time that needs to be recovered from the data change log and restore the data to the anomaly point with one click.
In the professional disaster recovery field, CDP is applied not only against the encryption of data by ransomware, but also against potential threats such as human error, system crashes and failed system upgrades. On this basis, many industries strictly define the RTO and RPO of disaster recovery projects because of equal insurance requirements for local or remote disaster recovery of important data.
There has always been debate in the industry about how CDP performs on the two important disaster recovery metrics, RTO and RPO. The mainstream view is that, within a generally acceptable cost range, you cannot have both RTO and RPO and can only find the best balance between the two.
At present, CDP still faces many technical difficulties. For example, even though XOR operations can be implemented directly in the chip at high cost, the industry is still exploring how CDP can shorten RTO for data with high-frequency write operations.
Are you also an explorer of CDP technology? Are you also interested in a test of whether CDP can recover from ransomware? You are welcome to follow tomorrow's article about the real CDP test of WannaCry ransomware in the UK.