Protect Your Data from Ransomware with Pure Storage

By Keith Thuerk | SCIFI Future | 10 Jan 2022

Protect Your Data from Ransomware with Pure Storage



Ransomware has been around for more than a decade, however, it has really taken its toll on the US Critical Infrastructure this year (Oil and Gas delivery and Food Industry are just a few public examples.) Know, it’s not a matter of IF, but WHEN you are attacked!

According to Gartner, by 2025, at least 75% of IT organizations will face one or more ransomware attacks. What’s worse - it is not uncommon for an attacked Enterprise to be hit by another attack perhaps via a different uncovered exploit.  Ransomware attacks were up 700% in '20, and we expect to see these attacks rise as Digital Transformation efforts increase attack surfaces and potentially unsecured offerings.


Fourth Industrial Revolution

Data is powering the Fourth Industrial Revolution. Are you playing data driven defense or are you guilty of not modernizing your Data protection offering and architecture? Stealthy attackers will take their time and probe until they gain the right access.

Are you still utilizing the old 3-2-1 Data protection methodology to protect your data? Are you aware that Data protection model has been updated to 3-2-1-1?  Which translates to 3 copies of data, 2 media types, 1 copy off-line and 1 copy off-site in an immutable state.  How many of these can you ensure are being successfully performed each day/week/month for your enterprise?

I would add one more: You need to audit your online backups to make sure they are secured and have not been modified. When was the last time they were validated by performing a data restore operation?


Effective Protection

A layered defense against attackers has always been the rule from IT Security, and it applies to Ransomware defense too.  How many layers of defense do you have applied to your enterprise data?  Does your data protection methodology apply to all your data or just SAP, Oracle, and SQL data… or does it include all your data?


Are you leveraging Pure Storage data protection layers for your data? If not, you should be. They have a series of storage capabilities which put them in a leadership position for companies offering effective protection against ransomware. Here are the basic data protection foundations offered by Pure and performed exceedingly well.

  • Data Encryption at Rest (aka D@RE) protects data so that if it is exfiltrated it cannot be directly read by anyone. Pure’s D@RE function is always on, and it auto-regenerates keys every 24 hours. More importantly any time a drive failure occurs, or a drive is pulled a key change event takes place. Pure Storage FlashArray deploys industry leading AES-256 standard for data-at-rest encryption. All the algorithms used for data encryption, key generation and key protection are NIST certified. Additionally, the FlashArray's crypto module is FIPS-140-2 certified. Additionally, it supports KMIP (Key Management Interop Protocol) so it works with your external Key Manager if you choose.


  • Immutable Snapshots are essential for protecting data from modification and deletions. These point in time (PiT) recovery points can be leveraged for rapid restores for mitigating business or disaster scenarios. The Snapshots are thin provisioned (TP) as well and consume no space until the primary data is deleted and only a pointer remains.  Then it starts consuming capacity. Another use case of immutable snaps is restoration to other volumes instead of source volume for further forensic analysis, which is critical after a ransomware attack.
  • Replication – As you know Replication is table stakes for all storage vendors at this point in the IT industry. However, sending your data to a Disaster Recovery or Colo location is vital to protecting enterprise data. I would add, ensure you are using a set of restricted user IDs only for Replication and turn on auditing for replication too.
  • ActiveCluster (aka Metro Cluster) – is a Sync replication offering within a metro area and provides a local set of copies in the same geographic area although off-site from the primary copies. Perhaps the metro cluster is the hub for your replication strategy out of the region to another power grid? Or you leverage these copies for Dev/Test operations. The flexibility is nearly limitless.
  • Snap to FlashBlade – Sending Snapshots to the Pure Storage’s Unified Fast File and Object platform is a great landing zone for warm or cold data storage. Again, copies are off the primary storage on another target.
  • Snap to NFS - is another Pure tiering function allowing data tiering to S3 target(s) or Pure Storage FlashBlade. Supporting NFS V3 and V4 brings another layer of security to NFS offerings from the tested Network Lock Manager (NLM) feature.
  • CloudSnap which is a self-service cloud offering allowing you to send data to the Cloud quickly. Copying your snapshots in the Cloud(s) equates to off-site data storage and adds another layer of security to your protected copies as they are typically sent via a different protocol and credentials. Also, it is important to point out that Cloud snaps are sent to the Cloud in an encrypted format and thus not directly readable by anyone without the keys.


Pure Storage Ransomware Protection – SafeMode

What is SafeMode? Data Protection offerings alone are not enough to stop Ransomware you need a powerful tool in your toolbox. SafeMode is that tool!

  • SafeMode is a separation of control functions (aka Permissioned Air-Gap) necessary for a defense in depth strategy.
  • SafeMode works by preventing rogue admins and attackers from deleting backups, snapshots. Another huge benefit SafeMode prevents attackers from encrypting backups, snapshots, or logs to cover their tracks while making your life miserable.
  • Put another way, SafeMode is an Out of Band (OOB) management construct empowered by Multi-Factor Authentication (MFA) access for up to five (5) enterprise ID's and restricted access to your backed up and snapped data sets combined with an additional layer of control.
  • The additional layer of control comes from restricting access to these data points by requiring direct assistance from Pure Storage Support. Pure Support can enable restore or delete efforts in conjunction with your approved Id’s.
  • SafeMode is built into FlashArray and FlashBlade platforms and available at no additional cost. Additionally, it is one less skill to develop while managing day to day operations and protecting enterprise data from Ransomware attacks.

How does SafeMode work?

  • Working together via two (2) enterprise Id’s and Pure Support concurrently, to perform any actual delete functions against backups or snapshots. Think of the military requiring two sets of keys to turn on nuke silo functions.
  • Manual eradication is disabled preventing attackers and rogue admins from hiding their tracks
  • Under the covers in SafeMode the native Pure Storage eradication timer is configurable allowing extension from 24-hours all the way out to 30-days.

What is protected by SafeMode?

  • Backups – integration with most modern data protection solutions.
  • Snapshots and snapshot retention
  • FlashArray Files (recall as of V6.0 Purity OS enabled multi-protocol support (SMB and NFS) on FlashArrays.
  • ProtectionGroup targets (pgroup targets)
  • SafeMode is integrated with backup and snapshot functionality and has fully customizable values for your enterprise requirements.
  • If a restore is required, rest assured restores will be fast as it’s all designed and integrated into the Pure Platforms and will take place at Flash speeds.

How to manage SafeMode?

  • Manage SafeMode from Pure1 console. No need for additional tools or skills, reinforcing Pure Storage simplicity from Day 1.

SafeMode Best Practices?

  • I highly recommend you keep the five (5) enterprise ID’s ultra-secret as well as their assigned pins. As I would not overlook Hackers seeking out this information to try and spoof your identities and attempt to work with Pure Support and gain delete rights over your protected data.
  • Recall, enabling SafeMode does not eliminate the need for basic data protection layers. SafeMode is an additional layer of protection for your data.


What is the cost of inaction? According to a recent industry survey shows the average cost for Ransomware recovery was $1.85M in 2021 (up 2x from 2020 costs of $761,106). So, the cost of doing nothing is immense.  Understanding your enterprises per minute or hourly outage costs are essential for your enterprise to fully understand and plan for restore timeframes.  If a restore event takes you months your enterprise might not recover due to damage to reputation, lost opportunities, etc.  How long is too long for you to be down just recovering data? Did you know, the average ransomware attack restore timeframe is 16.2 days long? How will your enterprise handle being down that long? Pure Storage data protection and Ransomware mechanisms are vital to protecting your backup data sets and your enterprise in a rapid and simple manner.


These forms of attack require planning and preparation and your approach must be the same in-order to protect corporate Gold, your data!  Having the ability to rapidly restore clean and protected data (immutable) is essential in today’s fast paced business environment. Pure Storage and their Ransomware protection combined with their data protection methods provide you with the layers of protection to be successful in the battle against Ransomware. How many critical points did you learn from this piece today?  How long before you adopt them for your Ransomware plan?

How do you rate this article?


Keith Thuerk
Keith Thuerk

Currently learning about Crypto & DeFi to combat the Inflationary Tidal wave coming our way!

SCIFI Future
SCIFI Future

Quantum Computing In Bite Size Pieces & SCIFI items

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.