All insights

Using “Thin” Digital Twins to Gang-Up on Ransomware

Michael Zimmerman Michael Zimmerman
Managing Editor, Insights, Hitachi Vantara

October 17, 2022

For most cybersecurity professionals, the idea of ransomware “protection” is a nonstarter, a misnomer.

That’s because as long as there are employees who fall prey to phishing schemes, disgruntled ones who are happy to dispense with vital information, and IT departments who are overwhelmed by increasingly complex security postures, enterprises will be breached, and data will be encrypted and held for ransom. And as hybrid multicloud environments grow more complex, the list of vulnerabilities will only grow.

It wasn’t always this way. Ransomware, had more humble beginnings, starting, some say, when so-called “script kiddies” hacked into corporate websites to vandalize homepages, sometimes unwittingly and other times coerced to leave open the backdoors for real cybercriminals.

Twenty years later, ransomware is now an industry unto itself in which everyone from lone hackers, to privateers for hire, to international crime syndicates and state-sponsored hit squads, research, target and attack with precision and success, so much so that ransomware is now projected to inflict damages of more than $30 billion in 2023.

At this point, failsafe protection is not an option. But predictable recovery is.

Enter VM2020

That’s where 10-year-old software developer, VM2020 Solutions, comes in. Founded with the goal of making “disaster recovery business as usual,” the company has had a front row seat to the advent and evolution of ransomware.

“Around 2016, 2017, we started seeing that the most common type of ‘disaster’ was no longer a power outage or a flood; it was starting to be ransomware,” according to company CTO, Elias Benarroch.

For Benarroch and founder, Bernardo Starosta, this presented an easy pivot. The digital twin technology the company had developed and used for the past several years to help customers optimize the performance of their IT infrastructures, speed recovery times, and automate dev-test environments, could easily assist in the exploration of system vulnerabilities and ransomware recovery efforts.

“You can use digital twins to model the behavior of complex systems, to run simulations, and to carry out ‘what-if’ scenarios and data analysis,” as Starosta wrote in his 2020 blog. “By performing in-depth descriptive, diagnostic, predictive, and prescriptive analytics you can gather insights, answer questions, and make data-driven decisions.”

Although, simulation is not new to the field of IT management, dev & test, VM2020’s twist with its CyberVR platform is in its use of ‘thin’ digital twins. Unlike traditional digital twins that need ample storage capacity to run, thin digital twins can map zero-footprint snapshots of the data – or clones of the data – to hypervisors, software defined networking, and container platforms. And while traditional digital twins can sometimes be obsolete by the time they’re ready for use – due to the lengthy copy and configure process – the integrated automation engine within CyberVR can fully simulate the production IT environment almost instantly and at much less cost.

Adapting for Ransomware

VM2020 adapted this extremely lightweight simulation to one of the most impactful aspects of ransomware mitigation – the recovery of vast amounts of immutable backup data. When a ransomware attack occurs, one of the only recourses an organization has, outside of paying the ransom, is to revert to a safe “point-in-time” in the backup data of immutable snapshots, prior to the attack, and then rebuild the enterprise with that data.

But the length of time for such a “recovery” using traditional methods depends on a variety of factors, including the size and scope of the business, the amount of data involved, and not the least of which – the length of time it takes investigators to determine the point-in-time just prior to the breach.

“Most organizations have some sort of data immutability, but it still takes them two to three weeks to recover from a ransomware attack,” said Benarroch. “That’s because it is impossible for most organizations to test at scale because of the required additional resources and heroics involved. Things like automation, predictability, data copy, data efficiency, isolation, hardening eradication are just a few of the things IT and security organizations face every day.”

Wishing You a Speedy Recovery

In other words, speed is the name of the recovery game. When VM2020 joined forces with Hitachi Vantara recently, it achieved record-breaking speeds. Integrating CyberVR with Hitachi Vantara’s Ops Center Protector enabled the companies to achieve the recovery of more than 1,500 VMs with over 100TB of data, allowing for the resumption of production – in 70 minutes – fully protected.

Indeed, Hitachi Vantara has designated the solution the “world’s fastest ransomware recovery from immutable snapshots.”

“This is an example of two complementary innovations coming together to dramatically improve a specific and debilitating challenge for businesses and governments across industries and around the world,” Starosta said. “We build off each other’s strengths to give the Hitachi core data protection of immutable storage a new level of usability for ransomware recovery.”

For Benarroch, it has a lot to do with the time spent fine-tuning and optimizing their solution during the days when disasters had more to do with extreme weather. “It’s only possible because of the eight years we spent figuring out how to parallelize and optimize storage operations,” he said. “We then combined the benefits of the storage with all the automation layers between the three key silos of storage, hypervisor (VMware), and the network. We stitched them all together with our automation and arrived at the fastest solution available.”

Real-World Ransomware Simulating

But ransomware mitigation doesn’t end with recovery for VM2020. Increasingly, CyberVR is being used to simulate attacks. Leveraging the thin digital twin technology, the platform enables organizations to be proactive and simulate compromises, determine the threat levels of individuals, estimate possible damages, and more. It allows all of this on top of gaining visibility into technical vulnerabilities including unpatched systems and software.

The thin digital twin of the enterprise takes on the role of the ethical hacker in a way. However, in this case, the system is using actual data in an isolated risk-free environment.

“With ethical hacking you're simulating a war scenario using NERF guns,” said Benarroch. “With thin digital twins, people can practice with live ammunition – real data.”

As Benarroch likes to point out, backup solutions were never designed for ransomware recovery. Business continuity and resiliency demand speed. The shorter the distance between an attack and the resumption of business, the better. 


Michael Zimmerman

Michael Zimmerman

Mike is managing editor of thought leadership, including Hitachi Vantara Insights and corporate Newsroom. Before joining the company, he spent +25 years in journalism and communications, working  with edit teams and business leaders to craft stories of import and interest.