[matsemann]

What if they hacked you months before pulling the trigger? The article mentions they were hacked in December and the attack launched in March. Restoring a backup would then still leave the hackers inside.

And even if most data were backed up, most computers still have to be wiped and reinstalled. I don't think most companies backup the entire disks off all employees, it's normally just a dedicated file area. So while the data can be restored, the IT department still have to set up hundreds of computers for all kinds of different workers or machines on the spot.

Nothing is ever easy, don't be so dismissive about things you haven't thought through.

[viraptor]

Companies of non-trivial size often have (and should have) a system allowing for remote device management. Which means:

- It should be easy to reinstall to a known good image with all the relevant software, settings, drivers, etc. then restore the backed up data. This is relatively common in corps.

- Once you observe the malware and know how it reaches the C&C server, you can push rules blocking that host or block the bad binary network-wide.

Of course there will be companies that didn't have good enough system in place and once exploited are doomed.

[PeterisP]

"Once you observe the malware and know how it reaches the C&C server" presumes a single malware and a single mechanism for reaching the C&C server, which is unrealistic. We're not speaking about some piece of automated malware spreading on its own, which you could reverse engineer and see what it does and does not, we're talking about skilled people working for weeks to compromise your network. You should expect multiple different types of persistence, backdoors in publicly reachable systems and leaked privileged credentials.

[mr_toad]

> It should be easy to reinstall to a known good image with all the relevant software, settings, drivers, etc

It should be, but enterprise servers are often the embodiment of configuration drift.

[marcinzm]

The attackers likely compromised the computers using the remote device management system which means it's either disabled or unsafe to use.

[viraptor]

Sure, you need to make sure your AD and device management is clean before starting the process. My point was that once you're bootstraped you shouldn't need a fully manual recovery process.

[marcinzm]

And I'm pointing out that when your attacker has control of device management they can also disable device management on all the devices after their attack is deployed.

[bestnameever]

> Restoring a backup would then still leave the hackers inside.

Even if they could comfortably restore a backup from a year prior, they are left with hackers who know how to penetrate their network until they determine how it occurred..