by viraptor 2162 days ago
Companies of non-trivial size often have (and should have) a system allowing for remote device management. Which means:

- It should be easy to reinstall to a known good image with all the relevant software, settings, drivers, etc. then restore the backed up data. This is relatively common in corps.

- Once you observe the malware and know how it reaches the C&C server, you can push rules blocking that host or block the bad binary network-wide.

Of course there will be companies that didn't have a good enough system in place and once exploited are doomed.

"Once you observe the malware and know how it reaches the C&C server" presumes a single malware and a single mechanism for reaching the C&C server, which is unrealistic. We're not speaking about some piece of automated malware spreading on its own, which you could reverse engineer and see what it does and does not, we're talking about skilled people working for weeks to compromise your network. You should expect multiple different types of persistence, backdoors in publicly reachable systems and leaked privileged credentials.

> It should be easy to reinstall to a known good image with all the relevant software, settings, drivers, etc

It should be, but enterprise servers are often the embodiment of configuration drift.

The attackers likely compromised the computers using the remote device management system, which means it's either disabled or unsafe to use.

Sure, you need to make sure your AD and device management are clean before starting the process. My point was that once you're bootstrapped you shouldn't need a fully manual recovery process.

And I'm pointing out that when your attacker has control of device management they can also disable device management on all the devices after their attack is deployed.