Hacker News
by prirun 1437 days ago
Object Lock may be useful to protect backups from deletion, but ransomware is now relying on the threat of data exposure more, where Object Lock makes no difference:

https://www.theregister.com/2022/06/25/ransomware_gangs_exto...

"Increasingly, however, cybercrime rings still tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable."

https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakur...

1 comment

There is a difference for the business though – although the data may be exposed, the business may still be able to maintain continuity. I believe it is the lack of business continuity that has made ransomware so powerful – when a business can no longer function it will do anything to get that back. If the business could continue to operate they would be in a much better position to refuse to pay the ransom. If all businesses refused to pay the ransoms, ransomware would stop.

Obviously it’s still really bad if sensitive information is exposed. But also consider that some of the information essential for business continuity would be less sensitive in a public exposure scenario.

So in some cases it is just as effective, but in many cases it is not. As I understand it, most ransomware providers still attempt both encryption and exfiltration. Exfiltration is now standard not because it is easier but because more companies are able to restore operations from backup.