[pc86]

That doesn't help. The system is already infected when the backups are taken, therefore the backups are infected. That's why these criminal organizations wait months until actually locking your system down, so that your oldest backups are deleted by retention policy. If they have access to your system and can figure out what your backup retention policy is, they'll set it to go off at the point when all your backups are infected.

[jowea]

Can't they check their backups once every few months from an isolated infrastructure?

[vkou]

If they could check the backups for evidence of an intrusion, they would be able to check production for evidence of an intrusion.

[jowea]

I meant check for evidence of corruption not an intrusion itself. How do you hide the fact that the data is unreadable?

[jabroni_salad]

Ransomware is often not triggered quickly. They will compromise a box, install a back door, and hang onto it for months. You also have to consider that once they pop it, they can check other vulns that are available and will still be present after the restore.

When I do remediation I usually recommend restoring only business state but installing and configuring all OSes and applications from scratch with latest freshly downloaded versions. You can't trust any executable or dll that has been laying around.

That is not the restore dream that the backup provider sold them but reinfection is common. Once the bad guy has a privileged credential it is trivial for them to investigate for other vulns to use in the reinfection phase and nobody has just one critical vuln. If a business is susceptible to ntlm relay it's also going to have unsigned smb and non encrypted ldap traffic for the same root cause -- it was the default in 2005 and never got modernized.

[zmgsabst]

Infected how?

Our backups were the data, not code or systems (which were IaC and rebuilt as needed).

[xur17]

For a concrete example, someone could infect an image storing service with code that encrypts (and silently decrypts) the data when it's stored / retrieved. When the hacker removes the decryption key from the running service, the backups will also be inaccessible because they are also encrypted.

[Workaccount2]

Wouldn't this be a bright red flag that is trivial to check for?

[pixl97]

Are user accounts data or systems? Compromise of AD is a very common means. This said this can still be fixed before putting it back where it could reach the internet and cause trouble.