by PeterisP 915 days ago
In general, if your backups are made somewhere that your IT administrators can delete or overwrite, then ransomware operators will destroy or damage your backups before doing anything that would make it obvious that you're being attacked. And if your backups are moved offline, then they can still try to invisibly corrupt these backups and wait a week or two before triggering the ransom encryption.

Many organizations make backups that would protect them from accidental destruction of hardware, but not from malicious acts from someone in your network with a privileged account, and a reasonable chance of a multimillion payout means that the ransom organizations have no qualms spending quite many hours of skilled people in ensuring the victim is more likely to pay.

1 comment

>but not from malicious acts from someone in your network with a privileged account

I do think it's depressingly much, MUCH harder than it should be to catch it though for normal people. This should be a turnkey thing built into all data software, NAS options like TrueNAS or whatever else, cloud services of course (though I think some now do). Ransomware attacks, by their very nature, are extremely detectable on a technical level. Their access patterns are unique, and of course they fundamentally change the entropy of all the data on the system. This is something a watchdog should just be able to automatically detect and alert on, preferably immediately freezing things. With the kind of atomic snapshots available, rollback should be easy. Capabilities can separate snapshot deletion from read/write, raw storage space is quite cheap. Backups should be pull-based by default with a lot of controls, so that the backup system offers no administrative access over the general network at all. Etc etc. The technical ingredients are there, yet it's still hard to find stuff where someone can just click a checkbox that says "alert on ransomware pattern detection" :(. This should be a very solvable problem, or at least able to be made enormously more challenging to pull off, vs most of the security challenges in tech. It's a shame it hasn't been.
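The entropy-based watchdog the comment above describes, as an added example that is not code from the thread or from any of the products it mentions. It snapshots the size and Shannon entropy of every file under a directory, then compares a later snapshot against the baseline and raises an alert when a large fraction of the baseline files have either jumped to ciphertext-like entropy or vanished (the rename-with-new-extension pattern). The thresholds (`HIGH_ENTROPY_BITS`, `ENTROPY_JUMP_BITS`, `ALERT_FRACTION`) are assumptions chosen for the demo, and the `demo()` scenario is constructed in a temporary directory: plain-text files as the baseline, one benign edit, then a simulated post-encryption state in which contents are replaced by random bytes and one file is renamed.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Thresholds are assumptions for this demo, not figures from the thread.
HIGH_ENTROPY_BITS = 7.0   # near the 8.0 ceiling typical of ciphertext or compressed data
ENTROPY_JUMP_BITS = 2.0   # per-file rise versus baseline that counts as suspicious
ALERT_FRACTION = 0.5      # share of baseline files affected before we alert


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in the range 0.0 .. 8.0; empty input yields 0.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def snapshot(root: Path) -> dict:
    """Map relative path -> (size, entropy) for every regular file under root."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            result[str(path.relative_to(root))] = (len(data), shannon_entropy(data))
    return result


def detect_ransomware_pattern(baseline: dict, current: dict) -> dict:
    """Compare two snapshots and flag the signals the comment names:
    many files whose entropy jumped to ciphertext-like levels, and many
    baseline files that disappeared (typically renamed with a new extension)."""
    became_high_entropy = []
    for rel, (_size, ent) in current.items():
        if rel in baseline:
            _old_size, old_ent = baseline[rel]
            if ent >= HIGH_ENTROPY_BITS and ent - old_ent >= ENTROPY_JUMP_BITS:
                became_high_entropy.append(rel)
    missing = sorted(set(baseline) - set(current))
    new_high = sorted(rel for rel in set(current) - set(baseline)
                      if current[rel][1] >= HIGH_ENTROPY_BITS)
    affected = len(set(became_high_entropy) | set(missing))
    fraction = affected / len(baseline) if baseline else 0.0
    return {
        "entropy_jumps": sorted(became_high_entropy),
        "missing": missing,
        "new_high_entropy": new_high,
        "affected_fraction": fraction,
        "alert": fraction >= ALERT_FRACTION,
    }


def demo() -> tuple:
    """Constructed scenario in a temp dir. Returns (benign_report, malicious_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(6):
            (root / f"report{i}.txt").write_text(("quarterly figures line %d\n" % i) * 200)
        baseline = snapshot(root)

        # Benign edit: one file grows with more plain text; entropy stays low.
        (root / "report0.txt").write_text(("quarterly figures line 0\n" * 200) + "appendix\n" * 50)
        benign = detect_ransomware_pattern(baseline, snapshot(root))

        # Simulated post-encryption state (constructed for the demo, not an
        # encryption routine): contents replaced by random bytes, one file renamed.
        for i in range(1, 6):
            (root / f"report{i}.txt").write_bytes(os.urandom(4096))
        (root / "report5.txt").rename(root / "report5.txt.locked")
        malicious = detect_ransomware_pattern(baseline, snapshot(root))
    return benign, malicious


if __name__ == "__main__":
    benign_report, malicious_report = demo()
    print("benign edit   ->", benign_report)
    print("mass rewrite  ->", malicious_report)
```

In a real deployment the baseline would be the last good snapshot and the comparison would run on a schedule or on filesystem-change events, with an alert feeding the "freeze and roll back" step the comment wants; the fraction threshold is what keeps a single legitimately compressed or encrypted file from tripping it.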