Payroll Provider gets Encrypted & Pays Ransom
-
@scottalanmiller What happened?
-
@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller What happened?
Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller What happened?
Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?
Asking about the 28 hour recovery.
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.
Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.
If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.
As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.
Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).
RTO = Recovery Time Objective
RPO = Recovery Point ObjectiveBDRP = Building Disaster Resilience in Pakistan ?
CYA = CYa when things go blotto ? -
Even paying the ransom didn't work as expected!
-
@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.
Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.
If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.
As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.
Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).
RTO = Recovery Time Objective
RPO = Recovery Point ObjectiveBDRP = Building Disaster Resilience in Pakistan ?
CYA = CYa when things go blotto ?BDRP = Backup and Disaster Recovery Plan
CYA = Cover your ass
-
In the same article,
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Um. . . fire those experts and get someone in there who once you're are up to fix your systems, that meet real RTO and RPO objectives. . .
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
Even paying the ransom didn't work as expected!
Or DID work as expected, who actually expects that to work?
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Different goals.
-
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Different goals.
The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Different goals.
The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.
Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.
-
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Different goals.
The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.
Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.
The consultant is the protect their customer? They are already infected, not much to protect them from.
-
@Dashrender said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.
Different goals.
The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.
Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.
The consultant is the protect their customer? They are already infected, not much to protect them from.
that's not true. Protecting them from data loss or financial loss.
-
What I find most interesting about this article is how nonchalant the Marketing person is about this. "We paid and it sucked."
-
@JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:
But restoring an entire infrastructe is never a fast task.
Couple ways...
- Snapshots plus an orchestration system that can recall and mount them (SRM, Veeam).
- Not being a Muppet and keeping backup, and infrastructure management on a different domain (or just off the domain if some small shop and use local SSO database for vCenter, and local user accounts for Veeam/backup servers).
- Use a DRaaS service provider that has immutable retention that can't be restored (A lot of Veeam partners will do this for you). Fairly certain this is an option from iLand and some others.
-
@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:
Um. . . fire those experts and get someone in there who once you're are up to fix your systems, that meet real RTO and RPO objectives. . .
You realize that the consultants who get brought in to clean up these messes are almost never the same muppets who built this out, or let this happen?
-
@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:
@JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:
@scottalanmiller's recent example clearly shows that. I would be interested to know how many man hours @NTG sunk into restoring that. And it was a small typical SMB office. Not a huge SaaS provider.
Not done yet. But ~28 to mostly recovered.
I"ve seen everything from 1 billable hour of labor (kicking off Veeam restore of 4 VM's and coming back when it was done) to 200 hours (rebuild from scratch, and recovered core ERP database from a developer clone on someone's laptop).