Backup File Server to DAS

Jason

@IT-ADMIN said:

at least in our case, may other companies have data that can be sold maybe ?

Well, yeah. Many companies get hourly attempted attacks just for such a thing.

DustinB3403

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

Jason

@DustinB3403 said:

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

That's not true in every case.. some have been found to upload the data.

DustinB3403

I've yet to see a Cryptoware variant that exports data off of a victims system.

Please name 1.

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Just stop trolling, because you clearly are.

scottalanmiller

@IT-ADMIN said:

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

at least in our case, may other companies have data that can be sold maybe ?

No financial data? Nothing private that the company would not want divulged? No customer data?

IT-ADMIN

OK, can a restore point decrypte the ransomed data ??

scottalanmiller

@DustinB3403 said:

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

That is generally true but not universally.

Jason

@DustinB3403 said:

I've yet to see a Cryptoware variant that exports data off of a victims system.

Please name 1.

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Just stop trolling, because you clearly are.

Yes, I'm trolling when we have a IT forenstics team that looks into our attempted attacks. We know what goes on with these, we've looked into it heavily.

scottalanmiller

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

scottalanmiller

@DustinB3403 said:

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Thats not true. It needs to encrypt quickly. Once encrypted it has free time to upload all that it can.

IT-ADMIN

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Jason

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Not just that but preferably with a system that can lock it as read-only once it's backed up. Which is great for audits as well.

scottalanmiller

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Correct, but it would need to be one that is decoupled, which is very difficult to do.

scottalanmiller

@Jason said:

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Not just that but preferably with a system that can lock it as read-only once it's backed up. Which is great for audits as well.

Decoupled or locked, as Jason points out. It needs to be read only or it will get ransomed too.

IT-ADMIN

i guess setting up an account on the backup destination so that veeam authenticate against will make the backup decoupled

scottalanmiller

@IT-ADMIN said:

i guess setting up an account on the backup destination so that veeam authenticate against will make the backup decoupled

No, if ANYTHING running on your server can talk to the storage, it is not decoupled. That is tightly coupled. Things like Unitrends appliances stand BETWEEN your systems and the backup storage. That's lightly decoupled. Tapes are fully decoupled.

StrongBad

I have heard that a lot of the ransoms are on the low side. Under $1000. Which is a lot of money, but not crippling. Generally a no brainer to a business.

Jason

Many look into Dell Appassure for backups. I don't think you pay for windows though so not sure you would for this.

scottalanmiller

@Jason said:

Many look into Dell Appassure for backups. I don't think you pay for windows though so not sure you would for this.

That's going to be an issue. Everything that does decoupled backups is going to be non-free or require virtualization at least.

Dashrender

@scottalanmiller said:

@Jason said:

Many look into Dell Appassure for backups. I don't think you pay for windows though so not sure you would for this.

That's going to be an issue. Everything that does decoupled backups is going to be non-free or require virtualization at least.

What about Veeam End Point Protection?