    Payroll Provider gets Encrypted & Pays Ransom

    IT Discussion
    31 Posts 9 Posters 818 Views
    • black3dynamite

      a0e417f9-161a-410d-8f23-d1f9ad2e613e-image.png

      • nadnerB @black3dynamite

        @black3dynamite said in Payroll Provider gets Encrypted & Pays Ransom:

        a0e417f9-161a-410d-8f23-d1f9ad2e613e-image.png

        facedesk
        Hate to be the project manager on that one.

        • travisdh1 @nadnerB

          @nadnerB said in Payroll Provider gets Encrypted & Pays Ransom:

          @black3dynamite said in Payroll Provider gets Encrypted & Pays Ransom:

          a0e417f9-161a-410d-8f23-d1f9ad2e613e-image.png

          facedesk
          Hate to be the project manager on that one.

          Yeah... words mean things people. mirror != backup

          • JaredBusch @travisdh1

            @travisdh1 said in Payroll Provider gets Encrypted & Pays Ransom:

            @nadnerB said in Payroll Provider gets Encrypted & Pays Ransom:

            @black3dynamite said in Payroll Provider gets Encrypted & Pays Ransom:

            a0e417f9-161a-410d-8f23-d1f9ad2e613e-image.png

            facedesk
            Hate to be the project manager on that one.

            Yeah... words mean things people. mirror != backup

            You are making assumptions here. No one said the site had no backups.

            A live offsite mirror for disaster recovery is a very important thing for some businesses.

            • PhlipElder @JaredBusch

              @JaredBusch Heh ... gives a whole new meaning to "Garbage in Garbage out". 😄

              • scottalanmiller @black3dynamite

                @black3dynamite said in Payroll Provider gets Encrypted & Pays Ransom:

                a0e417f9-161a-410d-8f23-d1f9ad2e613e-image.png

                I don't think that they define disaster recovery the way that the rest of us do.

                • DustinB3403

                  That is definitely a bad case of "what else could go wrong". Which, to @JaredBusch's point, is that if they had any backups, they clearly weren't usable.

                  The fact that their offsite mirror was affected would be comparable to a dump truck driving into the main building while the same exact dump truck crashes into the mirror.

                  It shouldn't be feasible with air gapped systems; this clearly wasn't/couldn't be air gapped as designed.

                  Paying the ransom was very likely because they had no backups and were expecting the mirror to take the place of proper air gapped backups.

                  • JaredBusch @DustinB3403

                    @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                    That is definitely a bad case of "what else could go wrong". Which, to @JaredBusch's point, is that if they had any backups, they clearly weren't usable.

                    The fact that their offsite mirror was affected would be comparable to a dump truck driving into the main building while the same exact dump truck crashes into the mirror.

                    It shouldn't be feasible with air gapped systems; this clearly wasn't/couldn't be air gapped as designed.

                    Paying the ransom was very likely because they had no backups and were expecting the mirror to take the place of proper air gapped backups.

                    WTF are all of you people talking about..

                    Disaster recovery with a live mirror is not, and can never be, designed to work as a method against crypto.

                    The quote bit of the article is inane at best. It was stated by the Chief Marketing Officer. Not anyone with actual knowledge of anything.

                    The article clearly stated that paying the ransom was the fastest way to get systems online.

                    There is no insinuation anywhere that there are no backups.

                    • JaredBusch @DustinB3403

                      @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                      That is definitely a bad case of "what else could go wrong". Which, to @JaredBusch's point, is that if they had any backups, they clearly weren't usable.

                      I 100% never implied that. I assume that there absolutely were backups.

                      But restoring an entire infrastructure is never a fast task.

                      @scottalanmiller's recent example clearly shows that. I would be interested to know how many man hours @NTG sunk into restoring that. And it was a small typical SMB office. Not a huge SaaS provider.

                      • scottalanmiller @JaredBusch

                        @JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:

                        @scottalanmiller's recent example clearly shows that. I would be interested to know how many man hours @NTG sunk into restoring that. And it was a small typical SMB office. Not a huge SaaS provider.

                        Not done yet. But ~28 to mostly recovered.

                        • DustinB3403 @JaredBusch

                          @JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:

                          @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                          That is definitely a bad case of "what else could go wrong". Which, to @JaredBusch's point, is that if they had any backups, they clearly weren't usable.

                          I 100% never implied that. I assume that there absolutely were backups.

                          If they have backups but can't use them because the scale of restoration required is beyond acceptable, then the backups aren't usable.

                          If the restore time is in the days, weeks, or months, then having backups such as those doesn't meet any RPO and RTO objectives.

                          And it is thus just spending money to spend money on something that clearly doesn't work.

                          • DustinB3403

                            Having a mirror is perfectly fine: cut fiber, power outages, ISP issues, mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

                            Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

                            If a BDRP can't be developed and meet the RTO and RPO objectives, the business must then re-evaluate if the data is at all worthwhile.

                            As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meets the RTO and RPO objectives.

                            Hopefully there is a CYA email that their IT department/MSP has so they are covered, having proposed proper backups that would work within the above RTO/RPO guidelines but which the business likely refused to spend on. (If such a conversation actually occurred, and the IT department actually did their jobs.)

                            • PhlipElder @scottalanmiller

                              @scottalanmiller What happened?

                              • DustinB3403 @PhlipElder

                                @PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

                                @scottalanmiller What happened?

                                Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?

                                • PhlipElder @DustinB3403

                                  @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                                  @PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

                                  @scottalanmiller What happened?

                                  Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?

                                  Asking about the 28 hour recovery.

                                  • PhlipElder @DustinB3403

                                    @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                                    Having a mirror is perfectly fine: cut fiber, power outages, ISP issues, mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

                                    Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

                                    If a BDRP can't be developed and meet the RTO and RPO objectives, the business must then re-evaluate if the data is at all worthwhile.

                                    As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meets the RTO and RPO objectives.

                                    Hopefully there is a CYA email that their IT department/MSP has so they are covered, having proposed proper backups that would work within the above RTO/RPO guidelines but which the business likely refused to spend on. (If such a conversation actually occurred, and the IT department actually did their jobs.)

                                    RTO = Recovery Time Objective
                                    RPO = Recovery Point Objective

                                    BDRP = Building Disaster Resilience in Pakistan ?
                                    CYA = CYa when things go blotto ?

                                    • DustinB3403

                                      Even paying the ransom didn't work as expected!

                                      chrome_2019-03-04_11-26-44.png

                                      • DustinB3403 @PhlipElder

                                        @PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

                                        @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                                        Having a mirror is perfectly fine: cut fiber, power outages, ISP issues, mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

                                        Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

                                        If a BDRP can't be developed and meet the RTO and RPO objectives, the business must then re-evaluate if the data is at all worthwhile.

                                        As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meets the RTO and RPO objectives.

                                        Hopefully there is a CYA email that their IT department/MSP has so they are covered, having proposed proper backups that would work within the above RTO/RPO guidelines but which the business likely refused to spend on. (If such a conversation actually occurred, and the IT department actually did their jobs.)

                                        RTO = Recovery Time Objective
                                        RPO = Recovery Point Objective

                                        BDRP = Building Disaster Resilience in Pakistan ?
                                        CYA = CYa when things go blotto ?

                                        BDRP = Backup and Disaster Recovery Plan

                                        CYA = Cover your ass

                                        • DustinB3403

                                          In the same article,

                                          The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

                                          Um. . . fire those experts and get someone in there who, once you are up, will fix your systems so they meet real RTO and RPO objectives. . .

                                          • scottalanmiller @DustinB3403

                                            @DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

                                            Even paying the ransom didn't work as expected!

                                            chrome_2019-03-04_11-26-44.png

                                            Or DID work as expected, who actually expects that to work?
