Payroll Provider gets Encrypted & Pays Ransom

JaredBusch

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

That is definitely a bad case of "what else could go wrong". Which to @JaredBusch point, is that if they had any backups, they clearly weren't usable.

The fact that their offsite mirror was affected, would be comparable to a dump truck driving into the main building, while the same exact dump truck crashes into the mirror.

It shouldn't be feasible with air gapped systems, this clearly wasn't/couldn't be air gapped as designed.

Paying the ransom was very likely because they had no backups and were expecting the Mirror to take the place of proper air gapped backups.

WTF are all of you people talking about..

Disaster recover with live mirror is not and cannot never be designed to work as a method against crypto.

The quote bit of the article is inane at best. It was stated by the Chief Marketing Officer. Not anyone with actual knowledge of anything.

The article clearly stated that paying the ransom was the fastest way to get systems online.

There is no insinuation anywhere that there are no backups.

JaredBusch

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

That is definitely a bad case of "what else could go wrong". Which to @JaredBusch point, is that if they had any backups, they clearly weren't usable.

I 100% never implied that. I assume that there absolutely were backups.

But restoring an entire infrastructe is never a fast task.

@scottalanmiller's recent example clearly shows that. I would be interested to know how many man hours @NTG sunk into restoring that. And it was a small typical SMB office. Not a huge SaaS provider.

scottalanmiller

@JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller's recent example clearly shows that. I would be interested to know how many man hours @NTG sunk into restoring that. And it was a small typical SMB office. Not a huge SaaS provider.

Not done yet. But ~28 to mostly recovered.

DustinB3403

@JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

That is definitely a bad case of "what else could go wrong". Which to @JaredBusch point, is that if they had any backups, they clearly weren't usable.

I 100% never implied that. I assume that there absolutely were backups.

If they have backups, but can't use them because the scale of restoration required is beyond acceptable. Then the backups aren't usable.

If the restore time is in the days weeks or months, then having backups such as those don't meet any RPO and RTO objectives.

And is thus just spending money to spend money on something that clearly doesn't work.

DustinB3403

Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.

As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.

Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).

PhlipElder

@scottalanmiller What happened?

DustinB3403

@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller What happened?

Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?

PhlipElder

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller What happened?

Are you asking about one of the NTG clients who was hit with ransomware and they were back up and running in a few hours, or are you asking scott to exposit about this topic?

Asking about the 28 hour recovery.

PhlipElder

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.

As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.

Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).

RTO = Recovery Time Objective
RPO = Recovery Point Objective

BDRP = Building Disaster Resilience in Pakistan ?
CYA = CYa when things go blotto ?

DustinB3403

Even paying the ransom didn't work as expected!

DustinB3403

@PhlipElder said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

Having a mirror is perfectly fine, cut fiber, power outages, ISP issues - mundane earthly problems that can be resolved by geographic distance are where mirrors come in.

Ransomware is not one of those, and thus a BDRP needs to be developed and tested to ensure that recovery from such an event doesn't mean rewarding the people who are ransoming them.

If a BDRP can't be developed and meet the RTO and RPO objectives the business must then re-evaluate if the data is at all worthwhile.

As for paying the ransom, the business reputation is in the dumps, they've spent however much out of pocket (will likely hit their insurance), and still need to design a BDRP that actually works and meet the RTO an RPO objectives.

Hopefully there is a CYA email that their IT department/MSP has so they are covered when proper backups that would work within the above RTO/RPO guidelines - but likely refused to spend. (If such a conversation actually occurred, and that the IT department actually did their jobs).

RTO = Recovery Time Objective
RPO = Recovery Point Objective

BDRP = Building Disaster Resilience in Pakistan ?
CYA = CYa when things go blotto ?

BDRP = Backup and Disaster Recovery Plan

CYA = Cover your ass

DustinB3403

In the same article,

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Um. . . fire those experts and get someone in there who once you're are up to fix your systems, that meet real RTO and RPO objectives. . .

scottalanmiller

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

Even paying the ransom didn't work as expected!

Or DID work as expected, who actually expects that to work?

scottalanmiller

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Different goals.

DustinB3403

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Different goals.

The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.

scottalanmiller

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Different goals.

The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.

Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.

Dashrender

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Different goals.

The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.

Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.

The consultant is the protect their customer? They are already infected, not much to protect them from.

scottalanmiller

@Dashrender said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

@scottalanmiller said in Payroll Provider gets Encrypted & Pays Ransom:

@DustinB3403 said in Payroll Provider gets Encrypted & Pays Ransom:

The FBI is telling people to not pay the ransom, but Cyber Security experts are telling clients to pay the ransom.

Different goals.

The FBI's goal is to stop the act entirely. The SCE's goal is to get paid as much as possible and save face with their people.

Well, and the FBI's goal is to protect "everyone", they don't particularly care about the company that has been hit. The consultants job is to protect the company that has been hit and no concern about others.

The consultant is the protect their customer? They are already infected, not much to protect them from.

that's not true. Protecting them from data loss or financial loss.

DustinB3403

What I find most interesting about this article is how nonchalant the Marketing person is about this. "We paid and it sucked."

StorageNinja

@JaredBusch said in Payroll Provider gets Encrypted & Pays Ransom:

But restoring an entire infrastructe is never a fast task.

Couple ways...

1. Snapshots plus an orchestration system that can recall and mount them (SRM, Veeam).
2. Not being a Muppet and keeping backup, and infrastructure management on a different domain (or just off the domain if some small shop and use local SSO database for vCenter, and local user accounts for Veeam/backup servers).
3. Use a DRaaS service provider that has immutable retention that can't be restored (A lot of Veeam partners will do this for you). Fairly certain this is an option from iLand and some others.