Backup File Server to DAS

coliver

@IT-ADMIN 's company has shown that their data is next to valueless. They don't care about investing in a proper backup solution (no offence @IT-ADMIN) or even the licensing to ensure their servers won't die if they are restored from a backup solution. So if they do get ransomware on those machines they may determine that since they did nothing to prevent it (or prevent more likely issues like hardware failure) then it isn't worth the ransom.

coliver

@scottalanmiller said:

@coliver said:

@DustinB3403 said:

@coliver the ransom maker is trying to make money.

There is no benefit to them to make a ransom that's obscene. Unless you value your data so little that you'd be just fine without it.

The entire point of the ransom where is to entice people to need their data (value it) to the point where the ransom is reasonable.

Agreed. But how is the ransomer (Chrome says that is a word) going to know where that cut off point is? For some companies it could be 100$ for others it could be significantly more. Just thought it was an interesting idea.

They guess, normally at a pretty small number so that essentially everyone pays.

Right, I understand that. Just trying to go through an idea.

Jason

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

IT-ADMIN

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

at least in our case, may other companies have data that can be sold maybe ?

Jason

@IT-ADMIN said:

at least in our case, may other companies have data that can be sold maybe ?

Well, yeah. Many companies get hourly attempted attacks just for such a thing.

DustinB3403

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

Jason

@DustinB3403 said:

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

That's not true in every case.. some have been found to upload the data.

DustinB3403

I've yet to see a Cryptoware variant that exports data off of a victims system.

Please name 1.

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Just stop trolling, because you clearly are.

scottalanmiller

@IT-ADMIN said:

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

at least in our case, may other companies have data that can be sold maybe ?

No financial data? Nothing private that the company would not want divulged? No customer data?

IT-ADMIN

OK, can a restore point decrypte the ransomed data ??

scottalanmiller

@DustinB3403 said:

@Jason said:

@IT-ADMIN said:

because even the ransom will not benefit form the data itself, his concern is wining money

Not necessarily true.

Jason the ransom demand maker generally isn't trying to sell trade secrets, they might get lucky and encrypt someone with this kind of information.

But they aren't copying the data. They're simply encrypting it locally, and passing the decryption key to their server(s).

So it is true... the ransomers' are not profiting from the data, only from the ransom.

That is generally true but not universally.

Jason

@DustinB3403 said:

I've yet to see a Cryptoware variant that exports data off of a victims system.

Please name 1.

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Just stop trolling, because you clearly are.

Yes, I'm trolling when we have a IT forenstics team that looks into our attempted attacks. We know what goes on with these, we've looked into it heavily.

scottalanmiller

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

scottalanmiller

@DustinB3403 said:

This malware needs to act quickly. It doesn't have time to dick around and upload potentially TB or more of data to encrypt it.

Thats not true. It needs to encrypt quickly. Once encrypted it has free time to upload all that it can.

IT-ADMIN

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Jason

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Not just that but preferably with a system that can lock it as read-only once it's backed up. Which is great for audits as well.

scottalanmiller

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Correct, but it would need to be one that is decoupled, which is very difficult to do.

scottalanmiller

@Jason said:

@IT-ADMIN said:

@scottalanmiller said:

@IT-ADMIN said:

OK, can a restore point decrypte the ransomed data ??

Not decrypt! Nothing can decrypt except the key that you get when you pay the ransom.

If you roll back to BEFORE the data was encrypted AND the restore point itself was not encrypted then you are okay.

for this reason it is very recommended to store your system images in another physical storage not on the same machine

Not just that but preferably with a system that can lock it as read-only once it's backed up. Which is great for audits as well.

Decoupled or locked, as Jason points out. It needs to be read only or it will get ransomed too.

IT-ADMIN

i guess setting up an account on the backup destination so that veeam authenticate against will make the backup decoupled

scottalanmiller

@IT-ADMIN said:

i guess setting up an account on the backup destination so that veeam authenticate against will make the backup decoupled

No, if ANYTHING running on your server can talk to the storage, it is not decoupled. That is tightly coupled. Things like Unitrends appliances stand BETWEEN your systems and the backup storage. That's lightly decoupled. Tapes are fully decoupled.