For those interested here is pretty good article about the latest large ransomware attack: Up to 1,500 businesses infected in one of the worst ransomware attacks ever | Ars Technica
I have to wonder why all these companies continue to use such compromisable infrastructure. What software systems are so important that they have to? What is Kaseya and the like providing that these folk can’t do without?
I cannot figure how multi million dollars companies be so sloppy as to have no backup in place. Their IT manager should be fired.
Ransomware doesn’t hit you immediately, it often waits a while and infiltrates more computers … AND BACKUPS. Because backing up compromised files doesn’t help you much, does it?
So you might have an uncompromised backup from 4 weeks ago but …
When my sister discovered her PC had been hacked by ransomware her backups going back 1 week were all encrypted too. After all, many people just use an external hard disk or a NAS attached to the network and backups happen automatically …
Kaseya is used by IT service companies to remotely manage and support their customers’ IT infrastructure - it does asset management, event monitoring, service pack installs, desktop support etc.
A company I am working with have their IT infrastructure remotely managed as they have no IT staff, and the IT support company use Kaseya.
I was not referring to individuals, but million dollar companies, who are paying IT managers handsomely to protect their assets.
… and I was referring to how ransomware often works - which has nothing to do with whether it affects an individual or a company, and still means you might only have an old backup if any at all (eg new file → encrypted → backed up).
Wish it was so simple: “Have a backup? YAY! Save from Ransomware!” - but it isn’t.
So let me ask: which multi-million dollar business has no backup? I would actually like to see what you are talking about …
So is the ransomware encrypting backups for some period of time BEFORE the local data gets encrypted? So that if you are doing proper multiple backup rotations, with some rotations going off site, those backups are encrypted as well?
If so, how far ahead of time does the backup encryption start? If very far, that would imply one should test backups for integrity / usability on a routine or automated basis.
But it also implies the ransomware may be even more sophisticated than I had assumed, because messing with the myriad of ways backups can occur and doing so silently for a period of time without raising any flags seems like quite a feat.
It strongly depends on the ransomware, but yes, it is far smarter than what opinions here imply. For example there is ransomware that disables or actively evades security software.
And checking the backup for consistency might not be as helpful as you think. If you back up encrypted files then that is still consistent.
And sometimes the attack comes from unexpected directions. A friend of mine works at an Alzheimer Care Society (mostly volunteers, some half-time employees), and was quite relaxed as she is using two Macs and is making automatic backups. But all the files were shared via a 1 TB Dropbox account. And one of the volunteers used an old PC laptop. So the files in the Dropbox got encrypted which spread to each computer and into the respective local backups. Attempts to use the Dropbox backup to restore the files failed (I still don’t know why, but I had logged in remotely and there was no access to any backup). LUCKILY she was off for a week as her husband had an operation, and while she worked a bit from home (just answering emails) on her laptop (which was enough to synchronize Dropbox) she did NOT use her old iMac - which had the only non-encrypted copies of the files across the whole organisation.
Then I didn’t explain myself well enough. My point was that if backups were getting encrypted BEFORE the local data, then it seems like checking whether the backup data is readable/consistent MAY give an early indication of a pending ransomware strike.
So in terms of automation, perhaps taking an MD5 of some sample (or honeypot) backup files and comparing it to the MD5 of the same local file should be able to determine if the backup files are readable.
And if they are, then one “just” needs a safe way to bring up a known clean system image and restore (only) the data to it. Obviously that system needs to be air gapped from the network until all possible infection points within the network have been isolated.
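The canary-file check proposed in the post above, written out as an added example (not code from anyone in this thread). It assumes a set of unchanging canary files whose digests were recorded when they were known good; each check then compares both the local copy and the backup copy against that recorded baseline, which catches the case where the local file was already encrypted before it was backed up. SHA-256 is used in place of MD5.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_canaries(baseline: dict, local_dir: Path, backup_dir: Path) -> dict:
    """Compare each canary in the local tree and the backup tree against its
    known-good digest. Returns {name: "ok"} or {name: "local:altered,backup:missing"}."""
    results = {}
    for name, expected in baseline.items():
        problems = []
        for label, root in (("local", local_dir), ("backup", backup_dir)):
            p = root / name
            if not p.is_file():
                problems.append(f"{label}:missing")
            elif file_digest(p) != expected:
                problems.append(f"{label}:altered")
        results[name] = "ok" if not problems else ",".join(problems)
    return results

def demo() -> dict:
    """Constructed scenario: two canaries are created, the baseline is recorded,
    the tree is backed up, then one backup copy is overwritten with unrelated
    bytes (standing in for a file that was encrypted before the backup ran)."""
    work = Path(tempfile.mkdtemp())
    local, backup = work / "local", work / "backup"
    local.mkdir()
    (local / "canary_a.txt").write_bytes(b"canary A, never legitimately modified\n")
    (local / "canary_b.txt").write_bytes(b"canary B, never legitimately modified\n")
    # Baseline is recorded once, while the files are known to be clean.
    baseline = {p.name: file_digest(p) for p in local.iterdir()}
    shutil.copytree(local, backup)
    # Simulated tampering of the backup copy only (constructed, not real malware).
    (backup / "canary_b.txt").write_bytes(b"\x9f\x12opaque bytes the backup now holds\x00")
    try:
        return check_canaries(baseline, local, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

A "backup:altered" result for a file that never changes legitimately is the early warning the post is asking for; the same routine also flags the case where both copies diverge from the baseline.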
I very much doubt Colonial saved on Dropbox.
Then it seems to me that these IT service companies need to be doing MUCH more in terms of ensuring their own integrity. If they are obtaining service packs and pushing those out to customers, they need to airgap the process and use a private network to connect to customers.
To ensure security, you need cool programmers focused on the security of computer systems. Any protection can be bypassed, but you need to work to ensure that there are as few such loopholes as possible.
Yes, they should have used SolarWinds instead. Oh, wait, they got attacked at the end of last year too.
Most “attacks” still often come from in-house people in larger organisations (or at least some in-house people helped externals). Problem with SaaS: the same rule applies. Difference: now their customers are suffering …
It should be noted that often enough, ransomware attacks happen after some idiot in the organization clicked on some social engineering link, phishing mail, or used a password too easy to find out by brute force.
There is very little to do against human stupidity.
Hmm, how about a very good antivirus? I use ESET NOD32. Sometimes when I Google, I get links that are poisoned; as soon as I click, the ESET alarm comes in, you can’t miss it. If you choose to open the link, then the problems lie somewhere 12" from the monitor!
Large businesses should use centrally managed solutions that will not let a suspicious link be opened even when the user was told not to.
Employees should never have direct access to critical files. They should be served the data from protected servers as needed. But never have the ability to change a file directly. The servers should be air-gapped from the internet and accessible only by means of a directly connected terminal with a hardware key. The last place where I did some contract work was working towards this setup. Their critical systems are already isolated from the Internet. They are in the process of banning USB sticks, and disabling external USB ports on company computers. It may not be possible to prevent every possible attack, but they’ve at least made themselves a much harder target.
When you and your buddy are being chased by a bear, you don’t have to be able to run faster than the bear. You just have to be able to run faster than your buddy.
The biggest problem at the moment is that Bitcoin provides the means for money laundering. It has no other useful purpose. At least none that can’t be duplicated by legitimate payment systems. Governments are going to crack down on it very soon, and that will be the end of it. Without the ability to launder money, it will have no appeal to anyone.
I think what happens is that the ransomware infects the computer but stays dormant for some period of time. During this time it may spread itself through files and systems but doesn’t invoke the encryption. Then after x number of days it suddenly does its thing.
So IT goes and gets a backup and restores everything. But the backup has the same infected files and once everything is basically restored and comes back on line the virus goes active and encrypts everything again.
That might be an oversimplification, but it’s probably not far off.
I’m sure these companies all have backups of their systems. There are a lot of products on the market for disk-based with cloud-based backups, including one by our own @Tim_Jones.
It’s another example of why local disk backups (I’m looking at you Time Machine and rsync) are not good for serious disasters.
In these situations, remember that it’s not JUST your system disk that is affected, but any writable volume that is connected to the system while the malware is active. So Time Machine volume - toast, WebDAV volume - toast, USB external disk - toast, and so on …
If the victims were using tape - their backups are both air-gapped since they are not on live media and untouchable since they are usually written using a protected container format. Rebuild a clean host, reinstall the backup software, restore the backups from write-protected tape.
If the victims were using cloud - depends on the cloud mechanism since the way the files are sent to the cloud storage would play a major part in whether the malware could touch the remote data.
If the victims are using simple disk-based copies, the simplicity of the original backup makes the corruption of the backups just as susceptible.
This is something that we’ve promoted in the tape realm for backup for over 34 years. Once the files are on tape (NOT the LTFS stuff where the tape just mimics a disk), they can’t be touched or modified by a malicious third-party actor. In fact, if the tape is write protected after it’s written and verified, it can’t even be erased.
Also, a good tape solution would allow you to safely compare the data in your security backups against the data on your machine to determine exactly what’s been tampered with.
Even something as simple as using tar or cpio to store your archives on another disk - heck, even an SDXC card that’s write protected after it’s written, is safer than just rsync, cp/copy, or similar as long as the disk is dismounted once your backup is completed.