Latest Ransomware attack

But Tim,

Even with an air gapped tape, if the files written to it are infected then they will still reinfect any systems once restored. So the question is how long do you need to keep a tape backup?

Only if they are executable files (or scripts, macros, etc.) – database files that are only data can be restored without issue.


:face_with_raised_eyebrow: encrypting files does not happen instantly, it takes time.
Organizations usually don’t open their hundreds/thousands/millions of files at the same time daily, so the process could take many days without anyone encountering problems, and the backups are taking place as usual, storing the already encrypted files.

So all the files must be read-only for IT to know that when an MD5 changes it is an attack and not just a file edit :thinking:

Not all backups are the same, and not all ransomware attacks work the same. There are many mechanisms to prevent ransomware attacks, but it all depends on what the company has and how much they are going to spend on this.

You should always try to have what I called above a “Security” backup of your system.

And, as Douglas states, an infected data file is just corrupt data. It won’t wreak havoc even if it was corrupt before it was backed up.

Here’s an example of what we do:

Rotation starts with a Full backup that is doubled (written to 2 tape drives at the same time) of the base system. One tape onsite and one geographically offsite (more than 3K miles away - in Brussels for us). These are retained and controlled until the machine is retired.

We then run a full every week to a disk pool, monthly to tape, and quarterly to offsite tape. The weekly jobs are retained on the storage server for 3 months, the monthlies are vaulted locally for 3 months and then shipped offsite for 3 months, rotating back in as they pass that 3 month period, and the quarterlies are kept onsite for 6 months and then offsite for 2 years, once again rotating back onsite once they have passed the 2 year mark offsite…

While this sounds like a lot of tapes, compared to data recovery or business collapse, LTO-6 tapes at $28 each and LTO-7 tapes at $40 each are a very, very inexpensive insurance policy.

We then run daily incrementals for each system’s data - NOT system files - to a disk layer that uses a Diffie-Hellman key pair exchange and strong encryption to a dedicated server that runs no tasks except the backup software engine (ArGest Server) - nothing to hack or infect - retaining these backups for a period of 3 months.

In this case, we can always return a system to as-delivered and restore baseline updates through a specified weekly or monthly full, followed by intervening incrementals. A bit of a project, but far better than bankruptcy or worse.

No, the point would be to compare the MD5 of the local file and the backed-up file. If they were the same, the backup is not corrupt. And you only do that to some sample files, or files you create and do not change or edit, to serve only as an integrity check.

But all of this was just based on a supposition the OP was implying backups could be corrupt even before the local data was known to be encrypted. If that was referring to the system files or application programs being silently corrupted, that is a different story.

As Tim points out, if you are doing a system recovery after some attack, you do NOT want to restore more than raw data from the backups. You build the systems back up from known clean starting points. I (mis?)took the OP to mean the backups themselves were encrypted and unreadable, not that the backup was just infected.
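The sentinel-file check described in this post, as an added example (not code from the thread or from any product mentioned in it): a few files are created once and never edited, their hashes are recorded, and any later change or disappearance flags the next backup run instead of letting it copy encrypted data. SHA-256 is used in place of MD5; the file paths and contents are constructed for illustration.

```python
import hashlib
import json
from pathlib import Path

# Added example, not code from the thread. Sentinel ("canary") files are written
# once and never edited, so a changed hash means some process other than a user
# rewrote them (the typical ransomware pattern). Detecting that *before* the
# nightly job runs keeps the encrypted versions out of the backup set.
# SHA-256 replaces the MD5 the post mentions; the logic is otherwise the same.

CHUNK = 1 << 20  # read files in 1 MiB blocks so large sentinels are fine too

def file_digest(path):
    """Return the hex SHA-256 of a file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def write_baseline(canary_paths, baseline_file):
    """Record the reference hash of every sentinel (run once, after creating them)."""
    baseline = {str(Path(p).resolve()): file_digest(p) for p in canary_paths}
    Path(baseline_file).write_text(json.dumps(baseline, indent=2))
    return baseline

def check_canaries(baseline_file):
    """Compare every sentinel against the stored baseline.

    Returns (ok, problems); problems lists (path, reason) for files that changed
    or vanished. Missing files are reported because some strains rename victims."""
    baseline = json.loads(Path(baseline_file).read_text())
    problems = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            problems.append((path, "missing"))
        elif file_digest(p) != expected:
            problems.append((path, "hash changed"))
    return (not problems), problems

def backup_matches_source(local_path, backup_path):
    """The comparison the post describes: a backed-up copy is only trusted if it
    hashes identically to the known-good local original."""
    return file_digest(local_path) == file_digest(backup_path)
```

Run `check_canaries` as a pre-job hook in the backup scheduler and abort the job when `ok` is false.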

Well, Kaseya, SolarWinds, and all similar tools are exactly what (mainly large) corporations use to manage their whole infrastructure stack, limiting and trying to protect the users and the infrastructure in use. The big issue starts when these companies are under attack or compromised internally, and the tools are working as a vector for ransomware or any other disasters. Though I’m a big fan of cloud services, it isn’t necessarily the best approach to protect your on-premise stack via SaaS. All you can do is trust the service-offering companies, which has been shown in the past 9 months to not always be the best choice :wink:

Do not run against bears, that is in every movie where bears appear on screen, don’t you know?
Also, I like my buddies! :wink:

Hi, it’s always better to use somebody who is trusted… and as we are humans I still don’t understand why everybody wants to hack everybody… In old times life was easier, and you could have a snack with your IT guys, and sometimes you don’t have to talk in a foreign language, or describe your issues to a call agent who tries to route them to somebody who will help you (if you have the correct SLA).

BR Rainer

As far as I understand, Kaseya and SolarWinds are not solutions that are local only in the client infrastructure; I mean they rely on components that are located outside the infrastructure to protect. Then isn’t it easier for the hackers to compromise many sites?

I was thinking about a solution that is installed 100% locally and managed centrally, if that is still possible.

In the end, it looks like the company, Kaseya, that was supposed to protect its clients was not itself protected enough. This is the kind of thing I dislike about the cloud, because when a cloud solution provider is attacked, it brings a lot of companies to their knees, and that can be you :weary:.


Correct, that is what happened here. Those solutions usually only install a Windows service that then interacts with the cloud. It is technically convenient for companies where, for instance, not all subsidiaries are using an Active Directory. You can literally “collect” all your assets into your tenant in their cloud and then manage your devices (patching, deploying software, pushing antivirus, managing remote access rights, monitoring devices, etc.). So indeed, technically speaking, very appealing and usually relatively cheap; at least there is an easy ROI for most companies. Downside: big disaster if your cloud service provider gets hacked and the hack itself uses their services to deploy itself. That’s exactly what happened with SolarWinds … :frowning:

Our little town here is still recovering from a ransomware attack that took down the computers in 2 major hospitals completely for more than 3 weeks while they struggled to get things restored. I have no idea what actually happened to the computers as, of course, they aren’t talking about it yet because the FBI is investigating, or perhaps they just don’t want to give away how poor their planning actually was. I do believe that they did not agree to pay and that they ultimately succeeded in restoring in spite of that. Patient care was severely impacted during that time, as it has been long enough since the docs were able to use paper charts that most of the newer ones on staff and almost all of the nurses and other staff have absolutely no idea how to manage things without the computers, and they were all totally and completely gone. No records, no daily prescription lists, no daily notes that weren’t jotted down by hand and stuffed into a folder that then nobody could find. It was an absolute nightmare.

Since I don’t know what actually happened, I don’t know if they were compromised through one of those companies offering remote management solutions for Windows or if it was something else. Lots of jokes going around about people opening attachments while logged into a hospital computer or something similar, but I don’t know if that happened. Since the computers all over the place are only running either a browser or a database client to access the data, they aren’t logging into the actual servers, which were lost. The ransomware must have either been placed on the servers themselves by a failure on the part of the people who had direct access to those, or via some other exploit in the Windows software that they all run. How else would it even jump from a desktop machine in the lounge to the server if the machines don’t have access to the drives on which the database was installed at all? If it was targeted specifically at the medical database system then they could have found a problem with that which let them inject SQL or something similar, but I rather think it was a more mundane approach through the operating systems themselves, though that is only an impression from vague comments.

The other major hospital in town, which wasn’t infected, does not use a remote database client, but does all access through a Citrix system. Which is kind of hilarious to me, as the actual doctors’ interface to all the data runs inside a browser which they run in a Citrix session. Which means they paid extra for a browser-based interface to the database and yet aren’t actually using it :wink: This is very amusing to me on so many levels, but at least there are Mac clients for Citrix so that my wife can connect to work without having to have a Windows machine inside my own firewall. My concern with that is that once you do that, the Citrix instance is running inside the firewalls. I’m sure they have a firewall between the Citrix servers and the database servers, but very possibly not, or at least not as strong as a single HTTPS input to the application server. It is my belief that this makes them less secure, not more. But then I’ve never run such a system, only used it, so I don’t know for sure.