Pay Us in Beer
Somebody had to say it.
Staff at Arran Brewery were locked out of its computer systems this week following a ransomware attack. The attack against the Isle of Arran-based Scottish beer maker appears to have been a targeted strike. Prior to the infection, adverts for an already filled finance post at the brewery were placed on recruitment sites …
Ransoms only work because people pay them, if people stopped paying them then people would stop taking things ransom. Also we were talking about ransomware, not people kidnapping other.
In regards to kidnapping, it is already illegal to pay a ransom under anti-terrorism laws.
Sorry, this is a ransomware attack. You mean your database is your loved one, and they send it back row by row?
No, read what he said... “a bit at a time”.
So one day you get a 1 in the post, then a 0, then maybe another 0... maybe they’ll take a byte out of the victim, or if the extortionists are really cruel they’ll communicate by the time-honored method of cutting out words.
I had a customer caught like this a couple of years ago.
Removed the hard drive, re-imaged the machine with a new drive, the user was back up and running in 2 hours.
Luckily it just encrypted the boot partition and rebooted, it didn't try and do the file shares. An encrypted share would have been a bit more work, but a maximum of 3 hours work lost.
On the other hand, I know one company, where the directors ran their own NAS, because they didn't trust ops and ops weren't allowed to back up the NAS either, that was the job of the directors... Only they never got around to it, because, you know, RAID... They got hit by ransomware and, while the director concerned noticed it quite quickly, they still lost a couple of years worth of financial information and had to cough up.
"But a NAS that supports automated daily snapshots would have had a sporting chance of recovery "
An automated backup likely means the backup drive is attached to the system, in which case it could also be encrypted by the ransomware. I remember a guy telling me about how the company he used to work for used USB hard drives for backups and they were only connected to the servers during the backup, one day in the middle of a backup lighting struck the building and killed not only the servers but also the USB hard drives.
If a backup drive is connected to the system then it no longer counts as a backup for the duration of the time it is connected, this is why you need to rotate backup drives so that you always have an isolated backup.
Every time I read about, "we lot everything due to ransom-ware," I think about all of the easy, good practices that have been developed over the years. And I think about how they are not followed, because it requires even a minimum of effort.
Good backups means that the recovery process takes place in maybe three to four hours. Bad backups means that data spanning years is lost. Suck it up, and put good practices in place!
Also, an offsite backup wouldn't be a bad idea. Buildings do burn down or washed away. Offsite backup is likely to be a PITA to do, so it may only get done weekly or monthly. But losing only a few weeks worth of data will probably look like a blessing when confronted with the loss of all the configuration information and data that the company owned other than what can be recovered from surviving scraps of paper and a random selection of files and eMails from personal machines.
There are many ways to destroy data integrity, not just the obvious ransom-ware or HDD failure, but also examples of electrical surge, fire, flood or some oik nicking the thing.
Having an off-site copy is a VERY GOOD IDEA and if you want to DIY then you could sync two NAS locally, move one off-site and then have an rsync job (ideally taking a copy of the most recent snapshot so it is all consistent in time).
Of course you also need to check it is working, not just initially but also months down the line, and to try your recovery process as well. You REALLY don't want to find out its not quite right after a major event!
All really good advice. But be aware that, as with many other things, what's simple in concept may not be so simple in practice. For example, it'd take a good part of a week to stash a copy of my PC hard drive to the "cloud" over my suburban US DSL line. And I don't have any video data. Folks (including businesses) in neighboring towns have even slower connections BTW. Moreover, tying up the home data pipe with a massive, days long, upload is likely to annoy the other folks that reside here. Therefore my home system offsite backup is on a usb stick in the spare tire well of my car. THAT only takes about five hours to build
One very likely wants to encrypt offsite data. Easy enough, if one does something like tar-compress-encrypt on high level directories. Why tar? Because I really don't want to deal with data recovery from a file system with tens of thousands of files with obsfucated names. Rsync isn't going to work very well. Solvable? Yes, I think. I haven't actually tried to integrate rsync into the workflow. Easy? Not so much I'm pretty sure.
another call for VMs. the host is isolated from the normal network and has an isolated backup. Then when the guests are infected you first power them off forcefully. recover from backup. carry of as normal.
if the guests can get to the hosts then you are doing something wrong. the whole point of having a management network is to keep your infrastructure away from production network.
oh and for backups get a pair of cheap synology. they will even rsync to each other. keep then in totally different buildings (different power etc) and vlan'd apart from the production network (if you cant dedicate cabling). for less than 1500 you can have terabytes of independent backups that live in different buildings.
hyperv server is free. it can even cluster and can use server storage nowadays - no need for san. a pair of r410 can be bought (refurbished ) for under 3k with enough ram and storage to have a 2 node clustered VM platform for your linux servers. no licensing needed.
shame that you need datacenter for stretch cluster as stretch cluster works brilliantly for multisite cluster resiliency (thats what we do)
Rsync replication won't help. It will sync the encrypted files and delete the originals!
We had a CEO who decided mirrored, redundant servers were the solution, hot stand-by, so no need for backups. Until he managed to corrupt the database and realised the hot stand-by also now had the corrupted database as well.
Offsite, offline backup on a separate medium is the only real answer. And offsite != cloud backup. Tapes on another site in a fire safe or in a bank valut, for example, are proper offsite backups. Cloud backup, unless you use glazier style is online and disk based, which breaks 2 two rule in 3-2-1 backup (no file exists, until there are at least 3 copies, on 2 different medium and 1 is offsite). Although a backup on an HDD array half way around the world is probably OK these days.
I use replication to an external drive, replication to a NAS and cloud backup at home. At work we have Veeam onto hot near-line storage and onto external media, into the fire safe.
I'm very surprised to see the Arran Brewery featured here as I've visited the place and it's tiny! A reminder that these bastards can take down businesses large and small. Anyhow, it's well worth a visit, the island is beautiful and the beer is excellent. I recommend Red Squirrel.
Not for me. When I went to visit we all paid, got inside and the place was shut down. They'd gone out of business and the new owners weren't up and running yet. I'm guessing that's around 10 years ago. They showed us some nice bottles as we came out in the style of "look at what you could have won"...
Their beer is very pleasant, and it is indeed a lovely island, but the brewery tour was certainly disappointing that day.
we run pfsense and snort (paid version). i get an alert when some idiot opens the .doc/.xls/.pdf that try to phone home to compromised servers, sometimes the AV gets them too. luckily we havent been hit with anything snort hasnt known about.
still, at least i can educate people when the alert goes off. education is better than AV or IPS reliance.
the decision meant accepting the loss of three months worth of sales data from one infected server
"Recovers?" Sounds more "gives up and moves on." But good on them for not paying the scammers.
They can probably recreate most of the sales data from credit card transaction logs and their customers' records, anyway.
There was some other method of storing data. Some kind of write once read many format in an easily read container. Though I will admit matters of scale can be an issue, and the file system has to be regularly updated. Data dispolsal can get interesting too (I personally burn mine).
It's times like this that as much as I like moving forward with the march of progress, I wonder if we lose too much in the process (no one's ever managed to encrypt hard copy once it's been created. The only other thing I can think of is if the language dies but that's slightly different and can't be held to ransom over that one)
“Barry Shteiman ... said ... If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organisations should pay.”
Mr Shteiman is overlooking the wider effect on society of paying.
Perhaps, if he really believes in this selfish “only our bottom line matters” attitude, we need to tell him that we’ll boycot businesses that pay ransoms.
Does anyone have a list of businesses that have admitted to paying ransoms?
If I were running a ransomware operation I'd want to take a look at whatever was so important that a victim agreed to pay for it. If it's that important to the victim then it's probably worth a higher ransom.
Why would you trust the bad guys to provide the decryption key once you've paid? They're bad guys.
As for 'losing 3 months worth of sales data'... it's a valuable lesson which the brewery could probably have learned at a lower cost.
I very much approve of small breweries in general though - I'll make a point of sampling their product soon.
Been hit a couple of times by ransomware, (Trend AV on client PCs not being as useful as you’d expect, and users not being as vigilant as... ah what am I saying...)
Data held on NetApps was restored via Previous Versions or using ndmpcopy from the netapp console to restore direct from .snapshot folder once the clients were taken offline.
The approach I use for backups is to have a backup system (Linux running 'backintime') pull data from the servers. The backup systems do not have shares on them, they only attach to shares on the server. I have nightly and hourly backups - some kept locally - and at least 2 backup media kept off-site. Standard portable hard drives (currently using 2 TB) keep nightly backups for 3 weeks, then a couple months of weekly, and finally monthly backups kept. Periodically phasing in a new drive allows years of monthly data readily available. Using this approach, the chance of any backup getting infected is reduced by orders of magnitude.
Biting the hand that feeds IT © 1998–2021