back to article Don’t expect to get your data back from the Onyx ransomware group

Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid. The group behind the Onyx operation is …

  1. Eclectic Man Silver badge
    Unhappy

    Backups

    "Boyd noted that by 2021, only 8 percent of ransomware victims were getting their data returned"

    That is an appalling rate. Companies really do need to assess the risks of not having adequate security, including offline backups. As the price of serious amounts of storage is now so low (I can literally go to my local Apple store and buy an 8Terabyte hard drive right now), it can only be ignorance or laziness that is preventing them.

    1. Ken Hagan Gold badge

      Re: Backups

      It's 8% more than I'd have expected and it raises the question of how do they know that the recovered data wasn't tampered with prior to encryption? Obviously if you had a backup lying around you could do a comparison. Equally obviously, you wouldn't need to.

      1. Anonymous Coward
        Anonymous Coward

        Re: Backups

        "how do they know that the recovered data wasn't tampered with prior to encryption"

        I'm not an expert, but I'd guess anything like a big data base would be corrupted if it was encrypted while it was in use.

        I don't trust my backups of my Thunderbird directory unless I close it first.

        1. OhForF'

          Re: Backups

          As you point out encrypting (or doing a backup) of a database by attempting to simply doing it file by file will result in a corrputed database [if the files are modified by the database while you encrypt/backup].

          If the attacker does it that way (maybe not even knowing the files belong to a database) your data will be corrupted even if the attacker does not tamper with it.

          So let's assume the attacker is smart enough to have an encryption process that takes care of those things.

          What stops an attacker from modifying the data before starting the encryption process if he has full administrative access?

          Restoring the system using the decryption tools provided by the attackers will restore the system to a state where you KNOW it was vulnerable (and includes any tampering the attacker might have done).

          Trusting an attacker to not have added a few extra remote administrative access options in case they want to come back is something i would not recommend.

          Unfortunately restoring from backup is not much better. Unless you know for sure when the attacker first accessed your systems and you use an older backup you still have to assume the backup contains things you don't want to have. You although end up in a vulnerable state and have to figure how the attacker got access and close that hole or he can just use the same vulnerability to come back.

  2. Michael 66

    Trust issues?

    So ransomware companies are not abiding by the social contract? What is the world coming to?

    1. Fading
      Pirate

      Re: Trust issues?

      If you can't trust cyber criminals who can you trust?

  3. heyrick Silver badge

    there's going to be a lot of very angry people at affected organizations

    But angry at who?

    The ransomware crew, the idiot that opened that email with that executable that let the demons in, or the bean counters for deciding that maintaining regular rotating backups (and periodic testing of such) was not something that could be justified in the budgeting?

    1. sanmigueelbeer Silver badge

      Re: there's going to be a lot of very angry people at affected organizations

      the idiot that opened that email with that executable that let the demons in

      I am really offended by this statement. </joke>

      I believe one of UK's rail operator got hit from a "poisoned" email. A "staff member" clicked the attachment and, as the saying goes, the rest is history.

      That "staff member" is no other than the CEO.

  4. Danny 14

    I expect to get my files back from the immutable backup store.

  5. Anonymous Coward
    Anonymous Coward

    Back me up before you go go…

    Sorry

  6. Anonymous Coward
    Anonymous Coward

    There is an argument

    For an offensive cyber warfare capability in the UK, backed up with conventional weapons as a last resort.

    In the event of a total collapse of infrastructure caused by an unfriendly country or regime, quite right

    that all options should be on the table.

    At the moment about all we can do is send them a threatening letter, no hope of fighting back.

    1. doublelayer Silver badge

      Re: There is an argument

      The UK military has hired people for computer-related jobs, including offensive operations. They're predictably not keen on telling us how many people are working on offense rather than defense and exactly what they're doing, but they exist. Other parts of the UK government have had offensive uses for computers for quite a while. If a country used cyberattacks to cause significant damage, they also have conventional weapons available to them. The UK and many other countries already have what you're asking for and have announced plans to expand.

      1. Missing Semicolon Silver badge
        Devil

        Re: There is an argument

        "Other parts of the UK government have had offensive uses for computers for quite a while". Does HMRC count?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022