Don’t expect to get your data back from the Onyx ransomware group

Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid. The group behind the Onyx operation is …

  1. Eclectic Man Silver badge

    Backups

    "Boyd noted that by 2021, only 8 percent of ransomware victims were getting their data returned"

    That is an appalling rate. Companies really do need to assess the risks of not having adequate security, including offline backups. As the price of serious amounts of storage is now so low (I can literally go to my local Apple store and buy an 8 terabyte hard drive right now), it can only be ignorance or laziness that is preventing them.

    1. Ken Hagan Gold badge

      Re: Backups

      It's 8% more than I'd have expected and it raises the question of how do they know that the recovered data wasn't tampered with prior to encryption? Obviously if you had a backup lying around you could do a comparison. Equally obviously, you wouldn't need to.

      1. Anonymous Coward

        Re: Backups

        "how do they know that the recovered data wasn't tampered with prior to encryption"

        I'm not an expert, but I'd guess anything like a big data base would be corrupted if it was encrypted while it was in use.

        I don't trust my backups of my Thunderbird directory unless I close it first.

        1. OhForF' Silver badge

          Re: Backups

          As you point out, encrypting (or doing a backup of) a database by simply doing it file by file will result in a corrupted database [if the files are modified by the database while you encrypt/backup].

          If the attacker does it that way (maybe not even knowing the files belong to a database) your data will be corrupted even if the attacker does not tamper with it.

          So let's assume the attacker is smart enough to have an encryption process that takes care of those things.

          What stops an attacker from modifying the data before starting the encryption process if he has full administrative access?

          Restoring the system using the decryption tools provided by the attackers will restore the system to a state where you KNOW it was vulnerable (and includes any tampering the attacker might have done).

          Trusting an attacker not to have added a few extra remote administrative access options in case they want to come back is something I would not recommend.

          Unfortunately, restoring from backup is not much better. Unless you know for sure when the attacker first accessed your systems and you use an older backup, you still have to assume the backup contains things you don't want to have. You also end up in a vulnerable state and have to figure out how the attacker got access and close that hole, or he can just use the same vulnerability to come back.
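          An added example (not from any commenter) illustrating the point above about copying a live database file by file: a plain file copy of a SQLite database in WAL mode misses every write still sitting in the write-ahead log, while the engine's own backup API produces a consistent copy. The database, table and row counts are constructed for the demo.

```python
import os
import shutil
import sqlite3
import tempfile


def count_rows(path):
    """Open a copy of the database and count rows in the demo table."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT COUNT(*) FROM t").fetchone()[0]
    finally:
        con.close()


def compare_backup_methods(workdir=None):
    """Return (rows seen by naive file copy, rows seen by backup-API copy)."""
    if workdir is None:
        workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "live.db")
    # Autocommit so each statement is its own committed transaction.
    con = sqlite3.connect(src, isolation_level=None)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("PRAGMA wal_autocheckpoint=0")  # keep writes in the WAL
    con.execute("CREATE TABLE t(id INTEGER PRIMARY KEY, v TEXT)")
    con.executemany("INSERT INTO t(v) VALUES (?)", [("old",)] * 10)
    # Checkpoint: the first 10 rows now live in the main file.
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)")
    # 90 more committed rows exist only in live.db-wal until checkpointed.
    con.executemany("INSERT INTO t(v) VALUES (?)", [("recent",)] * 90)

    # Naive "file by file" copy of the main database file while it is in use.
    naive = os.path.join(workdir, "naive_copy.db")
    shutil.copyfile(src, naive)

    # Consistent copy through SQLite's online backup API.
    api = os.path.join(workdir, "api_copy.db")
    dst = sqlite3.connect(api)
    con.backup(dst)
    dst.close()
    con.close()
    return count_rows(naive), count_rows(api)


if __name__ == "__main__":
    naive_rows, api_rows = compare_backup_methods()
    print(f"naive copy: {naive_rows} rows, backup API: {api_rows} rows")
```

          The naive copy reports 10 rows and the API copy 100; a backup (or a restore from a ransomware decryptor) that was made this way silently loses committed data.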

  2. Michael 66

    Trust issues?

    So ransomware companies are not abiding by the social contract? What is the world coming to?

    1. Fading

      Re: Trust issues?

      If you can't trust cyber criminals who can you trust?

  3. heyrick Silver badge

    there's going to be a lot of very angry people at affected organizations

    But angry at who?

    The ransomware crew, the idiot that opened that email with that executable that let the demons in, or the bean counters for deciding that maintaining regular rotating backups (and periodic testing of such) was not something that could be justified in the budgeting?

    1. sanmigueelbeer

      Re: there's going to be a lot of very angry people at affected organizations

      the idiot that opened that email with that executable that let the demons in

      I am really offended by this statement. </joke>

      I believe one of the UK's rail operators got hit from a "poisoned" email. A "staff member" clicked the attachment and, as the saying goes, the rest is history.

      That "staff member" is none other than the CEO.

  4. Danny 14

    I expect to get my files back from the immutable backup store.

  5. Anonymous Coward

    Back me up before you go go…

    Sorry

  6. Anonymous Coward

    There is an argument

    For an offensive cyber warfare capability in the UK, backed up with conventional weapons as a last resort.

    In the event of a total collapse of infrastructure caused by an unfriendly country or regime, quite right

    that all options should be on the table.

    At the moment about all we can do is send them a threatening letter, no hope of fighting back.

    1. doublelayer Silver badge

      Re: There is an argument

      The UK military has hired people for computer-related jobs, including offensive operations. They're predictably not keen on telling us how many people are working on offense rather than defense and exactly what they're doing, but they exist. Other parts of the UK government have had offensive uses for computers for quite a while. If a country used cyberattacks to cause significant damage, they also have conventional weapons available to them. The UK and many other countries already have what you're asking for and have announced plans to expand.

      1. Missing Semicolon Silver badge

        Re: There is an argument

        "Other parts of the UK government have had offensive uses for computers for quite a while". Does HMRC count?
