Re: So, nothing important was encrypted
I grasp that running servers are always vulnerable to failure and malicious acts must be factored in as a possibility. Thus temporary disruption may not be wholly avoidable. Yet no organisation ought allow itself to be in the position of facing permanent loss of irreplaceable data.
Presumably mechanics of encryption extortion require some time for encryption of large sets of data to be completed (seconds, minutes, or hours?). Also, I assume miscreants must arrange secure deletion of original versions when the task is completed. This leaves the matter of how well backup and mirroring regimens operate.
Although an attack may obfuscate the entire collection of data available to legitimate users at the time it began, that should not mean recovery from backup not in continuous connection to affected servers is infeasible. That raises the question of how frequently backing-up ought occur, and how many layers of independent backup ought be retained, in order to minimise irretrievable data loss from point of intrusion after the last backup. Presumably, someone has worked this out? Perhaps the answer varies according to the load on vulnerable servers?