Emergency services call-handling provider: Ransomware forced it to pull servers offline

Peter Gathercole

Re: Recovery redundant?

Ransomware attacks are awkward. You have to be pretty certain that the recovery systems that you build are not coming from infected backups.

I'm not saying that they do this, but if I was someone wanting to place a ransomware bomb in a system, I'd probably want to install and spread it but leave the encryption dormant for several weeks, so that it would be copied onto the backups.

By doing this, you could probably immediately re-infect the environment that is being rebuilt, especially if it is just a timed trigger rather than an instruction from a command and control system external to the environment.

What I really struggle with is the fact that so many environments appear to be easy to infect. I know that the malware probably involves privilege escalation as well as the ransom encryption, but in a properly segmented environment, you should be able to contain an infection before it spreads. But I suppose the rush to consolidate systems into easy-to-manage large groups probably works against you there.

