
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. greebs

    greebs Member

    Joined:
    Dec 30, 2001
    Messages:
    958
    Location:
    Melbourne
    Can't agree more. It's no different than your disks getting fried, or your building burning down. If you can't recover from cryptolocker, you're in trouble for any sort of DR.
     
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    can we make out?
     
  3. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,043
    Location:
    Brisbane
    Quoting just so this makes it to the next page for people like me who don't display 20million posts / page :)
     
  4. de_overfiend

    de_overfiend Member

    Joined:
    Jul 12, 2001
    Messages:
    2,546
    Location:
    Gold Coast
    had 3 infected pcs come in last week - no backups ... 2 were business machines - stupid people...
     
  5. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Am I missing something? Why does the media matter?

    If the policy is for the user to rotate the media Week 1 and Week 2, and they don't do it with External hard drives... what magical properties does Tape have that will make them swap the media?

    SMEs aren't going to buy a tape robot to cycle their tapes automatically.
     
  6. callan

    callan Member

    Joined:
    Aug 16, 2001
    Messages:
    5,181
    Location:
    melbourne
    Tape is intrinsically abstracted from any active filesystem that can be overwritten by Crypto. As long as a removable HDD is connected to a machine the data on it is vulnerable to being clobbered. With tape, however, even if the tape is loaded, it cannot be touched (as the only thing that can talk to it is the tape software itself.)

    also tape, by its very nature drives operators to offline backups.
    A lot of users consider tape to be the fax-machine of the IT world: archaic technology used by old farts who don't realise the world has moved on.
    But sometimes these old farts might actually know something - and tape is one of those times.

    Disclosure: The first QIC data tapes I used had the startling capacity of 7Megabytes:lol:

    Callan
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Makes sense to me :). I was thinking more along the lines of Business Data gets Crypto'd -> Crypto'd business data gets written to backup media (be it tape or disk) -> Business gets fucked.
     
  8. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Your exposure to loss would depend on your backup schedule/rotation and detection of crypto.
     
  9. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Tapes are generally also implemented with *loads* of recovery points - aka lots of tapes.
     
  10. Great_Guru

    Great_Guru Member

    Joined:
    Sep 5, 2001
    Messages:
    1,225
    Location:
    Australia
    I'm glad you said generally. Because in my experience I've come across some atrocious situations.

    There are some SMB/Client scenarios who end up at the point where they have a rolling 5-10 tape business backup system and that's it. How did they get into such a rubbish situation?

    Client: Oh my this solution is expensive
    SMB Sales Guy: Oh we'll just cut out some tapes to bring it in line with competitor quote
    SMB Tech: Goes to install and finds 5-10 tapes instead of 22 minimum (depending how you want to roll)
    SMB Sales Guy: Oh we'll get them extra tapes with a post install sales

    6-12 Months later, nothing has changed and business is running on a crippled backup system. For cryptolocker at least you'd probably be right as detection is usually found relatively quickly due to the viral nature but the story still stands.
     
  11. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    My experience is the following:

    Stage 1 - No Backups
    Stage 2 - 1 Portable USB
    Stage 3 - 2-5 Portable USB drives in some form of Rotation
    Stage 4 - NAS that things are backed up to - generally without off-site
    Stage 5 - NAS that things are backed up to - with off-site backup (to USB drives etc)
    Stage 6 - Tapes w/ 5-10 day rotation
    Stage 7 - Tapes w/ GFS 5 day/4 week/12 month/annual rotation
    Stage 8 - New tape, every day, we never ever overwrite

    Cloud is a nice thing and all - but it came about when I moved to a place where upstream internet is non-existent. I haven't really had a chance to evaluate many providers, but generally clients have been scared by per-incident restore fees (i.e. xfer the data to the drive, then box up a drive and ship it to the client) - and/or the cost scaling as the amount of recovery points increase.

    Tape infrastructure is expensive - but from a media point of view, super cheap once you're invested.
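The rotation behind "Stage 7" above (5 daily / 4 weekly / 12 monthly / annual, i.e. grandfather-father-son), and the "5-10 tape" rotation Great_Guru describes, written out as an added example. This is not code from anyone in the thread; the recovery points are constructed dates, and the same rule applies whether the points are tapes, rotated USB drives or NAS snapshots. It also answers Cubix's point about exposure: given the day the encryptor started, it says which retained point is the newest clean one, or that none is left.

```python
"""Grandfather-father-son (GFS) retention over a set of recovery points, and
how far back a clean restore can reach once an infection is found.

Added example, not from the thread. It models the "Stage 7" rotation
(5 daily / 4 weekly / 12 monthly / annual) and the "5-10 tape" rotation;
the recovery points are constructed dates, one per day for a year.
"""
from datetime import date, timedelta


def day(s):
    """Parse 'YYYY-MM-DD'."""
    return date.fromisoformat(s)


def gfs_keep(points, daily=5, weekly=4, monthly=12, yearly=1):
    """Return {date: [reasons]} for the recovery points the rotation keeps.
    Each tier keeps the newest point in each of its newest N buckets."""
    pts = sorted(set(points), reverse=True)      # newest first
    reasons = {}

    def keep_tier(bucket_of, n, tag):
        seen = []
        for d in pts:
            b = bucket_of(d)
            if b in seen:
                continue                          # not the newest in its bucket
            seen.append(b)
            if len(seen) > n:
                break                             # past the N newest buckets
            reasons.setdefault(d, []).append(tag)

    keep_tier(lambda d: d, daily, "daily")
    keep_tier(lambda d: d.isocalendar()[:2], weekly, "weekly")   # (year, ISO week)
    keep_tier(lambda d: (d.year, d.month), monthly, "monthly")
    keep_tier(lambda d: d.year, yearly, "yearly")
    return reasons


def recyclable(points, kept):
    """Points protected by no tier: media that may be overwritten next."""
    return sorted(d for d in set(points) if d not in kept)


def newest_clean_point(kept, infection_start):
    """Newest retained point strictly before the day the encryptor started,
    or None if the rotation has already overwritten every clean copy."""
    clean = [d for d in kept if d < infection_start]
    return max(clean) if clean else None


def constructed_points(last=date(2014, 9, 12), days=365):
    """Constructed sample: one recovery point per day for a year."""
    return [last - timedelta(days=i) for i in range(days + 1)]


if __name__ == "__main__":
    pts = constructed_points()
    started = day("2014-09-01")               # encryptor ran 11 days before it was noticed
    for label, kept in (("GFS 5/4/12/1", gfs_keep(pts)),
                        ("5 dailies only", gfs_keep(pts, 5, 0, 0, 0)),
                        ("10 dailies only", gfs_keep(pts, 10, 0, 0, 0))):
        print(f"{label}: {len(kept)} points kept, {len(recyclable(pts, kept))} "
              f"recyclable; newest clean point: {newest_clean_point(kept, started)}")
```

With a year of daily points the full GFS set retains 18 of them and still has 31 August as a clean restore point for an infection that started on 1 September; the 5- and 10-tape daily-only rotations have already overwritten every clean copy by the time the outbreak is noticed.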
     
  12. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,043
    Location:
    Brisbane
    You should be monitoring servers for known filetypes associated with crypto so if fileshares get infected you can identify the source, shut it down and restore from backup.

    There's no reason you can't do a tape style backup with hard drives, but people just generally are lazy about it :)
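The monitoring millsy describes, as an added example (not code from the thread): scan a file server's audit trail for known crypto file extensions and ransom notes, and name the account and workstation doing the damage so they can be cut off before the share is restored. The log format is a constructed, simplified one; the indicator lists are illustrative and would be maintained like any other IOC feed.

```python
"""Spot a CryptoLocker-style outbreak on a file server from its audit trail
and name the source principal so the account and workstation can be cut off.

Added example, not from the thread. The input is a constructed, simplified
audit log (one event per line):
    <ISO timestamp> <user> <client-ip> <CREATE|WRITE|RENAME> <path>
where a RENAME path reads "old -> new". Real sources would be Windows
object-access auditing on the share, Samba's full_audit module or a NAS
audit log; only parse() would change.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative indicator lists (extensions and ransom-note names seen on
# CryptoLocker-era families). Not exhaustive; maintain like an IOC feed.
CRYPTO_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".cryptolocker",
                     ".ecc", ".ezz", ".locky", ".micro"}
RANSOM_NOTES = {"decrypt_instruction.txt", "decrypt_instructions.html",
                "how_to_decrypt.txt", "help_decrypt.txt",
                "_locky_recover_instructions.txt"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (CREATE|WRITE|RENAME) (.+)$")


def is_crypto_indicator(path):
    """True if the file name is a ransom note or carries a known extension."""
    name = path.rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTES:
        return True
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in CRYPTO_EXTENSIONS


def parse(line):
    """Return (timestamp, user, client, op, path) or None for junk lines.
    For renames the new name is the one that matters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, client, op, path = m.groups()
    if op == "RENAME":
        path = path.split(" -> ")[-1]
    return datetime.fromisoformat(ts), user, client, op, path


def find_sources(lines, window=timedelta(minutes=5), threshold=20):
    """Alerts for every (user, client) that produced at least `threshold`
    indicator hits inside any `window`-long span. One oddly named file stays
    below the threshold; an encryptor renaming a file every few seconds does not."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and is_crypto_indicator(ev[4]):
            hits[(ev[1], ev[2])].append(ev[0])
    alerts = []
    for (user, client), times in hits.items():
        times.sort()
        best, start, j = 0, 0, 0
        for i in range(len(times)):          # sliding window over sorted times
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i > best:
                best, start = j - i, i
        if best >= threshold:
            alerts.append({"user": user, "client": client, "hits_in_window": best,
                           "first": times[start], "last": times[start + best - 1]})
    return sorted(alerts, key=lambda a: a["hits_in_window"], reverse=True)


def constructed_log():
    """Constructed sample: one normal user, one infected workstation."""
    t0 = datetime(2014, 9, 12, 9, 0, 0)
    lines = []
    for i in range(15):
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} abrown 10.0.0.41 WRITE finance/q3/report{i}.xlsx")
    # one oddly named but legitimate file: a hit, but far below the threshold
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} abrown 10.0.0.41 CREATE finance/door.locked")
    for i in range(40):                       # a rename every 3 seconds
        t = t0 + timedelta(minutes=10, seconds=3 * i)
        lines.append(f"{t.isoformat()} jsmith 10.0.0.23 RENAME "
                     f"shared/docs/contract{i}.docx -> shared/docs/contract{i}.docx.encrypted")
    lines.append(f"{(t0 + timedelta(minutes=12, seconds=1)).isoformat()} jsmith 10.0.0.23 "
                 "CREATE shared/docs/DECRYPT_INSTRUCTION.txt")
    return lines


if __name__ == "__main__":
    for a in find_sources(constructed_log()):
        print(f"{a['user']} from {a['client']}: {a['hits_in_window']} hits between "
              f"{a['first']} and {a['last']} -> disable the account, isolate the host, "
              f"restore the share from the last recovery point before {a['first']}")
```

The alert gives the three things the responder needs: which account to disable, which client address to block at the switch, and the earliest timestamp, which bounds the recovery point to restore from. Extension matching alone is not enough on its own for newer families that keep the original name, which is why the burst threshold is on the number of hits per principal rather than on any single file.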
     
  13. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    I was thinking about this issue the other day. I like automation as much as the next guy, but the ability for ransomware to attack backups that reside on network shares is pretty scary. I was wondering how difficult it would be to implement a NAS to NAS backup system which would work around the premise that the backup NAS shares only available on a certain time schedule. You could use this to limit the spread of malicious encryption, whilst simultaneously setting up a system which allows for malicious data encryption to be detected as early as possible without compromising entire volumes of data.

    So for example, NAS1 has all live data, NAS2 is for backups.

    • NAS2 would have various network shares as per data retention requirements
    • Specific shares would be available at 2:00am, backups would commence at 2:10am.
    • If disk activity commences before 2:10am, or if file extension is changed, the share is closed off, IT administrator is alerted to potential security breach
    • NAS1 would communicate to NAS2 when backup is complete, allow for network share to be closed off

    The only concern is that this would be a bit inefficient in terms of storage requirements, but data is probably more important. Does this idea have any merit? Plenty of businesses out there that have the hardware already and don't necessarily want tapes or someone physically swapping disks.
     
  14. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Or you know... just lock down the backup share with a password that your backup software authenticates with...

    There are a lot of ways to combat this problem - a big number of them surround the idea of only elevating your privileges as required.
     
  15. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Yeah, I'm not sure why I didn't think of that earlier. That's way simpler. :tongue: I may have to adapt a few backup systems for this to work, but it's certainly less mucking around.
     
  16. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Shadowprotect will do it out of the box. Windows Backup supports it as well.
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Some strains of Cryptolocker have local priv esc built in, so if you're not up to snuff on your updates, and your backup is accessible via smb, it might get eaten anyway.
     
  18. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
    Local Escalation isn't going to help you on a remote device with its own Auth AKA every NAS in existence.

    If you have AD Auth enabled Samba, and your user has write access - then you're still fucked tho
     
  19. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    No because 1. snapshots 2. principle of least access
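The share lockdown NSanity describes (the backup software authenticates with its own credential), the AD-auth caveat, and Iceman's two points (snapshots, least access) written out as an added example smb.conf. This is not configuration posted by anyone in the thread. It assumes a Samba file server; the share names, paths, the account name backupsvc and the address 10.0.0.5 are placeholders. The weak share is what Smokin Whale's scheduled-share idea was trying to protect; the hardened one makes the schedule unnecessary.

```ini
; Added example, not configuration from the thread.
; Placeholders: share paths, the local account "backupsvc", the backup
; server address 10.0.0.5 and the group "DOMAIN\Domain Users".

; Weak: every domain user, and so every infected workstation running as
; one, can write to the backup store over SMB.
[backups-weak]
   path = /srv/backups
   valid users = "@DOMAIN\Domain Users"
   read only = no

; Hardened: only a local Samba account that the backup software logs in
; with can open the share, and only from the backup server's address.
; A workstation user's domain token gets nothing here, escalated or not,
; because the share does not accept domain users at all.
[backups]
   path = /srv/backups
   browseable = no
   ; local account, created on the server with: smbpasswd -a backupsvc
   valid users = backupsvc
   write list = backupsvc
   read only = yes
   hosts allow = 10.0.0.5
   hosts deny = ALL
   create mask = 0640
   directory mask = 0750

; Live data share: users need write access, so the protection is filesystem
; snapshots that SMB clients cannot modify. shadow_copy2 exposes snapshots
; taken by the underlying filesystem (ZFS, btrfs, LVM; the snapshot job
; itself is outside this fragment) as "Previous Versions" on Windows clients.
[data]
   path = /srv/data
   valid users = "@DOMAIN\Domain Users"
   read only = no
   vfs objects = shadow_copy2
   shadow:snapdir = .snapshots
   shadow:format = @GMT-%Y.%m.%d-%H.%M.%S
   shadow:sort = desc
```

Two checks worth running after a change like this: testparm, to confirm Samba parses the file, and an actual mount attempt from a normal workstation as a domain user, which should be refused for [backups]. The local account only helps if its password lives solely in the backup software's configuration, not in a logon script or a user's profile.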
     
  20. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    14,043
    Location:
    Brisbane
    If you can't keep your backup server updated that's a problem. You're never gonna find cryptolocker with 0day unless it's a public 0day :)
     
