• The other ransomware scam


    #2422304

    ON SECURITY By Susan Bradley You can’t decrypt your way back to normal. In addition to all the other irons I have in the fire, I help moderate a group
    [See the full post at: The other ransomware scam]

    Susan Bradley Patch Lady/Prudent patcher

    • #2422370

      I just can’t say it enough — put a backup plan into effect.

      I couldn’t agree more.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

    • #2422382

      Susan, how many sets back should be available?

      Have the bad guys learned to infect and then wait a while before springing the trap, hoping that the backups have now been overwritten and there is no safe backup?

      • #2422474

        You should have a rotation of drives so that, should you get nailed, you have a backup that is offline. I would then scan that image either as you put it back or before you put it back – mount the drive and run an A/V scanner on it.

        Susan Bradley Patch Lady/Prudent patcher

    • #2422601

      Have the bad guys learned to infect and then wait a while

      It seems they go for immediate cash (coin) over properly encrypting everything. Most users / companies don’t have a proper backup regime in place.

      cheers, Paul

    • #2422603

      Have the bad guys learned to infect and then wait a while before springing the trap

      Yes. Many hackers have dormant code waiting for the proper moment to act.

      According to research from the UK’s National Cyber Security Centre, reported in The New Scientist, ransomware often lies dormant on a network for weeks or even months before the cybercriminals activate it to launch their attack.

      https://www.keepitsafe.com/blog/post/is-there-a-ransomware-timebomb-already-on-your-network-asigra-s-v14.1-ransomware-protection-feature-can-alert-and-assist#:~:text=According%20to%20research%20from%20the,it%20to%20launch%20their%20attack.

    • #2422761

      That was an extremely well-written article, Susan. Thank you.

    • #2422883

      This URL may be useful:

      Check out these free decryptors that will help you decode your data without paying the ransom.
      https://heimdalsecurity.com/blog/ransomware-decryption-tools/

    • #2423604

      As is my usual and frequent recommendation, use a very plain (and old) backup strategy based on a series of external hard drives and a rotation through that series.

      Exactly!  If everyone followed this advice, the bad guys would basically be forced to abandon their ransomware attacks almost entirely; since they wouldn’t be finding very many victims willing to pay those ransoms.

      Anyone whose system got hit with a successful ransomware attack would just re-image their system from their most recent offline backup (hopefully no more than a day or two old); and — except for possibly the most recent data from that day or so — the system should be back up and running just fine.

      And, in the case where an attacker has somehow stealthily compromised a system, waiting for a period of time before striking, it might mean going back to an earlier system image.  In that case, it would be a bit more complicated; but still not a show-stopper.  The hardest part would be determining at what point in time the system got compromised; so that you’d know how far back in time you’d need to go to restore the system image.  Then, once the system image is OK, you’d restore the non-executable data files from the most recent offline backup; which, again, should get you back to where you were no more than a day or two ago.

      Recovering from the “stealthy” lie-in-wait attack involves that extra step of determining when the system got infected; so that you know which date to restore the system image from.  But other than that the recovery process is pretty straightforward.  The key, as Susan makes very clear, is making and keeping those offline backups.  That’s your ransomware insurance policy.
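
The rotation and recovery steps described in this thread (Susan's reply about keeping a rotation of drives with one offline set, and the post above about picking a system image from before the compromise and then restoring data from the newest offline backup) can be modelled in a few functions. The following is an added example, not code from the thread or from any product mentioned in it; the drive labels, dates, file names and the SHA-256 manifest check are constructed assumptions for the demonstration.

```python
"""Offline-drive rotation and restore-point selection (added example).

Models the thread's advice: a set of external drives used round-robin so that
only one is attached on any given day, plus the recovery decision for the
lie-in-wait case: restore the newest system image taken *before* the estimated
compromise date, then the newest data-only backup. Drives, dates, files and the
manifest check are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str   # "image" = full system image, "data" = non-executable user files
    drive: str  # label of the external drive holding this set


def rotation_schedule(drives, start, days):
    """Round-robin plan: one drive is attached per backup day, the rest sit offline.
    Returns a list of (date, drive_label) pairs covering `days` consecutive days."""
    return [(start + timedelta(days=i), drives[i % len(drives)]) for i in range(days)]


def offline_drives(drives, attached):
    """Drives that malware running on the host today cannot reach."""
    return [d for d in drives if d != attached]


def choose_restore_points(backups, compromised_on):
    """Newest image strictly before the compromise date plus the newest data
    backup of any date. Returns None when no image predates the compromise,
    i.e. the rotation does not reach back far enough."""
    clean_images = [b for b in backups if b.kind == "image" and b.taken < compromised_on]
    if not clean_images:
        return None
    image = max(clean_images, key=lambda b: b.taken)
    data = max((b for b in backups if b.kind == "data"), key=lambda b: b.taken)
    return image, data


def verify_manifest(files, manifest):
    """Check a mounted set against a SHA-256 manifest recorded at backup time
    (a stand-in for inspecting the set before restoring it). Returns the
    names whose contents changed or that are missing."""
    bad = []
    for name, expected in manifest.items():
        blob = files.get(name)
        if blob is None or hashlib.sha256(blob).hexdigest() != expected:
            bad.append(name)
    return sorted(bad)


# Constructed sample: three drives, weekly images and recent nightly data sets.
DRIVES = ["EXT-A", "EXT-B", "EXT-C"]
START = date(2022, 2, 1)
SAMPLE_BACKUPS = [
    Backup(date(2022, 2, 1), "image", "EXT-A"),
    Backup(date(2022, 2, 8), "image", "EXT-B"),
    Backup(date(2022, 2, 15), "image", "EXT-C"),
    Backup(date(2022, 2, 14), "data", "EXT-B"),
    Backup(date(2022, 2, 15), "data", "EXT-C"),
    Backup(date(2022, 2, 16), "data", "EXT-A"),
]


def restore_plan(compromised_iso):
    """Convenience wrapper over the sample data using ISO date strings."""
    picked = choose_restore_points(SAMPLE_BACKUPS, date.fromisoformat(compromised_iso))
    if picked is None:
        return None
    image, data = picked
    return {"image": image.taken.isoformat(), "image_drive": image.drive,
            "data": data.taken.isoformat(), "data_drive": data.drive}


def demo_manifest_check():
    """Constructed backup set with one tampered and one missing file."""
    original = {"docs/report.txt": b"quarterly numbers",
                "docs/notes.txt": b"meeting notes",
                "photos/cat.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes"}
    manifest = {n: hashlib.sha256(b).hexdigest() for n, b in original.items()}
    mounted = dict(original)
    mounted["docs/notes.txt"] = b"meeting notes -- contents replaced"  # simulated damage
    del mounted["photos/cat.jpg"]                                     # simulated loss
    return verify_manifest(mounted, manifest)


if __name__ == "__main__":
    for day, drive in rotation_schedule(DRIVES, START, 4):
        print(day, "attach", drive, "offline:", offline_drives(DRIVES, drive))
    print("compromise 2022-02-10 ->", restore_plan("2022-02-10"))
    print("compromise 2022-02-01 ->", restore_plan("2022-02-01"))
    print("manifest mismatches:", demo_manifest_check())
```

The strict "before" comparison in choose_restore_points is deliberate: when the compromise date is only an estimate, an image from the same day cannot be trusted, and a None result is the signal that the rotation needs more sets than it currently keeps.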
