HACKER Q&A
📣 xupybd

What is your ransomware mitigation strategy?


We've just seen a huge attack on US companies. How would you recover?

What systems do you have in place?

We have some physical backups but they're always a week old. We have online restic backups but they're open to attack. I don't know how to protect our systems.


👤 corobo Accepted Answer ✓
Firewall it all off. Audit the logs, etc to see how they got in. Fix that. Restore from backups.

My main "oh god everything is dead" full system backups pull from the servers rather than having them push to backup storage. Just in case though I also have individual sites pushing snapshots to write-only S3 with glacier/expiration rules set up as appropriate.

3-2-1 backup strategy on both of these too. 3 copies, 2 different types of storage, (at least) 1 offsite.

Also you do test your backups now and then, right? At least check the file size. You don't want to find out your zip function has been creating empty zip files for the past 6 months in this situation. That's how I learned to back up properly :P

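As an added example (not corobo's code or anything from this thread), a small check of the kind the last paragraph describes: it flags archives that are undersized, stale, or fail a CRC test, run over constructed sample zips. The size and age thresholds are assumptions.

```python
import os
import tempfile
import time
import zipfile
from dataclasses import dataclass
from pathlib import Path

MIN_SIZE_BYTES = 1024        # assumption: anything smaller counts as an empty/broken archive
MAX_AGE_SECONDS = 2 * 86400  # assumption: a backup older than two days is stale

@dataclass
class Verdict:
    path: str
    ok: bool
    reason: str

def check_backup(path, now=None):
    """Return a Verdict for one archive; cheapest checks run first."""
    now = time.time() if now is None else now
    st = path.stat()
    if st.st_size < MIN_SIZE_BYTES:
        return Verdict(str(path), False, f"too small ({st.st_size} bytes)")
    if now - st.st_mtime > MAX_AGE_SECONDS:
        return Verdict(str(path), False, "stale")
    if not zipfile.is_zipfile(path):
        return Verdict(str(path), False, "not a zip archive")
    with zipfile.ZipFile(path) as zf:
        bad = zf.testzip()  # reads every member and verifies its CRC
    if bad is not None:
        return Verdict(str(path), False, f"corrupt member: {bad}")
    return Verdict(str(path), True, "ok")

def check_all(directory):
    return [check_backup(p) for p in sorted(Path(directory).glob("*.zip"))]

def demo_results():
    """Constructed sample backups: one healthy, one empty, one ten days old."""
    with tempfile.TemporaryDirectory() as d:
        good, empty, stale = (Path(d) / n for n in ("site-good.zip", "site-empty.zip", "site-stale.zip"))
        for p in (good, stale):
            with zipfile.ZipFile(p, "w") as zf:
                zf.writestr("db.sql", "-- constructed sample dump\n" * 100)
        zipfile.ZipFile(empty, "w").close()  # the "empty zip for six months" failure
        os.utime(stale, (time.time() - 10 * 86400,) * 2)  # backdate to simulate a stale copy
        return check_all(d)

if __name__ == "__main__":
    for v in demo_results():
        print(f"{'OK  ' if v.ok else 'FAIL'} {v.path}: {v.reason}")
```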

👤 cpach
One possible solution is to sign up for rsync.net

They will create immutable snapshots of your data using ZFS.

https://www.rsync.net/products/ransomware.html


👤 prepend
This reminds me of the scene in Altered Carbon where [spoiler] someone’s real-time backup of themself gets corrupted, so when they get killed they are permanently killed.

I thought, who keeps only one backup? If I get ransomwared, I need to be able to restore to separate copies. Maybe lose a few days of data but nothing is gone forever.


👤 pearjuice
I use Common Sense 2021 as I'm the sole user of my system and do not execute arbitrary executables. In the case I get hit by a vulnerability beyond my control, everything important is in "the cloud" and on secondary hard drives on different locations in cold storage.