US city rejects $5.3M ransom demand and restores encrypted files from backup

467 points by GiulioS, over 5 years ago

25 comments

rsync, over 5 years ago
ZFS snapshots are immutable (read-only) for normal users.

So, if you had your data stored on a cloud storage platform that created and maintained ZFS snapshots, Mallory could gain *all of the credentials* and still not be able to touch your daily/weekly/monthly snapshots.

Now, if only there were a cloud backup platform that included zfs snapshots ...
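An added example, not code from the thread or from any product mentioned in it, showing the practical side of the point above: snapshots on the backup target get a ZFS hold, and the account that pushes data is delegated only the rights to add history, never to delete it. The dataset name tank/backups and the user backupsvc are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Dataset "tank/backups" and user
# "backupsvc" are placeholder names; zfs(8) is only needed when DRY_RUN != 1.
set -eu

# Execute a command, or just print it when DRY_RUN=1 so the plan can be
# reviewed on a machine without ZFS.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*" >&2
    else
        "$@"
    fi
}

# Grant the backup account only what it needs to add history (snapshot, send,
# hold, mount) and explicitly withhold the rights that delete history.
# A stolen backupsvc credential can then add snapshots but not remove them.
delegate_backup_user() {
    dataset=$1; user=$2
    run zfs allow -u "$user" snapshot,send,hold,mount "$dataset"
    run zfs unallow -u "$user" destroy,release,rollback "$dataset"
}

# Create a snapshot and place a user hold on it. While a hold exists,
# 'zfs destroy' of that snapshot fails; releasing the hold needs the
# 'release' permission, which delegate_backup_user does not grant.
# Prints the snapshot name so callers can log or replicate it.
snapshot_with_hold() {
    dataset=$1; tag=$2; stamp=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
    snap="${dataset}@${tag}-${stamp}"
    run zfs snapshot "$snap"
    run zfs hold "keep-$tag" "$snap"
    printf '%s\n' "$snap"
}

# Demo path: 'sh this.sh demo' prints the plan without touching any pool.
if [ "${1:-}" = demo ]; then
    DRY_RUN=1
    delegate_backup_user tank/backups backupsvc
    snapshot_with_hold tank/backups daily
fi
```

A hold and delegated permissions stop an unprivileged account, not root: whoever gets root on the pool host can release the hold and destroy the snapshot, so the snapshots worth trusting are the ones held on a separate receiving system whose credentials the source host never has.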
hartator, over 5 years ago
> "I decided to make a counter-offer using insurance proceeds in the amount of $400,000, which I determined to be consistent with ransoms recently paid by other municipalities,"

They didn't say no. It's odd there is so little recourse against things like this.
wmf, over 5 years ago
I don't understand what I'm reading here. Why did they offer to pay $400K to recover ~100 PCs if they had backups? Was it so expensive to restore those PCs?

I guess the good news is that we can now sell backups as "anti-ransomware" cybersecurity.
quickthrower2, over 5 years ago
Why not make it a crime to pay the ransom demand for cryptolocker attacks? This way the flow of money to these gangsters will stop.

If you get hit with a cryptolocker and you have no backup you simply lose that data. Or you can pay the ransom, get your data back and go to jail.

While this might seem unfair, it might stop 1000 other attacks because there will be no money in it. It would be for the greater good.
pilif, over 5 years ago
Do I read this right? They offered to pay $400K even though they had backups to restore their data from? Does this mean that the restore operation cost more than 400K or was this an incredible sample of laziness?

They'd rather pay the ransom to a criminal than invest the time it takes to restore backups?
jumelles, over 5 years ago
"Restore from backup" really ought to be the default response to ransomware. That will probably never happen though...
H8crilA, over 5 years ago
See also Matt Levine's take on ransoms (scroll down):

https://www.bloomberg.com/opinion/articles/2019-08-27/the-libor-change-is-coming

And the linked article:

https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks

Tl;dr: perverse incentives. Paying some ransoms is in the interest of cyber crime insurers, as it expands the cyber crime insurance market. Also there's more ransomware crime now that the word is out that insurers do pay out ransoms.
Gustomaximus, over 5 years ago
I wonder if a law that you can't pay ransom money for files should be passed.

This should work to take any government and larger companies off the target of these groups as they are likely to obey these laws. Kinda like the "we don't negotiate with terrorists" approach.
avivdeg, over 5 years ago
NetApp has a solution for all of that: Cloud Volumes ONTAP is a virtualized storage platform running on AWS, Azure, and Google. It consumes native cloud resources and it provides NFS/CIFS/iSCSI.

Cloud Volumes ONTAP has the best snapshots out there, immutable and without any resource penalty. You can take any size snapshots (or restore) in seconds. You can also create clones out of these snapshots, so you can check if that data has been affected or not, again in seconds. Adding to that Cloud Manager's ransomware protection that blocks known ransomware files.

In short, this is the best solution out there for any hybrid/cloud and it can actually be cheaper than free, if you have enough capacity, due to all of its storage efficiencies like dedup, compression and compaction, with auto-tiering of unused blocks to the cheaper object storage.
iandinwoodie, over 5 years ago
So they offered $400,000 for restoring what was most likely a week of lost work for 158 employees. That works out to $2,531.65 per employee for that week. Is the average salary of the compromised employee $131,645.57 ($2,531.65*52)? It sounds like the town was just willing to throw a lump of cash at the attacker based on what other victims had paid with no regard to what the lost work was actually worth. I know the attacker did not accept and it allowed them to strengthen their security etc., but it bothers me that the attacker could have just gotten a $400,000 payout. It's almost as if the moral of the story is "even if a town government had a backup system in place, you can still pull in a few years of income with a ransomware attack!"
tastroder, over 5 years ago
Could somebody contextualize how targeted this particular attack really was?

According to random Google result #1: https://www.2-spyware.com/remove-ryuk-ransomware.html#qm-h2-4 the specific malware distribution is unclear but likely involves email attachments and/or vulnerable and exposed RDP.

While reporting on ransomware cases often sounds like targeted APTs, more often than not the details in these stories read like "we didn't bother to pay enough admins to actually patch and secure our systems" and "we didn't train our users not to click on every random attachment".
msmerberry, over 5 years ago
It sounds like they played every card right, and that's probably not by accident. I'd be fascinated to see a case study made out of this, especially with a breakdown of how they performed against their CSIRP, because there's no way they didn't tabletop that plan at some point, and it paid off in the end. Sort of like insurance, eh?
shameshame, over 5 years ago
The city was extremely lucky the attackers played their hand too early. If servers had been encrypted it could have been a lot worse.
peter_retief, over 5 years ago
Restore from backup isn't as easy as it sounds. Well done to a disaster recovery plan that actually works.
olliej, over 5 years ago
Honestly this success might encourage city governments to make sure their backup systems work better.

The counter offer of 400k was presumably the break even point for the cost of losing X days of work (depending on what was lost that could involve manually recovering things like tax payments, billing, tickets, etc).
auslander, over 5 years ago
Great read: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
zelly, over 5 years ago
The real solution is for them to hire out for their ops. No reason these ragtag city governments should store their stuff on-prem. Until then these okie dokie city bureaucrats will keep getting pwned.
CryptoPunk, over 5 years ago
Cryptocurrency is hardening IT infrastructure.
ashelmire, over 5 years ago
Paying hundreds of thousands to restore 158 backed up machines would be absurd. Surely a week of work for those 158 employees isn't worth that. They've gotta put a financial analyst on these issues, and not leave it up to panicking executives.

And look at how greedy the attacker was. Missed out on a 400k payday.
hello_tyler, over 5 years ago
Why is a backup system so hard for people (especially businesses) to understand?
aitchnyu, over 5 years ago
> Because the attack happened at night, most of the city's systems were turned off and the ransomware was unable to spread.

I used to complain Indian banks used to allow fund transfers only during working days and office hours. Now I see why it was useful.
elchin, over 5 years ago
Why isn't it mandatory for government orgs to use cloud?
gesman, over 5 years ago
Key: backup

Do you ... backup?
mxuribe, over 5 years ago
Kudos to the city of New Bedford!
auslander, over 5 years ago
No Windows no cry :) Seriously, how can one compromised machine (inevitable) infect all others? Aren't there host firewalls on every machine?