I’ve got a bad recurring dream that my clients get hit by ransomware, but it’s not just any ransomware, and I’m afraid it’s going to be a reality soon. The scenario’s the same every time – a message pops up indicating that a group wants some bitcoin for an unlock key. We’ve seen this before and backups saved us in the past. What’s different in the nightmare is they don’t.
Right now my backups are offsite and physically disconnected. If someone has access to every running device I own, there’re backups from a day or two back that straight up are not connected to the internet, network, etc. There’re also month-old versions, cloud backups, paranoid stuff.
But in my nightmare these are all bad. The malware was on the devices for months, intercepting all writes to the disk and writing encrypted contents, and intercepting all reads and decrypting. The ransomware gang wants money now, and everything backed up through all the snapshots, methods, etc. is encrypted with whatever the malware was encrypting things with.
In these dreams I try restoring and setting back the clock, but to no avail, as the malware disk driver somehow knows it’s not the right time even though internet connectivity is removed, and shuts down everything. No method of coercion can get the driver to run and decrypt the contents it previously decrypted.
File based and image based backups were backing up encrypted garbage for months and everything is destroyed.
I keep this dream in mind and hope it can never happen, but at the moment I have a few files I check regularly from the backups on different devices. Just to be sure.
We talked with a hosting company recently about cloud hosting our data and I mentioned my nightmare dreams to the sales person. They said they’d check whether that was possible with their cloud stuff; they assumed not, but that was an engineering question. A couple of months on and their team still doesn’t have an answer. Either scary or lazy.
I generally operate now under the dread that some day a hacker is going to come and hit my networks with a targeted attack and win. One of my users is going to get a 0-day Chrome exploit which loads a hacking kit which gets my servers and installs that currently imaginary malware driver somehow. Images of the servers and desktops will be useless a few weeks down the road.
Eh, hopefully there’s something I’m missing in modern operating system design that prevents a 0-day exploit from installing a device driver that does this… but it’s something I’ve been really more concerned about as hospitals, police departments, etc. succumb to ransomware gangs,
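The check the poster describes (pulling a few files out of the backups on a different device and making sure they are still readable) is the one defence that catches the scenario above, because a transparently decrypting I/O layer only fools reads on the infected host. The script below is an added example, not code from the original post: it runs on a separate, clean verification host, compares restored sample files against SHA-256 digests recorded when they were known good, and, for files that differ, asks whether they still look like documents or look like ciphertext (near-random bytes, or a format header such as `%PDF` or `PK` that has vanished). The file names, digests, entropy threshold and the random-byte "garbage" files in `run_demo` are all constructed for the demonstration.

```python
import hashlib
import math
import os
import random
import tempfile
from collections import Counter

# Leading bytes (magic numbers) of file types expected in the backup set.
# None means the format has no fixed header and entropy alone must decide.
KNOWN_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".txt": None,
}

# Compressed or encrypted data sits close to 8 bits/byte; ordinary documents
# and text are usually well below this. 7.5 is a conservative cut-off (assumed).
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large restores don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_restored_file(path: str, expected_sha256: str) -> str:
    """Classify one file restored from backup onto a clean verification host.

    Returns 'ok' (matches the reference digest), 'modified' (differs but still
    looks like a plausible document) or 'encrypted_garbage' (differs and looks
    like ciphertext: near-random bytes and/or the format's header is gone).
    """
    if sha256_file(path) == expected_sha256:
        return "ok"
    with open(path, "rb") as f:
        head = f.read(4096)  # the first 4 KiB is enough for header + entropy
    magic = KNOWN_MAGIC.get(os.path.splitext(path)[1].lower())
    header_missing = magic is not None and not head.startswith(magic)
    if header_missing or shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted_garbage"
    return "modified"


def verify_backup_sample(manifest: dict) -> dict:
    """manifest: {restored_path: sha256 recorded when the file was known good}."""
    return {path: check_restored_file(path, digest) for path, digest in manifest.items()}


def run_demo() -> dict:
    """Build a constructed sample set in a temp dir and return label -> verdict.

    The 'garbage' files stand in for what a backup captures when an I/O layer
    encrypts every write: their bytes come from a seeded PRNG (constructed here).
    """
    rng = random.Random(20240101)
    random_bytes = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    report = ("Q3 status report\nBacklog reviewed, 12 tickets closed, 3 open.\n" * 60).encode()
    edited = report.replace(b"3 open", b"4 open")  # a legitimate later edit
    good_digest = hashlib.sha256(report).hexdigest()
    docx_digest = hashlib.sha256(b"PK\x03\x04" + b"\x00" * 64).hexdigest()  # placeholder reference

    tmp = tempfile.mkdtemp(prefix="backup-verify-")
    cases = {
        "clean": ("report.txt", report, good_digest),
        "edited": ("report_edited.txt", edited, good_digest),
        "garbage_txt": ("report_enc.txt", random_bytes(4096), good_digest),
        "garbage_docx": ("contract.docx", random_bytes(4096), docx_digest),
    }
    manifest, labels = {}, {}
    for label, (name, content, digest) in cases.items():
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(content)
        manifest[path] = digest
        labels[path] = label
    return {labels[p]: v for p, v in verify_backup_sample(manifest).items()}


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(f"{label:13s} -> {verdict}")
```

The important design point is where this runs: the digests must be recorded and the comparison performed on a machine that never mounted the production filesystems through the suspect host's drivers, otherwise the same transparent decryption that hides the problem from users hides it from the check. A digest mismatch on its own only says a file changed; the entropy and header tests are what separate "someone edited the report" from "the backup has been capturing ciphertext for months", which is the signal worth alerting on.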