nanog mailing list archives
Re: Can somebody explain these ransomwear attacks?
From: "Alex K." <nsp.lists () gmail com>
Date: Fri, 25 Jun 2021 18:56:36 +0300
In my humble opinion, the hidden assumption beneath this question seems to be incorrect. Ransomware is not a single event, with assumed similarity to the kind of failures we regularly see in our network world. The key abstract differences might be summed up as follows:

A. First and foremost, a ransomware attack is not a single failure, such as a failing NAS or a power outage might be. In fact, it takes an enormous amount of time just to be remotely sure how this thing got into your network in the first place. Because simply bringing your backup network (i.e. your backup solution and its storage) online otherwise presents not only you with the ability to revert all files to their saved backups, but more importantly may allow the ransomware to encrypt your backups too. It's not a single event. First, you must be sure you plugged the holes and eliminated the threat before you can even begin considering connecting your backups. Think of it this way: ransomware is a program running on some computer, just looking for more files to encrypt. Without properly removing this threat first (how do you find which computers have it in the first place?), every new disk connected somewhere on the network will, with a 99% chance, be promptly encrypted.

B. Usually (and you may suspect it as much), other hacking initiatives are also involved. Recently, we see data theft accompanying ransomware efforts, mainly with high-stakes events (i.e. not that random phishing email that your neighbor clicked on, believing he has relatives stuck in Nigeria without money since 1985). Simply bringing your backups online is rushing to action without fully evaluating the threat, and hackers/APTs "just love" rushed and not fully thought-through actions. Once again, it is a far, far more complicated question than just bringing the backups online and starting to copy the files over. Without proper *security* (not network!) action, you are more likely allowing the bad guys access to more stuff than simply recovering your operation.

C. High-stakes ransomware events (i.e. not the same neighbor from above) are complex security events, not just losing some data. To gain initial access, the ransomware tools are not the tools which are used. Moreover, some APTs deploy surveillance/hacking tools also during the peak events (such as discovery, your IT/security folks' initial response, the ransom negotiations themselves, hiring outside specialists, etc.) to (a) maximize their profit from the operation and (b) try to avoid law enforcement. Those might be (and usually are) completely silent tools (such as diskless viruses) whose whole purpose is monitoring your response and giving the bad guys as much surveillance power, to their advantage, as they can possibly use.

In short, serious ransomware events are multi-faceted, nothing like the outages we at the network level are accustomed to. Sure, there are many similarities, and in some cases there may even be complete likeness, but those are usually smaller events. An additional difference might be that our outages, at 99.9999%, are lacking malice while ransomware events are not - and you may think to yourself, ah ... it's simply such a small, theoretical question, but it isn't - the most important practical consideration is that a network outage is not *actively* trying to hide its tracks (remember the question: how do you find the PC running this software and clean it up?). I never met a power outage which constantly deletes log files. Especially not after everything presumably went back up.

So, yes - we should never pay the crooks, but that's, unfortunately, a very simplified outlook. I wish we could always follow that simple solution, but our life is, unfortunately, much more complicated.

Ah ... and one more thing. Gladly, it is not our (network folks') life that's complicated. It's the system/DBA/and security folks' lives. But I don't want to get cocky. We got SDN :-)

Alex.
On Thu, Jun 24, 2021, 17:44, Michael Thomas <mike () mtcc com> wrote:
Not exactly network but maybe, but certainly operational. Shouldn't this just be handled like disaster recovery? I haven't looked into this much, but it sounds like the only way to stop it is to stop paying the crooks. There is also the obvious problem that if they got in, something (or someone) is compromised that needs to be cleaned, which sounds sort of like DR again to me.

Mike