Clearly I don't understand this ransomware stuff. Isn't this what backups are for? Just wipe everything and restore from last night's backups. No?
Backups, a lot of times, are for servers and critical infrastructure, not for endpoint usage. To conduct a backup of an enterprise's entire infrastructure -- every single host, etc., every day would be a massive overload on the architecture.
Imagine 2k endpoints w/ 250GB of data each, but let's just leave out the data servers, etc. (which is where a huge amount of the data resides).
That = 500,000 gigabytes. A file size of 500,000 gigabytes can also be expressed as:
4,294,967,296,000,000 bits
536,870,912,000,000 bytes
524,288,000,000 kilobytes
512,000,000 megabytes
500,000 gigabytes
488.28125 terabytes
Plus, once the malware is on there it's best to simply wipe it and reimage. Otherwise, you are gambling that some aspect of that malicious code is no longer on the machine -- perhaps having embedded and hidden itself in something innocuous to spring up again. Reimaging a single device takes about 30 minutes to an hour, depending on things. If all went well, and just considering the best case scenario, it would take 1000 hours to reimage the enterprise's workstations. Most shops are set up for imaging a few machines at a time. Enterprise upgrades are planned out for months at a time and usually a dedicated team handles it.
CDOT got hosed.
It is terrible to contemplate how few politicians are hanged. - The Cleveland Press, March 1, 1921, GK Chesterton
I would argue that users shouldn't be saving data to their local hard drives, beyond maybe a few files they're actively working on, but I get your point: it's not that the fix is complicated, but that it takes a long time.
Do these ransomware viruses encrypt NASs / SANs also? If so maybe the backups would be gone too. Tapes FTW!