From Newsgroup: comp.sys.mac.system
On 2021 Jul 11, Alan Browne wrote
(in article <0ICGI.11153$VU3.5129@fx46.iad>):
On 2021-07-10 15:41, gtr wrote:
Whether the result of a computer virus or malware affixed to a well-intentioned software/update, have there been any successful ransomware attacks on an Apple computer?
If companies had proper IT infrastructure, training for staff, data backups separate from application backups; separate again for OS. Thence a disaster recovery plan. (This is the key.)
There would be no ransomware attacks. Companies would simply wipe their drives (or replace them), re-install and re-start. Hours to a day or 2 depending on the size of the co. to get critical functions up and running.
It’s not quite that simple.
1. A large company might have tens of terabytes, even hundreds of TB, of data. Buying the storage is not the problem. Even buying triple the storage, to have _two_ complete backups, is not the problem. Restoring the entire company suite is the problem. That takes time. Even if you simply grab drives from the backup set and use them to replace drives in the active set, it still takes time.
2. Backups, by themselves, are not the solution. Several ransomware variants deliberately aim at backups, so that the backups are also contaminated. Extra software, to check the backups and ensure that they’re good, would be required... and that’s not cheap. And it slows down both backup and restore.
3. You mentioned training for the staff. This is absolutely critical. Last I looked, 93% of ransomware attacks got in thanks to human error: social engineering attacks, most often phishing or pharming, or the ever-popular ‘click me’ attacks. Ransomware would be far less of a menace if only staff wouldn’t fall victim to these kinds of attacks. The problem is that it only takes one guy to make one mistake, and the bad guys are in. Right now MS is fighting PrintNightmare, an attack using the print spool services on Windows as of Vista (MS isn’t patching Vista, though the patches for Win 7 might work there. MS is patching 7. Last I looked there were three different patches out, because there were problems with the first two. Good luck keeping track.) and PrintNightmare can allow all kinds of attacks. A good way to stop PrintNightmare is to disable printing on Windows. Unfortunately companies who depend on print services (like, oh, the one I work for) have a major problem doing that. Right now we’re printing from Macs and Linux only, but that can’t go on. If there isn’t a fix, soon, the solution will be to dump Windows entirely, and that will cause serious problems right there.
4. Also critical is better software. Software to detect inbound ransomware and kill it before it gets near the network. Software to monitor live files, and backups, looking for unauthorized actions, including but not limited to files being encrypted. Software blocking unauth inbound, and especially, outbound, network activity. Yes, such software exists. However, it needs to be faster, easier to use, cheaper, and, especially, it needs to be actually used. Until I insisted, certain defensive systems at the company had been turned off last year, as they made life interesting for those working from home, which was most of us. I finally got all systems turned back on, even if Zoom hated them. (Zoom hated them. MS Teams did not. We moved to (ugh) Teams.) There’s no point having the defenses and not using them...
But it would appear that it's cheaper to negotiate down the ransom amount (Colonial) over a few days and then pay off to get things going again than to practice comprehensive IT security...
It depends on (among other things) how long it would take to make the restore. If it’ll take five days (the last time we ran a full test of the restore plan it took 125.7 hours from go, with teams running around the clock, to fully restore everything. Remember, you don’t have a backup if you can’t make a full restore.), then, given how much money we’d lose per hour, if paying the bastards got the data back for less than we’d lose over 126 hours, we’d pay. If the bastards priced themselves too high, we’d recover the data from backups.
BTW: financial companies (big) have some of the best IT out there. They invest heavily in the ability to be up and running quickly after any sort of disaster imaginable. This is not cheap at all as it involves mirroring in near real time. That's not for every co.
I once proposed getting serious backup systems, especially faster systems. Management nearly had heart failure when they saw how much it would cost.
A company doesn't need that level of recovery, but they need far better than what the null brains at Colonial had.
When a co. is in a strategic national economic position such as Colonial, there should be standards for recovery.
And a whole lot more.
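The backup checking from point 2 and the "files being encrypted" monitoring from point 4, as an added example that is not code from anyone in this thread: a Python script that verifies a backup set against a manifest recorded while the backup was known to be good, and flags changed files whose byte entropy jumped, which is what a document replaced by ciphertext looks like. The manifest format, the entropy threshold and the sample files are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, well below that for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def fingerprint(data: bytes) -> dict:
    """What the known-good manifest records for each file (assumed format)."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3)}

def check_backup(manifest: dict, current: dict, entropy_jump: float = 2.0) -> dict:
    """Compare a backup set (path -> bytes) against the manifest taken when it was known good.
    Reports missing files, files whose hash changed, and changed files whose entropy rose
    by at least entropy_jump bits per byte, the usual sign of plaintext replaced by ciphertext."""
    report = {"missing": [], "modified": [], "suspect_encrypted": []}
    for path, expected in manifest.items():
        if path not in current:
            report["missing"].append(path)
            continue
        now = fingerprint(current[path])
        if now["sha256"] != expected["sha256"]:
            report["modified"].append(path)
            if now["entropy"] - expected["entropy"] >= entropy_jump:
                report["suspect_encrypted"].append(path)
    return report

# Constructed sample data (not real backups): a known-good set, then the same set after
# one file is overwritten with deterministic pseudo-random bytes standing in for
# ciphertext and another file is deleted, as a backup-targeting variant would do.
GOOD = {"q3-report.txt": b"Quarterly revenue was flat; see appendix A.\n" * 40,
        "customers.csv": b"id,name\n1,Alice\n2,Bob\n" * 50}
MANIFEST = {path: fingerprint(data) for path, data in GOOD.items()}
AFTER_ATTACK = dict(GOOD)
AFTER_ATTACK["q3-report.txt"] = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(55))
del AFTER_ATTACK["customers.csv"]

if __name__ == "__main__":
    print(check_backup(MANIFEST, AFTER_ATTACK))
```

Running this against a real backup means recording the manifest on a system the backup job cannot write to, otherwise a variant that reaches the backups can rewrite the manifest too.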
--- Synchronet 3.18b-Win32 NewsLink 1.113