Ransomware [was Re: Backups [was Re: Is tape dead?]]

Mouse mouse at Rodents-Montreal.ORG
Wed Sep 16 21:11:24 CDT 2015


>> Thus, defense in depth:
>> [...]
>> (3) Test-restore from your backups periodically.

> As for (3), I don't understand how a test-restore would help.

The theory is, if the restore restores good contents then the backup
contains good contents.

> Even if the files have been encrypted, I don't understand how a
> restore would detect that the files are being encrypted / decrypted
> on the fly if a boot every morning does not notice a problem.

It wouldn't.  That was to defend against the "the backup contains the
encrypted version" risk - which only some backup mechanisms will suffer
from.  If you use something like tar(1) to make your backups, something
that uses the usual file-access mechanisms to read the files, it will
back up the decrypted-on-the-fly version, which is what you want.  But
if you use something like dump(1) that goes behind the filesystem's
back to read the files, or something like dd(1) that is
filesystem-blind and just backs up the disk's contents, it easily could
end up backing up the on-disk encrypted version (which is what that
kind of ransomware hopes for, of course).

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


More information about the cctalk mailing list