> Thus, defense in depth:
> [...]
> (3) Test-restore from your backups periodically.
> As for (3), I don't understand how a test-restore would help.
The theory is, if the restore restores good contents then the backup
contains good contents.
> Even if the files have been encrypted, I don't understand how a
> restore would detect that the files are being encrypted / decrypted
> on the fly if a boot every morning does not notice a problem.
It wouldn't. That was to defend against the "the backup contains the
encrypted version" risk - which only some backup mechanisms will suffer
from. If you use something like tar(1) to make your backups, something
that uses the usual file-access mechanisms to read the files, it will
back up the decrypted-on-the-fly version, which is what you want. But
if you use something like dump(1) that goes behind the filesystem's
back to read the files, or something like dd(1) that is
filesystem-blind and just backs up the disk's contents, it easily could
end up backing up the on-disk encrypted version (which is what that
kind of ransomware hopes for, of course).
/~\ The ASCII           Mouse
\ / Ribbon Campaign
 X  Against HTML        mouse at rodents-montreal.org
/ \ Email!              7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
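An added example, not from the thread: a test-restore check of the kind point (3) describes, for a tar(1) backup. It assumes POSIX sh with tar, sha256sum and mktemp available; all file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Test-restore check for a tar(1) backup:
# record a checksum manifest at backup time, restore into scratch space, and
# verify. Assumes POSIX sh, tar, sha256sum and mktemp.

# make_backup SRC_DIR TARBALL MANIFEST
# Hash every file through the normal file API (the same view tar(1) reads),
# then archive the directory.
make_backup() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort > "$3"
    tar -C "$1" -cf "$2" .
}

# test_restore TARBALL MANIFEST
# Restore into a fresh scratch directory and check each file against the
# manifest. Returns 0 when the restore matches, 1 otherwise.
test_restore() {
    scratch=$(mktemp -d)
    if tar -C "$scratch" -xf "$1" \
       && ( cd "$scratch" && sha256sum -c "$2" ) >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Demo on constructed data. The "bad" archive stands in for a backup taken
# behind the filesystem's back (dump/dd style) that captured ciphertext.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data" "$work/ondisk"
    printf 'quarterly numbers\n' > "$work/data/report.txt"
    printf 'meeting notes\n'     > "$work/data/notes.txt"
    make_backup "$work/data" "$work/good.tar" "$work/manifest.txt"
    # Constructed "encrypted" on-disk view: same names, scrambled contents.
    printf 'k9#Qz!vL2@pRm^xT8\n' > "$work/ondisk/report.txt"
    printf 'Wq7&nB3*hJ5$dF\n'    > "$work/ondisk/notes.txt"
    tar -C "$work/ondisk" -cf "$work/bad.tar" .
    if test_restore "$work/good.tar" "$work/manifest.txt"; then
        echo "file-level backup: restore verified"
    fi
    if ! test_restore "$work/bad.tar" "$work/manifest.txt"; then
        echo "block-level backup: restore FAILED verification"
    fi
    rm -rf "$work"
}

demo
```

Because the manifest is taken through the same file-level view tar reads, the check catches a backup that captured something else (such as the on-disk ciphertext a dd-style copy would pick up), which is exactly the risk the reply says the test-restore was meant for; it cannot notice an on-the-fly layer that both tar and the manifest see through.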