al4629740

asked on

Ransomware - restoring in what manner?

I have a question regarding ransomware or other similar rogue viruses.  We utilize MS 365 when it comes to backing up our data on each computer using OneDrive.  However, in the event of a rogue attack, we would be able to restore all the user files up to 30 days.  Is that typically enough of a timeframe to clear most of the issues or is more than 30 days necessary?  Might there have been a resident malware present within the system beyond 30 days?  What do you know in regards to actual real life scenarios?

Also, once a restore is done, I imagine it should be sanitized... so would Malwarebytes or a good antivirus pick up anything resident in the system?
Kimputer

For ransomware, either fully prevent it (users are users, NOT admin, and use Software Restriction Policy or AppLocker), or use multi-version OFFSITE backups.
If OneDrive doesn't have a clear versioning rule (either by OneDrive itself, or by another backup program), you're still in the dark if you find out about it too late.
Before restoring the files, find the culprit(s), and clean them, preferably offline (with an antivirus boot DVD/USB).
ASKER CERTIFIED SOLUTION
David Favor
al4629740 (ASKER)

David, how would one search through backups?  For example, if I were to use IDrive cloud backups, how would I search it if it's in the cloud?  Should I assume that I should be keeping it onsite rather than in the cloud?
I use datto backup - can't speak highly enough about them.

We have a server on prem that also replicates to the cloud.

We got hit with ransomware on a server back in 2018.  We were able to spin up a VM off of a backup, and utilize that to keep the business running while we worked on the metal.

Ended up doing a full wipe of the server and cloned the VM back to the metal.  We're less concerned about users' documents because of roaming profiles and whatnot, so we back up the servers (deltas every hour, full backup every night).

Never heard of a slow pull trigger but in theory you would only need to go back a day before the trigger was pulled to get clean files, no?
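The asker wants to know how one would search through backups, and the reply above notes that you only need to go back to the day before the trigger was pulled. The script below is an added example (not code from the thread or from any backup product) of what that search looks like when a backup tool keeps a per-snapshot manifest. It models each snapshot as a dict of path to (sha256, entropy); the snapshot labels, the "sha-..." digests, the ransom extensions and the thresholds are constructed for the demo. Encrypted content is near-random, so per-file entropy plus a renamed extension is the heuristic; the per-file plan also handles the "slow trigger" case where one file was already encrypted in an otherwise clean snapshot, by rolling that single file back further.

```python
"""Find the last clean backup snapshot, and the last clean version of each file.

Added example, not from the original thread. Snapshots are modelled the way a
backup tool's manifest would record them: path -> (sha256, shannon entropy).
All sample data below is constructed.
"""
import math
from collections import Counter
from typing import Dict, List, Optional, Tuple

# path -> (sha256 digest, entropy in bits per byte)
Manifest = Dict[str, Tuple[str, float]]

RANSOM_EXTENSIONS = {".locked", ".encrypted"}  # hypothetical; real families vary
HIGH_ENTROPY = 7.5        # encrypted or compressed data approaches 8.0 bits/byte
MASS_CHANGE_RATIO = 0.5   # share of suspicious files that condemns a whole snapshot


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, entropy: float) -> bool:
    """Heuristic: a ransom extension or near-random content."""
    return any(path.endswith(ext) for ext in RANSOM_EXTENSIONS) or entropy >= HIGH_ENTROPY


def snapshot_is_suspicious(manifest: Manifest) -> bool:
    """A snapshot taken after encryption started shows mass high-entropy changes."""
    if not manifest:
        return False
    hits = sum(looks_encrypted(p, e) for p, (_, e) in manifest.items())
    return hits / len(manifest) >= MASS_CHANGE_RATIO


def last_clean_snapshot(snapshots: List[Tuple[str, Manifest]]) -> Optional[str]:
    """Label of the newest snapshot (list ordered oldest -> newest) that is not suspicious."""
    for label, manifest in reversed(snapshots):
        if not snapshot_is_suspicious(manifest):
            return label
    return None


def restore_plan(snapshots: List[Tuple[str, Manifest]]) -> Dict[str, Tuple[str, str]]:
    """Per original path, the newest version that does not look encrypted.

    Walking oldest -> newest and letting later clean versions win means a file
    that was encrypted early (the slow-trigger case) rolls back further than
    the rest, while untouched files restore from the newest snapshot.
    """
    plan: Dict[str, Tuple[str, str]] = {}
    for label, manifest in snapshots:
        for path, (digest, entropy) in manifest.items():
            if not looks_encrypted(path, entropy):
                plan[path] = (label, digest)
    return plan


# --- constructed sample snapshots ---------------------------------------------
PLAIN = shannon_entropy(b"Quarterly figures, unchanged text " * 20)   # low entropy
RANDOM = shannon_entropy(bytes(range(256)) * 8)                       # exactly 8.0

SNAPSHOTS: List[Tuple[str, Manifest]] = [
    ("day1", {"docs/report.docx": ("sha-a1", PLAIN),
              "docs/budget.xlsx": ("sha-b1", PLAIN),
              "docs/notes.txt":   ("sha-c0", PLAIN)}),
    ("day2", {"docs/report.docx": ("sha-a2", PLAIN),        # legitimate edit
              "docs/budget.xlsx": ("sha-b1", PLAIN),
              "docs/notes.txt":   ("sha-c1", RANDOM)}),     # first file hit, quietly
    ("day3", {"docs/report.docx.locked": ("sha-a3", RANDOM),
              "docs/budget.xlsx.locked": ("sha-b3", RANDOM),
              "docs/notes.txt":         ("sha-c1", RANDOM)}),
]

if __name__ == "__main__":
    print("last clean snapshot:", last_clean_snapshot(SNAPSHOTS))
    for path, (label, digest) in sorted(restore_plan(SNAPSHOTS).items()):
        print(f"{path}: restore from {label} ({digest})")
```

Against a real manifest the same two functions run unchanged; the point is that the retention window only matters if the tool keeps enough versions to reach a snapshot that passes `snapshot_is_suspicious`, and the per-file plan shows why a single "go back N days" choice can still restore one already-encrypted file.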
Microsoft does not back up M365. You need to back it up yourself. Microsoft is not responsible for your data. You are responsible for your data. What Microsoft offers is not real backup, and will not get all of your documents back into the right places with the right permissions.
Ransomware is a continually evolving target.
It started off using exploits to run arbitrary code. Originally it just went after files.

Admins found that they could restore shadow copies, problem solved... now they delete all shadow copies.

People started backing things up... ok, delete/encrypt the backups.
Use signature-based A/V or A/M? Send customized code to each target.

With Colonial Pipeline the actual pipeline operations were safe, but the billing systems were taken offline. Since they couldn't bill customers or validate invoices, they shut it down.

Offline backup is your only solution to the problem of users initiating the malware.
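The post above describes the step where the malware deletes shadow copies and the backups it can reach before encrypting. That step is loud in process-creation telemetry, which is why it is one of the standard things to alert on. Below is an added example (not from the thread, and not anyone's product rule set) that runs a small set of detections over constructed Sysmon-style event records. The field names (UtcTime, Image, CommandLine, User, ParentImage) and all sample values are assumptions for the demo; the command patterns are the public ones used to spot shadow-copy and backup-catalog deletion, with a listing command included to show that a benign backup job does not fire.

```python
"""Flag process-creation events that look like shadow-copy or backup destruction.

Added example, not from the original thread. Event records are constructed to
resemble Sysmon Event ID 1 fields; the field names are assumptions.
"""
import json
import re
from typing import Dict, Iterable, List

# (rule name, image basename pattern, command-line pattern), all case-insensitive.
RULES = [
    ("shadow_copy_deletion",    r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("wmic_shadow_deletion",    r"\\wmic\.exe$",     r"\bshadowcopy\s+delete\b"),
    ("backup_catalog_deletion", r"\\wbadmin\.exe$",  r"\bdelete\s+catalog\b"),
]

# Parents that a backup job would never use; a hit from one of these is worse.
USER_LAUNCHED_PARENTS = re.compile(r"\\(winword|excel|outlook|explorer)\.exe$", re.I)


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose image and command line both match."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmd, re.I)]


def severity(event: Dict[str, str]) -> str:
    """Escalate when the deleting process was spawned from a user-facing app."""
    parent = event.get("ParentImage", "")
    return "critical" if USER_LAUNCHED_PARENTS.search(parent) else "high"


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse JSON event lines and return one alert per matching event."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rules = match_rules(event)
        if rules:
            alerts.append({
                "time": event.get("UtcTime", ""),
                "user": event.get("User", ""),
                "parent": event.get("ParentImage", ""),
                "rules": rules,
                "severity": severity(event),
            })
    return alerts


# --- constructed sample telemetry ----------------------------------------------
SAMPLE_EVENTS = [
    # Benign: the nightly backup service enumerates shadow copies.
    r'{"UtcTime": "2024-01-03 01:00:02", "Image": "C:\\Windows\\System32\\vssadmin.exe", '
    r'"CommandLine": "vssadmin.exe list shadows", "User": "NT AUTHORITY\\SYSTEM", '
    r'"ParentImage": "C:\\Program Files\\BackupAgent\\agent.exe"}',
    # Suspicious: shadow copies wiped from a process spawned by Outlook.
    r'{"UtcTime": "2024-01-03 09:14:31", "Image": "C:\\Windows\\System32\\vssadmin.exe", '
    r'"CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": "CORP\\alice", '
    r'"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}',
    # Suspicious: same intent via WMI, parent is an unknown binary.
    r'{"UtcTime": "2024-01-03 09:14:33", "Image": "C:\\Windows\\System32\\wbem\\wmic.exe", '
    r'"CommandLine": "wmic shadowcopy delete", "User": "CORP\\alice", '
    r'"ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}',
    # Suspicious: Windows Backup catalog removed.
    r'{"UtcTime": "2024-01-03 09:14:35", "Image": "C:\\Windows\\System32\\wbadmin.exe", '
    r'"CommandLine": "wbadmin delete catalog -quiet", "User": "CORP\\alice", '
    r'"ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"}',
    # Benign: ordinary user activity.
    r'{"UtcTime": "2024-01-03 09:15:00", "Image": "C:\\Windows\\System32\\notepad.exe", '
    r'"CommandLine": "notepad.exe todo.txt", "User": "CORP\\alice", '
    r'"ParentImage": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The same three-line rule table is what an EDR or SIEM rule would encode; the useful part for this thread is the parent-process check, since a standard user launching these from an Office process is exactly the "users initiating the malware" case that the reply says only offline backups fully answer.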