Ransomware attack puts KQED public media in low-tech mode (sfchronicle.com)
63 points by danso on July 20, 2017 | hide | past | favorite | 24 comments


Bravo to KQED for owning up to the compromise!

Meanwhile, there are countless lawyers, accountants, doctors, architects, engineers, landlords, and other small and medium businesses that suffer similar attacks and don't talk about it publicly. If you have an important relationship with a business like that, the time to ask them hard questions about security and reliability is now, before the court date, tax audit, surgery, construction commencement, etc.


Doctors are often the worst: they sit at that intersection of having a lot of valuable (highly personal and life-threatening) data but being small businesses that don't take IT seriously. They also have the money to pay for ransomware attacks.

A few years ago I went to a local doctor as a one-off and the computers were "down" that day. A week later I walked past and they were shut; they never reopened. A few months later it made the news that local doctors' offices were being specifically targeted.


Then be prepared to find out that not only do they not have a good plan, they don't even really understand what you're talking about.


Yes, this will be true 99% of the time. Although I think that most people understand the concept of "backups" in a basic way, and backups are one of the best tools for mitigating ransomware and wipers. Especially for small businesses which are not going to be able to mount a coherent defense.

But if the relationship is important, they will be open to the conversation and it may be worthwhile. For some of us, it may also present a business opportunity.


All good points, especially about creating an opportunity.


We had that happen at a company I worked for. Someone blindly opened an "invoice". We were back to work within a day. For each computer, a full malware scan and then back online. Dumped the one hard drive which was infected.

The NAS (which used to be writable to the victim) took a few days to restore from Amazon Glacier. To me this is key: always have an offsite backup which can't be erased by a non-admin. Use BackBlaze, CrashPlan, S3, Glacier, B2, Arq or whatever. Backups forgive a lot of stupid user sins.
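One way to make an S3/Glacier backup bucket unerasable by the ordinary backup writer, as an added example that is not from the comment author; the bucket name, account id and the BackupAdmin role are placeholder assumptions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyBackupAdminMayDeleteOrWeakenRetention",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketVersioning",
        "s3:PutLifecycleConfiguration",
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-backup-bucket",
        "arn:aws:s3:::example-backup-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::123456789012:role/BackupAdmin"
        }
      }
    }
  ]
}
```

Turn on bucket versioning before attaching this policy: the backup client's credentials then only need s3:PutObject, an overwrite by ransomware creates a new version rather than replacing the only copy, and nothing short of the BackupAdmin role can delete versions or switch versioning and lifecycle expiry back off.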


If you think a malware scan is enough to detect malware, I have some malware to sell you. :)

I suppose there's not much else to be done, but scans aren't enough to prevent pivots.


Exactly. There are too many rootkits and other malware that won't be revealed by most of the common malware and virus scanners.

A business that transacts with protected data should never try to remove malware - these systems need to be wiped and reinstalled.


That's why we wiped any system which showed sign of infection. Keep in mind this was ransomware so... probably... it is reasonable to assume the infection will not be subtle.


A local backup can be a lot quicker due to transfer times. From the local backup I'd then do an offsite. You can try to use snapshots with your NAS to just restore the most recent data from remote, too.


And this highlights the fallacy that Amazon Glacier is a backup service. It's not - it's an archive service. Something that takes a few days to recover is not backed up.

I agree the other products are indeed backups as they provide immediate recovery.


Before we instituted the Glacier backup, we discussed whether or not a few days or weeks time would be "good enough" for our needs. We decided it was.

So I totally agree that before picking a backup system, one needs to evaluate what the recovery is going to be like, and whether it will be good enough. For example, when recovering from the cloud, how long will it take to transfer all the data through your Internet connection? BackBlaze's overnight restore via FedEx could be a critical feature in your recovery speed.


Interesting.

I've been wondering if we're simply too over-connected at the moment and if there will be a regression back to using different networks that are literally physically disconnected from one another for certain kinds of professional work.

Meaning, the wonder of the internet is that there are now billions of people who have access to your office door. If a guy in Romania decides he wants to jimmy your lock and steal your filing cabinets, there's little stopping him from trying.

Will some offices simply disconnect entirely?


Governments typically already do this for classified information. If there's data that really shouldn't get out to the Internet, don't let anything on that network connect to the Internet. They'll also have procedures for moving things from one network to another which are intended to avoid inadvertent disclosure and malware infection. Your average company or public radio station won't implement this sort of thing because it's too complicated and costly--or at least that's been the attitude until recently. Maybe we'll start to see the use of small isolated networks for things like the security system they mentioned in the article, or accounting/HR which deal with PII and money. Then you just have to convince the security guy not to plug his personal laptop into the security network, and get the HR employees to stop moving USB sticks back and forth between HR-net and the regular Internet-connected LAN :)


The connection-cat is out of the bag, and the benefits (various kinds of remote collaboration) are too big to put it back (never mind that viruses were perfectly happy to indiscriminately spread on diskettes back in the days). The lesson to be learned is to start taking in-depth cyber security seriously; in the cases of WannaCry and Petya, specifically, vigilant constant patching and upgrading of all systems. Management needs to understand that if they can't afford to staff an IT department to this end, then they can't afford to have computers, and IT departments need to understand this stuff, not just trust whatever snake oil salesman invited them to Vegas - especially that software tied to specific versions of other software (Windows and IE are common culprits, but far from the only ones) must itself be updated (or else scrapped) the moment the other software receives an update - it must never be allowed to hold back a security update.


Attackers certainly hope so: then their work will still be easy, as long as they can get a rogue device into the building.

We need to actually write (and purchase) better software.


> We need to actually write (and purchase) better software.

Ransomware is not a software problem, this is a human problem.

We keep putting up barriers to make it harder for malicious software, but so long as you put a prompt in front of users saying "Whoa, this looks dodgy, are you sure?" they're going to click yes. Even if you make clicking yes more difficult and the warnings more obvious, they'll blame the software for being difficult and run it anyway.

The only long term 'solution' to this from a computing perspective is to run only signed applications from trusted publishers on a restricted list which are sandboxed to such a high degree. No scripting beyond very basic building blocks. Effectively an end to general-purpose computing.

Every time something like this comes along though, everyone loses their minds.


> Attackers certainly hope so

They don't. As the parent said, the problem with the internet is that billions of people have access to your office door. Cut the external cable, and it's right back down to the number of people who literally have access to your office door. It's not a good fix, but it absolutely does make random or semi-targeted attacks far less likely, which leaves only someone with a specific bone to pick who is targeting you--and even they'll have more barriers to jump to get there.


> The attackers who hit KQED asked for 1.7 bitcoin per file.

Is that really right? That seems much higher than other ransomware attacks I've heard of - usually it's per computer.


I was surprised by that bit too. Doesn't seem to make sense - with those prices payment isn't an option for most victims.


Really sad. The hackers behind this should be ashamed of trying to get money out of a group which gets a good chunk of their budget from donations.


These kinds of things are usually indiscriminate. Reading too much into the kind of organization or even country victimized is probably counterproductive.


> The attack, KQED employees said, did not appear to be targeted. In fact, it didn’t seem that the hackers knew what kind of organization they had hit.

I find the word "hackers" quite a misnomer. Not just because of the Unix roots, but because it makes it seem like one's dealing with a couple of up-to-no-good punks. "Russian hackers" come off as random people in Russia deciding they feel like doing whatever recent newsworthy thing's going on in "the cyber".


>> Everyone with computers running Microsoft Windows was told not to touch them.

Good advice.



