Wikipedia:Reference desk/Archives/Computing/2021 May 22

= May 22 =

Question about Ransomware Attacks
There is something I don't understand about the recent ransomware attack on Colonial Pipeline. As I understand it this kind of attack results in the victim's data being encrypted and they can only get the key if they pay the ransom. What about backups? I would expect data centers like that to have off site disaster and recovery plan. E.g., in case a disaster took out one of their data centers. Or if they don't have data centers and use hosted computers I would expect the hosting service to have offsite backup. --MadScientistX11 (talk) 03:46, 22 May 2021 (UTC)


 * The attackers may also try to delete, encrypt, or corrupt online backups . If the attacker has covert access for a longer period of time, they may silently damage backups as they are made; even the threat that they may have done so means victims cannot blithely restore backups (as victims generally don't know the date when their systems were first compromised). -- Finlay McWalter··–·Talk 06:40, 22 May 2021 (UTC)


 * Additionally, the attackers may threaten to publicly release (or sell on the Dark net) the stolen data which, if it includes the bank and/or other personal details of employees and/or clients, or other private data, could make those people vunerable to further attacks by further criminals, or at the very least expose matters covered by privacy laws, for which the victim company might be held responsible and have to pay for in compensation, regulatory fines and loss of future business. Leaving aside their moral responsibilities, the potential financial fallout resulting could be significantly more than the ransom demanded, making it more likely that it will be paid. {The poster formerly known as 87.81.230.195} 90.197.27.217 (talk) 07:13, 22 May 2021 (UTC)
 * While the above answers are good, an additional point is that even if you have excellent backups etc and are confident which backups you can recover, and have no worries of the attackers releasing data; if you have a lot of systems, and all the backend etc to support it and a big chunk of this is affected, recovering from an attack is still a lot of work i.e. it's a process that will take quite a time. Meanwhile your entire business is significantly affected with employees unable to do their jobs properly, customers (or whatever) avoiding the business because they know it isn't working properly etc. So beyond the probably relatively small cost in the grand scheme of things for your recovery, there's a much larger cost to your business while and even probably after recovery.  Note while some cases like the Colonial Pipeline case are extremely public, it's generally believed many smaller companies just quietly pay a ransom and few people even know it happened. [//www.wired.com/story/colonial-pipeline-ransomware-payment/] [//www.stuff.co.nz/business/92619739/embarrassed-companies-hit-by-ransomware-pay-up-and-keep-it-quiet] This relates to both my point (since customers may distrust a company affected by a ransomware attack) and 90's one.  Also while this is pure speculation, I suspect it's unfortunately? true that a lot of the time, even if it is public that a company was affected by a ransomware attack so paid a ransom and was semi back to normal after a few day; this company will be perceived better 3 months away than a company who was affected by a ransomware attack but refused to pay the ransom and took maybe a month or more to get back to semi-normality which as I've indicated may not be unreasonable even with good trustworthy backups etc.  'company was affected by a ransomware attack, paid a ransom and was semi back to normal after a few days' results in a better image for customers, shareholders etc than 'company was affected by a ransomware attack & refused to pay a ransom leading to significant disruption, after 1 month or go, they were semi back to normal'.  I say companies, but remember quite a number affected are public schools and other public services.  See [//www.bbc.com/news/business-48661152] for discussion of an example, noting while some many questions the $45 million figure, when you think of such figures it's not that hard to imagine why paying a ransom is cheaper than trying to recover by yourself. A "smart" attacker will also likely target how much they demand based on a combination of factors like how much the the company can easily pay but also how much the cost of recovery would be if they won't pay. As that source notes, the demands can often be negotiated.  Nil Einne (talk) 14:25, 22 May 2021 (UTC) 08:33, 23 May 2021 (UTC)