Re: [ADSM-L] Ransomware deleted TSM backups from node

2015-02-02 12:46:33
Subject: Re: [ADSM-L] Ransomware deleted TSM backups from node
From: "Schneider, Jim" <jschneider AT USSCO DOT COM>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Mon, 2 Feb 2015 17:44:31 +0000
Roger,

According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP 
for SQL require backdelete authority.  I don't know how to get around this 
problem.

Jim Schneider

-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf Of 
Roger Deschner
Sent: Friday, January 30, 2015 7:40 PM
To: ADSM-L AT VM.MARIST DOT EDU
Subject: [ADSM-L] Ransomware deleted TSM backups from node

I'm not sure there's anything that can be done about this, but take it as a 
warning anyway.

A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
They encrypted all files on the node, and left a ransom note.

The node owner called me because they were having trouble restoring their files 
from TSM using a point-in-time restore. The files were gone!
Apparently this villain located which backup program was installed, found it 
was TSM, and issued actual dsmc delete backup commands, which they were allowed 
to do since PASSWORDACCESS GENERATE was in effect. So this attack vector is not 
limited to TSM; it would work with any backup program that the villain can 
figure out how to use.

I have moved this node to a domain that includes VEREXISTS=NOLIMIT 
VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group, while 
our data security people investigate.

I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to 
prevent a hacker from deleting backups. Anybody got a better idea?

Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
=================== ALL YUOR BASE ARE BELONG TO US!! ===================

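As an added example that is not part of this thread: a POSIX sh script that parses dsmadmc "query node format=detailed" output, lists nodes that still allow backup or archive deletion, and generates the UPDATE NODE BACKDELETE=NO ARCHDELETE=NO commands Roger proposes, while flagging TDP for SQL nodes for manual review since Jim notes they need backdelete authority. The sample server output, the "TDP MSSQL" platform string and the admin credentials in the usage comment are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of "query node format=detailed" output (not captured from
# any real server); a real listing carries many more fields per node.
SAMPLE='                  Node Name: WKSTN01
                   Platform: WinNT
     Backup Delete Allowed?: Yes
    Archive Delete Allowed?: No

                  Node Name: SQLSRV01
                   Platform: TDP MSSQL Win64
     Backup Delete Allowed?: Yes
    Archive Delete Allowed?: Yes

                  Node Name: WKSTN02
                   Platform: Linux86-64
     Backup Delete Allowed?: No
    Archive Delete Allowed?: No'

# Reads the detailed node listing on stdin and prints one line per node that
# still permits backup or archive deletion:  <node> <backdel> <archdel> <platform>
# (platform last, because it may contain spaces).
list_delete_allowed() {
  awk -F': *' '
    /^ *Node Name:/                 { node = $2 }
    /^ *Platform:/                  { plat = $2 }
    /^ *Backup Delete Allowed[?]:/  { bd = $2 }
    /^ *Archive Delete Allowed[?]:/ {
        ad = $2
        if (bd == "Yes" || ad == "Yes") print node, bd, ad, plat
    }'
}

# Turns that list into UPDATE NODE commands. TDP for SQL nodes are only
# flagged, since that client requires backdelete authority to work.
gen_update_cmds() {
  while read -r node bd ad plat; do
    case "$plat" in
      *"TDP MSSQL"*) printf '* %s is TDP for SQL (%s); review manually\n' "$node" "$plat" ;;
      *)             printf 'UPDATE NODE %s BACKDELETE=NO ARCHDELETE=NO\n' "$node" ;;
    esac
  done
}

# Against a live server (assumed admin id/password placeholders):
#   dsmadmc -id=ADMIN -password=SECRET -dataonly=yes "query node format=detailed" \
#     | list_delete_allowed | gen_update_cmds
printf '%s\n' "$SAMPLE" | list_delete_allowed | gen_update_cmds
```

Review the generated commands before running them through dsmadmc, and leave the copy group retention change (the NOLIMIT values above) in place separately, since BACKDELETE=NO only stops the client from deleting, not the server from expiring.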
