ADSM-L

Re: [ADSM-L] Ransomware deleted TSM backups from node

2015-02-02 18:42:13
Subject: Re: [ADSM-L] Ransomware deleted TSM backups from node
From: Remco Post <r.post AT PLCS DOT NL>
To: ADSM-L AT VM.MARIST DOT EDU
Date: Tue, 3 Feb 2015 00:39:58 +0100
> On 2 Feb 2015, at 18:44, Schneider, Jim <jschneider AT USSCO DOT COM> 
> wrote:
> 
> Roger,
> 
> According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP 
> for SQL require backdelete authority.  I don't know how to get around this 
> problem.

Mitigated by running the file backup and ‘structured data’ backup as separate 
nodes so you can at least protect your unstructured data against such 
ransomware.

> 
> Jim Schneider
> 
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L AT VM.MARIST DOT EDU] On Behalf 
> Of Roger Deschner
> Sent: Friday, January 30, 2015 7:40 PM
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: [ADSM-L] Ransomware deleted TSM backups from node
> 
> I'm not sure there's anything that can be done about this, but take it as a 
> warning anyway.
> 
> A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware.
> They encrypted all files on the node, and left a ransom note.
> 
> The node owner called me because they were having trouble restoring their 
> files from TSM using a point-in-time restore. The files were gone!
> Apparently this villain located which backup program was installed, found it 
> was TSM, and issued actual dsmc delete backup commands, which they were 
> allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack 
> vector is not limited to TSM; it would work with any backup program that the 
> villain can figure out how to use.
> 
> I have moved this node to a domain that includes VEREXISTS=NOLIMIT 
> VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group, 
> while our data security people investigate.
> 
> I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to 
> prevent a hacker from deleting backups. Anybody got a better idea?
> 
> Roger Deschner      University of Illinois at Chicago     rogerd AT uic DOT edu
> =================== ALL YUOR BASE ARE BELONG TO US!! ===================
> 

-- 

 Kind regards,

Remco Post
r.post AT plcs DOT nl
+31 6 248 21 622
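
The two exposures discussed in this thread (a node that may delete its own backups while its password is stored under PASSWORDACCESS GENERATE, and a copy group with a finite version count that lets new encrypted versions push the good ones out) can be checked from the server side. The script below is an added example, not code from the thread or from IBM. It assumes the node and copy-group rows come from two dsmadmc queries of the form shown in its docstring (`-dataonly=yes -tab` output of `select ... from nodes` and `select ... from bu_copygroups`); the sample rows are constructed, the KEEPALL domain name is hypothetical, and the "_SQL" suffix used to recognise TDP for SQL nodes (which, as Jim notes, need backdelete authority) is an assumption you would replace with your own naming convention.

```python
"""Audit TSM / Spectrum Protect nodes for the two exposures the thread describes.

Added example, not code from the ADSM-L thread or from IBM. It assumes the
input is the header-free, tab-separated output of two admin queries, e.g.

    dsmadmc -id=ADMIN -pa=... -dataonly=yes -tab \
        "select node_name, domain_name, backdelete, archdelete from nodes"
    dsmadmc -id=ADMIN -pa=... -dataonly=yes -tab \
        "select domain_name, class_name, verexists from bu_copygroups \
         where set_name='ACTIVE'"

The sample rows below are constructed, the KEEPALL domain is hypothetical,
and the "_SQL" suffix used to recognise TDP for SQL nodes is an assumption.
"""
from dataclasses import dataclass

# Constructed sample: node_name, domain_name, backdelete, archdelete
SAMPLE_NODES = """\
DESKTOP-RD01\tSTANDARD\tYES\tYES
FILESRV01\tKEEPALL\tNO\tNO
SQLSRV01\tSTANDARD\tYES\tNO
SQLSRV01_SQL\tTDP_SQL\tYES\tNO
"""

# Constructed sample: domain_name, class_name, verexists (ACTIVE policy set only)
SAMPLE_COPYGROUPS = """\
STANDARD\tSTANDARD\t2
TDP_SQL\tSTANDARD\t14
KEEPALL\tSTANDARD\tNOLIMIT
"""


@dataclass
class Node:
    name: str
    domain: str
    backdel: bool
    archdel: bool


def _rows(text):
    """Yield the stripped fields of each non-empty tab-separated line."""
    for line in text.splitlines():
        if line.strip():
            yield [f.strip() for f in line.split("\t")]


def parse_nodes(text):
    return [Node(r[0], r[1], r[2].upper() == "YES", r[3].upper() == "YES")
            for r in _rows(text)]


def parse_version_limits(text):
    """Map domain -> {management class: VEREXISTS}, with NOLIMIT stored as None."""
    limits = {}
    for domain, mgmtclass, verexists in _rows(text):
        limits.setdefault(domain, {})[mgmtclass] = (
            None if verexists.upper() == "NOLIMIT" else int(verexists))
    return limits


def needs_delete_authority(node, tdp_suffixes=("_SQL",)):
    """TDP for SQL nodes require backdelete (as noted in the thread); a plain
    file-backup node does not, which is why the two belong on separate nodes."""
    return node.name.upper().endswith(tuple(s.upper() for s in tdp_suffixes))


def audit(nodes_text, copygroups_text, tdp_suffixes=("_SQL",)):
    """Return {node: [finding, ...]} for the two exposures.

    revoke:   the node may delete its own backups or archives, so anyone holding
              the client's stored password (PASSWORDACCESS GENERATE) can run
              `dsmc delete backup`; the fix is the UPDATE NODE command returned.
    versions: a copy group in the node's domain keeps a finite number of
              versions, so the same attacker can instead run `dsmc incremental`
              on the encrypted files until the good versions expire; an
              all-NOLIMIT domain, as used in the thread, closes that path.
    """
    limits = parse_version_limits(copygroups_text)
    findings = {}
    for n in parse_nodes(nodes_text):
        found = []
        if (n.backdel or n.archdel) and not needs_delete_authority(n, tdp_suffixes):
            found.append(f"revoke: UPDATE NODE {n.name} BACKDELETE=NO ARCHDELETE=NO")
        finite = {c: v for c, v in limits.get(n.domain, {}).items() if v is not None}
        for mgmtclass, verexists in sorted(finite.items()):
            found.append(f"versions: domain {n.domain} class {mgmtclass} "
                         f"keeps only {verexists} versions (VEREXISTS)")
        if found:
            findings[n.name] = found
    return findings


if __name__ == "__main__":
    for node, items in audit(SAMPLE_NODES, SAMPLE_COPYGROUPS).items():
        print(node)
        for item in items:
            print("   ", item)
```

Run against the constructed sample, FILESRV01 (no delete authority, all-NOLIMIT domain) produces no findings, the two file-backup nodes get an UPDATE NODE command plus a version-limit warning, and the TDP node keeps its backdelete authority but is still flagged for its finite VEREXISTS. Revoking BACKDELETE/ARCHDELETE only stops the deletion path; the version-limit finding is the reason a NOLIMIT domain was needed in the thread, since the client credentials can still be used to back up the encrypted files.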
