I do auditing of backups and recovery.

It is crazy the number of companies that do not have appropriate visibility of what they're backing up. If the backups are immutable and if they have ever tested their ability to recover the environment.

And when I say the environment I mean all necessary components of the environment, not just applications, but their databases, Active Directory/Domain, DNS, DHCP, File servers, virtual infrastructure (VMware/HyperV).

In a virtualized environment the backup of these components is made easier, but you still need to understand what makes up your environment in order ensure you're backing it up appropriately.

Sometimes they have backups, but once they're forced to test them, realise they weren't backing up the right components or simply couldn't recover from those backups.

It's a big, risky exercise to perform, but important.

>Is it that difficult to make off-site backups every hour? Storage is cheap. There are many air gapping options for backups, too.

I'd imagine that often your backups get encrypted as well, early enough that the data loss to the last good backup becomes unacceptable.

Yes, there would still be minimal loss. But not enough to be extorted over.

They're not a government organization. Haven't been for almost 10 years

Ah, that’s true, looks like it has been privatized. But the government originally retained a significant stake in the company even after it was made publicly traded. Not sure about it today. Interesting point.

Though I think it’s even worse if a publicly traded company fails to protect its data and falls prey to the extortion. Don’t they have a fiduciary responsibility to their shareholders? It seems wrong to waste their money due to incompetence at such basic infosec.

Government orgs are more difficult to hold accountable for losses than PLCs.

This ransom is not about encrypted data on the victims hard drive. Instead they have stolen data and money has to be paid so the attackers would not make the stolen data public.

Many ransoms now are for the leaking of the info, not the destruction of the info.

With huge GDPR fines for data leaks in Europe, the criminals are using the legal system as their 'threat'.

In this case it’s encryption but interesting point.

GDPR fines come from not following basic data protection practices, not for the breach itself. Also, a lot of reputational damage of the leak comes from bad infosec (case study: LastPass). If the customer data is reasonably protected, there isn’t much motivation to pay ransoms.

Companies have data breaches all the time. Even a start-up I worked in in GDPR times had a data breach, and an extortion attempt. But all customer PI data was encrypted and only ever in plaintext on our end in an ephemeral way. The data was worthless, we never paid ransoms. We bought some darknet monitoring service for some fake canary user data, but nothing ever came up in 4 years after the breach. No ransom was ever paid and honestly, the data breach was on our minds for 10 days max.

This is not hard to do, it was done by two business guys who listened to infosec podcasts and read infosec articles online. Specialists in the area that I’m sure all of these ransomed big businesses can afford can definitely do much better data protection.

I don’t think companies are sued/prosecuted for GDPR non-compliance or any damage done to their customers if hashed blobs get leaked. Assuming the hackers even bother to leak them, because what are they going to say in the forums they sell the data on? “I have unknown encrypted data about some hashed usernames from company X”? Maybe one day in the far future that data will hold some value, but not today. I would more easily see investors suing the management for paying ransoms instead of doing even rudimentary data protection.