Don't get me wrong, I'm glad they don't, it's just kind of surprising as it seems like such a rookie mistake. Is there something I'm missing here, or is it more a case of people who know what they are doing not choosing a life of crime?
I assume that threat detection maintains big fingerprint databases of tools associated with malware. Rolling your own tooling, rather than importing a known library, gives one less heuristic to trip detection.
Ransomware wouldn't be a problem at all if copy-on-write snapshotting filesystems were the default.
Then changes made to files should be stored as deltas to the original.
But realistically a good read-only/write-new backup solution is needed; you never know when something bad might happen.
Developers with 1 project open have potentially hundreds to thousands of open, quite valuable files.
Now of course, we generally expect developers to have backups via VCS but that's exactly the point: snapshotting filesystems with append semantics for common use cases is an actual, practical defense.
That's not incompatible with sandboxing applications to limit the damage malware can do.
Even on a regular user's "workstation" there's no need for every single app to access every single directory / every single network drive with rw permission etc.
P.S.: FWIW the backup procedure I put in place doesn't just encrypt/compress/deduplicate the backups, it also compares the backup to previous backups (comparing size gives an idea, for example), then also verifies that the backup can be decrypted, using a variety of metrics (for example, if after decrypting then decompressing the backup a Git repo backup is found, it'll run "git fsck" on it; if a file with a checksum is found, it'll verify that file's checksum, etc.). Already helped us catch not a malware but a... bitflip! I figured out that if a procedure can help detect a single bitflip, it probably can help detect malware-encrypted data too. I'm not saying it's 100% foolproof: all I'm saying is there's a difference between "we're sandboxing stuff and running some checks" vs "we allow every single application to access everything on all our machines because we need users to access files".
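An added illustration (not the commenter's own tooling) of the two checks described above: verifying files against checksums recorded at backup time, which catches a single flipped bit, and comparing a backup generation against the previous one, where a mass rewrite of files is the signal a defender would look for. The sample backups are constructed in-memory dicts of path -> contents; the `changed_ratio_limit` threshold is an assumed value.

```python
import hashlib

# Constructed sample backups (path -> file contents), not data from the original post.
PREVIOUS = {
    "notes.txt": b"meeting at 10\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "data.bin": bytes(range(256)),
}
# Same backup after storage corruption: exactly one bit flipped in data.bin.
CURRENT = dict(PREVIOUS)
CURRENT["data.bin"] = bytes(
    b ^ (0x01 if i == 100 else 0) for i, b in enumerate(PREVIOUS["data.bin"])
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Checksums recorded at backup time, like a SHA256SUMS file stored with the data."""
    return {path: sha256(data) for path, data in files.items()}


def verify_checksums(files, manifest):
    """Paths whose current hash differs from the recorded one; missing files count too."""
    return sorted(p for p, h in manifest.items() if p not in files or sha256(files[p]) != h)


def compare_backups(previous, current, changed_ratio_limit=0.5):
    """Coarse drift check between two generations: total size and fraction of changed files.
    A single corrupted file changes little; ransomware rewrites most of the tree."""
    prev_size = sum(len(d) for d in previous.values())
    cur_size = sum(len(d) for d in current.values())
    changed = sorted(p for p in current if p not in previous or previous[p] != current[p])
    changed_ratio = len(changed) / max(len(current), 1)
    return {
        "size_ratio": cur_size / max(prev_size, 1),
        "changed": changed,
        "suspicious": changed_ratio > changed_ratio_limit,
    }


if __name__ == "__main__":
    manifest = build_manifest(PREVIOUS)
    print("checksum mismatches:", verify_checksums(CURRENT, manifest))
    print("drift report:", compare_backups(PREVIOUS, CURRENT))
```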
You are incorrect. What is limited is the number of attacks that can be used for victims to recover their files. If you think the author is the only person that was using this attack to recover files, you are incorrect again. I'd recommend checking out the book The Ransomware Hunting Team. It's an interesting book about what happens behind the scenes for helping victims recover their files.
This feels like a net win.
Huge props to the author for coming up with this whole process and providing such fascinating details
Would like more details on the mini PC. Processor, RAM, price. Is it fanless?