Ask HN: How is encryption-based ransomware still a thing?
From my understanding you only need two countermeasures (i) an append-only database (no mutable data) to store everything business critical and (ii) use virtualization on all clients to quickly re-provision a clean OS version.
So why does a recovery from ransomware take more than 300ms?
7 comments
[ 3.0 ms ] story [ 23.6 ms ] threadIf the virtual OS has a vulnerability it will get hacked again.
If the hypervisor has a vulnerability, you won't be able to reprovision.
>> From my understanding
If your understanding is correct, wouldn't the problem already be solved?
If you DO know how to solve the problem, you could make millions by fixing the world's computer security problem. Go for it!
How does that change anything? If your append-only database is encrypted by ransomware, you still have to recover from backups, no?
In which case you're in the same spot with regards to external services you integrate with. That is, out of sync.
The point I'm trying to make is that a lot of systems interact with other systems.
For example, imagine my system generates an invoice, sends the invoice to a third-party for collection, the collection system replies with a token to track the invoice in their system. Finally the invoice is marked as paid once the third-party system returns an "invoice paid" message with that token.
Now imagine the system generated an invoice and sent it to collection, and is then hit by ransomware. I restore from backup or as you say ignore the data since the attack. Except now I don't have the token, so when I get an "invoice paid" message I don't know which invoice that was for.
We have several integrations which work not entirely unlike this, and disentangling the mess of these "desynchronization events" is what has taken the majority of our time when helping a customer after after a ransomware attack. Fortunately it's only been one or two a year.