Classification: Confidential

> 6. Here comes... (I am *not* a sales guy!) disk snapshot plus some "WORM-like" features. IBM calls it Safeguarded Copy. Yes, you can perform many snapshots a day, all of them are incremental. None of them are accessible from the source system, even if you have all the authorities like Administrator, root, SPECIAL, etc. Access to the copy requires a special procedure and it is always read-only.
I believe multiple "snapped" backups will not be effective unless multiple INDEPENDENT snapped copies are used. Not incremental upgrades. If this is not done, your backup will also have the ransomware.

Even in this case there is another item that needs to be addressed. All of the ransomware recovery scenarios REQUIRE a "clean" backup. The majority of ransomware attacks I am aware of have been triggered some time after the infection, such that all backups are compromised. It is a problem and the only cure I can see is to have a pre-compromise backup available "somewhere".

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: Tuesday, April 8, 2025 4:01 PM
To: [email protected]
Subject: Re: WORM backup tapes block ransomeware attacks?

On 08.04.2025 at 21:11, Schmitt, Michael wrote:
> A hypothetical IT department wants all tape systems, including z/OS, to turn
> on WORM (Write Once Read Many) so that the tapes are immutable. The reason is
> for prevention of ransomware attacks from altering backup data.
>
> My question is: how does this help? If an attacker has the access and
> authorization to update a tape, they also have the access and authorization
> to copy the tape data to a new tape with altered data.
>
> When we restore from a backup, we don't consult a post-it note that says "now
> mount volume T13439". We mount whatever volume the tape catalog system says
> contains the data set we need.
>
> What am I missing?

A lot of things are missed.

1. Assuming the ransomware attack is possible (which is a *good* assumption!) you cannot trust any of your system structures, including the RACF db, tape catalog, etc.

2. You cannot trust your ...backup copy. Disk or any online copy can be altered.
Air gap? WORM? Both provide some isolation, but... maybe it was too late? Maybe your air-gapped, WORM copy is already altered by ransomware?

3. How to recognise an altered backup copy? In general you cannot. Note, some ransomware attacks allow encrypted files to be opened before the attack is finished. Note, the ransomware can be pervasive or not. How to recognise *one* altered file among hundreds of thousands of others? How to do it *every day*? There are some tools for that, but none of them provide 100% accuracy and 100% certainty.

4. Is your latest copy altered? Maybe the previous one is healthy? That's one of the most common and quite reasonable methods. However, when talking about tape - is it possible to perform a *full* copy every day?

5. Why every day? Maybe twice a day? Or every 4 hours? But... how?

6. Here comes... (I am *not* a sales guy!) disk snapshot plus some "WORM-like" features. IBM calls it Safeguarded Copy. Yes, you can perform many snapshots a day, all of them are incremental. None of them are accessible from the source system, even if you have all the authorities like Administrator, root, SPECIAL, etc. Access to the copy requires a special procedure and it is always read-only.

Short version: forget about tapes. WORMs are good for archival copies.

-- 
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
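Two threads of the discussion above can be made concrete in code: Radoslaw's points 1, 3 and 4 (the catalog and online copies cannot be trusted, an altered copy is hard to recognise, and the usual recovery method is to walk back to an earlier healthy generation), and the reply's requirement for a clean pre-compromise copy. The following is an added example and not code from the thread, from IBM, or from any Safeguarded Copy tooling. It seals each backup generation's manifest with an HMAC key that is assumed to be held off the source system (OFFSITE_KEY, a hypothetical name), so that an attacker with full authority on the source can rewrite a copy and regenerate plain hashes but cannot produce a valid seal; and it applies a byte-entropy heuristic to flag a generation in which many files were rewritten as encryption-like data, then reports the newest generation that still looks clean. The data set names, the three generations and the "ransomware" keystream are all constructed inline. As point 3 warns, the entropy check is a signal, not a proof: compressed or already-encrypted data looks the same to it.

```python
"""Added example: off-system sealed manifests plus an entropy heuristic
for locating the last clean backup generation. All data is constructed;
OFFSITE_KEY stands in for a key that never lives on the source system."""
import hashlib
import hmac
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest(snapshot: dict) -> dict:
    """Plain content hashes. Anyone with read access can regenerate these,
    so on their own they prove nothing about tampering."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in snapshot.items()}


def seal(man: dict, key: bytes) -> str:
    """HMAC over the canonical manifest; needs the off-system key."""
    canon = "\n".join(f"{k} {man[k]}" for k in sorted(man)).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify(snapshot: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(seal(manifest(snapshot), key), tag)


def suspicious_files(prev: dict, curr: dict, high=7.0, jump=2.0) -> list:
    """Files that changed between generations and now look encrypted:
    high absolute entropy and a large jump versus their previous content."""
    flagged = []
    for name, blob in curr.items():
        before = prev.get(name)
        if before is None or before == blob:
            continue
        e0, e1 = shannon_entropy(before), shannon_entropy(blob)
        if e1 >= high and e1 - e0 >= jump:
            flagged.append(name)
    return sorted(flagged)


def last_clean_generation(gens: list, tags: list, key: bytes, max_fraction=0.2):
    """Walk newest to oldest. Reject a generation whose seal fails (altered
    after it was taken) or whose changes versus its predecessor are mostly
    encryption-like rewrites. Returns the index of the newest survivor."""
    for i in range(len(gens) - 1, -1, -1):
        if not verify(gens[i], tags[i], key):
            continue
        if i > 0:
            flagged = suspicious_files(gens[i - 1], gens[i])
            if len(flagged) / max(len(gens[i]), 1) > max_fraction:
                continue
        return i
    return None


# ---- constructed sample data: three generations of five "data sets" ----
def _keystream(seed: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _encrypt(blob: bytes, seed: bytes) -> bytes:
    """Stand-in for what ransomware does to a file: XOR with a keystream."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(seed, len(blob))))


TEXT = b"ACCOUNT 000123 BALANCE 1045.20 CURRENCY PLN STATUS OPEN\n" * 60
OFFSITE_KEY = b"assumed: held by the backup team, never on the source system"

GEN0 = {f"PROD.DATA{i}": TEXT + bytes([i]) for i in range(5)}
GEN1 = dict(GEN0)
GEN1["PROD.DATA2"] = TEXT + b"UPDATED"                      # a normal daily change
GEN2 = {k: _encrypt(v, b"ransom") for k, v in GEN1.items()}  # payload fired later
GENS = [GEN0, GEN1, GEN2]
TAGS = [seal(manifest(g), OFFSITE_KEY) for g in GENS]        # sealed when taken


def demo() -> dict:
    # An attacker with full authority on the source rewrites a copy of
    # generation 1 in place; without OFFSITE_KEY the stored seal no longer matches.
    tampered = dict(GEN1)
    tampered["PROD.DATA0"] = b"garbage"
    return {
        "gen2_flagged": suspicious_files(GEN1, GEN2),
        "tampered_verifies": verify(tampered, TAGS[1], OFFSITE_KEY),
        "last_clean": last_clean_generation(GENS, TAGS, OFFSITE_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The seal only helps if the key really is absent from the source system and the tags are stored somewhere the source cannot overwrite; that is the same isolation property the thread attributes to Safeguarded Copy, expressed at the manifest level. The entropy walk answers point 4 ("maybe the previous one is healthy?") mechanically, but it still depends on a genuinely clean generation existing, which is the reply's point.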
