Multiple incremental copies are as good as multiple independent copies. However, incremental copies are *feasible* multiple times a day. And of course the goal is to detect ransomware as quickly as possible - but it can happen "two snapshots later". So, you have to recover from an older snapshot. And no, an "infected" copy will affect neither the older nor the newer copy. Of course, an encrypted/destroyed ABC.FILE will be encrypted in the next copies, but this has no relationship to the full vs. incremental topic. Note: an incremental copy means a physical comparison of changed tracks. The list of tracks is maintained by the disk array, not by the (possibly infected) OS. So, the difference between yesterday's healthy dataset and today's infected dataset could be 100%.
BTW: this is the way backup software detects ransomware.

--
Radoslaw Skorupka
Lodz, Poland




On 09.04.2025 at 14:55, Allan Staller wrote:

"6. Here comes... (I am *not* sales guy!) disk snapshot plus some "WORM-like" 
features. IBM calls it Safeguarded copy. Yes, you can perform many snapshots a day, all of them are 
incremental. None of them are accessible from the source system, even if you have all the 
authorities like Administrator, root, SPECIAL, etc. Access to the copy requires a special procedure 
and it is always read-only."

I believe multiple "snapped" backups will not be effective unless multiple 
INDEPENDENT snapped copies are used. Not incremental upgrades. If this is not done, your 
backup will also have the ransomware.
Even in this case there is another item that needs to be addressed.

All of the ransomware recovery scenarios REQUIRE a "clean" backup. The majority 
of ransomware attacks I am aware of have been triggered some time after the infection, 
such that all backups are compromised.

It is a problem and the only cure I can see is to have a pre-compromise backup available 
"somewhere".



-----Original Message-----
From: IBM Mainframe Discussion List<[email protected]> On Behalf Of 
Radoslaw Skorupka
Sent: Tuesday, April 8, 2025 4:01 PM
To:[email protected]
Subject: Re: WORM backup tapes block ransomeware attacks?


On 08.04.2025 at 21:11, Schmitt, Michael wrote:
A hypothetical IT department wants all tape systems, including z/OS, to turn on 
WORM (Write Once Read Many) so that the tapes are immutable. The reason is for 
prevention of ransomware attacks from altering backup data.

My question is: how does this help? If an attacker has the access and 
authorization to update a tape, they also have the access and authorization to 
copy the tape data to a new tape with altered data.

When we restore from a backup, we don't consult a post-it note that says "now mount 
volume T13439". We mount whatever volume the tape catalog system says contains the 
data set we need.

What am I missing?
A lot of things are missed.
1. Assuming the ransomware attack is possible (which is a *good*
assumption!), you cannot trust any of your system structures, including the RACF db, 
tape catalog, etc.
2. You cannot trust your ...backup copy. A disk or any online copy can be 
altered. Air gap? WORM? Both provide some isolation, but... maybe it was too 
late? Maybe your air-gapped, WORM copy is already altered by ransomware?
3. How to recognise an altered backup copy? In general you cannot. Note, some 
ransomware attacks allow opening encrypted files before the attack is finished. 
Note, the ransomware can be pervasive or not. How to recognise *one* altered 
file among hundreds of thousands of others? How to do it *every day*? There are some 
tools for that, but none of them provide 100% accuracy and 100% certainty.
4. Is your latest copy altered? Maybe the previous one is healthy?
That's one of the most common and quite reasonable methods. However, when 
talking about tape - is it possible to perform a *full* copy every day?
5. Why every day? Maybe twice a day? Or every 4 hours? But... how?
6. Here comes... (I am *not* a sales guy!) disk snapshot plus some "WORM-like" 
features. IBM calls it Safeguarded copy. Yes, you can perform many snapshots a day, all 
of them are incremental. None of them are accessible from the source system, even if you 
have all the authorities like Administrator, root, SPECIAL, etc. Access to the copy 
requires a special procedure and it is always read-only.


Short version: forget about tapes. WORMs are good for archival copies.


--
Radoslaw Skorupka
Lodz, Poland
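As an added illustration of the point made at the top of this thread (this is not code from the thread, nor IBM's Safeguarded Copy implementation; it is a toy model with constructed block contents, and a keyed BLAKE2b hash stands in for ransomware ciphertext), the following Python simulates an array-side incremental snapshot chain. Each snapshot after the base records only the tracks that changed since the previous one, a jump in the changed-track fraction combined with high entropy of the new contents flags the encryption event, and recovery rolls back to the snapshot just before the *first* anomalous one. The "two snapshots later" case is covered explicitly: a quiet snapshot taken after the attack changes nothing, so it must not be mistaken for a clean one. Block size, thresholds and the sample data are assumptions for the example.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 64   # toy "track" size in bytes (constructed, not a real array geometry)
NUM_BLOCKS = 200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext or random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class SafeguardedVolume:
    """Array-side model: snapshot 0 is a full copy, every later snapshot stores only
    the blocks that differ from the previous snapshot. The change list is computed
    here, on the 'array', never reported by the (possibly infected) host. There is
    deliberately no method that modifies or deletes a snapshot once taken."""

    def __init__(self, blocks):
        self._live = list(blocks)                 # what the host reads and writes
        self._snapshots = [dict(enumerate(self._live))]   # base copy

    def read(self, index):
        return self._live[index]

    def write(self, index, data):
        self._live[index] = data

    def snapshot(self):
        previous = self.restore(len(self._snapshots) - 1)
        delta = {i: b for i, b in enumerate(self._live) if b != previous[i]}
        self._snapshots.append(delta)
        return len(self._snapshots) - 1

    def restore(self, snap_id):
        """Rebuild the full image as of snap_id by replaying deltas (read-only)."""
        image = dict(self._snapshots[0])
        for delta in self._snapshots[1:snap_id + 1]:
            image.update(delta)
        return [image[i] for i in range(len(image))]

    def snapshot_count(self):
        return len(self._snapshots)

    def changed_fraction(self, snap_id):
        return len(self._snapshots[snap_id]) / len(self._live)

    def changed_entropy(self, snap_id):
        return shannon_entropy(b"".join(self._snapshots[snap_id].values()))


def ransomware_like(vol, snap_id, max_change=0.25, min_entropy=7.0):
    """Flag a snapshot when far more tracks changed than usual AND the new
    contents look encrypted. Thresholds are assumptions for this toy."""
    return (snap_id > 0
            and vol.changed_fraction(snap_id) > max_change
            and vol.changed_entropy(snap_id) > min_entropy)


def newest_clean_snapshot(vol):
    """Damage persists into every later snapshot, so a quiet snapshot taken after
    the attack is NOT clean: roll back to just before the first anomalous one."""
    for sid in range(1, vol.snapshot_count()):
        if ransomware_like(vol, sid):
            return sid - 1
    return vol.snapshot_count() - 1


def plaintext_block(i, version):
    # constructed sample data
    return f"ledger record {i:05d} rev {version:03d} amount 123.45 EUR".encode().ljust(BLOCK_SIZE, b" ")


def fake_encrypt(block, key=b"attacker-key"):
    # Stand-in for ransomware ciphertext: a keyed hash gives BLOCK_SIZE high-entropy bytes.
    return hashlib.blake2b(block, key=key, digest_size=BLOCK_SIZE).digest()


def run_scenario():
    vol = SafeguardedVolume(plaintext_block(i, 0) for i in range(NUM_BLOCKS))
    for day in (1, 2, 3):                      # normal activity: ~5% of tracks change per day
        for i in range(0, NUM_BLOCKS, 20):
            vol.write(i, plaintext_block(i, day))
        vol.snapshot()                         # snapshots 1, 2, 3
    clean_image = vol.restore(vol.snapshot_count() - 1)
    for i in range(NUM_BLOCKS):                # ransomware rewrites every track the host can reach
        vol.write(i, fake_encrypt(vol.read(i)))
    vol.snapshot()                             # snapshot 4: ~100% changed, high entropy
    vol.snapshot()                             # snapshot 5: nothing changed, but still encrypted
    target = newest_clean_snapshot(vol)
    return {
        "change_fractions": [round(vol.changed_fraction(s), 3) for s in range(vol.snapshot_count())],
        "flagged": [s for s in range(vol.snapshot_count()) if ransomware_like(vol, s)],
        "recover_from": target,
        "recovered_ok": vol.restore(target) == clean_image,
        "latest_is_encrypted": vol.restore(vol.snapshot_count() - 1) != clean_image,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The change list is derived by the array from the data itself, so an infected host cannot hide a mass rewrite by lying about what it wrote; the detector here only answers "which snapshot first looks wrong", and the rollback target is the one before it, not simply the newest snapshot with few changes.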



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
