Department of Justice ransomware - backups encrypted and 50 BTC ransom demanded

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,491
Government's risk management policies are audited by the AG, and backups have to be kept 20+km offsite, and tape backups are rotated and collected daily. It is also required that twice a year a recovery is tested to ensure backups can restore. Even for their data stored at SITA, it is taken offsite as part of SITA's offsite storage management, or by Dept's own contractors. But even online replication would have overwritten the remote backups. Backups are generally catering for crashed discs and file corruption, fire, theft, etc., and faithfully replicate the master data to the remote location. One just hopes that all Dept's data is being thoroughly checked and that no other surprises pop up for others now. Imagine SASSA being hit.
If they followed their own policies, they would have been good.
Unfortunately these policies are all too often a box checking exercise.
 

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,491
That is not backups. A backup is not writing one set of data over old set of data, wtf.

A backup is a unique set of data each time it is copied, you do not replace an old dataset with the new dataset. There is also little to no chance they just so happen to backup the encrypted data after the system got encrypted.

The most obvious case is probably true, THEY had no backups offsite.

Encryption happens on the system that is infected. Merely copying over data from infected system to backup location doesn't mean the data suddenly after a timebomb would become encrypted on the backup location.

Files got encrypted on a set data, any data backed up before it got encrypted on the physical infected machine would be unencrypted.
Backup rotation is normal. You don't keep unlimited backups without good reason. Storage costs $$
 

Danie_V

Well-Known Member
Joined
Apr 15, 2010
Messages
277
That is not backups. A backup is not writing one set of data over old set of data, wtf.

A backup is a unique set of data each time it is copied, you do not replace an old dataset with the new dataset. There is also little to no chance they just so happen to backup the encrypted data after the system got encrypted.

The most obvious case is probably true, THEY had no backups offsite.

Encryption happens on the system that is infected. Merely copying over data from infected system to backup location doesn't mean the data suddenly after a timebomb would become encrypted on the backup location.

Files got encrypted on a set data, any data backed up before it got encrypted on the physical infected machine would be unencrypted.
"Backups" includes incremental and full backups. You don't do the one or the other. A backup plan allows for a series of full and incremental backups, but after 5 months you don't have much to fall back on. You can restore an April backup and lose 5 months of court work? If it was a question of restoring say two days back, then that should in theory be easy if it is not encrypted. It's possible though the encryption has hit the network side and not the application data. That means rebuilding the networks and servers from scratch before restoring the application data, and maybe that is what they are faced with.
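As an added illustration of the retention argument in the posts above (this is constructed example code, not anything posted in the thread), the simulation below contrasts daily mirrored replication, which overwrites the remote copy, with a rotated chain of weekly fulls and daily incrementals. The encryption day, the 30-day window and the rotation depth are assumed values; the point shown is that only a versioned copy older than the encryption event can be restored, and that too short a rotation silently discards it.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    day: int
    kind: str        # "full" or "incremental"
    encrypted: bool  # True if the source was already encrypted when copied


def source_encrypted(day, encryption_day):
    """Constructed timeline: ransomware encrypts the source on encryption_day."""
    return day >= encryption_day


def mirror_replication(days, encryption_day):
    """Online replication: the remote copy is overwritten daily, so after the
    encryption day it holds nothing but the encrypted state."""
    remote = None
    for day in range(1, days + 1):
        remote = Snapshot(day, "full", source_encrypted(day, encryption_day))
    return remote


def versioned_backups(days, encryption_day, full_every=7, keep_fulls=2):
    """Weekly full plus daily incrementals, rotated so that only the last
    keep_fulls chains (a full and its incrementals) are retained."""
    chains = []
    for day in range(1, days + 1):
        enc = source_encrypted(day, encryption_day)
        if (day - 1) % full_every == 0:
            chains.append([Snapshot(day, "full", enc)])
            chains = chains[-keep_fulls:]  # rotation drops the oldest chain
        else:
            chains[-1].append(Snapshot(day, "incremental", enc))
    return chains


def latest_clean_restore_point(chains):
    """Most recent day restorable from a clean full and its clean incrementals.
    Returns None when every retained copy already contains encrypted data."""
    best = None
    for chain in chains:
        for snap in chain:
            if snap.encrypted:
                break  # the rest of this chain depends on encrypted data
            best = snap.day
    return best


if __name__ == "__main__":
    print(mirror_replication(30, 25).encrypted)                                  # True: nothing usable
    print(latest_clean_restore_point(versioned_backups(30, 25)))                 # 24: one day of work lost
    print(latest_clean_restore_point(versioned_backups(30, 25, keep_fulls=1)))   # None: clean chain rotated away
```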
 

grok

Honorary Master
Joined
Dec 20, 2007
Messages
24,471

Department of Justice hack — all backups gone and R33 million ransom demanded

Ah.. uhm.. Mr Hackers.. yoohoo.. can we.. uhm.. ask.. a little favor perhaps..?

Do SARS next please & make sure you get everything.

It should be easy, that previous IT head, sho..
 

MightyQuin

Not amused...
Joined
Oct 6, 2010
Messages
24,619
Tape for bare-metal and system backup.

Mirrored redundancy for data to ensure fast/immediate recovery and data mining.
 

MightyQuin

Not amused...
Joined
Oct 6, 2010
Messages
24,619
Government's risk management policies are audited by the AG, and backups have to be kept 20+km offsite, and tape backups are rotated and collected daily. It is also required that twice a year a recovery is tested to ensure backups can restore. Even for their data stored at SITA, it is taken offsite as part of SITA's offsite storage management, or by Dept's own contractors. But even online replication would have overwritten the remote backups. Backups are generally catering for crashed discs and file corruption, fire, theft, etc., and faithfully replicate the master data to the remote location. One just hopes that all Dept's data is being thoroughly checked and that no other surprises pop up for others now. Imagine SASSA being hit.
What?!?!

Only twice a year? Might as well not do backups then.
 

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
18,987
At some of our clients we use 5x 1.6TB HP LTO tapes; it does a full backup every day and is tested once a month.
 

John Tempus

Executive Member
Joined
Aug 8, 2017
Messages
5,696
Government's risk management policies are audited by the AG, and backups have to be kept 20+km offsite, and tape backups are rotated and collected daily. It is also required that twice a year a recovery is tested to ensure backups can restore. Even for their data stored at SITA, it is taken offsite as part of SITA's offsite storage management, or by Dept's own contractors. But even online replication would have overwritten the remote backups. Backups are generally catering for crashed discs and file corruption, fire, theft, etc., and faithfully replicate the master data to the remote location. One just hopes that all Dept's data is being thoroughly checked and that no other surprises pop up for others now. Imagine SASSA being hit.

Sit back and just think about what you just wrote.

Do you honestly believe our government entities have any real oversight? Just think about it for a minute. If we had even the most basic oversight we would not be in multiple corruption/theft scandals in every conceivable government department today.

There is zero true oversight in this government. People get employed, take a salary and do as they please. If something goes belly-up, the government just bails them out and the issues get pushed under the rug.

This is possibly the country with the least real oversight on anything going on in the government.
 

xodosman123

Expert Member
Joined
May 30, 2012
Messages
1,467
Where will SARS get the income tax? They have warned everyone that they need to tax crypto. Now let's see how they trace the money; I can bet you no way ever.
 

John Tempus

Executive Member
Joined
Aug 8, 2017
Messages
5,696
So let's look at SA Gov's Cybersecurity portal at https://www.cybersecurityhub.gov.za/, created with much fanfare years ago.... Recent vulnerabilities show May 22, 2020 as most recent. Question I really have is, what has this entity been doing the last few months whilst ransomware attacks have been hitting other governments? Is it an entity in name only? What about all the expense and time to create that portal, and the facilities etc? It was shown up about a year or two back by MyBroadband I think for being dysfunctional, and then was receiving attention to sort itself out. What happened? This is what it was preparing for the whole time! I can understand that Depts don't have the expertise in-house.

Nothing, they took a huge payment for creating bullsht and moved on.

That is the government tender initiative and it plays out the same with every single project.
 