> On 2 Feb 2015, at 18:44, Schneider, Jim <jschnei...@ussco.com> wrote:
>
> Roger,
>
> According to my TSM Data Protection for SQL 6.4 manual, servers that run TDP for SQL require backdelete authority. I don't know how to get around this problem.

Mitigated by running the file backup and 'structured data' backup as separate nodes so you can at least protect your unstructured data against such ransomware.

> Jim Schneider
>
> -----Original Message-----
> From: ADSM: Dist Stor Manager [mailto:ADSM-L@VM.MARIST.EDU] On Behalf Of Roger Deschner
> Sent: Friday, January 30, 2015 7:40 PM
> To: ADSM-L@VM.MARIST.EDU
> Subject: [ADSM-L] Ransomware deleted TSM backups from node
>
> I'm not sure there's anything that can be done about this, but take it as a warning anyway.
>
> A Windows 7 desktop node here was attacked by CryptoWare 3.0 ransomware. They encrypted all files on the node, and left a ransom note.
>
> The node owner called me because they were having trouble restoring their files from TSM using a point-in-time restore. The files were gone! Apparently this villain located which backup program was installed, found it was TSM, and issued actual dsmc delete backup commands, which they were allowed to do since PASSWORDACCESS GENERATE was in effect. So this attack vector is not limited to TSM; it would work with any backup program that the villain can figure out how to use.
>
> I have moved this node to a domain that includes VEREXISTS=NOLIMIT VERDELETED=NOLIMIT RETEXTRA=NOLIMIT RETONLY=NOLIMIT for that Copy Group, while our data security people investigate.
>
> I am planning to change all TSM client nodes to BACKDEL=NO ARCHDEL=NO to prevent a hacker from deleting backups. Anybody got a better idea?
>
> Roger Deschner
> University of Illinois at Chicago
> rog...@uic.edu
> =================== ALL YUOR BASE ARE BELONG TO US!! ===================

-- 
Kind Regards,

Remco Post
r.p...@plcs.nl
+31 6 248 21 622
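The BACKDEL=NO ARCHDEL=NO hardening Roger proposes, together with the separate-node exception for TDP for SQL nodes, as an added example that is not part of the thread: a small Python audit over a constructed export of the TSM NODES table (the column names NODE_NAME, DOMAIN_NAME, BACKDELETE and ARCHDELETE, the node names, and the `_SQL` naming convention for structured-data nodes are all assumptions) that lists the UPDATE NODE commands to run and the nodes to keep on their own node instead.

```python
import csv
import io

# Constructed sample of NODE_NAME, DOMAIN_NAME, BACKDELETE, ARCHDELETE
# from the TSM NODES table, comma-delimited (not real server output).
SAMPLE = """\
NODE_NAME,DOMAIN_NAME,BACKDELETE,ARCHDELETE
DESKTOP01,STANDARD,YES,YES
DESKTOP02,STANDARD,NO,NO
FILESRV01,STANDARD,YES,NO
DBHOST01_SQL,STRUCTURED,YES,NO
"""

# Assumed naming convention for TDP for SQL nodes; they need BACKDELETE=YES,
# so they are kept as separate nodes rather than hardened.
STRUCTURED_SUFFIX = "_SQL"


def parse_nodes(text):
    """Return one dict per node from comma-delimited select output."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(nodes):
    """Return (fix, exempt): nodes that still grant delete authority and
    should be set to BACKDEL=NO ARCHDEL=NO, and TDP nodes that keep it."""
    fix, exempt = [], []
    for n in nodes:
        if n["BACKDELETE"] != "YES" and n["ARCHDELETE"] != "YES":
            continue  # already hardened, nothing to do
        name = n["NODE_NAME"]
        (exempt if name.upper().endswith(STRUCTURED_SUFFIX) else fix).append(name)
    return fix, exempt


def remediation_commands(fix):
    """UPDATE NODE commands removing delete authority, as proposed in the thread."""
    return [f"update node {name} backdel=no archdel=no" for name in fix]


if __name__ == "__main__":
    to_fix, kept = audit(parse_nodes(SAMPLE))
    print("\n".join(remediation_commands(to_fix)))
    print("exempt, keep on a separate node:", ", ".join(kept))
```

Run the printed commands from an administrative session; the exempt nodes are the ones Remco's advice says to keep apart from file-backup nodes.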