>> Thus, defense in depth:
>> [...]
>> (3) Test-restore from your backups periodically.

> As for (3), I don't understand how a test-restore would help.

The theory is, if the restore restores good contents then the backup contains good contents.

> Even if the files have been encrypted, I don't understand how a
> restore would detect that the files are being encrypted / decrypted
> on the fly if a boot every morning does not notice a problem.

It wouldn't. That was to defend against the "the backup contains the encrypted version" risk - which only some backup mechanisms will suffer from.

If you use something like tar(1) to make your backups, something that uses the usual file-access mechanisms to read the files, it will back up the decrypted-on-the-fly version, which is what you want. But if you use something like dump(1) that goes behind the filesystem's back to read the files, or something like dd(1) that is filesystem-blind and just backs up the disk's contents, it easily could end up backing up the on-disk encrypted version (which is what that kind of ransomware hopes for, of course).

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML                  mo...@rodents-montreal.org
/ \ Email!        7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
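The message above leaves open how a periodic test-restore could actually notice that a backup captured the on-disk ciphertext rather than the files as applications see them. The following is an added example, not code from the poster or from any backup tool: a small Python check that walks a scratch directory the backup was restored into and flags files that neither decode as text nor start with a known file signature but have near-maximal byte entropy, which is what an encrypted copy of a document looks like. The two sample files, the short list of magic prefixes, and the 7.5 bits/byte threshold are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Constructed subset of file signatures; legitimately high-entropy formats
# (compressed or already-encrypted containers) must be recognised here so
# they are not reported as ransomware damage.
KNOWN_MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_restored_file(path, sample_bytes=65536, threshold=7.5):
    """Inspect the first sample_bytes of a restored file and decide whether it
    looks like ciphertext: unknown signature, not valid UTF-8 text, and entropy
    at or above the threshold (hypothetical cut-off chosen for this example)."""
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    entropy = shannon_entropy(head)
    for magic, kind in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return {"name": os.path.basename(path), "kind": kind,
                    "entropy": round(entropy, 2), "suspicious": False}
    try:
        head.decode("utf-8")
        is_text = True
    except UnicodeDecodeError:
        is_text = False
    suspicious = (not is_text) and entropy >= threshold
    return {"name": os.path.basename(path),
            "kind": "text" if is_text else "binary",
            "entropy": round(entropy, 2), "suspicious": suspicious}

def scan_restore_dir(root):
    """Classify every regular file under the directory a test-restore landed in."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            results.append(classify_restored_file(os.path.join(dirpath, name)))
    return results

def build_sample_restore():
    """Create a constructed 'restored' tree: one plain document and one file of
    random bytes standing in for a document the backup captured in encrypted form."""
    root = tempfile.mkdtemp(prefix="restore-check-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("quarterly report draft\n" * 200)
    with open(os.path.join(root, "spreadsheet.xlsx"), "wb") as fh:
        fh.write(os.urandom(16384))  # constructed stand-in for ciphertext
    return root

if __name__ == "__main__":
    for entry in scan_restore_dir(build_sample_restore()):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"{entry['name']:20} {entry['kind']:6} {entry['entropy']:5} {flag}")
```

This is a heuristic, not proof of integrity: compressed or genuinely encrypted formats that are missing from the signature table will be flagged, and ransomware that leaves headers intact will not. The stronger version of the same check is a baseline, such as a list of hashes or file types recorded from the live system through ordinary file access, that the restored tree is compared against. A clean result from a file-level backup such as tar(1) says little about a separate block-level copy made with dd(1); each backup path needs its own test-restore.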