Malware

Some original threads:

Apparently modern IDS (Intrusion Detection System) platforms make a lot of assumptions about national origin of DNS records. Pretty much any TLD (Top Level Domain) from smaller countries is automatically treated as hostile.

E.g., any DNS query for a domain in Palau (pw) is automatically assumed to be malware.

If you google about the domain, the autosuggestions are wonderful.

Pretty safe bet. Ever intentionally visit a site from Palau?

I remember at RIT in the days before Gmail. I forwarded each individual spam message I got at my rit.edu address to the RIT sysadmin to complain.

Once spam started getting bad, I set up rules to auto-block anything that came from an ip address in China or Russia, and that actually kept most of it at bay for years.

I used the spam filter that was built into Thunderbird, and it worked rather well at the time.

I frequent sites with the top level domain of the Federated States of Micronesia though I doubt that counts.

So I found out about this guy when he sorta accidentally took out the C&C servers of some global ransomware by registering the domain they were using out from under them.

Since then he’s had a bit of a storied career, including getting arrested on his way out of the States. All this to say, I generally trust him on malware analysis; he’s pretty good. I was glued to his stream when Ghidra first came out and he got to use it for the first time.

Apparently when the target is juicy enough, actual people go into the network in search of backups to delete, indicating that online writable backups no longer count as backups for the purposes of defending against ransomware.

Ok, so they ransomware my PC. Then they find the NAS on my network and somehow ransomware that. How the hell can they then get to AWS and ransomware my cloud backups?

I’m imagining however you get to aws, they get to aws.

How do they get my AWS 2FA? By the way, my NAS also has 2FA.


If you only backup to AWS manually using 2FA every time, they’re screwed. If you have some cron job doing it, then they just use that.

Incremental backups solve that. Each backup snapshot is WORM or WORR.

I have no idea what those are, and a cursory google was not helpful.

The IAM identity that the cron job uses to run the backups only has permission to write new files. Even if they get its API credentials, all they will be able to do is create new backups. It can’t be used to modify or remove existing backups.

Seems you’re safe.

Write Once Read Many

Basically storage where you write to it once, and it can not be written to or over-written again. But it can be read as-needed.

WORR is a fairly uncommon term that I’ve heard around backups. Write Once Read Rarely. Same concept.
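To make the two posts above concrete (the write-only IAM identity for the cron job, and the WORM snapshots it writes), here is an added example that is not from anyone in this thread. The bucket name, the snapshots/ prefix and the 90-day retention are placeholder assumptions. It pairs a least-privilege IAM policy with the S3 bucket settings that actually give write-once semantics, and includes a small evaluator that applies IAM's deny-overrides-allow rule so you can see what a stolen backup key could and could not do. One caveat the evaluator makes visible: s3:PutObject on an existing key is an overwrite, so IAM alone cannot express "write new files only"; bucket versioning plus Object Lock in compliance mode is what keeps the earlier bytes around.

```python
"""Write-only backup credentials plus WORM retention (constructed example)."""
import fnmatch
import json

BUCKET = "example-backups"  # placeholder bucket name (assumption)

# Identity policy for the IAM user/role the backup cron job runs as.
# It may upload objects under snapshots/ and nothing else; the explicit
# Deny block wins over any Allow that another attached policy might grant.
BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UploadSnapshots",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/snapshots/*",
        },
        {
            "Sid": "NeverDeleteOrReconfigure",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutBucketVersioning",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:BypassGovernanceRetention",
                "s3:PutLifecycleConfiguration",
            ],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}

# Bucket-side settings that supply the WORM property. An overwrite of an
# existing key becomes a new version, and COMPLIANCE mode stops every
# principal, root included, from deleting a version before retention ends.
VERSIONING_CONFIG = {"Status": "Enabled"}
OBJECT_LOCK_CONFIG = {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}},  # assumed period
}


def _match_any(patterns, value, casefold=False):
    """IAM-style wildcard match. Action names compare case-insensitively,
    resource ARNs case-sensitively; only '*' and '?' are wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if casefold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate a single identity policy for one API call the way IAM does:
    an explicit Deny wins, otherwise any matching Allow wins, otherwise the
    implicit default is deny. Condition keys are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _match_any(stmt["Action"], action, casefold=True):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attacker_capabilities(policy, bucket=BUCKET):
    """What an attacker holding the cron job's access key can do to the
    bucket. Returns a name -> bool map; 'upload new snapshot' should be the
    only True entry for a correctly scoped backup writer."""
    key = f"arn:aws:s3:::{bucket}/snapshots/2024-01-01.tar.gz"
    probes = {
        "upload new snapshot": ("s3:PutObject", key),
        "overwrite existing key": ("s3:PutObject", key),  # same call; versioning saves the old version
        "read snapshot": ("s3:GetObject", key),
        "delete snapshot": ("s3:DeleteObject", key),
        "delete old version": ("s3:DeleteObjectVersion", key),
        "shorten retention": ("s3:PutObjectRetention", key),
        "disable versioning": ("s3:PutBucketVersioning", f"arn:aws:s3:::{bucket}"),
        "add expiry lifecycle rule": ("s3:PutLifecycleConfiguration", f"arn:aws:s3:::{bucket}"),
    }
    return {name: is_allowed(policy, act, res) for name, (act, res) in probes.items()}


if __name__ == "__main__":
    print(json.dumps(BACKUP_WRITER_POLICY, indent=2))
    for name, ok in attacker_capabilities(BACKUP_WRITER_POLICY).items():
        print(f"{'ALLOW' if ok else 'deny '}  {name}")
```

Note that the writer cannot even read the snapshots back; a backup job has no reason to, and a read-capable key is what lets an intruder exfiltrate before encrypting. Restores and retention changes should come from a separate, rarely used identity behind 2FA, which is the manual-only path the earlier reply described. Object Lock must be enabled when the bucket is created, and compliance-mode retention cannot be shortened afterwards, so choose the period deliberately.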

I still haven’t seen any real ransomware that doesn’t rely on someone running an executable they got from a shady source, or installing a plugin (that they got from a shady source).