Exam SY0-601
Question 190

A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator use to restore services to a secure state?

A. The last incremental backup that was conducted 72 hours ago
B. The last known-good configuration
C. The last full backup that was conducted seven days ago
D. The baseline OS configuration

    Correct Answer: C

    To restore services to a secure state after a ransomware attack, the system administrator should use the last full backup, which was conducted seven days ago. Incremental backups are only usable on top of the full backup they build on, so restoring from the incremental backup alone is not sufficient. Since the ransomware has been on the server for the past 72 hours, restoring from a backup taken exactly 72 hours ago could risk reintroducing the ransomware. The baseline OS configuration would not include the data and configurations added since the initial setup, and the last known-good configuration might still be compromised. Therefore, the best option is to restore from the last full backup, which predates the infection and minimizes the risk of lingering or missed compromise.
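The two rules the explanation relies on (an incremental backup needs its full backup, and nothing taken inside the 72-hour compromise window can be trusted) can be expressed as a small restore-chain selector. This is an added example, not part of the exam material; the backup catalogue and timestamps are constructed, and only the relative ages (full backup 7 days old, incremental 72 hours old, compromise started 72 hours ago) come from the question.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reference time; only the relative ages come from the question.
NOW = datetime(2024, 1, 10, 12, 0)


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "incremental"
    taken_at: datetime


# Constructed catalogue matching the scenario: one full backup taken
# 7 days ago and one incremental backup taken 72 hours ago.
CATALOGUE = [
    Backup("full", NOW - timedelta(days=7)),
    Backup("incremental", NOW - timedelta(hours=72)),
]


def restore_chain(catalogue, compromise_start):
    """Return the backups to restore, oldest first, or [] if no clean chain exists.

    - Anything taken at or after compromise_start is untrusted and dropped,
      even if it is the most recent copy.
    - The chain must start at a full backup; incrementals after it are applied
      in order. Incrementals with no surviving full backup are useless.
    """
    clean = sorted((b for b in catalogue if b.taken_at < compromise_start),
                   key=lambda b: b.taken_at)
    # Walk back to the most recent clean full backup; everything after it in
    # the clean list is the incremental chain to apply on top.
    for i in range(len(clean) - 1, -1, -1):
        if clean[i].kind == "full":
            return clean[i:]
    return []   # only incrementals survived: nothing to apply them to


def scenario(compromise_hours_ago):
    """Describe the restore order for a compromise that began N hours ago."""
    chain = restore_chain(CATALOGUE, NOW - timedelta(hours=compromise_hours_ago))
    return [f"{b.kind}@{(NOW - b.taken_at).days}d" for b in chain]


if __name__ == "__main__":
    print("compromise 72h ago:", scenario(72))   # only the 7-day full backup
    print("compromise 48h ago:", scenario(48))   # full backup, then the incremental
```

With the compromise starting exactly 72 hours ago, the incremental taken at that moment is excluded and the chain is the full backup alone; had the infection started later, the same incremental would be applied on top of the full backup.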

Discussion
comeragh (Option: C)

I would go with C here. Reason - 7 days ago is more than 72 hours ago and possibly the last good backup taken. Just my thoughts. Open for discussion...

rline63

The question also isn't exactly clear about the exact time the ransomware infected the system. If it infected 72 hours ago and our backup was made 72 hours ago was it infected a second before or after the backup? Is it possible the ransomware was in the system before but not detected? Not to mention the fact that an incremental backup on its own without being combined with a full backup is meaningless. For these reasons I also say C.

tonnage800

Yeah, I agree with that, the primary focus here is "secure state".

Dreadstone

Also correct me if I'm wrong but incremental backup restores cannot be done on their own. See Wikipedia's definition of an incremental backup: An incremental backup is one in which successive copies of the data contain only the portion that has changed since the preceding backup copy was made. When a full recovery is needed, the restoration process would need the last full backup plus all the incremental backups until the point of restoration. With this in mind the full backup would be needed to restore first, then incremental restores after to recover more recent data. Restoring from an incremental right away could also cause some infected files to not be replaced by the restored files so it would just reinfect. Also there's the risk that the ransomware encrypted everything and an incremental would not be able to fix that.

AnonymousJhb

I'm conflicted. I've done a multi-national org ransomware restore. Not a pretty sight. If the backup was exactly 72 hours ago & the infection was exactly 72 hours ago, then the backup is toast. These are whole numbers, there are no what ifs... Then you take the hard hit & go to the next available backup, which in this question is 7 days ago. It's going to hurt, but it is what it is.

FQ (Option: A)

B and D affect the configuration, not the users' data. C is a full backup which takes time, and the question asks for the best option to get the service up as soon as possible. Answer is A.

zzzfox

If it's ransomware, all data would have been encrypted. An incremental backup won't help you get all your data back. I would go with answer C.

CTE_Instructor

A full backup also may have been infected with the ransomware - it's not a trustworthy configuration anymore as ransomware has been doing its thing for 3 days. The last known good configuration, answer B, is a snapshot of the system in its last known securely functioning state. This would ensure the configuration with ransomware is no longer used.

IDTENT

Last Known Good is a Windows feature restoring to the last successful boot. Deprecated in Win10 and beyond.

fouserd

100% agree

LeeBeeDee

Huh? You are not supposed to store the backup on the same hard drive. That's the point of a backup: to store it somewhere else.

ostralo

I second zzzfox's opinion. Any incremental backups without a full backup are meaningless. An incremental backup is a backup type that only copies data that has been changed or created since the previous backup activity was conducted. Since all the data has gone, we need a full backup + any available incremental backups or differential backups. Either way, a full backup is a must.

scarceanimal

Yes, I second this. Considering the three requirements are a secure state, as soon as possible, and having it back up and running, C is the best answer.

alwaysrollin247

So restore back to a point where the ransomware was likely still on the system? I think not. The question also states "restore data to a secure state" not as soon as possible. The answer is C.

IDTENT

Incremental backups REQUIRE the full set also, so this is not a faster solution. Then there is the issue of if 72 hours is far back enough.

gton12

Took test recently, this question was on it

[Removed]

ok what was the answer you selected

ballap

Another user saying it was on the test but not providing the answer. BOT all the way.

Dreadstone (Option: C)

Needs to be a full backup. Incremental backups only back up data that was recently changed. If files were infected that the backup doesn't replace it would cause reinfection. Ransomware is also very unpredictable. There is also the chance of full encryption so restoring an incremental would do very little. Also correct me if I'm wrong but incremental backup restores cannot be done on their own. See Wikipedia's definition of an incremental backup: An incremental backup is one in which successive copies of the data contain only the portion that has changed since the preceding backup copy was made. When a full recovery is needed, the restoration process would need the last full backup plus all the incremental backups until the point of restoration. With this in mind the full backup would be needed to restore first, then incremental restores after to recover more recent data.

sujon_london (Option: B)

IMO the best of the given options is B, rolling back the system and restoring to the last known-good configuration.

LeeBeeDee

Configuration has nothing to do with stored data; the data is now encrypted. According to your logic, any ransomware attack can be fixed with a last known good. Please tell your boss that you can fix a ransomware attack with a LKG.

lookup

Relax bro

Soleandheel (Option: D)

D. The Baseline OS Configuration: In the event of a ransomware attack, where the web server has been compromised and the ransomware has been present for an extended period, it is important to restore the system to a known-good state before bringing it back into production. This typically involves using a baseline OS configuration or a clean image of the server's operating system. This ensures that the ransomware and any potential backdoors or compromises are completely removed from the system. Afterward, you can apply patches, restore data from clean backups, and reconfigure the server as needed to bring services back online securely. The other options are not the best.

Gigi42 (Option: B)

A is wrong because in order to get back up and running you need both the full and incremental backups.

Amxn099 (Option: B)

Options A & C seem to be wrong, as the backup taken in the last 7 days will have the ransomware, so according to me it is B. Using the last known-good configuration ensures that the server is restored to a state where it was known to be functioning properly and free from the ransomware infection.

Ravnit (Option: D)

D. The baseline OS configuration. Restoring services to a secure state after a ransomware attack involves ensuring that the compromised system is completely clean of any malicious software or alterations. Using the baseline OS configuration provides the most reliable starting point because it represents the initial, trusted state of the system before the ransomware infection occurred. This ensures that any modifications made by the ransomware are completely reverted, minimizing the risk of any residual malicious activity. Additionally, restoring from a clean baseline configuration ensures that all system settings and configurations are reset to a known-good state, reducing the likelihood of any lingering vulnerabilities or compromised components.

eddy72 (Option: C)

Ransomware will most likely render the web server unusable and must be isolated for forensic investigation. This will leave the only option to start a new web server from scratch and restore the last full backup, plus any differential or incremental backups which are sure to be clean from ransomware (if available).

alicia2024 (Option: D)

This option involves restoring the system to its initial state, typically the baseline configuration after installation. It ensures that all potentially compromised files and configurations are reverted to a known-clean state, effectively removing any traces of the ransomware.

ImBleghk (Option: A)

The administrator needs to get the services back up as soon as possible! A. The last incremental backup that was conducted 72 hours ago.

Jackwasblk (Option: A)

The best option to restore services to a secure state after a ransomware attack would be A. The last incremental backup that was conducted 72 hours ago. This is because the ransomware has been in the server for the past 72 hours, so restoring from a backup made before the ransomware infection would help ensure the server is clean. The other options might not be as effective: the last known-good configuration (Option B) might still include the ransomware, the last full backup (Option C) is a week old and could result in significant data loss, and the baseline OS configuration (Option D) would not include any data or configurations added after the initial setup.

mark_72 (Option: C)

Restore is always done with full 5 days + incremental. You cannot restore with inc only.

J0EL (Option: D)

The baseline OS configuration is the initial configuration of the operating system that was set up when the server was first installed. This would provide a known-good state before the ransomware attack occurred, which can be used to restore the server to a secure state. Using a backup that was conducted 72 hours ago or even the last known-good configuration may still contain the ransomware and may not be secure. The last full backup conducted seven days ago may result in data loss, in cases where data has changed or been added since the last backup.

Kurt43

How can you revert to baseline config when a server is infected with ransomware? The question is how do you restore services the quickest and most secure way.

RogerW (Option: C)

There was a ransomware attack. I am going to assume that some of data ransomed will not be in the incremental backup. An incremental backup will only contain data that was created/modified since the previous backup (full or incremental). If there was only a full backup 7 days ago and an incremental backup 72 hours ago, the incremental backup will only contain files that were created/modified between that time period. Any data older than 7 days will not be in the incremental backup and will not be restored. Based on the options available, in order to get data older than 7 days, you need to restore from a full backup. Answer C.

sarah2023 (Option: C)

C. Full backup. "Incremental backups save backup time but can be more time-consuming when the system must be restored. The system must be restored from the last full backup set and then from each incremental backup that has subsequently occurred." --CompTIA guide