Delayed ransomware
Message
From
07/08/2018 20:21:06
To
07/08/2018 15:53:07
General information
Forum:
Visual FoxPro
Category:
Other
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows Server 2012 R2
Network:
Windows Server 2012 R2
Database:
Visual FoxPro
Application:
Desktop
Virtual environment:
VMWare
Miscellaneous
Thread ID:
01661495
Message ID:
01661499
Views:
81
Likes (1)
>Hi all,
>
>Discussion going on between me and the IT personnel at a client of mine. I have read, but cannot quantify, that ransomware viruses out there can infect a machine and then wait weeks or months to actually carry out the attack.
>
>The discussion is going on because the client uses a rotating series of external hard drives to back up their Veeam (VM) images - basically 8 hard drives with a couple being offsite at any one time. They also have their images offsite but those are at a connected data center (which is not "air gapped" as Veeam suggests).
>
>So even though they have backups on and offsite to handle "regular" disaster recovery, their off-line backups are limited to 8 weeks. If they get infected by ransomware that delays by more than 8 weeks, they will have nothing.
>
>So my question is: have others heard of ransomware that delays longer than a couple months? I have found some articles stating 3 months but not many.
>
>Albert

As I understand it, some malware waits in order to try to encrypt backups as well as on-line production files. This is risky for the malware; the longer it's present but inactive, the greater the chance it will be detected.

This is only an issue if the ransomware is able to encrypt backups. Some comments in no particular order:

1. The most likely entry point for ransomware is a networked workstation, not a server. Workstations typically can't see backup drives on server(s). Ransomware on a workstation can encrypt any files it can access on file shares but that's it.

2. Assuming it can spread and infect and run locally on the server, it's still not a given that a ransomware process on the server can see the backup drives. In some cases, such as Windows Server Backup, it's possible to "dedicate" a drive for backup, which is then not visible in File Explorer etc. You should ask the backup software vendor how vulnerable the backup media are to a ransomware attack.

3. Some server-grade antivirus has ransomware protection which heuristically monitors the file system for ransomware-like activity.

4. Running a verify after a backup can give some peace of mind.

5. It's theoretically possible for ransomware to install as a file system driver. This would transparently encrypt and decrypt on the fly until the shutoff date was reached. This would be dangerous, as everything would seem to be A-OK until the attacker pulled the plug (including, for example, verified backups). I haven't heard any reports of instances of this type. I believe it would require admin access on a server to install such a driver, in which case there are likely to be bigger issues.

6. As I understand it most ransomware just encrypts any files it can access. Some smart types may start with old files not recently accessed and encrypt new/active ones last, in an attempt to not be noticed as long as possible. That's the most likely threat, not being noticed for a long time, because that can taint backups.

Mitigation 1: find out how many extra backup media would be needed to implement another layer in the child/father/grandfather/great-grandfather scheme. It may not be too hard to push that back to 6 months or a year's worth of backups.

Mitigation 2: Some backup systems allow for unlimited file versioning. With systems like that, even if all files are encrypted, versions prior to encryption are still available to be restored.

I see you've been asking some security-related questions lately. How big a company is this? I would think large companies would have dedicated IT security. I'd suggest for small firms, not to necessarily fixate on tech, but to also address other issues such as phished or rogue employees, BYOD etc. I'd be careful about offering a "secure" solution - I would make very clear which aspects were addressed and which were not.
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
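The following is an added example, not code from the thread or from either poster, that models Mitigation 1 above: it simulates a weekly full backup written to a rotating set of drives organised in grandfather/father/son style tiers and reports the longest dormant period ransomware could have before every drive in the rotation holds a tainted image. The tier names, periods and drive counts are assumptions chosen for illustration; the 8-drive weekly layout mirrors the setup described in the question.

```python
"""Model a grandfather/father/son rotation of backup drives and compute the
longest malware dwell time it can survive: the oldest restore point that is
guaranteed to exist at every point in the rotation cycle.

Added illustration for the thread above; tier names, periods and drive counts
are assumed, not taken from any vendor's scheme."""
from dataclasses import dataclass
from functools import reduce
from math import gcd
from typing import Dict, List


@dataclass(frozen=True)
class Tier:
    name: str
    period_weeks: int   # every period_weeks-th weekly backup is written to this tier
    media: int          # number of physical drives dedicated to the tier


def _lcm(values: List[int]) -> int:
    return reduce(lambda a, b: a * b // gcd(a, b), values, 1)


def rotate(tiers: List[Tier], weeks: int) -> List[int]:
    """Simulate one full backup per week. Each week the backup goes to the
    slowest-cycling tier that is due, overwriting that tier's oldest drive.
    Returns, for every week, the age in weeks of the oldest image still held."""
    if not any(t.period_weeks == 1 for t in tiers):
        raise ValueError("a tier with period 1 is needed so every week is written somewhere")
    held: Dict[str, List[int]] = {t.name: [] for t in tiers}   # week numbers on each drive
    oldest_age_per_week: List[int] = []
    for week in range(1, weeks + 1):
        due = [t for t in tiers if week % t.period_weeks == 0]
        tier = max(due, key=lambda t: t.period_weeks)      # e.g. week 52 goes to "yearly"
        drives = held[tier.name]
        if len(drives) == tier.media:
            drives.pop(0)                                   # oldest drive in the tier is reused
        drives.append(week)
        oldest = min(w for d in held.values() for w in d)
        oldest_age_per_week.append(week - oldest)
    return oldest_age_per_week


def guaranteed_dwell_weeks(tiers: List[Tier]) -> int:
    """Worst case over a steady-state cycle: the minimum, across weeks, of the
    age of the oldest image. Malware dormant for longer than this can have
    tainted every drive in the rotation before it triggers."""
    cycle = _lcm([t.period_weeks for t in tiers])
    warmup = max(t.period_weeks * t.media for t in tiers)    # until every drive has been written
    ages = rotate(tiers, warmup + 2 * cycle)
    return min(ages[warmup + cycle:])


def media_count(tiers: List[Tier]) -> int:
    return sum(t.media for t in tiers)


# Constructed layouts for comparison (assumed, not from the thread):
CURRENT_8_WEEKLY = [Tier("weekly", 1, 8)]
WITH_QUARTERLY = [Tier("weekly", 1, 6), Tier("monthly", 4, 2), Tier("quarterly", 13, 2)]
ONE_YEARLY = [Tier("weekly", 1, 4), Tier("monthly", 4, 2),
              Tier("quarterly", 13, 2), Tier("yearly", 52, 1)]
TWO_YEARLY = [Tier("weekly", 1, 4), Tier("monthly", 4, 2),
              Tier("quarterly", 13, 2), Tier("yearly", 52, 2)]


if __name__ == "__main__":
    for label, layout in [("8 weekly drives", CURRENT_8_WEEKLY),
                          ("6w + 2m + 2q", WITH_QUARTERLY),
                          ("4w + 2m + 2q + 1y", ONE_YEARLY),
                          ("4w + 2m + 2q + 2y", TWO_YEARLY)]:
        print(f"{label:20s} drives={media_count(layout):2d} "
              f"survives dormancy up to {guaranteed_dwell_weeks(layout)} weeks")
```

The point the simulation makes is that the oldest restore point is set by the slowest tier, and only the drives beyond the first in that tier count: a single yearly drive is overwritten the moment the next yearly image is taken, so it adds no guarantee over the quarterly tier, whereas two yearly drives push the guaranteed window to a year with the same ten drives.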