• coco@lemmy.world
    link
    fedilink
    arrow-up
    49
    ·
    1 year ago

    Uh no

    Go to the main breaker that feed the servers whatever. And pull the 600v switch off

    The smartest layout for that situation is having the main breaker box close to the hooman IT operator room

    No choice if it is very serious breach

    • Chunk@lemmy.world
      link
      fedilink
      arrow-up
      21
      arrow-down
      2
      ·
      1 year ago

      Nah. Rip that shit right out of the chassis. Destroy that RJ45 port. Make it so the security audit team has to resolder a jack to the mobo before they can even ssh to the box.

      Trust me I run a security company. If you need help with your security please feel free to contact me! We are the best in the business!

    • Trainguyrom@reddthat.com
      link
      fedilink
      English
      arrow-up
      11
      ·
      1 year ago

      The advice I’ve always heard is disconnect network but leave powered for forensics/recovery. Some ransomware store the decryption key soley in memory, so it is lost upon power loss

      • Haui@discuss.tchncs.de
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        That actually makes sense. We had a ransomware attack once. We also disconnected the device but I cant remember if we powered it off. At the time it stopped encrypting due to that since our network drives were not reachable anymore.

        Is there actually a way to spread the encryption process to a server?

        • Trainguyrom@reddthat.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Best I understand the encryption key is needed to encrypt and decrypt, so if the malware isn’t written well enough it may well continue to store the encryption key in memory.

          There’s some old malware on archive.org that just pulls the FAT off the filesystem into memory and offers a dice roll to restore it

    • JuxtaposedJaguar@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      I vaguely remember the advice actually being to leave it running but disconnect it from the internet. Although maybe hard disconnect the backups if you can.

      • Gestrid
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        And probably the intranet, too, just to be safe.

    • RizzRustbolt@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Should be a trunk line disconnect switch that kills both power and data. And if your manager is cool, then it’s a guillotine switch.