Imagine a restic setup as follows:
- Clients back up to a central server running the restic REST server or the rclone REST server in append-only mode
- Central server forgets/prunes backups of all repositories at time x by accessing backup data using separate server key as clients can’t prune themselves. Let’s say the forget policy keeps some amount of daily, weekly, yearly snapshots, etc.
Imagine a ransomware attack where the attacker encrypts the client’s hard drive. While the client can’t delete his own backups (as the server runs in append-only mode), he can back up as many times as he wants. The ransomware deletes the client’s backup data by first encrypting the drive, then making a lot of snapshots with future dates (by changing the system time).
Now the attacker waits until time x, when the prune policy is executed by the server and all of the client’s legitimate backup data is lost/overwritten by bad snapshots of the encrypted drive. This is because the bad snapshots all have future times and the prune policy will only keep recent snapshots.
Anyone have suggestions on stopping this?
Edit: this attack is even easier if the forget policy keeps only the last 100 snapshots or so. Then the attacker makes that many bad ones to clear out the legitimate data.
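One server-side guard against the scenario in this post, written here as an added example (it is not restic code and not from the original poster): before the scheduled `restic forget --prune` runs, the server inspects `restic snapshots --json` and refuses to prune if any snapshot is dated in the future relative to the server's own clock, or if one host has produced more snapshots in a 24-hour window than its backup schedule could legitimately produce. The thresholds, host names, snapshot ids and timestamps are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

def parse_restic_time(value: str) -> datetime:
    """Parse restic's RFC 3339 timestamps (nanosecond fractions, 'Z' or an offset)."""
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)  # trim fraction to microseconds
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_snapshots(snapshots_json: str, now: datetime,
                    future_tolerance=timedelta(hours=1),
                    window=timedelta(hours=24), max_per_window=4) -> dict:
    """Return suspicious snapshot ids/hosts and whether pruning should proceed."""
    snaps = [(s["short_id"], s["hostname"], parse_restic_time(s["time"]))
             for s in json.loads(snapshots_json)]
    # Rule 1: the server clock is trusted; a client cannot back up from the future.
    future = sorted(sid for sid, _, t in snaps if t > now + future_tolerance)
    # Rule 2: more snapshots from one host in a window than the schedule allows.
    by_host: dict = {}
    for _, host, t in snaps:
        by_host.setdefault(host, []).append(t)
    burst_hosts = set()
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t < start + window) > max_per_window:
                burst_hosts.add(host)
                break
    return {"future": future, "burst_hosts": sorted(burst_hosts),
            "safe_to_prune": not future and not burst_hosts}

# Constructed sample in the shape `restic snapshots --json` emits (fields used here only).
SAMPLE = json.dumps([
    {"short_id": "1a2b3c4d", "hostname": "laptop1", "time": "2024-03-01T02:00:00.123456789Z"},
    {"short_id": "2b3c4d5e", "hostname": "laptop1", "time": "2024-03-02T02:00:00Z"},
    {"short_id": "3c4d5e6f", "hostname": "laptop1", "time": "2024-03-03T02:00:00+01:00"},
    {"short_id": "4d5e6f7a", "hostname": "laptop1", "time": "2027-01-01T00:00:00Z"},  # forged
    {"short_id": "5e6f7a8b", "hostname": "laptop1", "time": "2027-01-02T00:00:00Z"},  # forged
] + [{"short_id": f"aa00000{i}", "hostname": "laptop2",
      "time": f"2024-03-03T10:{i:02d}:00Z"} for i in range(6)])  # 6 snapshots in one hour
SERVER_NOW = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)  # assumed trusted clock

if __name__ == "__main__":
    report = check_snapshots(SAMPLE, SERVER_NOW)
    print(json.dumps(report, indent=2))
    # Run `restic forget ... --prune` only when report["safe_to_prune"] is true.
```

When the check fails, the forget job should stop and alert rather than prune, since the append-only server still holds the legitimate snapshots until the policy is applied.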