Ransomware protection

ubuysa

The BSOD Doctor
I'm sure everyone on here knows that the best protection against being infected by ransomware (and having all your files encrypted) is to take regular backups. These backups of course need to be to an external drive that is only connected to the PC during the backup run, otherwise it's at risk of being encrypted by ransomware as well.

The problem with this is that you can't automate it, you have to remember to plug in the external hard drive and run the backup routine.

Until now....

I've just ordered one of these for my PC that's currently in production (from PCS of course). It's a USB-controlled mains switch, and the control software allows the switch to be controlled by timers. I intend to have my external hard drive permanently USB attached, but its power cord will be plugged into this switch. I'll set a timer to turn the hard drive on a minute before the backups are scheduled. I know how long the backups take, so I'll set another timer to turn the switch off after the backups have finished (I might even be able to do that programmatically when the backups have finished).

It's a European plug and socket (which is what I need), but a couple of travel adapters would enable its use in the UK.

This offers the very best protection against ransomware: the external hard disk is only available during the backups, and the backups can be scheduled and automatic. At other times the external hard drive is not accessible.

I'll report back when I've got it all set up...
 

Wozza63

Biblical Poster
Don't see how this is much better than physically plugging it in, and if the idea catches on then ransomware will implement driver control for them.

Another solution is a networked drive connected to a Raspberry Pi or similar with a password for read access and an extra strong password for write access. This works because a) the ransomware probably isn't going to be able to scan network drives and b) the ransomware most likely won't run on ARM Linux.

mishra

Rising Star
Not saying that all, but some versions of ransomware/cryptolocker definitely search for accessible network drives. I had a user who worked over a VPN/remote desktop connection on his PC at work. Got some crazy **** which encrypted all his PC files then spread onto the main server. Had to roll back the whole virtual machine from the day before.

We are using paid Veeam to handle all backups, but I know that even the free Veeam Endpoint protection now comes with a cryptolocker safeguard for USB drives (it can mount and unmount the drive by itself).
I have to say cryptolocker and ransomware are the worst thing to happen to the IT world right now.

update: Also I don't think it matters if ransomware will or will not work on ARM; for as long as it can "see" the files on a shared drive it will happily encrypt them (most likely from your PC).

ubuysa

The BSOD Doctor
I believe in the KISS principle: Keep It Simple, Stupid. The key point with this switch is that the backup process can be automated, so you never have to worry about it; the backups just happen. However, because of the switch, the external HDD cannot be accessed except when the backups are running.

You're right that it would be technically possible for ransomware to turn on the external drive and then encrypt it. However, most ransomware is built not by technically savvy people, but by relative amateurs using pre-built code kits. It will be a long time before these code kits get around to turning on external drives via switches of this type.
 

Wozza63

Biblical Poster
> Not saying that all, but some versions of ransomware/cryptolocker definitely search for accessible network drives. I had a user who worked over a VPN/remote desktop connection on his PC at work. Got some crazy **** which encrypted all his PC files then spread onto the main server. Had to roll back the whole virtual machine from the day before.
>
> We are using paid Veeam to handle all backups, but I know that even the free Veeam Endpoint protection now comes with a cryptolocker safeguard for USB drives (it can mount and unmount the drive by itself).
> I have to say cryptolocker and ransomware are the worst thing to happen to the IT world right now.
>
> update: Also I don't think it matters if ransomware will or will not work on ARM; for as long as it can "see" the files on a shared drive it will happily encrypt them (most likely from your PC).

The ransomware would need to be able to process and it's likely compiled for Windows x86. Unless it's using an interpreted language like Python, but then you'd need a Python interpreter installed. And the drive wouldn't be accessible without the write password.

I do also have my very most important files spread across Google Drive, OneDrive and Dropbox. I imagine they have the best defense against this and everything else (while it would be very annoying) is stuff I can get back, like games and ripped DVDs.
 

mishra

Rising Star
While I am no expert, I think I disagree on this one. It doesn't need to actually run on the target device. Let's say your Windows got infected and encrypted all your files. If you are also using a networked Linux NAS for storing your files, then for as long as Windows can see the files on that Linux share (through Samba or NFS) it will happily encrypt them there too. The same goes for your Dropbox and Google Drive documents. These will be encrypted on your PC first and then the Dropbox/GDrive client will upload these "updated files" back to your cloud accounts. If you are only using the web interface to access your Google files then you are right... even uploading encrypted files or the virus itself will not do any harm, as it won't be able to run in that environment - until of course you download that file to a Windows-based PC.

That's why cryptolocker threats are so hard to protect against. It only takes a lack of attention from one user in your environment and it will spread like the plague across the network. I bet it will even encrypt documents on any temporarily connected devices such as phones, cameras etc. The infection is on your PC and is running from there; it just targets files wherever it can access them. It doesn't have to be compiled to run on the target device. This makes it different from the usual virus/trojan infections.

So far the best form of protection is backups with retention and, like Ubuysa said, ideally you want the backups on an offline device which is physically disconnected from your network. While easy to do in principle, it is not so easy to automate.
 

Tony1044

Prolific Poster
Switching your backup drive on and off doesn't necessarily protect you, I am afraid. Some of the latest batches of ransomware quietly encrypt in the background but don't drop the final hammer for many weeks or months down the line, by which time your backups are also full of encrypted files.

I have copies of my files on my NAS and from there I take regular copies onto a USB HDD. I then test those files on another, non-internet connected machine.

It's still far from foolproof but I should get a fairly early warning if the files become unreadable on the other machine.

I also use multiple layers of systems to try and protect myself - Flash blockers, ad blockers and script blockers on my web browsers, for example. I have run various versions of AV over the years but currently have Sophos along with the Home (Free) version of their UTM (Unified Threat Management Gateway), which gives me good reporting on all my managed machines such as the wife's, my old man's and the kids'. On top of that, I also run Malwarebytes too.
 

ubuysa

The BSOD Doctor
> Switching your backup drive on and off doesn't necessarily protect you, I am afraid. Some of the latest batches of ransomware quietly encrypt in the background but don't drop the final hammer for many weeks or months down the line, by which time your backups are also full of encrypted files.
>
> I have copies of my files on my NAS and from there I take regular copies onto a USB HDD. I then test those files on another, non-internet connected machine.
>
> It's still far from foolproof but I should get a fairly early warning if the files become unreadable on the other machine.
>
> I also use multiple layers of systems to try and protect myself - Flash blockers, ad blockers and script blockers on my web browsers, for example. I have run various versions of AV over the years but currently have Sophos along with the Home (Free) version of their UTM (Unified Threat Management Gateway), which gives me good reporting on all my managed machines such as the wife's, my old man's and the kids'. On top of that, I also run Malwarebytes too.

That's the first I've heard of ransomware taking that long, but I'll take your word for it. Nevertheless, having a fully automated backup process to a drive that's switched off at other times is better than a poke in the eye with a sharp stick. :)

It may not be perfect but it's way better than trying to remember to do a manual backup.......
 

Tony1044

Prolific Poster
> That's the first I've heard of ransomware taking that long, but I'll take your word for it. Nevertheless, having a fully automated backup process to a drive that's switched off at other times is better than a poke in the eye with a sharp stick. :)
>
> It may not be perfect but it's way better than trying to remember to do a manual backup.......

Here's one example reported back in 2015

And another from later in 2015

By the way a backup isn't a backup if a) the data remains in close proximity to the original and/or b) it isn't used to restore (i.e. tested). That's just a copy. ;)
 

mantadog

Superhero Level Poster
Anything that helps can't be bad; connecting HDDs has just become part of my routine.

I like to advise people to take multiple copies of whatever they can't afford to lose, store them in different locations and occasionally test they work, as devices do fail from time to time even when you don't use them. It's like everything else, you need to work at it.

As an example, I keep my books/accounts on my main machine, on a USB drive on top of my machine for easy backup, send them via Dropbox to my accountant's server and periodically I copy them to a USB stick I keep in my shop. Oh, and I print everything so I have a hard copy, so when the apocalypse comes and the taxman wants to do an audit of my VAT returns I can oblige.

My Scottishness will not allow me to shell out 70 euros on a plug with a USB on the end of it...
 

ubuysa

The BSOD Doctor

Thanks for those. I still maintain that, even given the above, a hard drive that's switched off except when running an automated backup is far safer than either forgetting to do the backup manually, or leaving the hard drive on all the time. It might not be 100% perfect but it's a big step forward. :)

> By the way a backup isn't a backup if a) the data remains in close proximity to the original and/or b) it isn't used to restore (i.e. tested). That's just a copy. ;)

I've had this argument many times before. :)

All backups are copies in one form or another; the proper term is 'backup copy'. What makes it a backup is its intended use, not its location. It is true, however, that for complete protection (including the loss of the data centre) the backup copies need to be stored elsewhere. For a home user, however, that's taking things a bit far; the majority of people don't even take backups! :)
 

Tony1044

Prolific Poster
It makes not one jot of difference though. Leave it plugged and schedule backups. If the files being backed up are encrypted then that isn't changed by unplugging the drive... The source is the problem.

And no. It's a copy. Not a backup. :)

You're welcome to your point of view on it and I respect that, but in terms of ransomware (which my phone just helpfully tried to autocorrect to random ears!) the buggers are getting ever more clever, unfortunately.
 

mantadog

Superhero Level Poster
> It makes not one jot of difference though. Leave it plugged and schedule backups. If the files being backed up are encrypted then that isn't changed by unplugging the drive... The source is the problem.
>
> And no. It's a copy. Not a backup. :)
>
> You're welcome to your point of view on it and I respect that, but in terms of ransomware (which my phone just helpfully tried to autocorrect to random ears!) the buggers are getting ever more clever, unfortunately.

But if you want a set-and-forget type of arrangement it's better than nothing. I kinda enjoy the housekeeping on my PC so it's not an issue for me, but ransomware is a hugely difficult problem to get round. No one thing is going to solve the problem, but anything you can throw in its way might be a lifesaver come the day. Your car probably has crumple zones, air bags, seat belts and might even apply the brakes for you just as you are about to hit something, but you wouldn't rely on any one of those systems alone.

Having the HDD attached and powered off 99% of the time reduces susceptibility but does not eliminate it, convenience always costs something somewhere along the line.
 

mdwh

Enthusiast
I back up to a 64GB USB stick - still big enough to back up the most important things, and it's easier to do than connecting a hard drive. Plus it can stay in my pocket. A larger amount of data is automatically backed up to a second drive - so that's more at risk from things like ransomware, theft, fire.

The biggest worry for ransomware is if it does so gradually, as Tony1044 mentions.

> By the way a backup isn't a backup if a) the data remains in close proximity to the original and/or b) it isn't used to restore (i.e. tested).

Are there any backup tools that can test restoring, in a way that's immune to ransomware?

I mean, the traditional way to check is to make sure that if file A is backed up, then it's possible to restore file A. But if A has now been replaced with a ransomware-encrypted file, how is the backup check going to know? One can verify manually - but doing so for all your personal files, for every backup, is not really feasible... are there any tools to help?
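The question above (a restore test that still notices silently encrypted files), together with the "backups with retention" point and the "a backup isn't a backup until it's been restored" point made earlier in the thread, can be shown in one small script. This is an added example written for this thread, not any poster's setup or the code of any backup product. It assumes a local source folder and a destination folder (the destination would be the drive that is only powered during the backup window); the magic-byte table, the 7.5 bits/byte entropy threshold and the sample files in `demo()` are constructed for illustration. It keeps dated snapshot copies, prunes old ones, refuses to take a snapshot when changed files no longer look like their own format (the "early warning"), and proves each snapshot by restoring it to scratch space and re-hashing.

```python
"""Backup with retention, a pre-backup 'does this still look like my data' check,
and a restore test. Added example for this thread; not a product's code."""
import hashlib
import json
import math
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed, deliberately small table: extension -> expected leading bytes.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text is roughly 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, threshold: float = 7.5) -> bool:
    """Known formats are judged by magic bytes (PNG/ZIP are high-entropy even
    when healthy); anything else by the entropy of its first 64 KiB."""
    head = path.read_bytes()[:65536]
    signature = MAGIC.get(path.suffix.lower())
    if signature is not None:
        return not head.startswith(signature)
    return shannon_entropy(head) > threshold


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of contents, for every file under root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def suspicious_changes(root: Path, previous: dict) -> list:
    """Files that are new or changed since the last manifest AND now look encrypted."""
    return sorted(rel for rel, digest in build_manifest(root).items()
                  if previous.get(rel) != digest and looks_encrypted(root / rel))


def verify_restore(snapshot: Path) -> bool:
    """Test the backup the only way that counts: restore it elsewhere and re-hash."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restored"
        shutil.copytree(snapshot, restored)
        return build_manifest(restored) == build_manifest(snapshot)


def run_backup(source: Path, dest: Path, keep: int = 5, label: str = None):
    """Snapshot `source` into dest/snap-<label>, keeping the newest `keep` snapshots.
    Returns the snapshot path, or None when the pre-check flags files: then nothing
    is written and the retained snapshots stay clean."""
    dest.mkdir(parents=True, exist_ok=True)
    manifest_file = dest / "manifest.json"
    previous = json.loads(manifest_file.read_text()) if manifest_file.exists() else {}
    if suspicious_changes(source, previous):
        return None
    snapshot = dest / f"snap-{label or time.strftime('%Y%m%d-%H%M%S')}"
    shutil.copytree(source, snapshot)
    if not verify_restore(snapshot):
        shutil.rmtree(snapshot)
        raise RuntimeError("snapshot failed restore test")
    manifest_file.write_text(json.dumps(build_manifest(source)))
    snapshots = sorted(p for p in dest.iterdir() if p.is_dir() and p.name.startswith("snap-"))
    for old in snapshots[:-keep]:
        shutil.rmtree(old)
    return snapshot


def demo() -> dict:
    """Constructed scenario: clean runs, a benign edit, then simulated silent encryption."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "src", work / "backup"
    src.mkdir()
    (src / "notes.txt").write_text("The quick brown fox jumps over the lazy dog. " * 50)
    (src / "pic.png").write_bytes(MAGIC[".png"] + bytes(range(256)) * 4)
    first = run_backup(src, dst, keep=2, label="001")
    (src / "notes.txt").write_text("Edited. " * 200)  # legitimate change, still text
    run_backup(src, dst, keep=2, label="002")
    run_backup(src, dst, keep=2, label="003")
    # Simulated ransomware: contents replaced by random bytes (constructed stand-in).
    (src / "notes.txt").write_bytes(os.urandom(8192))
    (src / "pic.png").write_bytes(os.urandom(8192))
    flagged = suspicious_changes(src, json.loads((dst / "manifest.json").read_text()))
    refused = run_backup(src, dst, keep=2, label="004")
    result = {
        "first_ok": first is not None,
        "retained": sorted(p.name for p in dst.iterdir() if p.is_dir()),
        "flagged": flagged,
        "refused": refused is None,
        "last_good_notes": (dst / "snap-003" / "notes.txt").read_text()[:7],
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The heuristic is deliberately conservative: a format it does not know is judged only by entropy, so already-compressed files of unknown extension would be flagged and should be added to the table rather than have the threshold raised. The real value is the combination: retention means the last clean snapshot still exists, the pre-check stops that clean snapshot being pushed out by encrypted copies, and the restore test catches the case where the backup itself is unreadable.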
 

ubuysa

The BSOD Doctor
> It makes not one jot of difference though. Leave it plugged and schedule backups. If the files being backed up are encrypted then that isn't changed by unplugging the drive... The source is the problem.

I'm sorry but that's just not true. Suppose I leave the drive plugged in and powered on and I get a ransomware infection. The backup drive will be encrypted. Now suppose the backup drive is plugged in but powered off and I get a ransomware infection. The backup drive cannot be encrypted because it's not accessible. The only time the drive is able to be encrypted is the half hour during which it's powered on and taking backups.

> And no. It's a copy. Not a backup. :)

So exactly how long is a piece of string then?

> You're welcome to your point of view on it and I respect that, but in terms of ransomware (which my phone just helpfully tried to autocorrect to random ears!) the buggers are getting ever more clever, unfortunately.

Thank you for giving me permission to have a point of view.

If you are not able to see that a hard drive that is switched off is impossible to encrypt no matter how clever the malware, then I rather wasted my time starting this thread. :)
 

Tony1044

Prolific Poster
Wow. I was being light hearted. You are blatantly missing the point that the files you're backing up are slowly, over time, being encrypted. So you're backing up encrypted files. So tell me please how your magic on off solution is immune to this whereas tapes and traditional nearline disks aren't????

Whatever. I was trying to offer you an informed and up to date side and you chose to take offence.

I'll make it simple. The malware encrypts the files on your own drive but decrypts them transparently for months when you access them. You are copying encrypted files. When the time comes to drop the hammer and stop the transparent decryption, you have a bunch of encrypted files.

How about researching, or at least reading the articles I linked to, or trying to understand before peddling archaic and potentially unsafe ideas and taking offence at a perceived slight?
 

Wozza63

Biblical Poster
Please refrain from being rude on the forum :)

Also I did read an interesting comment on an article. If you fall victim to disk encryption, leave it in a cupboard for a few years and by that time there will be a $40 program that can decrypt it. Encryption is a constantly evolving area and new forms of encryption are cracked just a few years after their invention. Otherwise there would be no industry designing new encryption algorithms.

Of course, that's not to say you should rely on that but it's a very interesting point.
 

Scott

Behold The Ford Mondeo
Moderator
As above, Petya was cracked fairly recently.

I have an online server that I use for all my storage. The only thing I would lose that I would care about would be my family stuff. Everything else is inconsequential for me. I have a secondary drive that creates a backup of my important stuff weekly.

Having said all that, I'm not prone to falling for the type of shenanigans that brings about these threats.
 

Wozza63

Biblical Poster
> As above, Petya was cracked fairly recently.
>
> I have an online server that I use for all my storage. The only thing I would lose that I would care about would be my family stuff. Everything else is inconsequential for me. I have a secondary drive that creates a backup of my important stuff weekly.
>
> Having said all that, I'm not prone to falling for the type of shenanigans that brings about these threats.

Google Photos is honestly the best thing for that. Plus it can now store photos from your computer, not just ones that were taken on your phone. It's free and storage is unlimited.

I'm in pretty much the same situation. I'd be annoyed if it happened, like when my hard drive died, but pretty much everything I was able to get back as most of it is just DVDs, music and games. All my photos are backed up on Google Photos, and therefore if my files were to get encrypted they wouldn't replace the existing ones, it would just add to it. All my work is either through git or I upload manually to the cloud and have multiple copies there, so even if something happens, git can just restore the code to the last working version no problem. It would be annoying because I'd still have to redo any work that wasn't pushed to git, but nothing that is the end of the world.
 

mdwh

Enthusiast
> Also I did read an interesting comment on an article. If you fall victim to disk encryption, leave it in a cupboard for a few years and by that time there will be a $40 program that can decrypt it. Encryption is a constantly evolving area and new forms of encryption are cracked just a few years after their invention. Otherwise there would be no industry designing new encryption algorithms.

I'm not convinced that encryption algorithms are being cracked every few years, but in some cases there is the arms race between key length and computational power.

AES has been secure since 1998. It replaced DES which is insecure - but AIUI this wasn't that it was inherently cracked as such, but advances in computer hardware made brute force attacks feasible. Brute force attacks on say AES-256 are unfeasible even if we consider theoretical limits of computation, or quantum computers ( https://ip.bitcointalk.org/?u=http://i.imgur.com/fYFBsqp.jpg&t=568&c=eyDijE3i8fSqag ).

A more common attack is against the password used to generate the key, which is a particular issue for ransomware - the key has to exist on the person's computer in order to encrypt, opening up the possibility of obtaining it. Flaws in some versions of ransomware have allowed people to recover the data - it's possible this was what you were reading?

https://blog.malwarebytes.com/threa...somware-preparing-for-a-massive-distribution/ has an interesting timeline of DMA Locker:

Version 1 bundled the key with the malware, and the malware deleted the key after encryption - so recovery is possible _if_ you have a sample of the original malware file (e.g., the email attachment it arrived in). But if you don't, waiting a few years won't help you.

Version 2 onwards uses RSA to encrypt the AES key with public key encryption. Version 2 had a flaw due to a weak random number generator, making it feasible to brute force the password. Version 3 used the same key multiple times, so it could be recovered as long as one person paid the money. Version 4 has no known flaws.

Now sure, you could say if we wait, someone might discover a flaw. But this isn't necessarily so - it might be there are no longer any flaws.

There are methods to attack RSA faster than brute force, and it's here there's the race between key length and computation power. http://crypto.stackexchange.com/que...-rsa-key-is-considered-secure-today/1982#1982 has some good details. A quick Google suggests that present day ransomware is already using 2048 or 4096 keys. So I think you'll be looking at more than a few years, especially if we're talking about decrypting on a single computer, rather than say a mass-distributed effort. Alternatively, quantum computers would break RSA, but that's still likely some time away (especially for use on a home computer).

Having said that, I don't disagree with the principle. If you lose access to, say, some treasured irreplaceable photos, it might be that in 20-30 years' time you'll be able to get them back. But that's still a long time, and you also have the problem of making sure you can still read/recover that data by that time (problems include bitrot, inability to read outdated hardware, or if you keep the data on "live" systems, the risk of another ransomware attack!)