Reevaluate your backup strategy in the face of current ransomware trojans like Locky

Discussion in 'backup, imaging & disk mgmt' started by manolito, Feb 21, 2016.

  1. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    For a BitLocker encrypted full data drive, it is basically instant, on-the-fly decryption once you input your password. The only extra time it takes as compared to an unencrypted drive is the time needed to type in your password :)
     
  2. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Please see the drive F: before being unlocked (Figure 1 and 2) and after being unlocked (Figure 3). All it takes is double click the yellow padlock in Windows Explorer, input your password, then instantly F: is unlocked on the fly.
     

    Attached files: 1.png, 2.png, 3.png
  3. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    12,151
    Location:
    NSW, Australia
    Thank you. Looks easy.
     
  4. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Sure thing. As easy as pie :)
    Same for Linux full disk encryption - from within File Explorer, double click the encrypted disk, type in password, disk gets unlocked in a second. For portable storage devices, full disk encryption is especially useful, considering the higher probability of being lost.
     
  5. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    And how do you create an image from a boot UFD in an external encrypted USB disk?
     
  6. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Good question. The answer is I don't, although theoretically I could - the Win10PE_SE boot USB has the ability to unlock a BitLocker encrypted drive in the PE environment, and so does the Macrium Reflect boot USB. I don't do this because, as you can see from my computer configuration, I normally have at least 1 internal HDD left unencrypted on my computer, which is normally where I first create the backup OS image (much faster than writing to external USB); subsequently I also copy the image to an encrypted external HDD for backup storage.

    Win10PE_SE basically is a miniaturized Windows 10 running from the USB.
    http://www.theoven.org
     
  7. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
    It's possible to unlock BitLocker from the command prompt:
    How to unlock BitLocker drive from command prompt.
     
  8. Steve Olsen

    Steve Olsen Registered Member

    Joined:
    Feb 25, 2016
    Posts:
    1
    1. All backups are done with a laptop which the IT manager keeps, uses best practices on, and only connects to the network when doing a backup.
    2. Configure the Windows firewall rules on this laptop so NO INBOUND connection is allowed, only outbound (IF a crypto-locker bad guy is lurking and waiting when the laptop is connected to the network, he is blocked) - First "one way" street. Laptop to network is "one way."
    3. Connect laptop to network and do the backups per schedule.
    4. Backups are stored offsite in the cloud with a service that allows MAC address filtering. The ONLY machine that can access the cloud share where the backups are stored is IT manager's laptop. Effectively a "one machine only" gatekeeper function. Any cryptolocker infected machine is blocked.
    5. Put the "keys to the kingdom" in the hands of the IT manager who should have the common sense to not surf porn, download games, etc. from the "enterprise network admin laptop."

    Downsides are obvious: 1) no "automated" install-and-forget solution. 2) the enterprise has to purchase a (most of the time) "stand alone" laptop and then configure the laptop firewall logs accordingly, as well as use an offsite storage solution which allows MAC filtering.
     
  9. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Welcome! Great post.
     
  10. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Okay...I'll bat....

    Proper backups are critical IMO and should consider ransom/malware and pretty much any problem which threatens data in its current state. This should include exfiltration, infiltration, modification and destruction.

    There are several ways of achieving this in relation to ransomware:

    As stated, protect the client. Problems typically occur here first as in the case of .locky.

    Additionally, protect access between the client and backup along with hardening the backup itself. So *push to a NAS and then *pull data from the NAS (active file server) into a secure backup. No client should have direct access to the backup. The NAS should not have privilege on the backup.

    Use versioning/append-only. If you have good versioning policy and robust filesystems, data is much harder to lose and offers better utility to the user. So unless the backup server is directly getting hosed--your backups are preserved.

    Using redundancy in different locations and on different media is generally suggested: the 3-2-1 backup rule. This may be expensive, but it adds great protection against most problems related to destruction--even EMP-based. If you use media like BD-R, ransomware is useless. Blu-ray runs about USD 20 for about a terabyte. For a premium you can get M-DISC Blu-ray, which is designed for archives and is rated for 1000 years.

    ~
     
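One way to lay out the push-to-NAS / pull-into-backup scheme with versioning described in the post above on a Windows backup host, as an added example that is not from the thread or from any poster. The share path, the read-only NAS account and the store path are assumed placeholders, and each run is a full dated copy (disk space is traded for simplicity); the point is that only the backup host holds a session to the NAS, and nothing on the client side can write to the store.

```powershell
# Added example, not from the thread. The backup host PULLS from the NAS share
# with a read-only account and lands every run in a new dated folder, so neither
# a client nor the NAS ever holds write access to the backup store.
# Assumed names: \\nas\share, NAS read-only user "nas-reader", local store E:\Store.
$Source   = '\\nas\share'
$Store    = 'E:\Store'
$KeepRuns = 14                      # retention: keep the last 14 snapshots
$NasUser  = 'nas-reader'            # account with READ-ONLY rights on the share

$cred = Get-Credential -UserName $NasUser -Message 'NAS read-only account'
# Map the share explicitly (-Persist makes it visible to robocopy, an external tool).
New-PSDrive -Name X -PSProvider FileSystem -Root $Source -Credential $cred -Persist | Out-Null

$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'
$dest  = Join-Path $Store $stamp
New-Item -ItemType Directory -Path $dest | Out-Null

# /E copies all subfolders, /COPY:DAT keeps data+attributes+timestamps,
# /R:2 /W:5 avoid hanging on locked files, /NP suppresses per-file progress.
# Deliberately NOT /MIR or /PURGE: a snapshot is append-only, nothing is deleted.
robocopy 'X:\' $dest /E /COPY:DAT /R:2 /W:5 /NP /LOG+:"$Store\robocopy.log"
$rc = $LASTEXITCODE                 # robocopy: 0-7 = success variants, >=8 = failures
Remove-PSDrive -Name X

if ($rc -ge 8) {
    Write-Error "robocopy reported failures (exit $rc); snapshot $stamp kept for inspection"
    exit $rc
}

# Retention: prune only the oldest snapshots beyond $KeepRuns. The store itself is
# never exposed as a share, so an infected client cannot reach these folders.
Get-ChildItem -Path $Store -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}_\d{4}$' } |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepRuns |
    Remove-Item -Recurse -Force
```

Run it from a scheduled task on the backup host only; if files that were already encrypted on the NAS get pulled, the earlier dated folders still hold the clean versions, which is the versioning point the post makes.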
  11. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    407
    Thanks folks for your comments, a lot of food for thought...

    @Brian:
    My logic is simply that the very moment you connect your external backup drive, it will be vulnerable to being encrypted by the crypto locker lurking in the background. So while you are making a backup all your previous backup images could be encrypted. And yes, backup images are already on the extension list of some crypto lockers.


    @Froggie:
    Basically what you are saying is:
    Don't change your backup habits, change your Internet surfing habits instead. "Practise Safe NET". You recommend to stay clear of porn sites and gaming sites, and to escape HUMAN ENGINEERING by applying common sense.

    Sorry, but this is totally unrealistic.

    First of all a lot of drive-by infections do not come from porn or gaming sites, not even from piracy sites. A lot of people have experienced drive-by infections from well respected sites with an excellent reputation. I do frequently visit the darker corners of the Internet, and I never got infected there. But I did get a nasty virus twice from the driver download section of a well known hardware manufacturer.

    The HUMAN ENGINEERING part also does not work. It will work for people like you and me and probably for a lot of Wilders members, but not for the Average Joe. The bad guys use these techniques simply because they are successful.

    Compare the situation to the way HIV is spread. Everybody knows about Safer Sex, but still the infection rates are rising again. Telling people to stay away from porn and gaming sites is like taking all the fun out of it. It just doesn't work.



    For me the main problem is how I should change backup strategies. I do know how to protect myself, thank you very much. But I am also the 'Computer Doctor' for a couple of friends and relatives. And some of you will know how hard it is to get people to adopt any backup strategy at all.

    So far I would set up a backup software to do automatic scheduled backups to a permanently connected external HDD. Define a retention rule so at least two or three backup generations will be kept, and you will have a good level of security without requiring any user interaction.

    This strategy is obsolete now. Having a backup target drive permanently connected is a no-no, and even doing hot backups by only connecting the drive just prior to the backup is unsafe. Using BitLocker (or TrueCrypt or VeraCrypt) is no solution either, as soon as you unlock the drive by entering your password it will be vulnerable.

    All the proposals on how to harden your NAS, set up firewall rules and other elaborate things are not applicable in my situation. The typical hardware configuration I am dealing with is just a local machine with one or several external HDDs (no NAS) and maybe a cloud folder.

    To be safe you must do your backups under a safe recovery environment (CD, USB or menu entry in the BCD store). But for such backups you cannot use a predefined template, all settings have to be done manually. For many of my 'clients' this probably means that they will not do backups at all in the future. And in the case of a disaster they will call me for help anyways...


    Cheers
    manolito
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    And did you execute the said driver download yourself? Colour me surprised if not and you weren't using some outdated browser/OS.

    Common computing sense should start with telling the difference between one file type and another. Then choose carefully not necessarily where you browse, but where the executable file you downloaded came from (which is why App Stores are excellent ideas) and what information you upload online. Use of something like VirusTotal when dealing with suspicious or unknown files/websites would be nice.

    As for Locky, it doesn't affect my backup strategy at all. Some remote chance of infection far from negates the benefits of having up-to-date backups. Plus I can make offline backups whenever I want; it's not as if it's one or the other either.
     
  13. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    Just to add, even Dropbox is 'immune' from ransomware as it keeps unlimited versions of a file for a default of 30 days and optionally for a year (paid extra). So as long as you discover the encrypted files within that time, your data is safe.
     
  14. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OT, but HMPA adds exploit protection, including ransomware protection and more. Its keystroke encryption (which can be disabled) will probably not play nicely with ZAL. But you probably don't need ZAL if you use HMPA.
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    This prevention, plus grey matter (what's left), is also my strategy.
    I also keep offline copies of images and data, but am concerned that where badware may be latent and timed to execute sometime in the future, how far back does one go?
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    For connected USB backup drives, I have made the whole drive read-only using unfortunately abandoned Secure Folders, with only imaging / backup programs (Macrium, Bvckup 2) as trusted applications.
    May not be infallible, but worth a try.
    See also here.
     
  17. ssbtech

    ssbtech Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    71
    Location:
    Canada
    I just gave this a try.

    Unfortunately, as I suspected, previous versions of a file are lost once the file has been renamed. As the ransomware viruses typically rename the files, your previous versions will be lost.
     
  18. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Another strategy would simply be to create a folder with a password lock and change the permission level of this folder. Locky does not need admin privileges, because it does not want to change your system-related files but your own private data, and with such a strategy it does not get access to them without admin/password.

    No tools, it can be done directly via Windows. The only problem is that this possibly gets compromised at the same time it's unlocked, but for this, simply use the other mentioned backup strategies. But such ransomware comes with emails/js, so you can simply avoid it by disabling email attachments in your email program and enabling 'only txt' mode to see everything directly.
     
  19. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
    I just tried: renamed a file, then overwrote it with a corrupt file. Restored fine. I had the option of restoring the renamed file or the original, which was in the deleted folder (deleted files kept for a year, although I had an option of restoring a version from 2013 for some reason). See pics.

    Capture.PNG Capture2.PNG Capture3.PNG

    Edit: this might be of some help to you: http://www.it-book.co.uk/2811/recovering-dropbox-files-encrypted-with-cryptolocker
     
    Last edited: Feb 27, 2016
  20. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Thank you
     
  21. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,390
    Can you elaborate on that solution please? On my desktop I have my OS, one internal hd and one external hd - they are not shared. How would I set up a password requirement for the external drive?
     
  22. ssbtech

    ssbtech Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    71
    Location:
    Canada
    I don't know how you would do it on an external USB drive. Mine is a network drive where I can set up shared folders and assign folder permissions. Sorry!
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    This idea I would say is on the right track, and I'm surprised no one else has mentioned this. Assuming most people sensibly run as standard users, why not simply change the permissions of the backup directory to allow Standard users "Read only" access? That's how mine is set in properties. If the malware can run with only User privileges, it will have no way of writing changes to the backup files in this directory.
     
  24. ssbtech

    ssbtech Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    71
    Location:
    Canada
    Good point - you can configure Macrium (and likely others) to run the scheduled backup as a specific user, such as the user you've given write-rights to the destination backup folder.
     
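A concrete way to set up what wat0114 and ssbtech describe above (standard users read-only on the backup folder, a separate account that is the only writer, which the backup job then runs as), as an added example that is not code from the thread or from Macrium. The folder path D:\Backups and the account name backupsvc are assumed placeholders; the script needs an elevated PowerShell session.

```powershell
# Added example, not from the thread. A dedicated local account is the only
# identity with write access to the backup folder; interactive standard users
# (and any malware running as them) get read-only. Run elevated.
# Assumed names: D:\Backups and the local account "backupsvc".
$BackupDir = 'D:\Backups'
$SvcUser   = 'backupsvc'

# 1. Create the writer account (password prompted, never stored in the script).
if (-not (Get-LocalUser -Name $SvcUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $SvcUser"
    New-LocalUser -Name $SvcUser -Password $pw -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Backup writer only' | Out-Null
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 2. Replace inherited permissions with an explicit, minimal ACL.
$acl = Get-Acl $BackupDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @('BUILTIN\Administrators',        'FullControl'),
    @('NT AUTHORITY\SYSTEM',           'FullControl'),
    @("$env:COMPUTERNAME\$SvcUser",    'Modify'),          # the only writer
    @('BUILTIN\Users',                 'ReadAndExecute')   # everyone else read-only
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, $prop, 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $BackupDir -AclObject $acl

# 3. Verify: only Administrators, SYSTEM and backupsvc should appear here.
(Get-Acl $BackupDir).Access |
    Where-Object { $_.FileSystemRights -match 'Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Then point the backup tool's scheduled job at backupsvc, as ssbtech describes for Macrium; the check in step 3 is what to re-run after any Windows or tool update that might have reset the ACL.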
  25. Andrew Cutforth

    Andrew Cutforth Registered Member

    Joined:
    Jan 27, 2016
    Posts:
    27
    It occurs to me that our new AJC File Server will help you create backups that are safe from a ransomware virus on Windows.
    http://www.ajcsoft.com/file-server.htm

    Think of AJC File Server as something like an FTP server, except that it is more reliable, date stamps correctly and you can do block level sync to only send the changes to big files. It also has an archiving system to get back old versions of files (and only stores the changes each time).

    You need AJC Sync v4 on the client to back up to it.
    http://www.ajcsoft.com/file-sync.htm

    Now if the ransomware infects your client, it can encrypt your files on the client but it cannot get to the file server (make sure it can't). Now your backup would still happen and the encrypted files would be backed up to the server but AJC File Server has an archiving system (optional - turn it on) that allows you to get back any version of a file that is overwritten or deleted during the backup.

    As the ransomware has no access to your server the backup archives cannot get damaged. They might get damaged files backed up into the archives if you don't catch it in time but you can still get back the earlier versions.

    Anyway just my thoughts. Post a reply if you give this a try.
     