Reevaluate your backup strategy in the face of current ransomware trojans like Locky

Discussion in 'backup, imaging & disk mgmt' started by manolito, Feb 21, 2016.

  1. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    341
    The current 'Locky' ransomware trojan encrypts not only files on your local computer (including all connected external HDDs), it also encrypts all files on your network it can reach. It even reaches network shares which are not currently activated in your system. On top of this even cloud storage which is synchronized to a local folder will get encrypted.

    This means that a widely used backup strategy which does scheduled backups to a permanently connected external HDD or to a NAS or to a cloud folder is now obsolete. Locky can and will encrypt your backup files if it can reach them.

    So far the only strategy which can prevent this is to do your backups to an external drive which only gets connected to the computer just prior to the backup. Even safer would be to only make backups outside of the operating system from a recovery media or from a BCD store entry.

    Any thoughts?


    Cheers
    manolito
     
  2. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    In a properly configured corporate environment your back up solution should be Active Directory integrated with a service account and that service account is the only one with permissions to the backup location.

    Typically, when a virus like this changes the extensions of what it's encrypting, you can use File Server Resource Manager to shut down a PC that is detected as changing extensions on a file server before it causes too much damage. I implement FSRM in an environment to prevent crypto locker type viruses. I even have it set to remove any shares from the file server and tell me the username that caused the extension change so I know exactly where to go to resolve it.
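    As an added example (not whitedragon551's own configuration), this is how the FSRM file screen described above can be scripted in PowerShell on a Windows file server with the FSRM role; the share root D:\Shares, the responder script C:\FSRM\Respond.ps1 and the pattern list are assumptions.

```powershell
# Added example: FSRM file screen that blocks known ransomware file-name patterns
# on a share root and runs a responder with the offending account name.
# Assumptions: Windows Server with the FSRM role installed, share root D:\Shares,
# responder script C:\FSRM\Respond.ps1 (hypothetical; it is expected to remove the
# shares, e.g. via Remove-SmbShare, and alert the admin with the user name).
Import-Module FileServerResourceManager

# Constructed pattern list for illustration: *.locky is the extension Locky
# appended to encrypted files; the other entries are placeholders to extend as
# new families appear. A file screen only catches families that rename files.
$patterns = @('*.locky', '_Locky_recover_instructions.txt', '*.encrypted')

New-FsrmFileGroup -Name 'Ransomware Patterns' -IncludePattern $patterns

# Command action: runs as LocalSystem and passes the FSRM macros for the user
# and path that triggered the screen to the responder script.
$respond = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters '-ExecutionPolicy Bypass -File C:\FSRM\Respond.ps1 -User "[Source Io Owner]" -Path "[Source File Path]"' `
    -SecurityLevel LocalSystem `
    -RunLimitInterval 0

# Event action: writes a warning to the Application log so SIEM collection
# sees the block even if the responder script fails.
$logEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Blocked write of [Source File Path] by [Source Io Owner] on [File Screen Path]'

# -Active makes the screen refuse the write instead of only logging it
# (passive screening would let the encrypted copy land on the share).
New-FsrmFileScreen -Path 'D:\Shares' -IncludeGroup 'Ransomware Patterns' `
    -Notification @($respond, $logEvent) -Active
```

    Keep the pattern group current: a family that keeps the original extension, or one with a new extension, passes an active screen silently, so the offline backup the OP describes is still the recovery path.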
     
  3. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    LOL.

    I have been advertising this "offline" cold backup/restore for years on this forum and many other forums. Few would listen, and most would still prefer "hourly" or even "real time" backup of their OS and data. So most people prefer "convenience" over "security" of their data, until their disk imaging or data backup software backed up all their infected files or OS, or, in a situation like this, a malware encrypted all their data.

    For decades, I only make disk/OS images when I have just cleaned, formatted the disk, re-installed my OS, have all settings adjusted, all software installed and updated. I fail to understand why people want to back up their OS on an hourly or daily basis. When it comes to data files, MAYBE it makes sense to back them up every hour or so for some people, but for me, I don't think it's necessary, as I have two internal HDDs to store duplicate copies of the same data. I normally create/modify files on my D: drive, then copy the updated version to the E: drive at the end of the day, manually. Every month or so, I back up data files to two external HDDs. I have been doing this for decades and have never encountered any data loss.

    Sometimes, simple and conservative procedures are the most effective and efficient way to manage your data and OS.

    I remember you questioned/laughed at my strategy of only using the Acronis boot USB to do offline backup/restore, just a couple of weeks ago. Now you also realized "convenience" is not always a good thing? Think about Linux Mint, what happened to them since yesterday. Think about the risks of being online all the time. Do people think their OS is more secure than Linux Mint's servers? If their servers can get hacked, so can your system. Sooner or later.
     
  4. ssbtech

    ssbtech Registered Member

    Joined:
    Aug 19, 2013
    Posts:
    57
    Location:
    Canada
    This reminds me, I need to post in the Macrium forum and seek advice on auto-running a backup upon USB drive insertion.

    Anyway... the way I do it at home is with a WD MyBook network drive. The share on the drive is password protected with a password that's different from my PC's user account. That is to say, if I navigate to \\mynetworkdrive I get a password prompt. I have the username/password set up in Macrium so it can write to the backup file, but should a virus infect the PC and attempt to encrypt network shares it won't have access to the backup destination.
     
  5. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,647
    Location:
    NSW, Australia
    manolito,

    I don't follow the logic. If the data files have already been encrypted then an online or offline backup would be pointless. If the data files have not already been encrypted then an online or offline backup would be useful. The backup files need to be on drives subsequently disconnected from the computer.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,898
    Location:
    Australia
    Exactly! That's what I have been doing for ages.
     
  7. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,054
    Location:
    The Pond - USA
    Mab says...
    It's very nice to see various users pat themselves on the back for their data mgmt/backup strategies and data protection... I'm sure most of the schemes work very well for the individuals involved. But it seems to me that the root of just about everything discussed here, is not inadequate strategies for protecting data, it's inadequate strategies in using the Internet.

    In WhiteDragon's case, it shows a responsibility for a network of users rather than the individual user... this is a tougher case as the responsible party finds it difficult to "train" their users in the proper use of the Internet. But individual responsible users should be able to do this without issue.... practice "Safe NET!"

    The LOCKY trojan mentioned by the OP is delivered by a Microsoft WORD Macro. Even MicroSloth has that capability turned OFF by default and informs users when a document wants to use the macro capability. Why would anyone bypass that capability when opening a MicroSloth WORD document is beyond me... unless something like that was expected directly from its source ("Hey Pete... did you send me a M$ WORD document with a macro in it?"). The same thing applies to most, if not all, of the previous RansomWare delivered by infected email attachments... why are they being opened when they aren't even expected ("Hey Pete, did you send me an email with an EXE/BAT/COM/PIF/<whatever> extension?")

    Rather than protect all this DATA with all kinds of unGodly manipulation, might our time be better spent understanding HUMAN ENGINEERING, which is the primary focus of most all these baddies... and finally accepting the fact that the Internet, as powerful as it is, is not really a very safe place to be. We need to be careful... and a few well placed habits (no unexpected macros or executable email attachments without vetting the source & decent AV/AM) and things can be a lot less scary.
     
    Last edited: Feb 22, 2016
  8. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,054
    Location:
    The Pond - USA
    ...and I would add PORN SITES and questionable GAME SITES to the list of "Should I go here?" places. Of all the drive-by download places I've come across while dealing with broken clients, these sites were probably responsible for 90+% of all the infections encountered. Once again... a perfectly human engineered place to inject an infection (people LUV free games, and guys, especially, LUV porn!).

    SAFE NET, ba-bee!
     
    Last edited: Feb 22, 2016
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    I agree Froggie. As to backups, data is redundantly backed up. So are images, although I don't think, at least so far, they are being attacked by encryption. But the bottom line is I don't modify my backup stuff because of any Ransomware, I instead work to prevent ransomware from getting on the system.

    1. Any office document not generated by me is checked in Sandboxie, is protected by Appguard
    2. HMPA, prevents the encryption
    3. So far EIS has always been first to block any malware I've tested against it.

    Finally, on my data critical machine Macrium does hourly backups so I can always restore to prior to the problem, and my data files are archived when they are closed. The archives are on the machine, but they are safe from encryption.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    It's a matter of probability. Constant backups are far more likely to help me recover data faster and more completely than the very unlikely chance that I will be infected by something like this.
     
  11. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,283
    Invoking probabilities seems a very rational approach. The problem is, nobody knows what the probabilities are.
     
  12. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,054
    Location:
    The Pond - USA
    Very true, but "constant" backups require constant connectivity... and as soon as some stupid RansomWare decides to start encrypting known imaging files, there go those constantly connected backup devices.
    An excellent approach... and it really doesn't require a lot of effort, just some very good habits.
     
  13. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Another strategy is to use Bitlocker to encrypt the full disk where you store your data, either internal HDD or external HDD. That way, nothing can break into your disk and change your files.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Hi Oliverjia

    I don't see that as a solution.

    Look at the encryption threads and compare the number who ask for help because they can't get it, then see if any posters say encryption save them.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Existing methods are not useless. Backups are first and foremost around hardware failures. And that WILL happen.
    Malware and whatnot may happen, but your primary concern is retaining data when the media dies.

    Mrk
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Yes, but what is an experienced Wilders member's infection rate? Without some widespread zero-day exploit, which this malware clearly lacks, I'll take my chances with my existing setup. Not as if backup is the only layer at all.

    That doesn't negate the usefulness of constant backups. It's like saying this known cure isn't good anymore because of some extremely unlikely side effect 0.001% of the population has. Sure, that percentage is higher for average users, but in my case it's really like that. Plus no one said constant backups replace offline backups.
     
  17. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,054
    Location:
    The Pond - USA
    Of course "constant" (periodic?) backups are important, never said they weren't. It's really the off-line version which will save anyone during that .001% window... on-line versions may some day be very vulnerable.
     
  18. Gaddster

    Gaddster Registered Member

    Joined:
    Dec 11, 2013
    Posts:
    38
    Location:
    UK
    People should pat themselves on the back for looking after their own data. I've personally stopped bothering to even mention the word backup to anyone now, as it's like talking to a brick wall; even telling family members to back up their files is a nightmare, as they know best. So look after your own files and let the rest spin the roulette wheel with their data.
     
  19. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,132
    Pardon Pete, what is HMPA and EIS?

    OK, just found that HMPA is HitmanPro Alert... what is EIS though?

    I am running AppGuard, and ESET Smart Security, should I also add HMPA? Will it interfere with my other antimalware programs (also running Zemana AntiLogger)?
     
    Last edited: Feb 22, 2016
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,898
    Location:
    Australia
    HitmanPro.Alert

    Emsisoft Internet Security - I think.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    HMPA is HitmanPro Alert
    EIS is Emsisoft Internet Security
     
  22. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,132
    Thanks to both of you... I was editing my above post while you both posted and had added the following to it:

    I am running AppGuard, and ESET Smart Security, should I also add HMPA? Will it interfere with my other anti-malware programs (also running Zemana AntiLogger)?
     
  23. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Most of the problems related to encryption in those threads are about full disk encryption of the OS drive, especially when the old TrueCrypt was used. If you do full disk encryption of a data drive, normally there is no problem (provided your HDD/USB drive has no physical damage).

    I have been using Bitlocker encrypted full data drives, both HDD and USB for about a year now, have not met any problem yet.

    Full disk encryption of the data drive, and keeping at least two duplicate drives, is normally a good idea, especially for portable HDDs. When you lose it, no one can access your data.
     
  24. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,647
    Location:
    NSW, Australia
    oliverjia,

    How long does it take to decrypt the files so they are readable in Windows Explorer? Just interested.
     
  25. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    853
    I always do off-line imaging. And off-line recovery if and when the time comes. My mission critical backups are never exposed to a live operating system. Always a boot disc. It also gives me peace of mind that the operation completed successfully and no worries that I may have missed an automated status stating otherwise.

    I also do not back up every hour of every day. And I more or less rotate through media. It's simple and convenient and allows me to go back a version or two should bad come to worse. No strict scheduling means less gotta-get-it-done-now stress.

    I'll perhaps do more frequent backups of select files if I'm doing a lot of work. But there is no reason to be high frequency on an OS and application/archive drive that doesn't change a whole lot.

    I work around the premise that if my system ceased to exist for any reason, could I get back in business and to where I was before the crisis? And the answer is yes. I might have to re-update some applications or something. Maybe redo the afternoon's writing or something. But compared to 30+ years of historical data? ... That's nothing!

    And since my backups are not too frequent there is less wear and tear, less chance for something to go wrong un-observed.

    Been operating this way for years. Never lost anything. BTW, I'm a SOHO/personal user. And the few times I needed my backups, it was more attributable to user error/stupidity than it was to malware or hardware failure. But without them I'd be dead in the water.
     
    Last edited: Feb 23, 2016