Since reading about xxclone (post below) yesterday I thought of something else!

Discussion in 'backup, imaging & disk mgmt' started by ratchet, Apr 10, 2014.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    Recently Kim Komando mentioned (if I under stood it correctly) that the latest encrypting ransomware will prevent restorations if the imaging program utilizes Windows Shadow Copy, which I believe most do.
    I have as much faith in Paragon as I do W7's backup and Paragon's is much more user friendly. Right now, I have a 500 GB, USB 3.0 HD mounted internally and partitioned 250/250, one for W7 backups and one for AX64. Paragon's images are on an SSD and I'd still have those images available for everyday recoveries. I'm assuming it is Shadow Copy dependent though.
    If I bailed on W7's images and used that partition to clone with xxclone, and I was infected with this worst case scenario ransomware, could I boot my system from that partition? Could/would I even be able to access it from the Desktop>Computer?
    Since I built this system I have the OEM W7 SP1 CD. I assume I'd be able to reinstall W7 too but then be two years behind on hot fixes and updates.
    Would appreciate your opinions!
     
  2. TheRollbackFrog

    TheRollbackFrog Imaging Specialist

    Joined:
    Mar 1, 2011
    Posts:
    4,945
    Location:
    The Pond - USA
    Ratchet, the Volume Shadow Service (VSS), which I believe is what you're talking about, only affects the TAKING of images, it does not affect any COLD RESTORE capability of any imager that I'm aware of (they don't use VSS for restoration purposes). You should have no problem with restorations of images taken before this so called ransomeware was in place.

    I really don't know how infecting VSS would affect anyone except to probably take a phony image of some sort or disable image taking, but by that time it's already too late.
     
  3. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    This is what she said: "The ransomware targets text, pictures, video, PDF and Office files and encrypts these with a strong RSA-2048 key which is hard to undo. It also wipes out Shadow Copies which are used by many backup programs. This gives it the potential to cause major, major problems." Here is the link!
     
  4. taotoo

    taotoo Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    459
    Are you referring to this Ratchet?

    http://www.komando.com/blog/247072/cryptodefense-the-new-supervirus-of-death

    If so, I think the idea is that the ransomware erases shadow copies to prevent you using the Previous Versions feature instead of paying the ransom. So assuming you're all backed up, I don't think it's an issue.

    By the way, since you mentioned Windows 7 Backup - I think I'm right in saying that should you have multiple Windows 7 Backup images, that have been taken on a schedule, then all but the latest image will be stored on the backup drive as Shadow Copies. Should the ransomware remove shadow copies for your backup drive, then you would be left with only your most recent image intact. So if you were to get infected shortly before a scheduled incremental image takes place, then your single-remaining image would presumably be useless.
     
  5. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,988
    I'm still very confused though! Could you access other drives from the desktop to restore and/or could you boot from the xxclone clone, as from the description of the program you should be able to? Thanks!
     
  6. taotoo

    taotoo Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    459
    I don't know anything about xxclone, but by the sound of it you should be able to boot from the drive it's backed up your system to.
     
  7. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    IT just gets more fun each day doesnt it.

    So would a program like AppGuard not protect against this baby (the ransomware)? I would presume it would need to install itself and if its blocked then its not going to be a threat.

    I use AG, Eset Smart Security, AX64 TM, Drive Cloner (1x/week), and Zemana AntiLogger and I believe myself to be pretty well protected,,,,,am I wrong?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.