RansomWare Worries - Suggestions on My Backup-Routine

Given the rise in ransomware attacks, and that it appears AV isn't really a deterrent… I am quite worried. Young kids, not so tech-savvy wife… family that visit and use my systems from time to time…

It doesn't seem far-fetched, from what I read, that the wrong website or PDF can cause you a lot of grief; I have been wondering about my defences against what seems to be a "luck of the draw" scenario.

I make religious backups, but they are all linked in series. And here is my worry about cross-contamination.

I basically run a desktop and two laptops that auto-replicate to a 4-disk RAID-5 Synology NAS. (Synology Cloudstation - works really well for my setup - like a localised LAN share.) I have ONE version history (so hopefully if a file is encrypted I can get an earlier version from the NAS).

The Synology NAS then backs up to Amazon Glacier incrementally once a week. (I don't do that much every week.) The Glacier backup is split in two sections - ~25GB documents and ~500GB photos.

Given my slow connection speed, it took 2 months to dump all the photos, so I am relatively unworried about my photos getting encrypted and replaced en masse.

The question - since I have no air gap, only a slow upload time delay and a versioning system in the middle, if I were to be hit with malware, will it spread?

Whilst annoying, I don't really care so much about the reinstall process.

Thanks for any tips.

Crap… just worked out I don't have a backup for my Windows 10 upgrades on 1 laptop and desktop, or know how to keep a backup of the licence. Whoops.

Comments

  • +1

    Really consider running MBAM full on your PCs. I run it alongside my AV, and it just does a really great job. It'll trap any nasty PDFs or websites.

    https://www.malwarebytes.org/mwb-download/

    Lifetime Pro licenses go on sale from time to time. Perhaps just pay for one year now and then when the inevitable lifetime license appears, jump on it. Probably one of the best deals on Ozbargain for me!

    • thanks. I'll have a look. I run Avira AV

      • +2

        Also look into CryptoPrevent
        https://www.foolishit.com/cryptoprevent-malware-prevention/

        It automatically applies a set of Group Policy rules which help to block cryptomalware from encrypting your files.

        And yes it is legit, don't let the unfortunate name of the domain scare you.

        However it only blocks a certain type of crypto locker, so you should still educate your family not to open any attachments from unknown sources, even if it appears to be from a well-known sender (e.g. phishing emails seemingly sent from AusPost, AGL, Woolworths et cetera have been used to scam people into downloading stuff).

      • +3

        Another one that is free/premium is Malwarebytes Anti-Exploit. It runs in the background and protects you against zero-day vulnerabilities that ransomware often uses.

        They'll have an anti-ransomware tool out later this year. I tested it during beta and it managed to stop a lot of variants I threw at it.

        This article explains a lot of these programs very well. I can vouch for HitmanPro.Alert.

      • @cmdwedge the full run was really uneventful with only 1 minor exception for an unlocker I use… Which is great news.

  • +2

    The current version of Veeam Endpoint Backup is free and it has an option to automatically unmount the destination drive after each backup. That way, the drive can't be reached from Windows file sharing and is thus insulated from any attack. I find it really good and reliable.

    Unfortunately most AV software today is good at locating malware just after it's started encrypting your files, so you really need to plan ahead to prevent damage and make recovery easy, rather than relying on an AV program to protect you.

    If you have a NAS use its own internal backup routines to cover yourself. Use Windows "file history" to a separate, dedicated share on it. Keep your shares separate with separate accounts, keep critical backup shares isolated from your general day-to-day shares so that if you do get hit and happen to have your music share mounted with its admin password, all the crypto will hit is your music folder (which is backed up anyway, by the NAS, to a different folder that your PC can't even touch directly).

    Oh, and keep ISOs of the boot disks for your backup programs somewhere handy.

    It takes some planning, but good backup beats a big clean-up any day.

  • +2

    Crap… just worked out I don't have a backup for my Windows 10 upgrades on 1 laptop and desktop, or know how to keep a backup of the licence. Whoops.

    Magic Jellybean Keyfinder will tell you your Windows keys. Chrome might have a hissy fit about it being unsafe as it does find licenses for other programs too.

    Belarc Advisor will do it too.

  • +1

    Buy a mac.

    Just kidding.

  • +1

    Some thoughts based on my experience from dealing with ransomware in business environments.

    1. Never run as a local administrator account. Learn how to work with software that is pedantic about this. Sometimes you may have to temporarily grant local admin and log off and back on to install some software, then remove admin again. Some software is happy to work with elevating privileges to a different admin account, some just must install as the local user with admin privileges.

    2. Implement software restriction policy (only easily done if you have Pro version of OS). SRP is so good it almost removes the need for an AV at all. This is basically what Cryptoprevent is doing (mentioned above).

    3. Run your backup software as a different user account to shares that only that account can access. As long as you run as a different user without admin rights then if you hit something nasty it won't have permissions to do anything on the share.

    4. AV is never going to be 100% effective at blocking ransomware. Of all the ransomware events I have been involved with, none were noticed by AV. My recommendation these days is Webroot. It does things a lot differently than other AV products in that it sandboxes unknown processes until it knows whether something is good or bad. Bonus 6 month trial of Webroot can be had here: http://www.nab.com.au/personal/banking/nab-internet-banking/…

    Windows 10 free upgrade activation is tied to the hardware. Simply reinstall Windows 10 on the same hardware and it will licence itself again automatically.

    • Thanks nanonoise… this is very good… didn't know about the Win10 licence remembering your hardware/making some kind of reference key…

    • You make some good points. I have a couple of my own to add:
      - Do NOT disable UAC!! If you disable this (and you are running as administrator), then you will be allowing all applications to run with elevated (administrator) privileges. If you keep UAC enabled, and every time you get the UAC prompt, ask yourself "does this app need to have elevated permissions?" (and click "No" if it shouldn't) then you will keep the worst of malware away.
      - If you have a file which you are suspicious of, then upload it to this site and let it scan it for you: https://virusscan.jotti.org/en
      It will scan your uploaded file against a number of different virus/malware scanners.

  • Anti-virus software and account restrictions will not always prevent an attack.

    The only thing you can do is to regularly back up and ensure the backups cannot be accessed from any computer that is being used.

    What I've done for people in the past is to do daily backups of all data to a network drive. From there, the NAS does a backup onto an external drive connected to the NAS. The external drive cannot be accessed from any computer on the network. On top of this, the external drives are rotated on a weekly basis so that one is always available offline and offsite.

    • +4

      on top of all that….

      you can also restrict folder access to your backup repository. There is a reason why many backup programs allow you to optionally specify a specific user credential to access its repository. Make use of it.

      Haven't seen a ransomware that takes ownership of folder permissions "yet".

      For Windows users:
      1. Create a specific backup user, e.g. backupz.
      2. Log in using that user, e.g. backupz.
      3. Create your backup repository folder, or take ownership of it.
      4. Remove all users/groups from that folder. If you need to remove inherited permissions or need to take ownership of that folder, do that.
      5. Add only the backupz user for that folder.
      6. Log out and log in using the normal user account that you use to schedule your backups.
      7. In your backup program, specify the backupz user credentials.
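Steps 1 to 7 above, together with the earlier point about running backup software as a separate account, as one added PowerShell example (not the commenter's code): it creates the backupz account, makes it the only principal besides SYSTEM that can write to the repository, and schedules the copy job under it. The account name, paths, task name and schedule are assumptions.

```powershell
# Added example (not the commenter's code): a backup-only local account that is the
# sole writer of the repository, and a scheduled robocopy job that runs as that account.
# Run from an elevated PowerShell. Account name, paths, task name and time are assumptions.
$backupUser = 'backupz'
$repo       = 'D:\BackupRepo'                # repository: local disk or a dedicated NAS share
$source     = "$env:USERPROFILE\Documents"   # what gets backed up

# Steps 1-2: create the standard (non-admin) backup account.
$cred = Get-Credential -UserName $backupUser -Message 'Choose a password for the backup account'
if (-not (Get-LocalUser -Name $backupUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $backupUser -Password $cred.Password `
        -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# Steps 3-5: create the repository, strip inherited ACEs (/inheritance:r) and grant only
# backupz (Modify) and SYSTEM. The elevated admin who created the folder stays its owner;
# the everyday user account, where malware would run, gets no entry at all.
New-Item -ItemType Directory -Path $repo -Force | Out-Null
icacls $repo /inheritance:r /grant:r "${backupUser}:(OI)(CI)M" 'SYSTEM:(OI)(CI)F' | Out-Null

# The backup account must be able to read what it copies.
icacls $source /grant "${backupUser}:(OI)(CI)RX" | Out-Null

# Steps 6-7: the job runs under backupz, so nothing in your normal session can write to $repo.
# /E copies subfolders without deleting anything from the repository; changed files are still
# overwritten, so keep versioning on the repository (NAS snapshots, cloud history) for roll-back.
$robocopyArgs = '"{0}" "{1}\Documents" /E /XJ /R:1 /W:1 /LOG:"{1}\last-run.log"' -f $source, $repo
$action  = New-ScheduledTaskAction -Execute 'robocopy.exe' -Argument $robocopyArgs
$trigger = New-ScheduledTaskTrigger -Daily -At '21:00'
Register-ScheduledTask -TaskName 'Nightly backup (backupz)' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited | Out-Null
# If the task fails to log on, grant backupz "Log on as a batch job" (secpol.msc, User Rights Assignment).

# Check: only backupz and SYSTEM should appear, none inherited.
(Get-Acl -Path $repo).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```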

      • -1

        good suggestion…

    • yeah, that sounds good for SME/Enterprise…

      Probably not practical on the home front for offline backups (I do have a few loose hard drives I occasionally back up to, to create an air gap….)

      I am quite surprised there isn't a tool that routinely checks for encrypted files on your computer and warns you that a file is no longer accessible…?

      • It's applicable to any setting (standalone local PC, client/workstation, domain, etc). It's about extending your methods to protect your valued data. You should not restrict yourself to a single point of recovery. Since many also use their NAS for backups (hopefully they also cold store backups/offline), it's wise to secure a backup repository.

        If you know your way around, you can have things as practical and automated as you want. Just ask if you don't know. What do you want? Scheduled, press-a-button type, click on an icon, run when you plug in your USB drive, etc? But that's probably a whole new thread in itself.

        As for a tool that routinely checks for filenames/encrypted files… it's more difficult on a standalone PC. You can however make use of FSRM in a Windows Server setting. https://community.spiceworks.com/how_to/100368-cryptolocker-…

        Problem is… now that the crooks know of this type of early alert, they've upped the ante and developed ransomware that also encrypts the filenames (meaning it will rename files into some randomly generated encrypted name, e.g. if you had a file called project2k16.docx the ransomware may encrypt it to a file called, say, ASDFGA4323ASFADF4322312).
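The FSRM file screen this comment points to, as an added PowerShell example (not from the thread or the linked how-to): it defines a pattern group, fires event-log and e-mail notifications on a hit, and unshares the folder to stop the offending client. The share path and name, the patterns and the mail settings are assumptions; as the comment says, a pattern screen cannot see ransomware that writes randomly named files.

```powershell
# Added example (not from the thread or the linked how-to): an FSRM file screen that
# trips when a client writes files matching ransomware patterns, then alerts and unshares.
# Assumes the FSRM role is installed; path, share name, patterns and addresses are assumptions.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares\Users'
$shareName = 'Users'
# Illustrative patterns only (ransom notes, known extensions); maintain this list yourself.
$patterns  = @('*.locky', '*.crypt', '*.encrypted', '*decrypt_instructions*', '*how_to_recover*')

# Where FSRM sends mail.
Set-FsrmSetting -SmtpServer 'smtp.example.invalid' -AdminEmailAddress 'admin@example.invalid'

if (-not (Get-FsrmFileGroup -Name 'Ransomware indicators' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'Ransomware indicators' -IncludePattern $patterns | Out-Null
}

# Notifications: event-log entry, e-mail, and a command that stops sharing the folder so the
# offending client can do no more damage. FSRM expands the [...] macros at run time.
$evt  = New-FsrmAction -Type Event -EventType Warning `
        -Body 'Ransomware pattern hit: [Source File Path] written by [Source Io Owner] on [Server]'
$mail = New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible ransomware on [Server]' `
        -Body '[Source Io Owner] created [Source File Path]. The share is being taken offline.'
$kill = New-FsrmAction -Type Command -Command "$env:SystemRoot\System32\net.exe" `
        -CommandParameters "share $shareName /delete /y" -SecurityLevel LocalSystem -ShouldLogError

# -Active blocks the write as well as notifying. A false positive also drops the share for
# everyone, so run without -Active (monitor only) first and review the event log.
$tpl = New-FsrmFileScreenTemplate -Name 'Block ransomware indicators' `
        -IncludeGroup 'Ransomware indicators' -Notification @($evt, $mail, $kill) -Active
New-FsrmFileScreen -Path $sharePath -Template $tpl.Name | Out-Null

# Check what is in place.
Get-FsrmFileScreen -Path $sharePath | Format-List Path, Template, IncludeGroup, Active
```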

        • thank you. That is very insightful…
