How to protect from ransomware?

Associate
Joined
18 Oct 2002
Posts
1,765
Location
Kent, UK
Fantastic!!

Don't suppose you have the time to do a write-up of how that's all set up for us noobs.

I have a spare server (cheap PC bought from OC that I used to use as a server) that I no longer use, and some spare drives that I could RAID for more storage, or buy a couple more to use.

I'm away with work at the moment so can't double-check any of this, but at a high-level it goes something like this:

1) Set up your 'server' and connect it to your network, but don't set up any Windows shares (so the server can't be infected across the network if another PC is compromised).
2) Download and install Crashplan on the PC(s) you want to backup, and also the server. Use the same Crashplan account for both.
3) Go into Crashplan on the Server and set up the 'Inbound Backup Settings' (under Settings>General>Inbound Backups from other Computers). Make sure the 'accept inbound backups' is checked, and set the default archive location directory (where the backups will be stored).
4) Go into Crashplan on the PC you want to backup. Select the drives/directories/files you want to backup under 'Files'. The Server should show up as a backup destination. Click on 'Start Backup'.
That's it!

There are other backup settings you can tweak under Settings>Backup (e.g. frequency/versions/time restrictions) and Settings>Network (e.g. restrict network bandwidth utilisation).

Hope this helps/works. Post back if you have any difficulties.
 
Soldato
Joined
29 May 2005
Posts
4,899
Backup is the only really good way to protect against this sort of thing, as you cannot protect against human error or ignorance.

I have a spare disk that I use as a weekly or bi-weekly backup, but I am currently working towards a networked solution: a large-capacity NAS. The intent is to have the computer periodically back up to the NAS; the NAS storage being access controlled (needing a user and password to access the partitions) will prevent the worm from spreading onto the NAS in case of infection.

The time-delayed nature of some ransomware is concerning. But a weekly backup is probably OK, as the virus/worm cannot be hibernating for too long, otherwise there will be patches and signature updates on the anti-virus to detect them and delete them.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,147
will prevent the worm from spreading onto the NAS in case of infection.

Wouldn't even bet on that - while AFAIK they are currently patched against it there are variants like Synolocker that can attack or infect NAS boxes.

To protect against these types of ransomware, old-school write-once storage and/or other types of storage with a physical write-protection switch is best; second best is rotating backups to drives stored offline; third best (and not a bad option) is cloud storage with versioning.
 
Soldato
Joined
29 May 2005
Posts
4,899
Interesting thread but could someone explain to me what whitelisting apps is/does and how to set up a share that windows cant communicate with?
There is no such thing as whitelisting. Hackers can plant worms on a perfectly legit website. For instance, I read somewhere that someone downloaded a hacked version of Handbrake from the official website, and his computer got infected and his files were cryptolocked.

So setting up a whitelist is asking for trouble. Also, hackers with means will be actively targeting these websites so they can get their malware in.
 
Soldato
Joined
29 May 2005
Posts
4,899
Wouldn't even bet on that - while AFAIK they are currently patched against it there are variants like Synolocker that can attack or infect NAS boxes.

To protect against these types of ransomware, old-school write-once storage and/or other types of storage with a physical write-protection switch is best; second best is rotating backups to drives stored offline; third best (and not a bad option) is cloud storage with versioning.
You are not wrong there. The day they bundle any sort of exploits for NAS systems into the worms, a lot of people will be screwed. A typical home and home-office NAS will be in the realm of tens of TB.

I think cloud is the best solution these days. Tape drives etc. are a thing of the past, and the time it would take to back up even a modest system would be prohibitive.

I am seriously considering Amazon's paid cloud storage.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,040
there is no such thing as whitelisting
 
Soldato
Joined
29 May 2005
Posts
4,899
You can whitelist all you want, but as soon as some clever hacker disguises hacked software as a legit one and gets past the whitelist, you are as screwed as the one without a whitelist, as per my example given regarding downloading the hacked Handbrake.

All security measures, in my opinion, are always one step behind these, as the malware needs to be detected first in order to form the necessary signature files for future protection.

So the only real solution is having a good backup. All other measures are preventative but not perfect, and can be easily compromised due to user ignorance or error. In a networked environment, the risks of such behaviour are significantly increased.
 
Man of Honour
Joined
20 Sep 2006
Posts
34,040
You can whitelist all you want, but as soon as some clever hacker disguises hacked software as a legit one and gets past the whitelist, you are as screwed as the one without a whitelist, as per my example given regarding downloading the hacked Handbrake.

All security measures, in my opinion, are always one step behind these, as the malware needs to be detected first in order to form the necessary signature files for future protection.

So the only real solution is having a good backup. All other measures are preventative but not perfect, and can be easily compromised due to user ignorance or error. In a networked environment, the risks of such behaviour are significantly increased.

A proper whitelist solution takes a SHA-256 hash of the exe, so how is it possible that a hacked version of the program can be executed?
 
Soldato
Joined
1 Mar 2010
Posts
21,912
I guess the whitelist tools do protect against hacked DLLs too?
[I just updated my Notepad++ release, where they had sealed up a WikiLeaks CIA hack in which plugin DLLs could be executed if a fake DLL was located in the correct folder.]
 
Associate
Joined
18 Oct 2002
Posts
1,765
Location
Kent, UK
Interesting thread but could someone explain to me ... how to set up a share that windows cant communicate with?

The point is that you don't set up a share. Ransomware will (generally) rely on being able to access your files through Windows drive letters or UNC paths (e.g. \\server\share). If you use something like Crashplan to perform the backups then it uses its own proprietary protocols for transferring the data between PCs/servers, and this is not something that the ransomware can piggy-back on.
 
Soldato
Joined
17 Jun 2007
Posts
9,298
The point is that you don't set up a share. Ransomware will (generally) rely on being able to access your files through Windows drive letters or UNC paths (e.g. \\server\share). If you use something like Crashplan to perform the backups then it uses its own proprietary protocols for transferring the data between PCs/servers, and this is not something that the ransomware can piggy-back on.

So in essence: I have an old PC with loads of HDD space. I have Win10 running Crashplan. Put it in the loft/under the stairs, connect it to the router/switch. I then ask Crashplan on my office PC to save backups to the PC under the stairs (backup).

How do I stop the Backup PC accessing the internet for updates etc. Or do we still want it to auto update etc.

I assume after doing all this the Backup PC is ONLY to be used for this type of Backup.. And not to be used as a "NAS" for media etc
 
Associate
Joined
18 Oct 2002
Posts
1,765
Location
Kent, UK
Yes, that's it. The old PC/server can still access the internet for updates etc., so it makes sense to have a decent antivirus on it, but the point is that it isn't used for anything like browsing/email etc., so it is much less likely to get infected directly.

In theory you could set up a Windows share which allows read-only access, or which allows access only to a different drive/directory from the Crashplan backups, to use for media etc., but frankly I prefer to keep my backups as isolated as possible.
 
Soldato
Joined
29 May 2005
Posts
4,899
A proper whitelist solution takes a SHA-256 hash of the exe, so how is it possible that a hacked version of the program can be executed?
That will work, but these paid services' databases of exe and DLL files, do they include obscure programs? If they don't, then it can be exploited. That's why, to an extent, blacklisting exes is better from a user-experience point of view, which is what AV and malware detectors try to do. But the problem is you can test your virus or malware online against a database to see if it is detectable. In effect you can engineer a virus to be non-detectable by the latest AV and launch your attack.

Ultimately even whitelisting will not stop someone opening up a phishing email with a doc that has malicious code in it, or being directed to a website where the embedded worms are.

So really the fallback is the use of backups.
 
Capodecina
Soldato
Joined
30 Jul 2006
Posts
12,129
<SNIP>
So the only real solution is having a good backup.
<SNIP>
I'm not quite sure how a "good backup" will cope with delayed activation.
So in essence. I have an old PC with loads of HDD space. I have win10 running crashplan.
<SNIP>
I'm not certain that an "Old PC" will actually run Windows 10, no matter how much HDD you have.

As a matter of interest, would "an old PC with loads of HDD space" running Linux support Crashplan?
 
Man of Honour
Joined
14 Nov 2004
Posts
13,785
That will work, but these paid services' databases of exe and DLL files, do they include obscure programs? If they don't, then it can be exploited.

In terms of Windows (ignoring Windows 10 S), whitelisting is more of an enterprise feature. Sysadmins don't want their users to execute obscure applications, hence whitelisting.

Ultimately even whitelisting will not stop someone opening up a phishing email with a doc that has malicious code in it, or being directed to a website where the embedded worms are.

Actually, whitelisting combined with reducing user privileges can be incredibly useful in these situations.

In your email example, the malicious code may attempt to download and run a binary, which is where the whitelisting comes in.

You'll have to define what an embed worm is.

Nothing's perfect, it's all about layered defence.
 
Soldato
Joined
29 May 2005
Posts
4,899
In terms of Windows (ignoring Windows 10 S), whitelisting is more of an enterprise feature. Sysadmins don't want their users to execute obscure applications, hence whitelisting.
Actually, whitelisting combined with reducing user privileges can be incredibly useful in these situations.

In your email example, the malicious code may attempt to download and run a binary, which is where the whitelisting comes in.

You'll have to define what an embed worm is.

Nothing's perfect, it's all about layered defence.
You are right, you can restrict user access and also users' ability to open files and so on. But it is not practical in a home networking environment. For large organisations maybe, but at some point you have to give some control back to users so they can do their job. But in any case, the protections are only as good as the people implementing them and using them. And nothing is foolproof, unfortunately.
 
Associate
Joined
18 Oct 2002
Posts
1,765
Location
Kent, UK
I'm not quite sure how a "good backup" will cope with delayed activation.

As long as the PC which contains the backups does not get compromised, AND you have full versioning/history then you are fine. Even if all of your files get encrypted several months after your PC is originally infected, the unencrypted originals will still be in your backup archive. The worst-case scenario would be a slow/progressive encryption process over a period of time as you would not know when to restore from.

As a matter of interest, would "an old PC with loads of HDD space" running Linux support Crashplan?

Yes, Crashplan does run on Linux, which might be a good option on an old/low-spec PC. But I've found it to be fine on a modest Windows setup.
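A small Python illustration of the versioning point made above, added here rather than taken from the thread or from Crashplan: a per-file version history plus a simple entropy check lets you pick, for each file separately, the newest copy that still looks like plaintext, which is what you need when encryption was slow or staggered and there is no single "restore from week N" point. The archive, the weekly snapshots and the ciphertext stand-in are all constructed for the demo.

```python
import hashlib
import math


def entropy_bits_per_byte(data: bytes) -> float:
    # English text scores around 4-5 bits/byte, ciphertext close to 8.
    counts = [data.count(v) for v in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c) if data else 0.0


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    # Heuristic only: compressed formats (zip, jpeg) also score high and would
    # need a format check rather than entropy alone.
    return entropy_bits_per_byte(data) > threshold


def backup(archive: dict, path: str, data: bytes) -> int:
    # Append a new version only when the content changed; returns the version count.
    versions = archive.setdefault(path, [])
    if not versions or versions[-1] != data:
        versions.append(bytes(data))
    return len(versions)


def last_clean_version(archive: dict, path: str):
    # Newest copy that does not look encrypted, as (version_number, bytes); None if all do.
    for number, data in reversed(list(enumerate(archive.get(path, []), start=1))):
        if not looks_encrypted(data):
            return number, data
    return None


def simulated_ciphertext(data: bytes, label: bytes) -> bytes:
    # Constructed stand-in for an encrypted file: XOR with a SHA-256 keystream gives
    # deterministic high-entropy bytes for the demo (not a real cipher).
    stream = b"".join(hashlib.sha256(label + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo() -> dict:
    # Four weekly runs: notes.txt is encrypted from week 3, letter.txt only from week 4.
    notes = b"Quarterly accounts, draft 1.\n" * 30
    letter = b"Dear customer, your order shipped.\n" * 30
    weeks = [
        {"notes.txt": notes, "letter.txt": letter},
        {"notes.txt": notes + b"Revised totals.\n", "letter.txt": letter},
        {"notes.txt": simulated_ciphertext(notes, b"n"), "letter.txt": letter},
        {"notes.txt": simulated_ciphertext(notes, b"n"),
         "letter.txt": simulated_ciphertext(letter, b"l")},
    ]
    archive = {}
    for snapshot in weeks:
        for path, data in snapshot.items():
            backup(archive, path, data)
    return {path: last_clean_version(archive, path) for path in weeks[0]}
```

Running `demo()` recovers notes.txt from version 2 (the last edit before it was hit) and letter.txt from version 1, i.e. two different restore points chosen per file.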
 