How to protect from ransomware?

I don't get why people are making this so complicated, just use Macrium reflect to an external drive or NAS, it's miles better than Crashplan.
Yes, this. I back up to a synology NAS, which then uploads using the cloud back up to Dropbox. With Dropbox, my subscription includes recovery of deleted files for up to a year. Hopefully, this should cover any problems.
 
I am a macrium fan too, for complete disk mirroring (and on a local disc 20mins for 250GB disk) -
But are you talking about complete/incremental macrium disk mirroring, or a different usage mode ?

archiving all of the system files is what I prefer too, but they do take up space and slow down the backup,
and some (earlier in the thread) seem happy to re-install the os+apps in the case of disaster.
 
I don't get why people are making this so complicated, just use Macrium reflect to an external drive or NAS, it's miles better than Crashplan.

Unless that external drive or NAS is only connected for the duration of the backup and then isolated from the source PC(s) then it is at risk from Ransomware/encryption

Yes, this. I back up to a synology NAS, which then uploads using the cloud back up to Dropbox. With Dropbox, my subscription includes recovery of deleted files for up to a year. Hopefully, this should cover any problems.

Does Dropbox support recovery of previous versions of files as well as recovery of deleted files? If so then that's OK. If not....
 
Unless that external drive or NAS is only connected for the duration of the backup and then isolated from the source PC(s) then it is at risk from Ransomware/encryption

In this context with the crashplan (free version) backup onto a local machine, are you saying that machine would not also have to be isolated after the backup ?
so it has the same risk as Macrium ?
 
In this context with the crashplan (free version) backup onto a local machine, are you saying that machine would not also have to be isolated after the backup ?
so it has the same risk as Macrium ?

The difference with Crashplan is that there are no Windows shares set up, so a potentially infected PC cannot access any of the archived files in order to infect them. This is not (I presume) the case with Macrium or Dropbox, where the archive process works across Windows shares and any backup files will be accessible to the infected PC and hence at risk of encryption.

By the way, it looks like Dropbox does store previous versions of files for 30 days ( https://www.dropbox.com/help/security/recover-older-versions ) and you have the option to pay to get 'Extended Version History'. This may be good enough for some, but I'd rather have my backups a bit more isolated.
 
Macrium can back up to a Windows share or regular network share.

I don't like Dropbox due to their privacy (or lack of with the new CEO a few years ago).

All my documents are in OneDrive, I pay £80 a year I think which gives me 5 copies of Office, 3 for mobile devices and 1TB of storage. I'm unsure of version history but I just checked one of my files and it goes back to 2015. I'd need to see if I have older files or lookup their retention policy.
 
This may already have been covered in this thread, but I am not wading back through 7 pages (apologies if it has).

I read that one of the most effective defences against ransomware is encryption, for example BitLocker - the theory being that encrypted data cannot be further encrypted.

Is this the case? Or an old wives' tale?

thanks

it would be an old wives' tale, however I doubt an old wife would be that stupid..

best defence is an offline backup, good AV and common sense (I lack all 3 but I don't have any important data)... having the data already encrypted will not help... unless it happens to be on an un-mounted drive when you are infected
 
Since uninstalling Kaspersky I have had no connection issues with crashplan all backups running.

It does seem to be always backing up though not an issue as I've not noticed any slow downs. So once it's done the bulk it looks like it's only incremental.

Not sure I'm brave enough to try a restore yet (I know waiting to see if it works after a crash is just stupid though)

May get an old laptop to test with


Unless anyone can explain how to check
 
Macrium can back up to a Windows share or regular network share.

Both of which would be vulnerable to a ransomware/encryption attack.

Since uninstalling Kaspersky I have had no connection issues with crashplan all backups running.

It does seem to be always backing up though not an issue as I've not noticed any slow downs. So once it's done the bulk it looks like it's only incremental.

Not sure I'm brave enough to try a restore yet (I know waiting to see if it works after a crash is just stupid though)

May get an old laptop to test with

Unless anyone can explain how to check

You shouldn't need to uninstall Kaspersky. Just open TCP Port 4242 on the Kaspersky software firewall (see link in my earlier post).

To test the restore just choose to restore to a different location rather than the original :)
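
One way to check a test restore like the one suggested above, as an added example that is not part of the original thread: restore to a scratch folder, then compare it byte-for-byte with the live data. The function names and the sample folder layout are hypothetical and the sample files are constructed.

```python
import filecmp
import tempfile
from pathlib import Path


def verify_restore(original_root, restored_root):
    """Compare every file under original_root with its restored copy.

    Returns a dict of relative paths: 'ok', 'missing' (never restored)
    and 'different' (restored, but the contents do not match).
    """
    original_root, restored_root = Path(original_root), Path(restored_root)
    report = {"ok": [], "missing": [], "different": []}
    for src in sorted(p for p in original_root.rglob("*") if p.is_file()):
        rel = src.relative_to(original_root)
        dst = restored_root / rel
        if not dst.is_file():
            report["missing"].append(rel.as_posix())
            continue
        # shallow=False forces a byte-for-byte comparison instead of
        # trusting matching size and modification time.
        same = filecmp.cmp(src, dst, shallow=False)
        report["ok" if same else "different"].append(rel.as_posix())
    return report


def demo():
    """Constructed sample: a small 'original' tree and a flawed 'restore'."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, rest = Path(tmp, "original"), Path(tmp, "restored")
        (orig / "docs").mkdir(parents=True)
        (rest / "docs").mkdir(parents=True)
        (orig / "docs" / "accounts.txt").write_text("2017 totals")
        (orig / "docs" / "worksheet.txt").write_text("job 42")
        (orig / "photo.raw").write_bytes(b"\x00\x01\x02")
        (rest / "docs" / "accounts.txt").write_text("2017 totals")
        (rest / "docs" / "worksheet.txt").write_text("job 4?")  # corrupted copy
        # photo.raw is deliberately left out of the restore
        return verify_restore(orig, rest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Files that changed on the live disk after the backup ran will show up as 'different', so run the comparison against data that has not been edited since the last backup.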
 
Both of which would be vulnerable to a ransomware/encryption attack.



You shouldn't need to uninstall Kaspersky. Just open TCP Port 4242 on the Kaspersky software firewall (see link in my earlier post).

To test the restore just choose to restore to a different location rather than the original :)

Cheers. I did open TCP port 4242 but still had issues. It may have still been User error. But after kaspersky it all ran smooth. It was only a trial so hadn't paid for it.

Currently testing on my desktop. Then I'll move onto my work Laptops.

Most files folders that we need are on dropbox. As we can be on the road a lot and still need access to our Worksheets and accounting software etc.

My main concern and probably the main reason for the backups is I could lose a day or more reinstalling and setting up a new laptop for instance if it got stolen or the dog ate it..

So in that instance backing up as a drive image would be the only real way to go. So may not be an option unless I use Macrium. (can't seem to find an image backup on crashplan)
 
My main concern and probably the main reason for the backups is I could lose a day or more reinstalling and setting up a new laptop for instance if it got stolen or the dog ate it..

So in that instance backing up as a drive image would be the only real way to go. So may not be an option unless I use Macrium. (can't seem to find an image backup on crashplan)

No, Crashplan doesn't do drive image backups. You could always create a drive image using Macrium and then include that image/directory in your Crashplan backup set, however that will obviously be quite large... And you'd have to be really unlucky to suffer from a Ransomware attack on the day your laptop gets stolen/damaged so probably not strictly required :p
 
No, Crashplan doesn't do drive image backups. You could always create a drive image using Macrium and then include that image/directory in your Crashplan backup set, however that will obviously be quite large... And you'd have to be really unlucky to suffer from a Ransomware attack on the day your laptop gets stolen/damaged so probably not strictly required
If you have a ransomware attack you will need to do a re-install too - no ? (not sure if you agree/disagree)
A re-install is probably prudent; it may have encrypted system files that are not part of crashplan backup,
so you would need a disc mirror to avoid the multi-day(I agree) re-install mattyg refers to.

The macrium drive images should be kept on a disc that is not online eg.a caddy(icybox) where you physically remove the rotating drives after storing image - so should be ransomware safe;
albeit, macrium is not giving the ease of a daily incremental backups like crashplan .... so - need a hybrid approach.
 
No, Crashplan doesn't do drive image backups. You could always create a drive image using Macrium and then include that image/directory in your Crashplan backup set, however that will obviously be quite large... And you'd have to be really unlucky to suffer from a Ransomware attack on the day your laptop gets stolen/damaged so probably not strictly required :p

Oh great now you've bloody jinxed it......Look out for the thread.....:D;)
 
If you have a ransomware attack you will need to do a re-install too - no ? (not sure if you agree/disagree)
A re-install is probably prudent; it may have encrypted system files that are not part of crashplan backup,
so you would need a disc mirror to avoid the multi-day(I agree) re-install mattyg refers to.

The macrium drive images should be kept on a disc that is not online eg.a caddy(icybox) where you physically remove the rotating drives after storing image - so should be ransomware safe;
albeit, macrium is not giving the ease of a daily incremental backups like crashplan .... so - need a hybrid approach.


HDD space is cheap. Losing Data is expensive.

I may buy a couple of 4TB drives stick them in my backup PC. Do as suggested above. Run crashplan as it is but do a Clone with Macrium and then crashplan can back that up too. It may be overkill but if the clone is only twice a week or so then I'm happy with that.

Unless it doesn't work.

I Have 2 laptops. A desktop, the backup PC and a synology NAS.
 
HDD space is cheap. Losing Data is expensive.

I may buy a couple of 4TB drives stick them in my backup PC.

Or just spend £80 a year on Office 365 and have all important data in your OneDrive? It does version history plus you get several copies of Office for your laptops and desktop.

I doubt you have more than 1TB you could afford losing unless you have a shed load of RAW image files or video files.

You can even Macrium reflect to your NAS, and then upload the image file to OneDrive through an app on the NAS.

You get version history in case the worst happens.
 
Or just spend £80 a year on Office 365 and have all important data in your OneDrive? It does version history plus you get several copies of Office for your laptops and desktop.

I doubt you have more than 1TB you could afford losing unless you have a shed load of RAW image files or video files.

You can even Macrium reflect to your NAS, and then upload the image file to OneDrive through an app on the NAS.

You get version history in case the worst happens.


Already have 1TB Onedrive (office 365 subscription) Lots of photos (nikon D810 so big'sh files)
1TB dropbox


Just added it all up.....Dropbox and Onedrive about 40Gb.
Crashplan C: and program files 650Gb, I think I need a clear out/Clean up. And then I can go all belt and braces. I'm sure I have a lot of rubbish that I could archive now and only backup what's newer.

I should be pretty much covered with what I have...Which is all the more ridiculous that I haven't sorted this yet.
 
you can whitelist all you want but as soon as some clever hacker disguises a hacked software as legit one and gets past the whitelist you are as screwed as the one without whitelist as per my example given regarding downloading the hacked Handbrake.

all security measures in my opinion are always 1 step behind these as the malwares need to be detected first in order to form the necessary signature files for future protection.

So the only real solution is having a good backup. all other measures are preventative but not perfect and can be easily compromised due to user ignorance or error. in a networked environment, the risks of such behaviour are significantly increased.

You are assuming that whitelisting tech can't include hashing, inspection of the exe etc. Which they can. You've also got to do several things in order to screw your PC over to the degree where that "disguised" application can run, download it from a hijacked (rare) or dodgy site (browser might pick this up), install it (which due to whitelisting will prompt or prevent you from doing), have it not be picked up by AV/malware protection, have a compatible OS for the malware to run in (many don't work on all Windows OS), then have it capable of getting back to the C&C servers, which may well be blocked by your home router etc.

Even if we take the first couple of steps there that's manual user intervention in order for it to get on the PC, that's STILL far better than most people's protection.
 
You are right, you can restrict user access and also user ability to open files and so on. But it is not practical in a home networking environment. For large organisations maybe but at some point you have to give some control back to users so they can do their job. But in any case, the protections are as good as the people implementing them and using them. And nothing is fool proof unfortunately.

I restrict on my own PC, my wife's and my daughter's. All at home, all with literally no issues week on week.

Nothing is fool proof, but saying things can't be done and giving poor advice (such as whitelisting doesn't exist) is laughable.
 
I restrict on my own PC, my wife's and my daughter's. All at home, all with literally no issues week on week.
Do you use a whitelisting product ? seems you may use MSE/UAC from earlier posts.


I 'usually' check the checksum on zip/exe downloads, and cross-check against a few download sites, which would, presumably, have avoided handbrake scenario discussed earlier, unless they rigged that.
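
The hashing mentioned in the whitelisting reply and the checksum cross-check described in the post above, as an added example that is not part of the original thread: hash the download and accept it only if several independently published SHA-256 values agree with each other and with the file. The source names and function names are hypothetical and the sample installer is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, published):
    """published maps a source name to the SHA-256 hex string it lists.

    Returns (verdict, detail). The file is accepted only if every source
    lists the same digest and the file matches it.
    """
    if not published:
        return "unverified", "no published checksums to compare against"
    listed = {name: value.strip().lower() for name, value in published.items()}
    if len(set(listed.values())) > 1:
        return "sources-disagree", sorted(listed)  # one listing may be altered
    actual = sha256_of(path)
    expected = next(iter(listed.values()))
    if hmac.compare_digest(actual, expected):
        return "match", actual
    return "mismatch", actual


def demo():
    """Constructed sample: a fake installer and hypothetical source names."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp, "setup.exe")
        installer.write_bytes(b"constructed installer bytes")
        good = hashlib.sha256(b"constructed installer bytes").hexdigest()
        bad = hashlib.sha256(b"some other build").hexdigest()
        return [
            check_download(installer, {"vendor": good, "mirror": good.upper()})[0],
            check_download(installer, {"vendor": bad, "mirror": bad})[0],
            check_download(installer, {"vendor": good, "mirror": bad})[0],
        ]
```

A checksum read from the same server that delivered the file only detects corruption in transit, which is why the check asks for more than one source.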
 