Backups and Ransomware

Topic

New Reply

It seems to me that backing up is a fruitless endeavor………in terms of ransomware.

OK, I’m a bit jaded on the topic.

But, can’t a ransomware form of malware simply infect (encrypt) your backup regardless of where that backup is located ?

I was looking around at the available backup/anti-ransomware programs and even Macrium with MIG has it’s limitations.  I”m not even sure if these programs would help at all.  Perhaps none.

So wouldn’t the (almost) best way be to simply backup locally and then “unplug” the backup device?

Suggestions, Comments and Critique ?

 

Reply | Quote

Replies

Mike wrote:

So wouldn’t the (almost) best way be to simply backup locally and then “unplug” the backup device?

Yes. You need at least a backup copy on “unpluged” device.

2 users thanked author for this post.

JohnW, cmptrgy

Reply | Quote

[Vincenzo]

My backup drive is unplugged when not running. But even so, i’ve read that some ransomware could put a time bomb in, such that the encryption does not happen right away, which could defeat even that.
I also do cloud backup, Carbonite on one, iDrive on another. And I back up my 3 main computers to each other over the network.

But ransomware is kind of rare, and other things that are fully protected by backup are much more common. So I consider backup of primary importance.

• This reply was modified 5 years, 7 months ago by Vincenzo.
• This reply was modified 5 years, 7 months ago by Vincenzo.

Reply | Quote

Vincenzo wrote:

My backup drive is unplugged when not running. But even so, i’ve read that some ransomware could put a time bomb in, such that the encryption does not happen right away, which could defeat even that.

Eh? An unplugged drive cannot change its contents. Well unless it’s just the data line that’s unplugged AND the thing is a NAS or something with its own operating system or some such and it’s the latter that’s infected with the ransomware.

What is possible with a suitable device driver is that the encryption happens right away, but initially is keyed to open transparently.

So, to be sure, should verify that the backup device is readable on another computer.

Reply | Quote

[Vincenzo]

mn– wrote:

Vincenzo wrote:

My backup drive is unplugged when not running. But even so, i’ve read that some ransomware could put a time bomb in, such that the encryption does not happen right away, which could defeat even that.

Eh? An unplugged drive cannot change its contents. Well unless it’s just the data line that’s unplugged AND the thing is a NAS or something with its own operating system or some such and it’s the latter that’s infected with the ransomware.

What is possible with a suitable device driver is that the encryption happens right away, but initially is keyed to open transparently.

So, to be sure, should verify that the backup device is readable on another computer.

Plant a ransomware time bomb: When ransomware encrypts data, the encryption it generally does so as soon as or shortly after it gets onto the corporate network. Now it’s been observed that ransomware is being launched as a form of an advanced persistent threat. The malware used to launch the attack will infect data, including all the backups, for months before encrypting all that data.

(No, nothing happens when it is unplugged. When you plug it in again, after the bomb date, the files get encrypted.)

https://blog.barracuda.com/2017/09/22/ransomware-attacks-have-entered-the-realm-of-the-insidious-and-vile/

• This reply was modified 5 years, 7 months ago by Vincenzo.

1 user thanked author for this post.

rc primak

Reply | Quote

Yes, non-executable files being “infected with ransomware” means that the files on disk must be encrypted already and depend on the ransomware driver to be transparently opened between then and the trigger date.

Because that’s the only way to retroactively destroy backups that are not currently present.

Hence, take the physical media to a separate, clean machine to verify. AND use multiple media sets so if you lose older backups on currently connected media, you’ll have another set available.

2 users thanked author for this post.

cmptrgy, rc primak

Reply | Quote

mn– wrote:

Yes, non-executable files being “infected with ransomware” means that the files on disk must be encrypted already and depend on the ransomware driver to be transparently opened between then and the trigger date.

Right.  In order to deliver the time bomb, the malware would have to disguise its presence during the latency period.  It would not wait until the time is up before encrypting everything, though, as that can take hours and hours on a large disk, giving the victims the chance to interrupt it.  It would have to silently encrypt the data on the disk, but also decrypt it on the fly for the unsuspecting user, so that the presence of the malware is not advertised.

The idea would be that it would hide its presence long enough to allow the non-encrypted versions to eventually be removed from the backup chain.

The question I have, though, is if the backup is restored while the PC has no internet access, and the RTC date is set to, say, the moment the backup was started (the same time and date that would be reflected in the shadow copy), how would the malware know to pull out the key?  The PC could quite easily be restored to the exact state it was in when the backup was performed, i.e. when the malware was still in its waiting stage.

I would expect that at this point, if the user (who by this point was fully aware that ransomware was present, as it would have already demanded payment) attempted to file-copy the important files (which would be decrypted as they were read into the copy buffer), the malware would attempt to re-encrypt the newly written file as it was written to another fixed disk on that system.  But what if the data were to be written to an FTP server or network share (on an uninfected machine, perhaps one not running the same OS), or emailed to someone?  These kinds of things would be quite common occurrences in business settings, I would think, and if the malware (still in the lie and wait phase) tried to encrypt the data being sent to a machine not able to decrypt it on the fly, not only would that require a big step up in sophistication on the part of the malware to get into the network stack, but it would also signal its presence, as the the recipient of the file (which could not be encrypted transparently at the disk level, as the recipient machine would be clean) would notice it was scrambled.  That would be a dead giveaway that something was wrong, and the time bomb would be ruined.

It would stand to reason that, strategically, the malware would not attempt to intercept these things, or even file copy operations to a USB stick, to avoid advertising its presence too early.  So those things could be used to rescue the data from the restored (encrypted) hard drive, if my guess is correct.

It can’t be that easy to defeat the time bomb, can it?

If you do incremental or differential backups, you’ll also note that the size of the backup files suddenly gets really huge, as the amount of changed files/sectors is suddenly much larger than expected.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Ascaris wrote:

It would stand to reason that, strategically, the malware would not attempt to intercept these things, or even file copy operations to a USB stick, to avoid advertising its presence too early.  So those things could be used to rescue the data from the restored (encrypted) hard drive, if my guess is correct.

It can’t be that easy to defeat the time bomb, can it?

Yes it can… for this category of malware. With the theory that having to do all that is a significant enough effort that victims might prefer to pay.

This is kind of rare in the wild for a good reason but does exist.

(All kinds of nasty things could be avoided with a good enough backup procedure, but conversely, from how much those things still happen we can deduce that the good enough backups really aren’t common enough…)

1 user thanked author for this post.

Ascaris

Reply | Quote

[Bundaburra]

If running a local backup to an external device, disconnect from the Internet before plugging in the backup device, firing up the backup program and running the backup.  When finished, unplug the backup device before reconnecting to the Internet.  That will reduce the risk of anything nasty getting on to the backup device.

Windows 10 Pro 64 bit 20H2

• This reply was modified 5 years, 7 months ago by Bundaburra.

1 user thanked author for this post.

rc primak

Reply | Quote

Nope, that won’t change a thing, unless your backup program goes to the internet to download malware and install it just before the backup.

cheers, Paul

Reply | Quote

I believe a strong protection against ransomware is a cloud backup that does “versioning”, saves previous versions of your files. Carbonite, iDrive, possibly the new Norton 360 backup (I am testing it now)

1 user thanked author for this post.

rc primak

Reply | Quote

… and OneDrive:

Ransomware detection and recovering your files

Restore your OneDrive

Using OneDrive Restore to Recover From a Ransomware Attack

1 user thanked author for this post.

rc primak

Reply | Quote

[Vincenzo]

Looks like One Drive Restore of all files is only for 365 subscribers:

https://support.office.com/en-us/article/restore-your-onedrive-files-48cc6a72-1aca-412c-a670-e6f5b563c1c6?ui=en-US&rs=en-US&ad=US

Office 365 subscribers can use Files Restore to undo all the actions that occurred on both files and folders within the last 30 days

• This reply was modified 5 years, 7 months ago by Vincenzo.
• This reply was modified 5 years, 7 months ago by Vincenzo.

1 user thanked author for this post.

rc primak

Reply | Quote

My strategy is to run a full system drive image every evening, M-F, to an always attached USB HDD.

But since ransomware can encrypt any drive path that is accessible when the computer is running, I keep a second USB hard drive offline, and then once a week I make a full image to that as well, then unplug it when the image task is finished and store that drive in a safe location.

I probably should also store a 3rd copy offsite, or on a cloud storage service in the event of a theft or natural disaster, but I haven’t crossed that bridge yet…

Windows 10 Pro 22H2

1 user thanked author for this post.

rc primak

Reply | Quote

Great discussion and lots of information, I’m glad I asked.  Thank you.

 

What would be real interesting would be to hear what Woody or Susan are doing ??

Reply | Quote

The best protection against ransomware is not to download programs from dodgy sources.

cheers, Paul

Reply | Quote

I back up my key files to an external USB drive weekly, then unplug it and put it away.  It is not a 100% perfect defense against ransomeware, but it increases my odds of being safe; if I somehow get a ransomeware infection, the odds are small that it will still be doing its encrypting pass, and I haven’t noticed that, during the five minutes it takes to back up my files and unplug the drive.

I think the average home user does not have to plan for the Russians to be targeting them in particular, in which case things are hopeless; the more-likely scenario is stumbling across the wrong web site at the wrong time and acquiring a new virus; for that scenario, you can improve your odds of survival a lot by using several safe computing practices as part of a defense in depth strategy.  For me, an unplugged backup drive is part of that.

1 user thanked author for this post.

rc primak

Reply | Quote

gtd12345 wrote:

if I somehow get a ransomeware infection, the odds are small that it will still be doing its encrypting pass, and I haven’t noticed that, during the five minutes it takes to back up my files and unplug the drive

That’s against whole-disk ransomware.

File-level ransomware is a bit different, this might not help much against that, but fortunately these are rather rare.

Still, I’d very much recommend verifying the backup media on a second, known-clean computer.

(Oh and then there’s the removable media security… once tested a security product that managed to autoactivate BitLocker-To-Go on SD cards on connect. Caused some data loss because camera couldn’t cope with that, fortunately nothing unique.)

1 user thanked author for this post.

rc primak

Reply | Quote

mn– wrote:

That’s against whole-disk ransomware.

File-level ransomware is a bit different, this might not help much against that, but fortunately these are rather rare.

Whole-disk ransomware is common but file-level ransomware is rare?

My understanding is exactly the opposite: There are only two or three known examples of whole-disk ransomware (Petya, Mamba, Diskcoder) but many thousands of strains of file-level ransomware.

Reply | Quote

Any thoughts on backing up to a hard drive which is always offline except during backups?  I use Powershell scripts to go online immediately prior to a backup, and then go back offline immediately following a backup.  Is that a reasonably effective approach?  It would seem that the window for exposure is fairly narrow…

Reply | Quote

I think so. But don’t take an anonymous voice as your only opinion. I wanted to introduce an optional way to view the goal of isolated backups. You don’t mention if you have this fully automated for convenience.

I would suggest that you do not, two reasons. Any automated process could easily be mimicked by the bad guys and you would be blind to it. Also, when you do not directly observe a process, it is easy to forget about it. It is easy to push aside that annoying error to get on with the task at hand. Then months latter you find you have no recent backup, at the worst possible time. But there are two moments available to introduce this purposeful oversight.

The first is how I read your brief question. That is you chose to initiate the backup at your convenience. This suggests you are present and already observe the system is in good order before making the latest good copy. Then also verify that good copy is isolated before setting it aside. This might be figurative, you don’t actually move it anywhere but you have logically disconnected the drive.

I’ll now introduce the idea that only a single backup is like not having a backup at all. So you should have more than one. I like a first of the year, first of the month, and at least two drives of current ongoing backups, used in rotation. Having more than one gives opportunity for another, similar process: swapping.

Using this method, you go ahead and automate the backup process itself to some idle hour when you are not even around. It will probably never fail, or it might. So it becomes your duty to verify the process did happen without apparent error. Only when you are satisfied that you now have a newest good copy, do you physically remove that drive and swap it with the older backup drive in the current rotation. Now that copy is in place to receive the next automated backup.

This second method allows for other good backup practices. Like having at least one backup stored offsite (at least in a different room), and being able to choose when to archive a milestone or overwrite to reduce storage needs. This added flexibility may be unnecessary to your needs. I just wanted to show that verifying every time is important. And there is another way to do it.

Reply | Quote

Bruce wrote:

Any thoughts on backing up to a hard drive which is always offline except during backups?  I use Powershell scripts to go online immediately prior to a backup, and then go back offline immediately following a backup.  Is that a reasonably effective approach?  It would seem that the window for exposure is fairly narrow…

I mentioned earlier that my strategy is to use a secondary external drive that remains offline except during backups, and then is stored safely offline afterwards.

My system drive and primary external backup drive remain connected, and with both protected from physical data theft by BitLocker full drive encryption.

I also use security software with strong anti-ransomare features. If it detects file encryption behavior, it automatically blocks that process.

Paranoia level: 5 on a 10 scale…

 

Windows 10 Pro 22H2

Reply | Quote

If you are concerned about ransomware leaving time bombs then you need a more robust backup system.
My preference is for a NAS with snapshots, such as FreeNAS. If you make snapshots once per day and keep them for 6 months you will be able to roll back to a version of the files before they were encrypted, even if the encryption happened weeks ago. This gives you backup without having to take the system offline.

cheers, Paul

Reply | Quote

And as a bonus, frequent snapshots will also protect against accidental overwriting and related issues.

Some people like to continue work from an old file… and some of these have an unfortunate tendency to forget to copy the file.

1 user thanked author for this post.

Indoda

Reply | Quote

Paul T wrote:

If you are concerned about ransomware leaving time bombs then you need a more robust backup system.
My preference is for a NAS with snapshots, such as FreeNAS. If you make snapshots once per day and keep them for 6 months you will be able to roll back to a version of the files before they were encrypted, even if the encryption happened weeks ago. This gives you backup without having to take the system offline.

cheers, Paul

AFTER READING JUST A LITTLE ABOUT FREENAS, iT APPEARS TO BE overkill for the home user w/ 1 – 3 systems running windows.

Reply | Quote

Agreed, but we are talking paranoia…

cheers, Paul

Reply | Quote

DriftyDonN wrote:

AFTER READING JUST A LITTLE ABOUT FREENAS, iT APPEARS TO BE overkill for the home user w/ 1 – 3 systems running windows.

Depends on what data you’re storing on your home systems. Also on your work habits.

Paul T wrote:

Agreed, but we are talking paranoia…

Oh, for that a snapshotting NAS is far from sufficient.

There are people whom I’ve advised to use archival-grade write-once backup media and two good fire/disaster-proof safes, one of them offsite.

By the time you’ve done any kind of research as a hobby for some decades, you might have accumulated a whole lot of data that’d be a bother to recreate.

(Yes, I know some amateur historians and such. Interviewees tend to be old and…)

Reply | Quote