• Ransomware question

    #1734001

    Will Macrium images defeat ransomware if I ever get infected? Does this malware infect the MBR or BIOS so images wouldn't be effective?

    • #1734455

      Will Macrium images defeat ransomware if I ever get infected?

      What it does is allow restoring back to a point where there was no infection.

      Does this malware infect the MBR or BIOS so images wouldn't be effective?

      Hard to say, what with some newer computers having software that allows making BIOS adjustments after Windows is running, but it is possible.


      Before you wonder "Am I doing things right," ask "Am I doing the right things?"
      1 user thanked author for this post.
    • #1734457

      One thing to consider is the location of that system image. If it’s on an external drive that is plugged into the computer in question, it probably won’t save you – it’s likely to also be involved in any malicious encryption the ransomware performs.

      That’s one reason that having off-site and non-connected backups is essential.

      3 users thanked author for this post.
    • #1736152

      You can’t have a definitive answer for “ransomware”. Ransomware is not one piece of software; there are many different ransomware codes.

      Some I saw were pretty basic. They only encrypted some files with specific extensions so if you used Thunderbird instead of Outlook, for example, you were safe for emails. Others “locked” your computer, but they were not very sophisticated either.

      However, even if some ransomware didn’t need to be sophisticated to bring money to its author, it doesn’t mean that some others are not.

      So you need to treat it like any other malware risk. Reduce your risk of having the BIOS compromised by patching it if security patches are issued and do everything you can to protect the BIOS.

      Have a backup done regularly that you don’t leave plugged in. If you want to also add an automatic image every day to something that you leave connected or an internal hard drive, you can be lucky and have a ransomware that would not encrypt the image backup itself if not sophisticated. That lazy solution is better than nothing in addition to a regular backup on an external drive to recover some files, but I am of the school of thought that you should restore from clean backup, then maybe go get some files on a backup that you aren’t as sure isn’t infected instead of blindly restoring the whole local backup and possibly its encrypted malware that hid itself from antiviruses. I prefer to have a clean image that I don’t update for OS and restore data separately, because what if the malware has been there for a while without activating? I find it easier to just start from a clean customized image and add data from the regular backups, from cleaner images to more risky ones if necessary.

      If you do get infected, you would clean the computer first with an external antivirus to check for BIOS, MBR issues, then you would restore the clean image using a CD without booting in Windows first, then you could restore data.

      1 user thanked author for this post.
    • #1762558

      I make all my backup images on external devices (SSD) that are only connected when I am using backup or restore. Seems backing up to the same device you are ‘backing up’ (imaging) would sort of defeat the purpose! I am mostly interested in general answers, especially with regard to BIOS or other locations that may be hidden by the malware. Thanks to all for your replies!

      D

    • #1762596

      I certainly agree that, “backing up to the same device you are ‘backing up’ (imaging) would sort of defeat the purpose”.
      I don’t think I know anyone who does that.

      Image or Clone often! Backup, backup, backup, backup......
      - - - - -
      Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

    • #1762598

      Ransomware that includes rootkits, or any malware that corrupts firmware, is growing for sure.

      In the few cases I have worked where the BIOS appeared to be corrupted by malware, an offline flash of either a BIOS upgrade, or reflashing the same version of the BIOS via a clean USB BIOS image overwrote the problem in the firmware. (Most newer mainboards support flashing from a USB drive.)

      On top of that I recommend clearing all partitions from the hard drive (some malware creates a hidden partition – but tools like GParted can see and erase them) then repartitioning, reformatting, and either complete a clean install or restore a safe known clean image from Macrium or your favorite imaging utility.

      Be aware that some server and high-end workstation hardware also has other firmware systems like remote management (Dell and HP), or Intel management, that may also need to be flashed in the event of a rootkit-like infection.

      So far (knock on wood) I have never seen an infection that could not be cleared from firmware with studious application of safe restoration methods.

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      • #1762628

        I cannot stress this strongly enough: your safe backups or images should be stored OFFLINE — as in not connected except for that window of time when you are creating or refreshing that backup.

        Rotating backups work nicely with this model. One or more are always disconnected from the system.

        This is because it’s become very common for ransomware to go after any backups it can find connected to your system during the encryption phase of the infection. We’re also seeing this type of malware delete shadow copies on the infected system.

        ~ Group "Weekend" ~
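        Detecting the shadow-copy deletion this post describes is one of the few ransomware behaviours that can be alerted on before the encryption phase is over. The following Python script is an added example, not code from this thread or from any product mentioned in it; it runs constructed process-creation log lines (the flattened 4688-style line format and its field names are assumptions made for the example) through a few patterns for the commands that remove Volume Shadow Copies or the Windows backup catalog.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in a flattened Windows Security event 4688
# (process creation) style. They are made up for this example, not real telemetry.
SAMPLE_LOG = """\
4688 user=alice parent=explorer.exe cmd="C:\\Program Files\\Macrium\\Reflect\\Reflect.exe" -b
4688 user=SYSTEM parent=cmd.exe cmd=vssadmin.exe delete shadows /all /quiet
4688 user=alice parent=WINWORD.EXE cmd=wmic.exe shadowcopy delete
4688 user=alice parent=explorer.exe cmd=vssadmin.exe list shadows
4688 user=SYSTEM parent=powershell.exe cmd=wbadmin.exe delete catalog -quiet
"""

# Command-line shapes that remove Volume Shadow Copies or the backup catalog.
# Legitimate admin tooling rarely runs these, so each hit deserves a look.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]

# Assumed line layout: "<event id> user=<name> parent=<image> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<event>\d+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)


@dataclass
class Alert:
    user: str
    parent: str
    cmd: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shadow_copy_tampering(log_text):
    """Return an Alert for every process-creation event whose command line
    deletes shadow copies or the backup catalog; other events are ignored."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "4688":
            continue
        if any(p.search(rec["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            alerts.append(Alert(rec["user"], rec["parent"], rec["cmd"]))
    return alerts


if __name__ == "__main__":
    for a in find_shadow_copy_tampering(SAMPLE_LOG):
        print(f"ALERT shadow-copy tampering: user={a.user} parent={a.parent} cmd={a.cmd}")
```

The parent process is kept in the alert because a shadow-copy deletion spawned by an Office application or a script host is far more suspicious than one run from an administrator's console.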

    • #1763244

      I am a simple no-LAN, home-bound user so there would be no network implications. I have multiple images on 2 external SSDs. I used to do daily backups on magnetic tape when I worked for a living, so redundancy is a habit. I am just not too informed re: ransomware. I use Bitdefender 2019 as AV. I do NOT backup or image anything on the PC I am using…ever. Nor do I leave the external SSDs connected.

      Note: This thread is purely hypothetical (at this point!)

      Are you suggesting that in the case of an attack it would behoove me to air-gap the PC, flash the BIOS (handy USB BIOS flash), then repartition and format the SSD, all prior to restoring my latest image via the WinPE platform? I would have thought restoring the Macrium image would have taken care of the partitioning/format at least…I understand the BIOS would not be part of the restore procedure. I get the procedures you are describing and they are indeed a complete wash, rinse, repeat!

      Would a supervisor password on the UEFI/BIOS protect from attacks?

      Thanks for the replies!

      D
