• Protecting your backups from Ransomware

    #506453

    Dear Fred Langa or anyone else that can help

    I and many more need help with Ransomware Protection.
    I have just finished helping 2 clients that got hit with it. One client admits that he clicked on a link in an email that caused his infection. The other client had a Windows Server 2008 that was hit. On the server I found a Trojan downloader and nothing else. I have not found out how the downloader got on the system, except that Malwarebytes was somehow disabled and had to be reinstalled to get it working again. Some other information I found on the server was: 1. The ransomware deletes the server log files so you cannot find out who logged in and other information that could have been helpful. The ransomware encrypts more than just your data files: some system files that might help you troubleshoot the infection, and the Totalcmd folder because it’s not in the Programs folder. The worst part is its ability to find your backups and encrypt them.

    So far the only protection software that seems to be addressing the issue is Malwarebytes. There may be others but I have not found them yet. So this is where we could use some help: protecting the backups. There are a few options like removing the backup device after the backup finishes. This is a manual process that won’t work for businesses and users that want to automate the backup process and not be bothered by having a person do it. So how do you hide the backups from ransomware? Please cover this for an attached drive, a NAS box and a local system, server or PC. I know that a remote FTP server would work, but if the data you are backing up is very large, it’s not a good option. I talked with WD about having the option of hidden shares on their WDMYCLOUD box, but they are not willing to do this.
    I’m looking for suggestions and how-to processes for protecting the backups, please.

    RonB-TX
    Retired IT support, still taking service calls.

    • #1573047

      I can’t think of an easy way to prevent ransomware encrypting your files once it’s loaded. In the case of a server, there should be no internet access anyway, so no chance of infection. Shares will be affected by users, but the server backup takes care of that.

      You could set up a process on a server to check some dummy files every day to see if they’ve been altered – on shares. If so you have an infection of some sort and hopefully have caught it early.

      cheers, Paul

      p.s. MS FCIV will do the trick.

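The "check a few dummy files every day" idea above, written out as an added example (not Paul's FCIV script and not part of the original thread): plant static decoy documents, record their SHA-256 hashes as a baseline, and re-check on whatever schedule you choose. File names and the payload are constructed for the demo. A canary that is missing is treated as an alarm too, since an encryptor that renames files with a new extension leaves the original path empty.

```python
"""Canary-file integrity check: baseline a few static decoy documents and
report any that have been modified or have disappeared (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large decoys do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory, names, payload=b"canary document - do not edit\n"):
    """Create static decoy files and return their full paths."""
    paths = []
    for name in names:
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(payload)
        paths.append(p)
    return paths


def write_baseline(paths, baseline_file):
    """Record known-good hashes (the equivalent of an FCIV database).
    In real use keep this file somewhere the monitored machine cannot write."""
    baseline = {p: sha256_of(p) for p in paths}
    with open(baseline_file, "w") as f:
        json.dump(baseline, f)
    return baseline


def check_canaries(baseline_file):
    """Return {path: 'modified' | 'missing'}; an empty dict means all canaries are intact."""
    with open(baseline_file) as f:
        baseline = json.load(f)
    problems = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            problems[path] = "missing"      # deleted, or renamed with a new extension
        elif sha256_of(path) != expected:
            problems[path] = "modified"     # contents overwritten (e.g. encrypted in place)
    return problems


def demo():
    """Plant canaries, baseline them, simulate an encryptor touching two, re-check.
    Returns (problems_before, problems_after) keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        canaries = plant_canaries(d, ["Budget.xlsx", "Notes.docx", "Letter.doc"])
        baseline_file = os.path.join(d, "baseline.json")
        write_baseline(canaries, baseline_file)
        clean = check_canaries(baseline_file)
        # Simulated damage: one decoy overwritten with random bytes, one renamed.
        with open(canaries[0], "wb") as f:
            f.write(os.urandom(64))
        os.rename(canaries[1], canaries[1] + ".locked")
        after = check_canaries(baseline_file)
        return clean, {os.path.basename(k): v for k, v in after.items()}


if __name__ == "__main__":
    print(demo())
```

Run `check_canaries()` from a scheduled task as often as you can afford; a non-empty result is the signal to stop the backup jobs and disconnect the backup targets, which is the point Paul makes about catching it early.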
    • #1573062

      So far the only protection software that seems to be addressing the issue is Malwarebytes. There may be others but I have not found them yet.

      I use Trend Micro. It claims to protect against ransomware. I have no reason to doubt their claim, as I have read what is on their website and it looks like they know what they are talking about. I’ve used Trend Micro for over 2 years, and I’ve never been hit with ransomware.

      However, your malware protection needs to be installed before an infection hits; otherwise, it is unlikely to be able to protect you from the infection.

      Also, the users need to be careful about where they go and what they click on. If the users are careless, then it doesn’t matter what you do; they are vulnerable to getting hit.

      So this is where we could use some help; protecting the backups. There are a few options like removing the backup device after the backup finishes. This is a manual process that won’t work for businesses and user that want to automate the backup process and not be bothered by having a person do it.

      They could try an online backup service, such as Mozy or Carbonite. But if that is not an option, then they will have to do whatever is necessary if they truly want protection, that is, use two separate external drives for backups, and plug in only one at a time when it’s time to do a backup with that drive.

      Plugging and unplugging external drives really isn’t that difficult; do your backups at night, have someone plug in the appropriate drive before they leave for the day, and then unplug it in the morning when they arrive at the office.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #1573081

        Good to know about Trend Micro, but it’s just like Malwarebytes: it has to be installed before it can help.
        I have some clients that do rotate drives, but it is still a human having to remember it, and who covers when that person is sick?

        I know that a PC or server can be hidden on a network so a browser won’t find them.
        I also know that you can create a share on a WDMYCLOUD that is password protected.
        The problem is being able to set up your backup software to furnish the user name and password for that share.
        Most backup programs like EaseUS only want the user name and password for the local PC it’s installed on.
        Even though we can set up such shares, the backup software is not friendly in using it.
        Setting the share’s user name and password to the same as the PC user’s is the same as not having that protection.

    • #1573472

      I’ve been using WinAntiRansom from Ruiware; however, it might not be enterprise-level. One would have to contact Ruiware and get specs.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1573536

      I installed Malwarebytes Anti Exploit. Does it work? No idea, but cheap insurance. However, I also have a calendar reminder to plug in the USB drive at 2 pm on Saturdays. The backup runs at 2:15 and then I disconnect it.

    • #1573545

      Malwarebytes Anti Exploit, like SpywareBlaster, works quietly, NotInYourFace – with no alert! alert! alert! noise. I plan on adding to my computer later on in freebie mode.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

      • #1573556

        To all, thanks for taking the time to post your replies.
        More and more virus protection vendors are claiming to cover ransom-ware; it still remains to be seen just how good they are.

        The problem which no one has yet offered any solutions to is:
        How do you have auto-backups that back up to a system or device that can be made secure without human intervention?

        The ransom-ware must not be able to get to the backups even if they are online on the local network.
        The simple and easy solution would be password protection on the share where the backups are placed.
        Even though this is now possible, the system keeps storing the password to make the access easier for the user.
        If Microsoft would add an option (check box) to never add this password to the credentials, it would help.
        Or if the backup software vendors would add the ability to have a separate user name and password for both the source and destination.

        I know there are a lot of smart people out there, someone should have the answer.

    • #1573566

      “…The problem which no one has yet offered any solutions to yet is:
      How do you have auto-backups that backup to a system or device that can be made secure without human intervention?” RonB
      Excellent question! Ron, awhile back I decided against creating and running any sort of automated unattended backup routine for my home [3] computers. I actually want to see [glancing at them from time to time] my home computers’ greenies march across their respective bars from 0-100% — assuring me that I probably have made a restorable backup. For years, I have had only a very few restore failures due to logical error of one of two assigned to each computer ext HDs.
      Now, for business or industry, unless each end-user enjoys watching the greenies, it’s best to create and implement automated unattended [trusted always but verified now & then] backups.

      "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1573592

      Roland,
      This is the problem with automated backups in a business.
      So my question still remains: how best to protect the backups?

      • #1573616

        Roland, This is the problem automated backups in a business. So my question still remains, how best to protect the backups?

        I didn’t see that you were posting about backups for businesses and industries; my bad! 🙂

        "Take care of thy backups and thy restores shall take care of thee." Ben Franklin, revisited

    • #1574207

      I don’t have this difficulty since I am not a business and it is not a problem to manually plug and unplug a USB drive for backup purposes.

      However, if I wanted automation, my proposed solution would be to have one, two or more USB drives that would be used for backup in sequence. To avoid the need to manually plug and unplug, I would select drives that need a power connection in addition to the USB data connection. All the data connections can be permanent but the power connections would be controlled by time switches. Switches that operate over seven days are quite inexpensive so a different drive can be used for each day of the week if required.

    • #1574216

      If you are backing up to a dedicated network volume, you can use a scheduled task to map a drive prior to the backup starting and remove it after. That’s still not foolproof, because if the server/workstation is infected, it can go after that mapped drive as soon as it gets mapped.

      You can get more elaborate by using a series of volumes, with each one dedicated to a single night’s backup. That would expose only one volume at a time. But that’s not a particularly easy system to set up.

    • #1577680

      Excellent topic, and one which I have been looking at also.
      re: business – this affects both BUSINESS AND home.

      re: turning on drive, and running backup – this is not a reliable solution if the ransomware happens to be running in the background, because if it is a mapped drive or actual drive letter, the ransomware can hit that backup drive. As the original person noted, having a hidden drive is more appropriate.

      I have these same questions: how to use my current equipment (external drives, a WD My Cloud, Amazon cloud backup) and have them be protected from having CURRENT files corrupted by ransomware, so an answer is still needed.

      WHAT I DO currently
      1. Program called Syncovery (a synchronization program). I run it manually, to the external sources. Syncovery just added a parameter for unattended mode, “ransomware flag”, which HALTS the unattended operation if more than “X” percent of files in the destination are going to be changed; YOU select the percentage, and YOU have to figure out why they would be changed, BUT it halts the operation.
      ALSO, Syncovery allows for versioning, so that multiple versions of files can be stored on the destination, SO that if the drive is protected from CURRENT corruption, then only the latest file versions would be affected if the source was, thus preserving the older versions for recovery.
      BUT, the same problem exists if backing up to an external drive with a drive letter: if ransomware is ACTIVE, then it can corrupt that drive.

      AMAZON CLOUD –
      I use Syncovery to back up data to this. The problem with Amazon is that versioning does not work that great, so only the latest version can be stored (the way Syncovery works) (you COULD set up an OLD VERSION directory yourself, to duplicate stuff). BUT, since it is not a drive letter, I do not believe that active ransomware could corrupt the existing files; THUS, the Syncovery ransomware parameter would halt uploading corrupted new versions if the “X” percentage of change was noted.

      SpiderOak –
      Again, a cloud backup, which also includes versioning. This runs in the background. BUT, it is not a drive letter or mapped drive. SO, if ransomware hit, the CURRENT version would get screwed up, but PRIOR versions would not. THUS, could recover older versions. BUT, it is more expensive than other cloud sources, BUT that cost would definitely be negated if you got hit with ransomware.

      WD My Cloud
      As this is N.A.S., it has potential for some protection, BUT as noted above, the username/password gets stored, and it gets mounted as a drive, and thus could be hit by the ransomware.
      The prior suggestion to W.D. to HIDE this, and allow it to be accessed similar to regular cloud storage, has LOTS of merit, and I don’t believe W.D. understands this, and also does not understand that this could be a MARKETING tool for them to add security.

      FULL IMAGE backup of C: drive
      I use Paragon Hard Disk Suite, to do weekly image backups of the C: drive (my data is mostly on d:, which uses the above methods), so that if ransomware hit the full system, I have potential to get back to a recent workable image.
      I have also RECOVERED images to test viability, and they work.

      SO, more info is needed on this topic, any other contributions are appreciated, and possibly WINDOWS SECRETS could step in and add some information on protecting the drives.

      thanks
      nick

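The “ransomware flag” behaviour Nick describes (halt the unattended sync if more than X percent of the destination would change) as an added, runnable example. This is not Syncovery’s code and not part of the original thread; the function names, the 25% threshold and the sample documents are all constructed for the demo. It compares a hash snapshot of source and destination, counts the destination files that a one-way sync would overwrite or delete, and refuses to proceed above the threshold.

```python
"""Change-ratio gate for a one-way backup/sync job: refuse to run when too
many destination files would be overwritten or deleted (added example)."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory):
    """Relative path -> SHA-256 for every regular file below directory."""
    snap = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            snap[os.path.relpath(full, directory)] = sha256_of(full)
    return snap


def planned_changes(src_snap, dst_snap):
    """What a mirror-style sync would do to the destination."""
    overwrite = sorted(p for p in dst_snap if p in src_snap and src_snap[p] != dst_snap[p])
    delete = sorted(p for p in dst_snap if p not in src_snap)
    add = sorted(p for p in src_snap if p not in dst_snap)
    return overwrite, delete, add


def sync_allowed(src_snap, dst_snap, max_change_pct):
    """Return (allowed, percent of destination files that would be overwritten or deleted).
    Added files are not counted: they never destroy an existing good copy."""
    if not dst_snap:
        return True, 0.0   # first run, nothing on the destination to protect yet
    overwrite, delete, _add = planned_changes(src_snap, dst_snap)
    pct = 100.0 * (len(overwrite) + len(delete)) / len(dst_snap)
    return pct <= max_change_pct, pct


def write_files(directory, contents):
    for rel, data in contents.items():
        with open(os.path.join(directory, rel), "wb") as f:
            f.write(data)


def demo(max_change_pct=25.0):
    """Constructed scenario: 10 documents mirrored, then a normal edit, then an encryptor.
    Returns (normal_allowed, normal_pct, attack_allowed, attack_pct)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        originals = {f"doc{i}.txt": f"document {i}\n".encode() for i in range(10)}
        write_files(src, originals)
        write_files(dst, originals)          # destination already holds a good copy
        # Day-to-day work: one document revised -> 1 of 10 would be overwritten.
        write_files(src, {"doc0.txt": b"document 0, revised\n"})
        ok_normal, pct_normal = sync_allowed(snapshot(src), snapshot(dst), max_change_pct)
        # Encryptor on the source: seven more files rewritten, one renamed -> 9 of 10.
        write_files(src, {f"doc{i}.txt": os.urandom(48) for i in range(1, 8)})
        os.rename(os.path.join(src, "doc8.txt"), os.path.join(src, "doc8.txt.locked"))
        ok_attack, pct_attack = sync_allowed(snapshot(src), snapshot(dst), max_change_pct)
        return ok_normal, pct_normal, ok_attack, pct_attack


if __name__ == "__main__":
    print(demo())
```

The gate only catches bulk change. Ron’s later account of a server where only the Office Mate folder was encrypted shows the limit: damage confined to one folder can stay under X percent of a large destination, which is why the thread also leans on versioning and retention rather than this check alone.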
      • #1577690

        Nick,
        That is a really good reply and it seems that you have spent a good deal of time on the subject.
        A recent client got hit and I was able to restore his system to the previous day with a backup that was on the WDMYCLOUD.
        When you make the shared folder on the NAS password protected, ransom-ware is less likely to get at it.
        The problem is the only backup software I have found to date that handles the extra password protection is Acronis.
        I have also used a mount and dismount for a local external drive.
        The backup software issues the mount before the backup and the dismount after.
        This offers some protection; just hope that ransom-ware is not present during backup.
        I just started looking at a Linux box, “QNAP TS-251+”, because it lets you hide and/or password protect shares.

        Backing up to an FTP server will keep ransom-ware out of the backups.

        Yes, I was hoping to have more feedback or suggestions from Windows Secrets, but it has not happened.

        Ron

        • #1578620

          Backing up to an FTP server will keep ransom-ware out of the backups.

          There is another option, which is to use virtual machines. You can have a server with one or more virtual machines on it and back up the images. The server is not connected to the outside world, so it is not at risk. If one of the VMs becomes infected, it can be removed and replaced fairly quickly.

          You can even have a VM on workstations that is used to interface with the outside world while the workstation is kept isolated. The VM is used for web browsing and email and other such activities. It doesn’t even have to be a Windows VM, it can be any OS.

          • #1579226

            Graham,
            I’m not seeing the full picture here. How is a VM protecting your backup files?
            If the VM has access to the backups then a VIRUS inside the VM can access them also.

            Ron

            • #1579285

              I’m not seeing the full picture here. How is a VM protecting your backup files? If the VM has access to the backups then a VIRUS inside the VM can access them also.

              The VM does not have access to the host OS unless you set it up that way. The host OS can backup the entire VM without exposing itself to anything on it.

    • #1577689

      Just thinking out loud here: If you booted from a live linux distro, which only runs in RAM, you could backup your data without windows running. If you didn’t save changes to the distro (or remove the boot media after it loads) it could never become infected. Thoughts?

      Mark

      Win 11 home - 24H2
      Attitude is a choice...Choose wisely

      • #1577692

        Mark,
        Good idea, except I do not know how to automate this process.
        This works as a manual process, but I can’t see it in a live business where systems are up 24×7.

    • #1577693

      Ron

      The “live business where systems are up 24×7” part is well above my pay grade:)

      Mark

      Win 11 home - 24H2
      Attitude is a choice...Choose wisely

    • #1578291

      Two items:
      re: mount and unmount – as you noted, the problem exists if ransomware is lurking.

      re: thread subscription –
      I got notification of the first reply to my reply for this thread; then I have not gotten any other emails to indicate replies received. How do I get notifications of all replies to the threads in these forums?

      Also, FTP – any way to make the WD My Cloud an FTP server?

      Again, I would have hoped there would be more input to this thread, as this topic is very pertinent to current malware attacks.
      thanks
      nick

      • #1578297

        FTP: WD My Cloud has FTP, but they do not support it on the local LAN, only from the router via the web.

        I have been looking at a QNAP box. It seems to give me all the options I need, like a hidden folder with password protection, and they support FTP.
        If you are using FTP, or you have to furnish the full path plus credentials, then ransom-ware won’t see the backup folder even if it is active at the time.
        Only the backup software knows about the backup location.
        The only problem here is you may be backing up already corrupted files, so you need a retention period or more than one backup.
        As nasty as ransom-ware is, you will know you are corrupted within a few hours.

        Ron

    • #1578357

      To test for ransomware, create a few static dummy files and test them every day with FCIV – see post #2

      cheers, Paul

      • #1578406

        Paul,
        The flaw in this test is: ransom-ware is getting picky about what they go after.
        So where do you put these files and how often do you check them? Once a day is too late.
        The 1st one I looked at was a single PC; it got all the files in My Documents, all on the flash drive and some system files.
        The second was a server and it had all weekend to do its work. The server was only used for backups.
        It got all the backup files but not the external unmounted drive. So recovery was painless.
        The third was a medical server that runs a database application via software called Office Mate.
        On this server the only encrypted files were in the Office Mate folder; this included patient documentation and databases.
        Nothing else was touched on the server. Recovery was a restore from an image backup from the day before; we lost one day of work.

        So, even if you were checking your files every hour, a lot of damage can happen in an hour.
        Ransom-ware is as big a problem as, if not bigger than, hacking and stealing information.

        Just today a friend of mine that is a programmer and very careful got infected, and he uses a MAC.
        Of the 4 I looked at, it seems that the source is somewhere in Russia.
        I think you know how much help the World is going to get in stopping the Russians.

        Ron

    • #1578423

      Malware updates are at least a day behind so short of preventing all read/write access on your computer, my test is as good as it gets. 🙂
      (A couple of doc / xls files in Documents is where I’d test.)

      cheers, Paul

      • #1578494

        Paul,
        I think that by the time you detect ransom-ware with your test it’s already too late.

        I think we are getting a little off the path here.
        The post in the beginning was about how to protect your backups from ransom-ware.
        So far the best suggestions are:
        An FTP server to back up to.
        A hidden folder on the network that can only be reached by the full path.
        Folders that are password protected.
        Drives that can be mounted for the backup then unmounted after the backup.

        I currently know how to implement all of these but was hoping to get some new suggestions from some of the PROs that use this forum.

        Ron

        • #1579224

          Paul

          I think we are getting a little off the path here.
          The post in the beginning was about how to protect your backups from ransom-ware.
          So far the best suggestions are:
          An FTP server to backup to.
          A hidden folder on the network that can only be reached by the full path.
          Folders that are password protected.
          Drives that can be mounted for the backup then unmounted after the backup.
          I currently know how to implement all of these but was hoping to get some new suggestions from some of the PROs that use this forum.

          Ron

          Hi Ron and others,
          I like the approach of an electrical connection to a USB memory or NAS that can be off when not in use, so ransomware cannot touch it.
          Rather than an external time switch, I would prefer relays/switches that can be controlled from the computer. Lots of USB or ethernet controlled relays seem to be available on eBay for <$20.

          So the sequence would be;
          1. turn on relay #1 to power up NAS #1 or similar device, make a backup, turn off relay #1.
          2. after x hours repeat with relay #2 and device #2
          3. after 2x hours repeat with relay #3 and device #3, etc

          When the ransomware acts, at worst it will encrypt the currently connected backup, but you have other multiple good backups.

          If the virus hides itself for some time before acting, several backups will contain the virus in its dormant state, but the files are not yet damaged and should be recoverable.
          The time span across the multiple backups should be longer than the interval between when a virus starts to act and when users notice loss of files or the ransom is requested and the backup process is halted.

          I have not tried this approach but it seems practical and secure as the relay control and backup invocation can be handled by a batch file which the virus will not find or understand.

    • #1578426

      We have already been affected by ransomware. The total system was affected; after reinstalling the system it is now working. It mainly affected PDF, Word and Excel files.

    • #1578533

      I won’t bite. 🙂

      cheers, Paul

    • #1578618

      … This is a manual process that won’t work for businesses and user that want to automate the backup process and not be bothered by having a person do it.

      Right here is where the problem is. At this time IMHO we are nowhere near to a system switch (soft- or hardware) that would dependably prohibit any encryption.

      The only working option I currently know of is “to be bothered” and manually disconnect the backup media when the backup process has finished.

    • #1579225

      gw,
      Yes, your idea may work, but I prefer something that is already available, like mount and unmount of the external device.

      • #1579283

        Hi RonB, Graham,
        My view is that a device or a VM must be live and accessible at some machine code level for Windows/Linux to find it and mount it, so the virus can use the same tools that are used by Windows or Linux to find a VM, NAS or other device in the unmounted state.
        This is not possible if a relay removes power from the device or breaks its network connection when a backup is not in progress.
        If the external device is a USB memory stick connected by a USB cable, then it is easy to open the cable sheath and wire a relay to open/close the red wire in the cable, as this provides power for the USB stick. [Don’t mess with the other wires, which carry the data.]
        For total isolation, each USB cable could have a domestic timer to operate the relay at a set time, complemented by a batch prog to check the memory is available at the expected time and then run the backup.

    • #1580168

      Protecting against ransomware begins when you choose which Windows operating system to buy. Get the Professional version or higher, which have the Software Restriction Policy option. Using the Parental Controls may be a way to duplicate the Software Restriction Policy option in Windows versions below the Professional level. Windows Server software also has the Software Restriction Policy option. For ransomware to activate, it must execute its program, but when the Software Restriction Policy is enabled, ransomware, or any other type of malware, cannot execute. So, it just sits there until it gets cleaned out and deleted by the next antivirus software scan. I don’t practice “safe browsing” on the internet. I go almost anywhere. Yet, the Software Restriction Policy, antivirus software (free Avast), Chromium-based browser (Chromodo), standard user account, and Windows Firewall have combined to prevent anything of any significance from compromising my computer for several years, and I occasionally run into some nasty stuff, although not ransomware. I should give some credit to Yahoo which seems to do an excellent job of screening out junk email that might contain something nefarious, although I do have to occasionally pluck out a legitimate email from the junk pile.

      For this to work effectively, users must have a user account without administrator access (a standard user account). If ransomware gets into a user account, the account then becomes similar to a sandbox with the Software Restriction Policy preventing the ransomware from executing. Since you want to run automatic backups, which should be run from the administrator account, then the Software Restriction Policy will have to be enabled for the administrator account also, which will create some inconveniences, such as having to right click your mouse on some shortcuts to get the “Run as administrator” function and enter the administrator account password. These inconveniences will also occur in the user accounts. I have 23 software programs on my computer and two have that type of inconvenience. I’ve never enabled the Software Restriction Policy in the administrator account, so don’t take my word for it that it will work properly with your automatic backup scenario. Test first before going live.

      Enabling the Software Restriction Policy is not just a matter of turning it on. There are some adjustments that need to be made. This fellow has good instructions on what to do: http://www.mechbgon.com/srp/index.html I do most of what he suggests, although I have not got around to Step 6. Here’s some more information about the Software Restriction Policy: http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html

      • #1581401

        cloudsandskye,
        Your reply is well written and I thank you for it.
        Now that the client has been hit once, I believe they will be more willing to do this than before.
        I just now got them to stop using the server as a workstation.
        One problem I have is that the medical software they are using requires admin access.
        I will read the write-ups and see if any of it can be used.

        Ron

    • #1581372

      One way to connect an external drive is to use a clock power controller which connects/disconnects the drive at a specified time and day. Fisher Scientific and InterMec have several; some are battery backed up.

    • #1581398

      Do these controllers safely eject the drive before powering down? If not, don’t you run the risk of corruption of the drive?

      Eliminate spare time: start programming PowerShell

      • #1581414

        No, they do not need to safely eject the drive. The drive does a safe eject automatically on power fail and this is what you are doing. You must make sure the backup is complete, so you set up the power up window for enough time to do the backup. You have to be careful in using this method just as you must be careful in any method.
