Results 1 to 15 of 38
  1. #1
    2 Star Lounger

    Protecting your backups from Ransomware

    Dear Fred Langa or anyone else that can help

    I and many more need help with Ransomware Protection.
    I have just finished helping 2 clients that got hit with it. One client admits that he clicked on a link in an email that caused his infection. The other client had a Windows Server 2008 that was hit. On the server I found a Trojan downloader and nothing else. I have not found out how the downloader got on the system except that Malwarebytes was somehow disabled, and had to be reinstalled to get it working again. Some other information I found on the server: 1. The ransomware deletes the server log files so you cannot find out who logged in and other information that could have been helpful. The ransomware encrypts more than just your data files: some system files that might help you troubleshoot the infection, and the Totalcmd folder because it's not in the programs folder. The worst part is its ability to find your backups and encrypt them.

    So far the only protection software that seems to be addressing the issue is Malwarebytes. There may be others but I have not found them yet. So this is where we could use some help: protecting the backups. There are a few options like removing the backup device after the backup finishes. This is a manual process that won't work for businesses and users that want to automate the backup process and not be bothered by having a person do it. So how do you hide the backups from ransomware? Please cover this for an attached drive, a NAS box and a local system, server or PC. I know that a remote FTP server would work, but if the data you are backing up is very large, it's not a good option. I talked with WD about having the option of hidden shares on their WDMYCLOUD box, but they are not willing to do this.
    I'm looking for suggestions and how-to processes on protecting the backups, please.

    RonB-TX
    Retired IT support, still taking service calls.

  2. #2
    WS Lounge VIP
    I can't think of an easy way to prevent ransomware encrypting your files once it's loaded. In the case of a server, there should be no internet access anyway, so no chance of infection. Shares will be affected by users, but the server backup takes care of that.

    You could set up a process on a server to check some dummy files every day to see if they've been altered - on shares. If so you have an infection of some sort and hopefully have caught it early.

    cheers, Paul

    p.s. MS FCIV will do the trick.
    Last edited by Paul T; 2016-08-02 at 12:43.
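
The dummy-file check suggested in the post above, sketched in Python with `hashlib` standing in for FCIV. This is an added example, not code from the thread; the canary file names and the `.locked` suffix are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of a small canary file."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(canaries):
    """Record known-good hashes. Keep the result off the share being watched."""
    return {str(p): digest(p) for p in canaries}

def check_canaries(baseline):
    """Return {path: status} for each canary that is no longer intact."""
    findings = {}
    for path, expected in baseline.items():
        if not Path(path).exists():
            findings[path] = "missing"      # deleted, or renamed with a new extension
            continue
        try:
            if digest(path) != expected:
                findings[path] = "altered"  # content no longer matches the baseline
        except OSError:
            findings[path] = "unreadable"   # locked or permissions changed
    return findings

def demo():
    """Constructed scenario: three canaries on a share, two of them tampered with."""
    with tempfile.TemporaryDirectory() as share:
        share = Path(share)
        names = ["a_budget.xlsx", "m_photo.jpg", "z_notes.docx"]  # constructed names
        for n in names:
            (share / n).write_bytes(b"constructed canary content: " + n.encode())
        baseline = build_baseline(share / n for n in names)
        # Simulate what the daily check is meant to catch.
        (share / "a_budget.xlsx").write_bytes(b"\x00" * 64)
        (share / "z_notes.docx").rename(share / "z_notes.docx.locked")
        return {Path(p).name: s for p, s in check_canaries(baseline).items()}

if __name__ == "__main__":
    print(demo())
```

Run `check_canaries` from a scheduled task and alert on any non-empty result; a missing canary matters as much as an altered one, since renamed files show up as missing.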

  3. #3
    WS Lounge VIP mrjimphelps's Avatar
    Quote, originally posted by RonB-TX:
    So far the only protection software that seems to be addressing the issue is Malwarebytes. There may be others but I have not found them yet.
    I use Trend Micro. It claims to protect against Ransomware. I have no reason to doubt their claim, as I have read what is on their website and it looks like they know what they are talking about. I've used Trend Micro for over 2 years, and I've never got hit with ransomware.

    However, your malware protection needs to be installed before an infection hits; otherwise, it is unlikely to be able to protect you from the infection.

    Also, the users need to be careful about where they go and what they click on. If the users are careless, then it doesn't matter what you do; they are vulnerable to getting hit.

    Quote, originally posted by RonB-TX:
    So this is where we could use some help; protecting the backups. There are a few options like removing the backup device after the backup finishes. This is a manual process that won’t work for businesses and users that want to automate the backup process and not be bothered by having a person do it.
    They could try an online backup service, such as Mozy or Carbonite. But if that is not an option, then they will have to do whatever is necessary if they truly want protection, that is, use two separate external drives for backups, and plug in only one at a time when it's time to do a backup with that drive.

    Plugging and unplugging external drives really isn't that difficult; do your backups at night, have someone plug in the appropriate drive before they leave for the day, and then unplug it in the morning when they arrive at the office.

  4. #4
    2 Star Lounger
    Good to know about Trend Micro but it's just like Malwarebytes, it has to be installed before it can help.
    I have some clients that do rotate drives but it is still a human having to remember it and who covers when that person is sick?

    I know that a PC or Server can be hidden on a network so a browser won't find them.
    I also know that you can create a share on a WDMYCLOUD that is password protected.
    The problem is being able to set up your backup software to furnish the user name and password for that share.
    Most backup programs like EaseUS only want the user name and password for the local PC it's installed on.
    Even though we can set up such shares, the backup software is not friendly in using it.
    Setting the share's user name and password to the same as the PC user's is the same as not having that protection.
    Last edited by RonB-TX; 2016-08-02 at 17:30.

  5. #5
    Silver Lounger RolandJS's Avatar
    I've been using WinAntiRansom from Ruiware, however, it might not be enterprise-level; one would have to contact Ruiware and get specs.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  6. #6
    Star Lounger
    I installed Malwarebytes Anti Exploit. Does it work? No idea but cheap insurance. However, I also have a calendar reminder to plug in the USB drive at 2 pm on Saturdays. The backup runs at 2:15 and then I disconnect it.

  7. #7
    Silver Lounger RolandJS's Avatar
    Malwarebytes Anti Exploit, like SpywareBlaster, works quietly, NotInYourFace - with no alert! alert! alert! noise. I plan on adding to my computer later on in freebie mode.

  8. #8
    2 Star Lounger
    To all thanks for taking the time to post your replies.
    More and more virus protection vendors are claiming to cover ransom-ware, still remains to be seen just how good they are.

    The problem which no one has yet offered any solutions to is:
    How do you have auto-backups that backup to a system or device that can be made secure without human intervention?

    The Ransom-ware must not be able to get to the backups even if they are online on the local network.
    The simple and easy solution would be password protection on the share where the backups are placed.
    Even though this is now possible, the system keeps storing the password to make the access easier for the user.
    If Microsoft would add an option, check box to never add this password to the credentials it would help.
    Or if the backup software vendors would add the ability to have a separate user name and password for both the source and destination.

    I know there are a lot of smart people out there, someone should have the answer.

  9. #9
    Silver Lounger RolandJS's Avatar
    "...The problem which no one has yet offered any solutions to yet is:
    How do you have auto-backups that backup to a system or device that can be made secure without human intervention?" RonB
    Excellent question! Ron, awhile back I decided against creating and running any sort of automated unattended backup routine for my home [3] computers. I actually want to see [glancing at them from time to time] my home computers' greenies march across their respective bars from 0-100% -- assuring me that I probably have made a restorable backup. For years, I have had only a very few restore failures due to logical error of one of two assigned to each computer ext HDs.
    Now, for business or industry, unless each end-user enjoys watching the greenies, it's best to create and implement automated unattended [trusted always but verified now & then] backups.

  10. #10
    2 Star Lounger
    Roland,
    This is the problem: automated backups in a business.
    So my question still remains, how best to protect the backups?

  11. #11
    Silver Lounger RolandJS's Avatar
    Quote, originally posted by RonB-TX:
    Roland, This is the problem automated backups in a business. So my question still remains, how best to protect the backups?
    I didn't see that you were posting about backups for businesses and industries; my bad!
    Last edited by RolandJS; 2016-08-11 at 10:55.

  12. #12
    New Lounger
    I don't have this difficulty since I am not a business and it is not a problem to manually plug and unplug a USB drive for backup purposes.

    However, if I wanted automation, my proposed solution would be to have one, two or more USB drives that would be used for backup in sequence. To avoid the need to manually plug and unplug, I would select drives that need a power connection in addition to the USB data connection. All the data connections can be permanent but the power connections would be controlled by time switches. Switches that operate over seven days are quite inexpensive so a different drive can be used for each day of the week if required.

  13. The Following User Says Thank You to awbridge For This Useful Post:

    mrjimphelps (2016-08-11)

  14. #13
    5 Star Lounger
    If you are backing up to a dedicated network volume, you can use a scheduled task to map a drive prior to the backup starting and remove it after. That's still not foolproof because if the server/workstation is infected, it can go after that mapped drive as soon as it gets mapped.

    You can get more elaborate by using a series of volumes, with each one dedicated to a single night's backup. That would expose only one volume at a time. But that's not a particularly easy system to set up.
    Graham Smith
    DataSmith, Delaware
    "For every expert there is an equal and opposite expert.", Arthur C. Clarke (1917 - 2008)

  15. #14
    Star Lounger
    Excellent topic, and one which I have been looking at also.
    re: business - this affects both BUSINESS, AND home.

    re: turning on drive, and running backup - this is not a reliable solution, if the ransomware happens to be running in the background, because if it is a mapped drive or actual drive letter, the ransomware can hit that backup drive. As the original person noted, having a hidden drive is more appropriate.

    I have these same questions; how to use my current equipment (external drives, a WD My Cloud, Amazon cloud backup) and have them be protected from having CURRENT files corrupted by ransomware, so an answer is still needed.

    WHAT I DO currently
    1. Program called Syncovery (a synchronization program), I run it manually, to the external sources. Syncovery just added a parameter for unattended mode, "ransomware flag", which HALTS the unattended operation if more than "X" percent of files in the destination are going to be changed; YOU select the percentage, and YOU have to figure out why they would be changed, BUT it halts the operation.
    ALSO, Syncovery allows for versioning, so that multiple versions of files can be stored on destination, SO that if the drive is protected from CURRENT corruption, then only the latest file versions would be affected if source was, thus preserving the older versions, for recovery.
    BUT, same problem exists, if backing up to an external drive with a drive letter; if ransomware is ACTIVE, then it can corrupt that drive.

    AMAZON CLOUD -
    I use syncovery to back up data to this, using syncovery. Problem with amazon is that versioning does not work that great, so only the latest version can be stored (the way syncovery works) (you COULD set up OLD VERSION directory yourself, to duplicate stuff). BUT, since it is not a drive letter, I do not believe that active ransomware could corrupt the existing files; THUS, the syncovery ransomware parameter would halt uploading corrupted new versions if the "X" percentage of change was noted.

    SpiderOak -
    Again, a cloud backup, which also includes versioning. This runs in the background. BUT, it is not a drive letter or mapped drive. SO, if ransomware hit, the CURRENT version would get screwed up, but PRIOR versions would not. THUS, could recover older versions. BUT, it is more expensive than other cloud sources, BUT that cost would definitely be negated if you got hit with ransomware.

    WD My Cloud
    As this is N.A.S., it has potential for some protection, BUT as noted above, the username/password gets stored, and it gets mounted as a drive, and thus could be hit by the ransomware.
    The prior suggestion to W.D. to HIDE this, and allow it to be accessed similar to regular cloud storage, has LOTS of merit, and I don't believe W.D. understands this, and also does not understand that this could be a MARKETING tool for them to add security.

    FULL IMAGE backup of C: drive
    I use Paragon Hard Disk Suite, to do weekly image backups of the C: drive (my data is mostly on d:, which uses the above methods), so that if ransomware hit the full system, I have potential to get back to a recent workable image.
    I have also RECOVERED images to test viability, and they work.

    SO, more info is needed on this topic, any other contributions are appreciated, and possibly WINDOWS SECRETS could step in and add some information on protecting the drives.

    thanks
    nick
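
The "halt if more than X percent of files would change" idea from the post above, as an added Python sketch. It is not Syncovery's implementation and not code from the thread; the function names, the 30 percent threshold and the sample files are assumptions made for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def change_ratio(previous, current):
    """Fraction of previously backed-up files that are now modified or gone."""
    if not previous:
        return 0.0                       # first run: nothing to compare against
    changed = sum(1 for path, h in previous.items() if current.get(path) != h)
    return changed / len(previous)

def should_halt(previous, current, max_percent):
    """True when the unattended run should stop and wait for a human."""
    return change_ratio(previous, current) * 100 > max_percent

def demo():
    """Constructed data: ten documents, a normal day, then a mass change."""
    with tempfile.TemporaryDirectory() as src:
        src = Path(src)
        for i in range(10):
            (src / f"doc{i}.txt").write_text(f"constructed sample {i}")
        previous = snapshot(src)         # state recorded at the last good backup

        (src / "doc0.txt").write_text("edited by the user")
        (src / "new.txt").write_text("new files do not count as changes")
        normal = snapshot(src)

        for p in list(src.glob("doc*.txt")):   # every old file rewritten and renamed
            p.write_bytes(b"\x00" * 32)
            p.rename(p.with_suffix(".locked"))
        mass = snapshot(src)

        return (change_ratio(previous, normal), should_halt(previous, normal, 30),
                change_ratio(previous, mass), should_halt(previous, mass, 30))

if __name__ == "__main__":
    print(demo())
```

Files that vanish from the source count as changed, so a mass rename trips the gate as well as in-place modification. The previous snapshot has to be kept where the source machine cannot rewrite it.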

  16. #15
    Star Lounger
    Just thinking out loud here: If you booted from a live linux distro, which only runs in RAM, you could backup your data without windows running. If you didn't save changes to the distro (or remove the boot media after it loads) it could never become infected. Thoughts?

    Mark
