
Question about how Ransomware works....


jeffw_00


Hi - My wife runs a small Windows-based business and I want to give her some extra protection against Ransomware.  I already have full daily automatic backups running, but the backup files are stored on a connected live system (so also subject to ransomware).  Because of other facilities I have available, I could connect an external HD that requires its own power supply, and once a day I could automatically power up the HD, copy files to it, and then power it down.  [If really necessary I could also power off our router during that period.]  The hope is that ransomware can't reach a drive that is powered down, thus giving us a daily -safe- backup.

 

But I admit to knowing little about how Ransomware really works - could it impregnate itself on my drive and data such that after the attack, when I tried to connect that powered off drive to a clean machine, the ransomware would 'wake up' and trash the backup drive?   Could it infect the external drive during one of its connected periods such that the drive later appears encrypted?   Or am I overly paranoid?

 

Question really is - is an offline backup that is connected only for the time to transfer ~ 400GB once a day useful extra protection?  Is there a twist to this that -would- work?

 

[And yes, I already run good (ESET) antivirus and email protection, never open attachments from unknown sources, keep my machines thoroughly updated, and other security "basics".]

 

Thanks!

/j


The way ransomware is able to infect a computer is the same way any malware can. The difference is what happens after infection. Typically, with ransomware, all the files on the system are encrypted. And unless you know the decryption key, they are unreadable to you. 

 

You pay the ransom, the bad guys send you the key to unlock your files, and you are good to go. And for the most part, the bad guys are honest (🤨) about it. That is, you pay, they really do give you the key to unlock your files. If they didn't, folks would soon learn it does not pay to pay. 

 

Quote

And yes, I already run good (ESET) antivirus and email protection, never open attachments from unknown sources, keep my machines thoroughly updated, and other security "basics".

That's really what it takes. I am going to assume the computers are behind a router too, which adds another nice layer of security. 

 

Having an "off-line" (disconnected) backup may offer additional peace of mind, but I doubt it will add anything significant to your security - EXCEPT for "physical" security. That is, everyone should always maintain an "off-site" backup. This is to ensure a bad guy breaking into the home or business does not steal all your computers and the backup drive too. Or a fire, flood or hurricane/tornado destroying the building and everything in it. Or Mother Nature tossing a lightning bolt directly at your service panel. 


Thanks for the response! - We are behind a FiOS router.  We do maintain an off-site backup - but it's refreshed much less than daily.  We also have surge suppressors, smoke detectors and the like.  So you're saying that if some malware gets through, the fact that we have a backup from yesterday (most likely) physically disconnected from the system doesn't help?  ok.. 


5 minutes ago, jeffw_00 said:

So you're saying that if some malware gets through, the fact that we have a backup from yesterday (most likely) physically disconnected from the system doesn't help?  ok.. 

 

No. I never said that. I said, "I doubt it will add anything significant to your security".

 

You are assuming first that malware is going to get through. Through to what? So assuming it is going to infect the computer that lets it through, then what? It is somehow going to infect your backup drive? How?

 

Is it possible? Sure. But likely - given the precautions you already are taking? I doubt it. 

 

Where is that backup drive connected? To a host computer or is it hanging directly off your network?


Sorry - let me be clearer - I get that ransomware is a piece of malware.  My scenario is that, despite best efforts, it gets onto my system.  If it immediately encrypts everything and locks it all up then having something off-line (copied at a time that there was no other activity on the computer) seems like it might provide a quick restore.  However, if the malware is more nefarious than that, and somehow (and I'm handwaving here) "infects" everything long before showing itself, then it would also "infect" the off-line drive and there's no benefit.  

 

But your point is well taken - we've kept all sorts of malware (AFAIK) off our systems up to now; if ransomware is no more likely to hit us than anything else then maybe we're ok.  Although - our last defense against all the other malware attacks is our daily backups - made using IFW on both of our systems and then cross-copied (so the image backup of each system/app/data disk is stored on a "storage" disk on -both- machines). 

 

I would connect the backup drive to one machine via USB.  I have home control SW so I can write a perl script to power up the drive, copy over the 400GB of backup files, and power it down immediately after.  

 

Thanks!

/j


In my limited sample size of folks in my neighborhood, the only one who got infected with ransomware did not have decent malware protection running and he clicked on a bad email attachment. I think if you have good security software and are careful your chances of safety are pretty good.


Agreed - but we are running a business here, and my "last resort" safety is my backups, which are vulnerable.  I have an extra drive, so my out-of-pocket is $20 for the enclosure - if it makes me ransomware-proof it may be worth doing (but does it? 🙂 )


20 hours ago, jeffw_00 said:

Sorry - let me be clearer - I get that ransomware is a piece of malware.  My scenario is that, despite best efforts, it gets onto my system.  If it immediately encrypts everything and locks it all up then having something off-line (copied at a time that there was no other activity on the computer) seems like it might provide a quick restore.  However, if the malware is more nefarious than that, and somehow (and I'm handwaving here) "infects" everything long before showing itself, then it would also "infect" the off-line drive and there's no benefit.  

Okay, but these scenarios are possible regardless of the type of malware involved. 

 

This is why any robust backup plan must involve multiple backups. And some should be a week old or older. And some backups may need to be full image backups, some backups may need to be just the user data. Do you do "incrementals" too?

 

How long do you keep your backups? If you only go back to the previous day, that is not a robust backup plan. 

 

However, you said you are concerned that the malware might infect everything "long before showing itself". That is extremely unlikely. While it is not uncommon for malware to be coded to sit dormant and hidden until triggered by some event, it is even more unlikely your antimalware solution would not find it and negate it. Your security software is not sitting there waiting for the malware to wave flags, yell "over here" and announce its presence. 

 

Your security solution is actively looking for "known bad", and even "suspicious looking" code for every bit of data coming into your system - even before it is saved to disk, or is allowed to execute in memory. And your security solution is constantly looking for "suspicious activity" in your system's virtual memory (RAM plus page file). And then your security solution regularly scans your drives, looking again for known bad and suspicious looking code on your disks. 

 

The point is, the antimalware industry (and they all share information, BTW) is constantly updating their detection methods so it is highly unlikely any malware could sit on your systems for any length of time (let alone "long" times) without being detected. Of course, that assumes you keep your security software current. 

 

20 hours ago, jeffw_00 said:

I would  connect the backup drive to one machine via USB.

 

I personally would change this. Instead of attaching an external drive to a (possibly infected - or simply corrupt) computer, I would use a NAS (network attached storage). A backup device that connects directly to your network via Ethernet. Most of these run a version of Linux. Then I would regularly back up to it as one of my backup copies. 

 

 


Hi - Thanks for the response.  My current backup solution is: 

Full image backup once a week

incremental & differential the other 6 days.

All backups are stored 

a) on the same machine, on a different disk

b) on a separate machine.

(all image backups are re-verified on their destination machine)

 

3 weeks of backups are stored locally. Once a month the most recent full backup is stored off-site.  3 months of off-site images are retained.

 

[the above is all 100% automated]

 

The external drive (and it could be NAS just as easily - not sure why that's better?) would capture the most recent full, or differential, and keep about a week's worth of data.  

 

I look forward to your thoughts.

/j

 


So from another source I got an interesting recommendation:

 

I added code to my backup script, to

1) change the file attribute to read-only

2) change the security setting to "Everyone:R".

for all my backup files. 

 

Thus, any malware would have to go through a few steps before modifying/deleting the files.  Obviously ransomware doesn't scramble every file on your system (otherwise it wouldn't boot) so most likely it's not going to bother to undo these steps.   Clever?  Or naive? 

Thanks!

/j

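As an added example (not the poster's Perl script, and not code from anyone in this thread), here is a PowerShell version of the two steps just described, applied to every file under an assumed backup folder, together with the reverse step a weekly retention needs so the job can still prune its own old copies. `C:\OfflineBackup`, `D:\Backups` and the robocopy invocation are assumptions for illustration.

```powershell
# Added example, not the poster's script. Applies the two hardening steps
# from the post to every file under a backup folder:
#   1) set the read-only attribute
#   2) replace the file's ACL with a single "Everyone: Read" entry
# $BackupRoot is an assumed path; run as the account that owns the copies.
function Protect-BackupFiles {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$BackupRoot)

    # One ACE reused for every file: Everyone gets Read and nothing else.
    $everyoneRead = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'Everyone', 'Read', 'Allow')

    foreach ($file in Get-ChildItem -Path $BackupRoot -File -Recurse) {
        # Step 1: read-only attribute (a plain overwrite or delete now fails).
        $file.IsReadOnly = $true

        # Step 2: stop inheriting from the folder, drop the explicit ACEs,
        # and grant Everyone read-only.
        $acl = Get-Acl -LiteralPath $file.FullName
        $acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs discarded
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($rule)
        }
        $acl.AddAccessRule($everyoneRead)
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
    }
}

# The poster keeps "about a week's worth". Copies older than that have to be
# unlocked again before they can be pruned, because the attribute and the ACL
# block the script's own delete as well. The file owner can always reset both.
function Remove-ExpiredBackupFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [int]$KeepDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$KeepDays)
    $expired = Get-ChildItem -Path $BackupRoot -File -Recurse |
        Where-Object { $_.LastWriteTime -lt $cutoff }

    foreach ($file in $expired) {
        # Re-grant the running account full control (owner has implicit WRITE_DAC),
        # clear the attribute, then delete.
        $acl = Get-Acl -LiteralPath $file.FullName
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$env:USERDOMAIN\$env:USERNAME", 'FullControl', 'Allow'))
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
        $file.IsReadOnly = $false
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

# Nightly job after the drive has been powered up (all paths assumed):
#   Remove-ExpiredBackupFiles -BackupRoot 'C:\OfflineBackup' -KeepDays 7
#   robocopy 'D:\Backups' 'C:\OfflineBackup' /E /R:1 /W:1
#   Protect-BackupFiles -BackupRoot 'C:\OfflineBackup'
```

Both steps are friction rather than a boundary: the account that owns the files can reverse them, so anything running as that account or with administrator rights can too. That is consistent with the reply further down ("anything that makes it more difficult for the bad guy adds value"), but it is not a substitute for the powered-down copy or the NAS the thread also discusses.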

NAS is better, IMO, because it does not depend on another machine. If the host machine is infected, the malware could much more easily move to any connected device. Plus, a NAS has its own OS. 


Hello,

There is no one single way that ransomware enters a system, or what it does to encrypt the information stored on the computer. 

 

It could be done using purpose-written malware, or by making use of existing software libraries.  The type of encryption can vary greatly, too.  Sometimes the ransomware is a plain old binary program file, sometimes it is a script, and sometimes it is a program that only runs in memory and is never written to disk.

If the ransomware operator is new, they may make mistakes in how they implement the encryption, such as accidentally making it much weaker or doing something programmatically that allows a decryption key to be brute-forced.  The malware operator may also leave a key in a location where it can be found, and so forth.

 

The ransomware operator may notify the victim as soon as they are done encrypting the data files, or they may wait some time in hope of compromising the backups as well.

 

I think the idea of keeping backups offline is fine, however, the one thing I would suggest is periodically restoring a backup and verifying that the operation was performed correctly and that the data which was restored is not corrupt.  This would be something for which an older non-networked computer would be ideal.

 

Regards,

 

Aryeh Goretsky

 

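One way to make the "periodically restore and verify" step mechanical, as an added example that is not part of this post and not anyone's product: write a SHA-256 manifest when the offline copy is made, then check the copy against it later from the separate, non-networked machine suggested above. `C:\OfflineBackup` and the manifest path are assumed; the manifest should be kept with the verifying machine so a tampered copy cannot also rewrite its own manifest.

```powershell
# Added example, not from the thread. Records a SHA-256 manifest of an offline
# backup copy and verifies the copy against it later. Paths are assumed.
function New-BackupManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    Get-ChildItem -Path $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

# Returns a list of findings; an empty list means the copy matches the manifest.
# "changed" means the bytes differ from when the copy was taken, which is what
# an in-place encryption of a backup file would look like.
function Test-BackupManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root     = (Resolve-Path -LiteralPath $BackupRoot).Path.TrimEnd('\')
    $entries  = @(Import-Csv -LiteralPath $ManifestPath)
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($entry in $entries) {
        $path = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $findings.Add("missing: $($entry.RelativePath)")
            continue
        }
        $actualLength = (Get-Item -LiteralPath $path).Length
        if ($actualLength -ne [int64]$entry.Length) {
            $findings.Add("size changed: $($entry.RelativePath)")
            continue   # no point hashing a file that is already the wrong size
        }
        $actualHash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actualHash -ne $entry.Sha256) {
            $findings.Add("changed: $($entry.RelativePath)")
        }
    }

    # Files on the drive that the manifest never saw (e.g. ransom notes dropped
    # next to the backups) are worth reporting as well.
    $known = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($entries | Select-Object -ExpandProperty RelativePath))
    foreach ($file in Get-ChildItem -Path $root -File -Recurse) {
        $rel = $file.FullName.Substring($root.Length + 1)
        if (-not $known.Contains($rel)) { $findings.Add("unexpected: $rel") }
    }
    return $findings
}

# Usage (paths assumed):
#   New-BackupManifest  -BackupRoot 'C:\OfflineBackup' -ManifestPath 'C:\OfflineBackup.manifest.csv'
#   Test-BackupManifest -BackupRoot 'E:\OfflineBackup' -ManifestPath 'C:\OfflineBackup.manifest.csv'
```

A clean manifest check only proves the copy is byte-identical to what was written; it does not prove the image itself restores. The restore-and-boot test Aryeh describes is still needed, just less often, and the manifest check tells you which copy is worth spending that time on.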

On 8/20/2021 at 5:52 PM, jeffw_00 said:

No disagreement that NAS is better.   Wondering if the file protection scheme I mentioned has any value.

Anything that makes it more difficult for the bad guy adds value. By far, most bad guys, unless they are targeting you (or your organization) specifically because they know for a fact, you have something of value for them, are lazy opportunists. They go for the easy pickings. So when they meet resistance, they tend to move on. 

 

We have to remember, there is no perfect solution. If a determined, experienced bad guy wants in, chances are he or she will find a way to get in. This is where you need to make sure your operating systems and real-time security solutions are current, and you and all your users don't simply open the door and invite the bad guy in. That is, the users must not be "click-happy" on unsolicited links, downloads, popups, and attachments. And frequent constant reminders to all your users about the risks of being "click-happy" are prudent too. 

 

Since the user is ALWAYS the weakest link in security (we are only human, after all) you have to assume the worst. And not just from the bad guys, Mother Nature, but from ourselves too. 

 

Oh, backups stored to the NAS can be encrypted too. 

 

Quote

the one thing I would suggest is periodically restoring a backup and verifying that the operation was performed correctly and that the data which was restored is not corrupt

This is so important. Too many times I have seen folks set up elaborate backup plans, then they never test them to see if they work, or practice restoring so they know the procedures. 

 

One last thing. Did you know that Windows 10 has ransomware protection built in? The only thing is, it is not enabled by default. You might want to check it out. How to enable Ransomware Protection in Windows 10.

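For anyone who does run Microsoft Defender, here is an added example (not from the thread or from Microsoft's documentation) of checking and enabling the Windows 10 feature just mentioned, which Defender calls Controlled folder access, from an elevated PowerShell session using the Defender cmdlets. It only takes effect when Microsoft Defender is the active real-time antivirus, which is why the original poster's ESET setup cannot use it. Folder and program paths are assumptions.

```powershell
# Added example, not from the thread. Audits and enables Windows 10
# "Ransomware protection" (Controlled folder access) with the Defender
# cmdlets. Requires Microsoft Defender as the active AV and an elevated shell.
function Get-ControlledFolderAccessState {
    $pref = Get-MpPreference
    [pscustomobject]@{
        # 0 = Disabled (the out-of-the-box value the post refers to),
        # 1 = Enabled, 2 = AuditMode (log what would be blocked, block nothing)
        Mode             = $pref.EnableControlledFolderAccess
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Enable-BackupFolderProtection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$BackupFolders,   # assumed, e.g. 'D:\Backups'
        [string[]]$BackupTools = @(),                      # assumed, e.g. the imaging tool's .exe
        [switch]$AuditOnly                                 # start here to see what would be blocked
    )
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Set-MpPreference -EnableControlledFolderAccess $mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders $BackupFolders
    if ($BackupTools.Count -gt 0) {
        # The backup program itself must be allowed, or its own writes are blocked.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $BackupTools
    }
    Get-ControlledFolderAccessState
}

# Blocked (1123) and audited (1124) writes are recorded in the Defender
# operational log; reviewing them is how you find a legitimate program that
# still needs to be allowed, and how you notice something that should not be
# touching the backups at all.
function Get-ControlledFolderAccessEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } | Select-Object TimeCreated, Id, Message
}

# Usage (paths assumed):
#   Enable-BackupFolderProtection -BackupFolders 'D:\Backups' -BackupTools 'C:\Program Files\IFW\imagew64.exe' -AuditOnly
#   Get-ControlledFolderAccessEvents
#   Enable-BackupFolderProtection -BackupFolders 'D:\Backups' -BackupTools 'C:\Program Files\IFW\imagew64.exe'
```

Running a week in audit mode first avoids the usual surprise of the backup or imaging tool itself being blocked on the first real run.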

Thanks.  I trust my "users" (only one - my wife :-)) to be doing the right thing.  The thing about that ransomware protection is that you have to be using Windows Defender and I think overall ESET is better.   Thanks for all the advice - very helpful indeed!


Well, that's up to you. I personally don't care what security program people use as long as they use a decent one and they keep it current. 

 

FTR, I've been using Microsoft Defender (formerly Windows Defender) on all our systems here since W7 when it was in its Microsoft Security Essentials (MSE) iteration - with no issues. I think it is important to note we don't have to drive around in an Abrams tank to remain safe. We just need a current vehicle that is properly maintained (kept current) and most importantly, we need to drive defensively. Same with security software. 

 

I am not suggesting you change. If you like ESET and it's been working for you, then great! By all means, stick with it.

 

And I am not trying to start a debate over which is better. All I am saying is, don't discount Microsoft Defender because you have heard some claim it is not capable of protecting us. It is. And there are 100s of millions of safe and secure users out there as proof. 

 

And remember, you have to wonder, what incentive does ESET, Norton, McAfee, BitDefender, Kaspersky, Avira, and all the other aftermarket solutions have to actually rid the world of malware? The answer is "none"! That would put them all out of business. For Microsoft, on the other hand, if malware went away, they would stop getting blamed for the security mess the bad guys put us in, and the security mess all those aftermarket solutions failed to prevent - since it was them who whined and cried "monopoly" to Congress and the EU that it was their job to stop malware when Microsoft wanted to put A/V code in XP. Yes, Microsoft did want to rule the world but that's for a different discussion. MS was forced to leave the A/V code out of XP, or risk being broken up Ma Bell style. 

 

We see how well Norton, McAfee and others did. It makes you wonder why Norton and the others, Congress and EU have all been totally silent about Microsoft including anti-malware code in W8, W10, and now W11. 

 

Oh, and regardless of your primary solution, you should always have a secondary scanner on hand for double checking. I use and generally recommend Malwarebytes for that. For what it's worth, Malwarebytes has never found anything Defender (or me, as the user and weakest link) let through. And just for the record, the real-time version of Malwarebytes Premium and Microsoft Defender play real well together. That is, you can run both at the same time without worry of conflicts, or the hogging of resources. Worth checking out when/if you get another computer, or want to try something else. 

 

 


In the early days of ransomware, individuals were the targets because they were "easy pickings".  Lock the consumer's PC and pretend to be MS and charge a fee to unlock.  But today, unless you are careless about opening links in emails or iffy websites, you aren't likely to be hit by an attack that encrypts your data.  Those attacks are usually aimed at orgs with "deep pockets".  But there is an inexpensive trick to lessen your vulnerability.  Use two routers.  Put a cheap PC to use for emails and normal browsing behind the first router.  Then chain from the first router to the WAN port of the second router and put your main system behind it, and use a different subnet.  It is hard enough to hack through the first router.  Even noticing the second one, much less hacking it too, is highly unlikely unless the target is KNOWN to be very valuable.  Just my two cents worth.🤔

Edited by Bookmem

Would a VPN help with security for you?

 

What Is a VPN, and Why You Need One

 

What Is A Business VPN, And How Can It Secure Your Company?

 

You can buy routers specifically for VPN use.

 

Best VPN routers 2021: top routers for Virtual Private Networks

 

All the above links are just for information generally. You would need to do some more research if you were to go that route. 😎

 
