Macrium 6 and Cryptolocker


lovelyjubbly
I'd like to find out what we can do to protect our Clients from Cryptolocker encrypting our Image Backups?

Most of my clients are using USB external drives.

One such client got hit by Crypto and all her documents were encrypted.

Fortunately it didn't encrypt our Macrium backup images, however I've read that some variants go for all files on all attached drives.

How do we ensure the nasties can't get at our Backup Images?

Thanks, and well done re V6 :)

Froggie
In my case, the backup of my images is done into a fully protected folder that any ransomware task cannot get access to. I use FolderGuard and any storage device/folder may be protected. If those attached storage volumes don't have to share lots of access with other processes, this method should protect you. If they do, then place your images in a specific folder and protect that folder instead. But remember... that folder will only be protected on the system that has the protecting software installed. If the attached device/folder is shared, the protection will not be shared.
Richard V.
Reflect's backup images are just files.  As with anything else, the only kind of immunity that is absolute (or nearly so) is disconnected isolation from any potential sources of infection and other damage.  I use rotation in swappable drive bays for off-site protection myself, but USB-(dis)connected externals would do just as well.

Regards, Richard V. ("Arvy")
Edited 26 February 2015 2:23 PM by Arvy
Seekforever
Like Arvy says, the only thing approaching absolute protection is to physically remove the backup from the PC and this includes networked PCs and NAS. This means unplugging the backup device. Malware is not written with the same constraints as regular programs so you cannot rely on other methods providing the same level of security as isolation. They may improve the safety considerably but you have no way of knowing if they will protect against all malware.

Having more than one removable drive provides better protection and if you are serious about protecting your files you should be using more than one and rotating it. Securing data files is much, much more important than preserving a Windows and applications installation. That can always be put back.


Edited 26 February 2015 3:31 PM by Seekforever
Merlin
The best way is not to have the drive connected, but a question.
Froggie, with Folderguard, do you need to unlock the folder for the image to proceed, then relock it?
Or is there some way to give Macrium access to the folder and no other processes?
If the folder needs to be unlocked, anything can happen.

Edited 26 February 2015 11:32 PM by Merlin
Drac144
I don't know how those encryption programs work. I assume it takes them some time to encrypt every file. Not sure if it is possible to notice what is going on and power off the computer to prevent all files from getting hit. If the program starts on drive C and works its way up the drive letters, it might be possible to realize email or other software no longer works before other files are hit.

While I keep a copy of my weekly full backup on a normally disconnected external drive, I could lose up to a week's worth of data if I were to get hit by such a virus.
lovelyjubbly
Thanks Frog,

I can't seem to find Folder Guard on the web, first 2 Google results give:

http://www.winability.com/folderguard/

http://www.folder-guard.com/

which seem to be unwell.

Froggie
Merlin, any type of Explorer access is blocked without a password.  At the program level it gets an ACCESS DENIED.

Yes, you can allow certain processes access to the protected area based on program name and hash.  I've given only my file replication software access to the special folder... everyone else needs password access.
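
The name-and-hash allow rule described in the post above, sketched as an added example; it is not part of the original thread and not Folder Guard's own code. The `access_decision` helper, the file names and the placeholder "executables" are all hypothetical and constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash the program file on disk in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(trusted_paths):
    """Map lower-cased program name -> SHA-256 recorded when trust was granted."""
    return {os.path.basename(p).lower(): sha256_file(p) for p in trusted_paths}

def access_decision(exe_path, allowlist):
    """Return (allowed, reason) for a program asking to open the protected folder."""
    name = os.path.basename(exe_path).lower()
    expected = allowlist.get(name)
    if expected is None:
        return False, "program name not on allowlist"
    if sha256_file(exe_path) != expected:
        # Same file name, different bytes: a name-only rule would have let this in.
        return False, "name matches but hash differs"
    return True, "name and hash match"

def demo():
    """Constructed stand-ins for executables; no real programs are involved."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted", "replicator.exe")
        impostor = os.path.join(d, "downloads", "replicator.exe")
        other = os.path.join(d, "downloads", "invoice.exe")
        for path, body in ((trusted, b"constructed trusted binary"),
                           (impostor, b"constructed different binary"),
                           (other, b"constructed unrelated binary")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        allow = build_allowlist([trusted])
        return {label: access_decision(p, allow)
                for label, p in (("trusted", trusted), ("impostor", impostor), ("other", other))}

if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} {'ALLOW' if ok else 'ACCESS DENIED'}: {reason}")
```

With a hash pin like this, a legitimate update to the allowed program is also denied until its new hash is recorded.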
lovelyjubbly
Thanks to everyone who's replied re unplugging the USB drive.

Unfortunately I have real trouble getting my Clients to plug it in!

No way would I be able to get them to plug in and remove the drives.

I'm hoping Macrium will respond to this.

What about password protecting the backup in Macrium, would that do any good?

Froggie
LovelyJubbly, that is the program, authored by Winability.