Macrium 6 and Cryptolocker


Author
Message
lovelyjubbly
lovelyjubbly
Proficient Member
Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)
Group: Forum Members
Posts: 131, Visits: 494
Scott (3/11/2015)
Hi all.

Just to let you all know we have published an article in our Knowledgebase with some information and advice on this issue:

Protection Strategies Against Ransomware

Hope you find it useful.



I must say I found that response underwhelming Sad

Backup to DVD, not with 100 + GB Images.

FTP,  again, I'm not sure this is entirely practical.

I'd like to see something built into Macrium so that there is an option to "lock" the images unless Macrium is manipulating the file.

Trapper
Trapper
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)
Group: Awaiting Activation
Posts: 8, Visits: 148
I'd like to see something built into Macrium so that there is an option to "lock" the images unless Macrium is manipulating the file.


Although not built into MR, Froggie explained how to do exactly this in the 2nd post in this thread.  It's dead simple to do with FolderGuard.

In my case, the backup of my images is done into a fully protected folder that any RansomeWare task cannot get access to.  I use FolderGuard and any storage device/folder may be protected.  If those attached storage volumes don't have to share lots of access with other processes, this method should protect you.  If they do, then place your images in a specific folder and protect that folder instead.  But remember... that folder will only be protected on the system that has the protecting software installed.  If the attached device/folder is shared, the protection will not be shared.                               


Besides protecting your MR files with FolderGuard, you can also protect other backed up data files with FolderGuard against ransomware type viri.  Simply add the appropriate  .exe to FolderGuard's Trusted List, and then only the allowed processes / programs are granted access to your protected files.  It's dead simple and effective. 

I've used FolderGuard for many years. It's a great program.
http://www.winability.com/folderguard/
                               
morph
morph
New Member
New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)New Member (47 reputation)
Group: Forum Members
Posts: 27, Visits: 109
Hi - I've read through these replies and have a probably noob question.

If you set the MR backup file as READ_ONLY won't that prevent such apps crypting the file (without first changing the permissions itself)?  That would seem to be an easy way to at least stop most of the problem.  If that is seen as reasonable, is there a "trivial" VB/BAT/Powershell script that someone could post to set the perms as RO after MR has finished?  Are there repercussions of doing this wrt MR and its retention policy, i.e. does a RO file also prevent MR deleting that file when it comes round to recycling space?

Mike
PS: EDIT after looking at how my (Linux-based) QNAP NAS and it's Samba server work (allowing Windows to access it natively through a shared exported folder) I have found that permissions do not work as expected.  I set them on a sample file on the NAS to (UNIX) 444 which is r--r--r-- (read only) and then was still able to edit that file directly from my PC over the mapped drive :-(

So .. the read-only permissions probably only work with true NTFS local drives.  Even setting the owner of the file on the NAS to be a unique person (not the guest or admin) did not help.  The SMB process (and thus so would cryptolocker) still overwrote my file.  The only way I could get it to do this was to change ownership to "admin" which then thwarted any attempt to edit/overwrite the file.  So ... that would seem to be the only way if you are using a NAS, to actually enforce read-only.
Edited 18 January 2016 4:18 PM by morph
lovelyjubbly
lovelyjubbly
Proficient Member
Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)Proficient Member (223 reputation)
Group: Forum Members
Posts: 131, Visits: 494
                                    

I'm testing a program called Secure Folders (SF) below which looks promising.

I found it on the Wilders Forums:

http://www.wilderssecurity.com/threads/secure-folders-to-protect-folders-and-use-as-anti-executable.369503/page-11

If you go to the following youtube page, there's a demo and download link:

https://www.youtube.com/watch?v=051WlQRsG0U&feature=youtu.be

You'll see how it fares against a range of Ransomeware.

I'm testing it on an external usb drive with just 1 folder:

Folder = Macrium Reflect System Backup, set to Read Only in SF.

The only allowed program to write to this folder in SF is Reflect.

This way I can backup all my user's computers using Macrium Reflect, and not have to worry about them having to remember to unplug their usb drives after backups.

Let me know if I've missed something....

                                 

CubaMadre
CubaMadre
New Member
New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)New Member (12 reputation)
Group: Forum Members
Posts: 8, Visits: 289
lovelyjubbly - 26 February 2015 6:05 AM
I'd like to find out what we can do to protect our Clients from Cryptolocker encrypting our Image Backups?


Only my backup user has permission to write at the backup medias, some users are allowed to read backup medias!
_No_ admin has write permission!
(as others suggested, offline disks is an additional way to protect your backups).
Software whitelisting helps to keep your system clean.
Regards,
CubaMadre;



Seekforever
Seekforever
Master
Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)Master (1.6K reputation)
Group: Forum Members
Posts: 1.1K, Visits: 24K
While programs like Secure Folder and modifying permissions can help protect your data, you still run into the terrorist paradigm, you have to right 100% of the time, the malware only needs to be right once. We can also go into the situation that nobody can do computer protection that nobody will ultimately find a way around.  So while these solutions offer a benefit, the safest solution is to physically keep a copy of the data off the system. Forgetting about malware, it is always a good idea to have copies stored off-line and off-site in case of lightning strikes or power surges that take out the whole system and fire or theft that takes your whole system period.
Edited 22 March 2016 4:40 PM by Seekforever
Stephen
Stephen
Macrium Representative
Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)Macrium Representative (1.2K reputation)
Group: Administrators
Posts: 466, Visits: 9K
Ransomware has become quite a scary type of malware. Everyday we get tickets from our customers worried (some even terrified) of the consequences. 

Here are some tips on how I deal with the ransomware threat.


Education
Most malware infections originate from suspicious emails, websites and installing questionable software.
I've always helped users identify suspicious email and advised them not to open attachments unless they are expecting the email and they know the sender.
Don't stay too long on websites that have questionable content or are full of advertisements. If someone sends you a link don't click on it unless you trust the sender.
Try to avoid installing software unless you have a business/personal need for it and have read reviews. It is also a good idea to test software in a virtual machine first.

Technical
A good spam filter (local or on the mail server) should also help prevent malware and phishing emails getting through. *
A web content filter will help prevent users from visiting websites they shouldn't visit however, if you are not in a business environment this is likely something you won't have available (some ISPs in the UK do provide a content filter). A good parental web filter or modern antivirus should help detect malicious and compromised sites. Sophos offer a free AV with web filtering for home use, I personally use this.
A good firewall that has IP reputation features should help protect your network (more relevant for business). Most malware "calls home" to function or install its payload. Blocking the access to these IP's help prevent further infection. Firewalls appliances from Sophos, Untangle and ThreatStop are good choices. 
Installing an modern antivirus is also a must. Some vendors are now targeting ransomware specifically and are worth a look. 
           Malwarebytes Anti-Ransomware
           HitmanPro
Keep you computer and installed software patched. Especially browsers and use ad-blocking extensions if you can.

Minimising Impact
Log on to Windows using an account without administrative privileges, if you do get a malware infection this should limit the effect. For example If you logon as a domain administrator and get infected, the malware will have full access to all your systems where, if Bob from sales gets an infection it will be limited to the areas he has access to.
Take regular backups and have backups stored offsite. (Thanks SeekForever)
Log file/folder changes on a network share. 

Dealing with an Infection
You only have two option when dealing with modern ransomware:
1) Pay up (not recommended)
2) Restore from a backup.

This is by no means an exhaustive list but it gives an idea of what can be done. If you would like to add to my tips I will happily pin the post for all to see.

* If you wish to discuss firewalls/spam filters etc please open a thread in the watercooler



Kind Regards

Stephen

Next Webinar

See our reviews on

Trustpilot Logo
Trustpilot Stars


GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search