Ransom Ware Question...Again


Author
Message
wags1
wags1
Talented Member
Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)
Group: Forum Members
Posts: 83, Visits: 535
So I started making offline copies, once a week, of my Full Image backup files for added protection against ransom ware. I alternate between a USB 3.0 flash drive and a USB 3.0 portable HDD. A little background is required:

I only do image backups not file/folder backups. My backup scheme is full backups every Sunday and incrementals Monday thru Saturday. I keep a total of 4 chains. The backups are written to a Synology NAS drive. The image backup files are password protected. Once a week (as long as I am not traveling) usually on Sunday night or Monday during the day, I connect the USB drive ( as I said I alternate between a USB 3.0 flash drive and a USB 3.0 portable HDD) to my laptop and copy the most recently written full backup image file to the drive and then disconnect it.

So here is the question. I realize it is better to be safe than sorry, but in the scheme described, what is the real exposure? As far as I can tell in order to mount any of the backup image files you would need a copy of MR and then also need my password that is used to protect the files. And even then I don't think you can actually write back to the image backup file. So how could ransom ware even do anything? I'd honestly rather not go thru this once a week manual ritual if I didn't have to as all the other backup functions are totally automated. What am I missing?
Froggie
Froggie
Macrium Hero
Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)
Group: Forum Members
Posts: 1.2K, Visits: 11K
Wags1... RansomeWare could encrypt the IMAGE file itself (not the files within the image), which would make it useless to you for anything (restoration or mounting).

Some of the newer variants of RansomeWare, instead of encrypting the entire file (which they all used to do), they are now only encrypting a coupla kiobytes of each file which accomplishes two things... it makes almost all the files useless AND is lightning fast in its encryption operation.

So far, none have been seen to be encrypting various FileTypes used by imaging software manufacturers... but don't let that lull you to sleep.
Edited 6 June 2016 8:03 PM by Froggie
L. W. "Dan" Danz
L. W. "Dan" Danz
Proficient Member
Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)Proficient Member (310 reputation)
Group: Forum Members
Posts: 171, Visits: 3.2K
There's another reason to continue your manual method of a safety backup (besides Ransomware):  Mother Nature/Acts of God that destroy your NAS and your laptop.   My advice:  always have an off-site backup for protection. 

  L. W. "Dan" Danz, Overland Park KS  

wags1
wags1
Talented Member
Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)
Group: Forum Members
Posts: 83, Visits: 535
DanDanz - 6 June 2016 8:11 PM
There's another reason to continue your manual method of a safety backup (besides Ransomware):  Mother Nature/Acts of God that destroy your NAS and your laptop.   My advice:  always have an off-site backup for protection. 

Sorry, I forgot to mention that I also use Carbonite to do continuous backups of all my files and folders to the cloud. Just for the case you describe...
Edited 6 June 2016 8:40 PM by wags1
wags1
wags1
Talented Member
Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)
Group: Forum Members
Posts: 83, Visits: 535
Froggie - 6 June 2016 8:01 PM
Wags1... RansomeWare could encrypt the IMAGE file itself (not the files within the image), which would make it useless to you for anything (restoration or mounting).

Some of the newer variants of RansomeWare, instead of encrypting the entire file (which they all used to do), they are now only encrypting a coupla kiobytes of each file which accomplishes two things... it makes almost all the files useless AND is lightning fast in its encryption operation.

So far, none have been seen to be encrypting various FileTypes used by imaging software manufacturers... but don't let that lull you to sleep.

I guess that is what I'm not getting. Even with a copy of MR and the password I can't write back to the image file. I don't see how the ransom ware is going to encrypt anything if it can't write to it. Like I said, I'm sure I don't fully understand how ransom ware works and how it would encrypt the image files. 
Edited 6 June 2016 8:40 PM by wags1
wags1
wags1
Talented Member
Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)
Group: Forum Members
Posts: 83, Visits: 535
And just for completeness, the Synology NAS is a two bay NAS that I have setup as Raid 1 using two 2 TB HDD's. It provides continuous monitoring of both drives and will send me an email if either of them reports any issues or begins to degrade. It provides hot swap capability of the HDD's. 
Drac144
Drac144
Expert
Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)Expert (885 reputation)
Group: Forum Members
Posts: 592, Visits: 2.4K
Ransomware does not use MR so it does not have to follow the same rules - like not writing back to the file.  It also does not care about passwords.  It is not trying to read the data from the file.  It just takes the data that is there (encrypted or not) and encrypts it and saves it back to the file.  It is running as a high privileged OS task so most rules do not apply to it.  All it cares about is making your computer unusable so you will pay them money to get your computer working again.

Saving files to external drives that are only connected to the system while copying the files, is a very good way to protect yourself.  But, as has been said, most ransomware does not bother with backup files.  Not sure why.  But, also as suggested, that could change. 


Richard V.
Richard V.
Most Valuable Professional
Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)Most Valuable Professional (4.1K reputation)
Group: Forum Members
Posts: 2K, Visits: 8K
@Wags1 -- A computer "file", regardless of any other factors that you mention, is merely a set of bits and bytes that are ordinarily organized in such a way as to be recognizable by the application that is designed to read them.  Encryption doesn't have to recognise or understand the file's contents.  It just reorganizes them according to some pattern that can only be "unscrambled" by providing the required password "key", and a second or subsequent encryption just repeats the process, again without any need to understand anything at all about either the preceding encryption, or its "key", or the original unencrypted file's contents.


Regards, Richard V. ("Arvy")
https://forum.macrium.com/uploads/images/afc5d4fe-5d25-4e25-be94-185e.png

Edited 6 June 2016 9:41 PM by Arvy
Froggie
Froggie
Macrium Hero
Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)Macrium Hero (2.1K reputation)
Group: Forum Members
Posts: 1.2K, Visits: 11K
wags1 - 6 June 2016 8:33 PM
Froggie - 6 June 2016 8:01 PM
Wags1... RansomeWare could encrypt the IMAGE file itself (not the files within the image), which would make it useless to you for anything (restoration or mounting).

Some of the newer variants of RansomeWare, instead of encrypting the entire file (which they all used to do), they are now only encrypting a coupla kiobytes of each file which accomplishes two things... it makes almost all the files useless AND is lightning fast in its encryption operation.

So far, none have been seen to be encrypting various FileTypes used by imaging software manufacturers... but don't let that lull you to sleep.

I guess that is what I'm not getting. Even with a copy of MR and the password I can't write back to the image file. I don't see how the ransom ware is going to encrypt anything if it can't write to it. Like I said, I'm sure I don't fully understand how ransom ware works and how it would encrypt the image files. 

Wags1, Reflects PASSWORD protection is only for users of REFLECT.  It keeps unauthorized users from modifying existing backups when imaging and doesn't allow unauthorized users from accessing the content of the backups.

As Drac has said, with FileSystem level protection, those files can be modified by rogue tasks with enough privs.

Offline copies are the best approach without using Windows kernel-level protection mechanisms.
Edited 6 June 2016 9:16 PM by Froggie
wags1
wags1
Talented Member
Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)Talented Member (104 reputation)
Group: Forum Members
Posts: 83, Visits: 535
Thanks for the replies! Now I know what I didn't know... ; - ) Seems like the manual process that I have put in place is the only safe way to protect from ransom ware. Seems like a good opportunity for MR to come up with a more automated way to protect against ransom ware. I'm not a big fan of manual processes.
GO

Merge Selected

Merge into selected topic...



Merge into merge target...



Merge into a specific topic ID...




Reading This Topic

Login

Explore
Messages
Mentions
Search