Can a mirror image with MR recover from WannaCry and other such malware?


JoeZ (Junior Member)
I see that there is another malware like WannaCry now rampaging across the planet. I've read that they will lock up a hard drive.

But if you have a full backup from Macrium Reflect and good recovery media, can you recover from such an attack? The media are saying there is no way to recover; they must be wrong.

Joe
jphughan (Most Valuable Professional)
The regular media often gets the details of tech news wrong, and even the tech-centric media can get the details of security news wrong (don't even get me started on regular media covering security news....).  What they mean by "irrecoverable" is that once the data is encrypted, there is no "back door" mechanism to recover the data on that disk short of paying the ransom to obtain the unlock code -- because unfortunately the attackers are using strong encryption that does not have any known vulnerabilities.  But that assumes you don't have any kind of backups, which sadly many people do not.  But to answer your question, it depends on what you mean by "mirror image".  Do you mean a "disk image" or a "clone", the latter of which is often considered a mirror?

If you have a disk image backup that was either stored at a location that was offline at the time of the attack or at a location that was online BUT the ransomware didn't encrypt the backup files (many ransomware packages only target certain file types), then you can boot into Rescue Media and restore from a backup captured prior to the attack and be fine.

If you have a clone, it's another story.  If the most recent clone job ran BEFORE the infection, you MIGHT be fine. However, if the clone target disk was online when your source disk got infected, the ransomware might have gone after the data on the target disk simply because it found the disk there.  If the clone target disk was offline and the most recent clone job was pre-infection, the target is probably fine, unless maybe your ransomware lay dormant on your source disk for a long period before taking action, but that's not how these typically work.  But obviously if you ran a clone job AFTER the infection, your clone would be unsafe, and possibly unusable, since any files encrypted on the source at the time of the clone would also be encrypted at the destination.  And even if you had some files that were recoverable at the destination, the ransomware program would have been cloned over, so it would probably finish the job whenever you booted from the target. Theoretically an AV scan might be able to clean the clone target before you booted from it, but I'd personally still be concerned about the safety of that disk, and removing the ransomware program that way would also remove any opportunity to recover any files that had been encrypted if you don't have any other backups of them.  In that situation, I would probably back up whatever data I could that was still accessible and start from scratch.

One of the benefits of backups over clones is that the former gives you multiple points in time from which to restore, whereas a clone, while it has conveniences of its own, only ever has a single "state", and if that's too new for your liking, you're stuck.

Edited 28 June 2017 10:27 PM by jphughan
JoeZ (Junior Member)
I'm not sure of the difference between a disk image and a clone. I presume a clone is another drive exactly like the one you want backed up, not connected to the computer. I do disk images, with differentials.

If I have the disk images (along with associated differentials) stored on external hard drives which always remain connected - are they likely to be infected/attacked also?

I'm not terribly worried about this problem; it seems to be mostly with big companies, and I'm just a single user, but I'm curious.

My backup system is that I store the disk images on 3 drives: one is a 2nd internal drive, then I have 2 external drives, but I always keep the external drives connected to the computer. Is this a risk? If so, I suppose I should disconnect them if such a threat is more widespread. I rotate my backups so that I do one every day, each day to another of those 3 drives. I never gave a thought to the fact that malware might attack external drives.

My AV software is McAfee and it's always updating- I presume it's likely to catch such malware. I realize AV software isn't going to catch the early victims.

So, in conclusion: if I have a disk image on a drive that was not infected, my primary internal hard drive, which was infected by one of these WannaCry-type malware that locked up the files, can be restored by the usual methods, that is, rescue media, which in my case are flash drives. Whatever damage was done to the drive is overcome by rewriting the entire disk with the image.

I'm amazed that the press doesn't inform people about such methods to protect their systems- they do talk about backups but not about being sure to do it the right way- not just backing up created files, but the entire drive.
Joe



jphughan (Most Valuable Professional)
Yes, you're using disk image backups. A clone does indeed copy one disk over to another one as opposed to storing a copy of the source disk as a file on the target.

Ransomware for the most part has targeted specific file types -- PDFs, Word/Excel documents, etc. -- but that is not always the case, so you should not assume your backup files are safe simply because Reflect image files are a relatively uncommon file type.  And you should absolutely not assume that data on external hard drives is safe.  Ransomware has been known to go after secondary hard drives, mapped network drives, and flash drives that are inserted (both encrypting files on them and sometimes even infecting them so that the next computer they're plugged into gets immediately infected if Autoplay is enabled, which it is by default).  Finally, you also should not assume that you're less of a target simply because you're an individual person.  Big companies are the ones who end up in the news because the impact is larger and therefore more newsworthy, since ransomware can literally infect an entire network from a single computer, and also because there are often stories of huge ransoms being paid and/or huge downtime.  One company was in the news last week for paying a record ransom of USD $1 million to unlock dozens of Linux servers that had been infected, an amount that they negotiated down with the ransomers from an initial demand of $4.4 million.  But again, that's just what's in the news.  Ransomware doesn't know or care who you are or whether your PC is personally owned or a corporate asset.  If the bad guys can get ransomware onto your PC by getting you to click on a malicious link in an email or webpage or even by compromising a legitimate site you visit to have it deliver malware to visitors, then they'll happily start locking up your data and demand ransom.  Occasionally they have keyboard layout checks to avoid infecting their home country (e.g. "If this user has the Russian keyboard layout selected, don't do anything."), but if those checks don't exist or you don't happen to satisfy them, then you're a target.

If you're rotating your backups between two external disks anyway, then I would strongly recommend keeping them online only when you actually need them.  If you have both nearby anyway, you could rotate them daily.  However, another potential benefit of offline backups in a rotation is that you can take them off-site to protect against natural disaster, theft, etc.  Of course doing that means it's usually not feasible to rotate them as frequently (maybe weekly rotations work better in that scenario), but that extra protection might be worth the risk of the offline disk having backups up to a week out of date. Reflect can be configured to use the unique disk ID to identify its backup destinations rather than the default drive letter method, in which case backups would continue even if the disk rotation results in different drive letters being assigned at different times. The benefit of having backups on an internal disk when you've already also got backups going to TWO other external drives isn't immediately apparent to me, but obviously that internal disk can't be taken offline as easily.  On the subject of multiple backups though, make sure that you're actually performing independent backup jobs to all of your targets.  If you're just performing backups to one and copying the generated image files over to the other, multiple backup sets with the same ID can cause, and have caused, problems with Reflect, including a case where a user who intended to delete only one copy of a set found that ALL of the copies of that set had been deleted.

In terms of AV, recent ransomware has relied on previously unknown exploits within Windows and Web browsers, which has meant that even being fully current on AV definitions and patches has not always been a safeguard. I avoid third-party AV solutions entirely for a whole laundry list of reasons, including the fact that they tend to cause problems with legitimate applications (such as Reflect!), but that's a separate discussion.

But yes, if your primary hard drive gets infected, you can boot into Rescue Media and restore an image backup from before the incident, and then as long as the malware wasn't lurking dormant on your PC for a while before springing into action (and therefore being copied into your backups for a long time before you noticed anything), you'll be OK. And if it does turn out that dormant ransomware seems to be lurking in old backups because you keep getting infected after restoring, then at the very least you'd be able to roll back to an even earlier backup or even reinstall your OS manually, and you'd still be able to extract your important files from those newer backups. However, again be aware that any OTHER drives that were attached may also have been infected, and if you don't have backups of them from which to restore, you'd be stuck on that front.

As for reporting being lacking, I wholeheartedly agree, and that goes back to the regular media often not doing a great job on tech reporting.  I suspect most reporters might not even understand the difference between an image backup and having a backup of your important files -- never mind the distinction between backups, clones, and syncing -- although in fairness just having a backup of your important files somewhere out of reach of malware would be enough to recover.  It would be less convenient than an image since you'd need to reinstall Windows from scratch (I suppose some might just use that as an excuse to buy a new PC....), but you'd have your data.

Edited 29 June 2017 4:02 PM by jphughan
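One practical check that follows from the advice above, added here as an example and not something from the thread or from Macrium Reflect itself: when a rotated backup disk comes back online, confirm that the image files on it are byte-for-byte what you wrote before you rely on them. The script records a manifest of sizes and SHA-256 hashes while the disk is known clean, stores it somewhere the backup disk cannot reach (the rescue USB stick, say), and on the next attach reports files that were modified, went missing, or appeared unexpectedly; a file renamed to something like `foo.mrimg.locked` shows up as one missing plus one unexpected entry. The `.mrimg` suffix filter, the file names and the scratch directories in `demo()` are assumptions for illustration. Entropy checks are deliberately not used: compressed images are already high-entropy, so a hash mismatch against a manifest kept off the disk is the only reliable signal.

```python
"""Integrity check for image files on a rotated backup disk.

Added example, not code from the forum thread or from Macrium Reflect.
Assumptions: backup images carry the .mrimg suffix; the manifest is kept
OFF the backup disk (e.g. on the rescue USB stick) so ransomware that reaches
the backup disk cannot rewrite the manifest as well.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

IMAGE_SUFFIXES = (".mrimg",)  # assumption: adjust to what your backup set contains


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB images need little RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Size and SHA-256 of every image file under root, keyed by relative path.
    Run this while the disk is known clean, right after the backup job."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in IMAGE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def verify(root: Path, manifest: dict) -> dict:
    """Compare the disk against the manifest. Size is checked first because it
    is free; hashing only happens when the size still matches."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, meta in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Anything on the disk that the manifest does not know about is suspicious:
    # ransomware commonly writes renamed copies and ransom notes next to the data.
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def backup_is_trustworthy(report: dict) -> bool:
    """Anything other than an all-ok report means: do not restore from this
    disk until you know why it changed."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: two fake images on a scratch 'disk', manifest saved
    to a scratch 'rescue stick' while clean, then one image overwritten in place
    and one renamed with a ransom suffix. Returns (report_before, report_after)."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as stick:
        root, manifest_path = Path(disk), Path(stick) / "manifest.json"
        (root / "C-full.mrimg").write_bytes(os.urandom(4096))
        (root / "C-diff-1.mrimg").write_bytes(os.urandom(2048))
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)
        before = verify(root, manifest)
        (root / "C-full.mrimg").write_bytes(os.urandom(4096))  # "encrypted" in place
        (root / "C-diff-1.mrimg").rename(root / "C-diff-1.mrimg.locked")  # renamed
        after = verify(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean disk trustworthy:", backup_is_trustworthy(before))
    print("after simulated attack:", json.dumps(after, indent=2))
```

In real use you would call `build_manifest` on the mounted backup disk right after each backup job, write the manifest to the rescue stick, and run `verify` from the rescue environment before starting a restore. This is independent of any verification the backup tool performs on the image's internal consistency: it answers the narrower question of whether the files on the disk are still the bytes you wrote.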
JoeZ (Junior Member)
Thanks for the great replies! Not only do I really like Macrium Reflect, compared to Acronis True Image (which I used for several years), I like this forum very much as all my past questions were also answered very expertly.

Joe
dyhs (Proficient Member)

"I have 2 external drives but I always keep the external drives connected to the computer. Is this a risk?"

Yes, it is a risk. Windows sees them as local drives, but a virus (any virus, not just ransomware) can see them too.
I would not rely on USB external drives as my only backup.
Even if you disconnect the USB drives every time, you need to connect them again when you perform a backup, so a risk is still there.
Besides, if you disconnect the disks, you won't be able to schedule backup jobs.
I would back up my data to a network disk (like NAS storage on your LAN) and normally only access it via Macrium Reflect, not via Windows Explorer.
If you already told Windows to "remember" the NAS credentials, you can have it "forget" them in Windows Control Panel - Credential Manager.
Personally I keep both scheduled backups on the network disk and independent, manual backups on USB external drives.

One more thing: ransomware and viruses are not the only threat to your precious data. If you keep all your backups on the disks physically connected on the side of your PC, and an angry elephant walks over it... :D
(Elephants apart, think of electrical shocks, thieves, fires, dogs, cats, and so on.)

Edited 1 July 2017 2:14 PM by dyhs
Clinton Wright (Junior Member)
Quoting JoeZ - 30 June 2017 11:55 AM:
Thanks for the great replies! Not only do I really like Macrium Reflect, compared to Acronis True Image (which I used for several years), I like this forum very much as all my past questions were also answered very expertly.

Joe

My exact thoughts. I switched over back in 2012 with my introduction to UEFI; Acronis did not figure it out for several years. I started here with just the free edition to clone/image my OS SSD. At the time MR was the only program I could find that could accomplish this and end up with a booting disk/SSD. After a couple of years Acronis still did not have a working solution for UEFI; I found MR working flawlessly and made the big switch to the paid version for all my units. These forums are really great: usually someone will help you figure out where you're going wrong or let you know quickly that you need to submit a tech support ticket. Tech support is very good here too, with fast and logical responses to your issues. I recommend it everywhere I go.

JoeZ (Junior Member)

dyhs,

You said, "I would backup my data on a network disk (like NAS storage on your LAN) and only access to it via Macrium Reflect, not via Windows Explorer.."

I've never had an external drive plugged into my home network; I have several plugged into the 3 computers on the network. I presume a network external drive will set itself up without my help once plugged in. But how can I get it to be accessible only via MR? My knowledge of networking is limited. I like the idea, though.

I think I still have an extra slot on my router for this purpose. What's nice is that these external drives are pretty cheap.

Joe
dyhs (Proficient Member)
You might want to take a look into your router's shared storage settings in case they allow for user/password credentials.