Proper backup procedure in response to threats such as Cryptolocker

Icecold

Golden Member
Nov 15, 2004
Lately it seems like ransomware and other malware that either corrupt local files or encrypt them (and demand payment to decrypt) have become more prevalent. I have run into software like this several times recently 'in the wild'.

This has me re-thinking backup strategy both for home and small business. I've always followed basic rules such as having a current backup on a drive that is not part of the local system (in case the power supply fails or something and takes out everything in the machine), RAID is not a backup, etc. My concern, though, is I could be left with a backup that is encrypted by malware. I am not concerned about my own machine either at home or work being infected by malware as I follow security practices that should prevent it, but it doesn't mean that another machine on the network wouldn't become infected and access my server's network share and start encrypting the files on it.

I am hoping some people on this forum could share their own backup procedure that may help give me some ideas. Currently I have made 2 offline backups (which is good procedure anyway), and plan on purchasing more backup hard drives so I can rotate out the offline backups to have backups from different dates. My concern is that either a system malfunction or malware will cause the data on my server to not be good anymore, and, prior to me realizing that, I will overwrite my good backup with bad data from the server. My first step to avoid silent corruption will be to migrate to a FreeNAS server with ZFS. Nevertheless, the possibility of malware encrypting all my data is still there. I am also going to be extra careful of what permissions are set on my share, which should help prevent rogue software from overwriting or deleting all of my files.

What are people doing to prevent this issue? Checking the date modified on your files? Or comparing the hash of each file to one that is known good prior to making a backup?

I am also going to purchase a Blu-Ray burner and burn discs with anything that I really wouldn't want to lose (and make sure to put parity files on the discs as well), but this will be a time consuming process and I'm not sure about the long term stability of Blu-Ray discs. Either way, this is cheap enough that it seems like a decent plan just in case.

I appreciate any insight, thanks.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
I will continue to use my duplicate drive system on all computers. If such a corruption occurs, I would immediately power down and clone my duplicate drive back to the infected one. That takes me about 10 minutes on any machine including my laptop.

The main thing is to have a good anti-malware program in effect to prevent the infection in the first place. I use MalwareBytes Pro plus MSE on all systems. So far, that defense has not yet been developed according to Snopes:

http://www.snopes.com/computer/virus/cryptolocker.asp
 

Cerb

Elite Member
Aug 26, 2000
You'd want to have versioned backups, so that affected files could be retrieved. Whether done by a program like Acronis, or a NAS running ZFS with some scripts to make archival snapshots, or rotating backup HDDs, you want to be able to have backups with some small range of ages, so that you would lose as little work as possible, but be able to be assured that you have backups not contaminated.
 

Charlie98

Diamond Member
Nov 6, 2011
Because of a recent SSD drive failure, I back up my main drive every night with Acronis. The Acronis image saved my acorns a few weeks ago and has proven its worth; I have no doubt it would do the same if my computer came down with a virus.
 

code65536

Golden Member
Mar 7, 2006
The main thing is to have a good anti-malware program in effect to prevent the infection in the first place.

Anti-malware is like the airbag in your car. It's the last-ditch defense. It's the defense that you do not want to see deployed, because if AM software actually does its thing, that means that something has already gone seriously wrong. And just like airbags, AM doesn't always work. Black hats know that people have AM software and they typically test their malware against AM software and tweak it so that the AM software can't detect it. After their malware has had time to wreak some havoc, the AM companies will have finally acquired samples and updated their definitions, at which point the black hats make more tweaks to duck back under the radar.

The best way to stay alive in a car crash is to not get into a car crash. Similarly, the best way to protect yourself from stuff like this is to not execute suspicious code in the first place. Turn off the hiding of executable extensions:
Code:
reg add "HKLM\SOFTWARE\Classes\comfile" /v "AlwaysShowExt" /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Classes\exefile" /v "AlwaysShowExt" /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Classes\piffile" /v "AlwaysShowExt" /t REG_SZ /d "" /f
And then teach your users one simple rule (write it down and tape it to their computer, if necessary), "never open an exe file from the Internet".

I've seen too many people install AM and think, "I've got AM, I'm protected!" That's a very dangerous false sense of security. The best possible safety feature of a car is a careful, defensive driver. The seat belts and airbags exist only as an extra margin of safety if something goes wrong, and in no way are they a substitute for proper driver education.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
("never open an exe file from the Internet") Learned that rule about 25 years ago. Agree fully. Security and protection come in layers - user discipline is perhaps the most important layer.

I have another safeguard as well - Mailwasher Pro. It lets me see all email prior to downloading, and I can delete them from the POP server without ever accepting them. I only accept email and phone calls from people I know. And attachments are studied before opening. :)
 

aigomorla

CPU, Cases&Cooling Mod PC Gaming Mod Elite Member
Super Moderator
Sep 28, 2005
I never understood why Microsoft Windows is set by default to hide known extensions.

I always make it show extensions.... and I never run a .exe from an untrusted source.
 

Icecold

Golden Member
Nov 15, 2004
While I understand that the first issue is preventing malware or corruption from reaching the data to begin with (which I feel I've already done to the best of my ability), and I appreciate the feedback there has already been, I was hoping there would be some more backup suggestions. I am focusing on small business backups as well as home, but trying to keep it affordable for small business.

What I've come up with so far:

1. Keep a 'hot' backup hard drive that is connected to the machine and backs up nightly.

2. On a Linux machine that I have in the same building but on a separate circuit (in case of power surge), have it reach across the network once a week at an off time and pull a backup. The idea here is that, if I, or we, haven't noticed in a week that the data is gone or unusable, it must not be commonly accessed data, and the Linux machine will not have any shares on it, which will prevent other computers on the network from causing issues with the data stored on there. Also, a properly secured Linux machine that is not used for web browsing, email, etc. should not be very vulnerable.

3. Have 2 'monthly' external hard drives that are rotated out. This step will be done manually, not on a scheduled job. First, do a directory command on the file server and output it to a text file, throw it in Excel / LibreOffice Calc and sort by date modified. If there is an extremely large number of files that were modified at the same time / date and it's recent, it will need further attention. I have run into viruses that connect to any available network share and insert Javascript exploit code in any HTML files, put malicious code in MS Office macros, etc. As long as this step checks out fine, make a full backup to the hard drive, and then follow the same step with the other hard drive the next month and keep rotating them. If space allows, do not overwrite the previous monthly backup, but make a new one.

4. Every 6 months burn BluRay discs (with parity files) and store them offsite. 1TB of usable space (after parity files) should be about 50 BluRay discs, which are ~$30. I'm not sure this step is worth it for small business, but I may do some testing with this for some files at my house that I'd prefer to have another backup of.

This seems like it could be accomplished for a few hundred dollars and seems to fulfill any needs that I can think of. Thoughts?
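The "sort by date modified and look for a pile of files changed at once" check from step 3, written out as an added example (this is not code from the thread or from any poster): it walks a tree, buckets each file's modification time into a fixed window and flags any window that holds an unusual share of the files. The ten-minute window, the thresholds, and the sample tree that make_sample_tree() builds in a temp directory are assumptions chosen for the demo, not values from the thread.

```python
import os
import stat
import tempfile
import time
from collections import Counter
from pathlib import Path


def collect_mtimes(root):
    """Return {path: mtime} for every regular file under root.

    lstat() is used so symlinks are recorded as links, never followed;
    a link pointing outside the tree cannot drag foreign files into the count."""
    mtimes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            try:
                st = path.lstat()
            except OSError:
                continue  # vanished or unreadable: skip, the backup job will report it
            if stat.S_ISREG(st.st_mode):
                mtimes[str(path)] = st.st_mtime
    return mtimes


def find_modification_bursts(root, window_seconds=600, min_files=50, min_fraction=0.2):
    """Bucket modification times into fixed windows and report the windows that
    hold an abnormal share of the tree.

    Returns a list of (window_start_epoch, file_count, fraction_of_tree), oldest
    first. Normal use spreads edits over many small buckets; a mass rewrite
    (ransomware, a runaway script, a bad sync) lands in one or two huge ones.
    Thresholds are assumed defaults: tune min_files/min_fraction to the share."""
    mtimes = collect_mtimes(root)
    total = len(mtimes)
    if total == 0:
        return []
    buckets = Counter(int(m // window_seconds) * window_seconds for m in mtimes.values())
    hits = []
    for start, count in sorted(buckets.items()):
        fraction = count / total
        if count >= min_files and fraction >= min_fraction:
            hits.append((start, count, round(fraction, 3)))
    return hits


def safe_to_back_up(root, **thresholds):
    """Print any bursts found and return True only when there are none."""
    hits = find_modification_bursts(root, **thresholds)
    for start, count, fraction in hits:
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(start))
        print(f"WARNING: {count} files ({fraction:.0%} of tree) modified around {when}")
    return not hits


def make_sample_tree(base, normal=40, burst=100):
    """Constructed test data: `normal` files each touched on a different day,
    plus `burst` files all rewritten at the same moment one hour ago."""
    base = Path(base)
    now = time.time()
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "photos").mkdir(parents=True, exist_ok=True)
    for i in range(normal):
        p = base / "docs" / f"report{i:03d}.txt"
        p.write_text("quarterly numbers\n")
        t = now - (i + 1) * 86400  # one file per day going back
        os.utime(p, (t, t))
    for i in range(burst):
        p = base / "photos" / f"img{i:04d}.jpg"
        p.write_bytes(b"\xff\xd8 not really a jpeg")
        t = now - 3600  # every burst file carries the same timestamp
        os.utime(p, (t, t))
    return base


def run_demo(**tree_kwargs):
    """Build the sample tree in a temp dir and return the bursts detected in it."""
    base = make_sample_tree(tempfile.mkdtemp(), **tree_kwargs)
    return find_modification_bursts(base)


if __name__ == "__main__":
    tree = make_sample_tree(tempfile.mkdtemp())
    print("OK to back up" if safe_to_back_up(tree) else "Hold the backup and investigate")
```

Run it against the share right before the monthly copy; a non-empty result is the "needs further attention" case in step 3. It is a heuristic: a legitimate bulk import or a restore trips it too, and anything that preserves timestamps or works slowly slips under it, so it complements the versioned, isolated backups discussed elsewhere in the thread rather than replacing them.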
 

code65536

Golden Member
Mar 7, 2006
The key is to cycle your backup hard drive.

Day 1: Back up to drive A; B and C are physically disconnected
Day 2: Back up to drive B; A and C are physically disconnected
Day 3: Back up to drive C; A and B are physically disconnected
etc.

Common refrains that I've seen from chatter about this worm are that automated backups overwrote the good data with newly-corrupted data or that the malware got access to the backups. Rotating only monthly means that you could potentially lose a month's worth of data--that's a lot to swallow.
 

Icecold

Golden Member
Nov 15, 2004
The key is to cycle your backup hard drive.

Day 1: Back up to drive A; B and C are physically disconnected
Day 2: Back up to drive B; A and C are physically disconnected
Day 3: Back up to drive C; A and B are physically disconnected
etc.

Common refrains that I've seen from chatter about this worm are that automated backups overwrote the good data with newly-corrupted data or that the malware got access to the backups. Rotating only monthly means that you could potentially lose a month's worth of data--that's a lot to swallow.

I like this approach, but my concern is if only some of the data is corrupted (somebody notices the ransomware on their PC and task-kills it, restarts their PC, unplugs the network cable, etc. and it doesn't have a chance to finish) and it could take a while to notice that, say, a particular client's data, or a specific set of data on your PC such as your vacation pictures, has been affected. By this point, drives A, B and C have all gone through their backup procedures and all have corrupt data instead of the good data on them.

Maybe do that in addition to steps 2 and 3 that I listed? It was shortsighted on my part, but I never really paid a ton of attention to the possibility of either a user maliciously deleting data, or malware or something else intentionally corrupting all data on a drive or share.
 

aigomorla

CPU, Cases&Cooling Mod PC Gaming Mod Elite Member
Super Moderator
Sep 28, 2005
Keep all data on NAS.
Allow only 1 PC to change files on the NAS; all other PCs / family members' PCs / untrusted PCs are allowed to only READ.
Don't download anything .exe on that one machine which has write access to the NAS.

Need to change something on NAS... Remote to that one machine which has access and do it that way.
:p

Untrusted PC gets nuked... who cares, it's their fault for downloading something stupid, so wipe it and tell them to stop clicking links like a blind man.
Sad to say people DON'T learn until they lose everything.... and then after that they are paranoid enough NOT to click things blindly.
 

GagHalfrunt

Lifer
Apr 19, 2001
Question on other methods to protect files. As hard drives grow larger and larger it gets more and more difficult to find decent backups. 2TB to a cloud or a series of DVDs would be a real headache. Can a hard drive be protected from CryptoLocker by password protecting it or some other pre-encryption system that you have the key to so that the malware can't reach those areas of the PC without the supplied password?
 

Cerb

Elite Member
Aug 26, 2000
Yes. Remove power or data cables. You can further encrypt a drive, but just having it not connected is the safest. Cryptolocker is likely to not be the last of its kind, and in all likelihood, is not the worst we're going to see, either.

Also, you can have an older local backup restored, then check and see what's missing from something like a cloud backup. As long as you can sort by mod date, it shouldn't be that hard to handle. Then, you don't have 2TB to look through, just that much to have sorted.
 

mEmeNT0m0RI

Junior Member
Jan 27, 2014
The backup that would run in parallel with regular one but does not back up changed files (new ones only)
 

SeanFL

Member
Oct 13, 2005
Just went through a CryptoWall cleanup at a school. It encrypted the local PC, and also reached into all the shares it could on the Synology. My current thinking is to have the Synology back up to an external USB 3 drive every few days, then have it back up to a different directory on the external drive the next week, then back to the other. And/or figure out versioning and keep 2-3 versions of every file?
 

Cerb

Elite Member
Aug 26, 2000
Where I work, the main file server backs up to another server, which backs up to yet another server. As long as a problem can be caught within a few days, there will be some live backup ready to be restored.

When I set up personal backups, if someone has enough space (most people can't use 100GB, much less 1TB), I do just that sort of setup, with rotating backup jobs. There might be a Monday backup, Wednesday backup, and so on, so that there can be several days in which to catch problems other than deletion or PC death. Problem is, for ransomware, you want some isolation, like the NAS backing up to a computer, but with other PCs not having access to that computer, so the ransomware won't infect the backups. If the external drive is only read/written to by the NAS, except in the case of verification or recovery (i.e., no network share access!), that should suffice on the cheap.
 

Phynaz

Lifer
Mar 13, 2006
There's no such thing as dependable media. And where are you storing it? Next to the computer?
 

BonzaiDuck

Lifer
Jun 30, 2004
I like to think I've personally avoided all this misery -- for 20+ years of internet access and flagrant use of e-mail.

But I have the "fam-damn-ily" in my household LAN. Mom's Inbox contains some 1,500 undeleted, unsorted messages and enough spam that would give me nightmares -- waking and sleeping. The elderly are "Publishers' Clearinghouse" obsessive. I suspect PCH as being a minefield of malware. I'm overwhelmed trying to clean up the fam-damn-ily's messes. Since I know all the family e-mail passwords (because I set them up -- couldn't have done it themselves), I'm contemplating a "Big Brother" approach of monitoring their e-mail receipts at the ISP through web-browser access, just to keep tabs on what kind of crap they're adding to their Outlook PST's.

My brother has "wised up" considerably since I had to rescue his computer in 2005 from the disastrous result of accessing porno sites and dismissing Kaspersky "red-box" warnings, but he could do better, even so.

As for my latest troubles with "their" systems, I think I'll post my first thread on "Security."

The thing with backups -- you'd have to catch the infection -- become aware of it -- before you infect your backup. Alternatively, your safest restoration would come from very stale backups.

I've got so much on my plate taking care of the family and working double-time to clean up their digital messes, that there's less time to do the manual side of routine backups. I rely on WHS to backup the whole house; I turned off "HomeGroup" to enforce a reliable security regimen.

With any worry that something like Cryptolocker could infect my systems, I'm already having nightmares about the possible nightmares.
 

Cerb

Elite Member
Aug 26, 2000
The thing with backups -- you'd have to catch the infection -- become aware of it -- before you infect your backup. Alternatively, your safest restoration would come from very stale backups.
That's why there's the need for multiple versions. Without paying for software with a gazillion features, or wanting to really learn to make rsync or ZFS sing and dance, big HDDs and multiple automatic backup jobs can do the trick, so long as some set of them are not visible to the potential contagious patients :).
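The "big HDDs and multiple automatic backup jobs" approach above, combined with the pull model Icecold described in step 2 and the isolation point made earlier (the machines that use the share must have no path to the backups), as an added example that is not code from the thread or from any poster: the backup host pulls a dated snapshot from the share, hard-links files unchanged since the previous snapshot instead of copying them again (the idea rsync's --link-dest implements), prunes old snapshots, and can hand back the newest copy of a file from before a chosen time. Paths, timestamps and the five-file scenario in run_demo() are constructed for the demo.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def _snapshots(backup_root):
    """Snapshot directories sorted oldest to newest (names are sortable timestamps)."""
    root = Path(backup_root)
    return sorted(p for p in root.iterdir() if p.is_dir()) if root.exists() else []


def _unchanged(src, old):
    """Cheap change test: same size and whole-second mtime. copy2() preserves
    mtime, so a file untouched since the last run matches its earlier copy."""
    a, b = src.stat(), old.stat()
    return a.st_size == b.st_size and int(a.st_mtime) == int(b.st_mtime)


def take_snapshot(source, backup_root, stamp=None):
    """Pull a snapshot of `source` into backup_root/<stamp>/.

    Every snapshot is a complete, browsable tree, but a file that has not changed
    since the previous snapshot is hard-linked to that earlier copy rather than
    copied again, so only changed files cost space. The backup host runs this;
    the share is never given credentials or a mount pointing at backup_root.
    Returns (snapshot_dir, files_copied, files_linked)."""
    source, backup_root = Path(source), Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    snaps = _snapshots(backup_root)
    previous = snaps[-1] if snaps else None
    dest = backup_root / (stamp or time.strftime("%Y%m%d-%H%M%S"))
    if dest.exists():
        raise FileExistsError(f"snapshot {dest} already exists")
    copied = linked = 0
    for dirpath, _dirs, files in os.walk(source):
        rel = Path(dirpath).relative_to(source)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for name in files:
            src = Path(dirpath, name)
            if src.is_symlink():
                continue  # never follow links out of the share
            out = dest / rel / name
            old = (previous / rel / name) if previous else None
            if old is not None and old.is_file() and _unchanged(src, old):
                os.link(old, out)
                linked += 1
            else:
                shutil.copy2(src, out)
                copied += 1
    return dest, copied, linked


def version_before(backup_root, rel_path, before_stamp):
    """Newest copy of rel_path from a snapshot taken before `before_stamp` (the
    time you believe the damage began), or None if no such copy exists."""
    for snap in reversed(_snapshots(backup_root)):
        if snap.name < before_stamp:
            candidate = snap / rel_path
            if candidate.is_file():
                return candidate
    return None


def prune(backup_root, keep):
    """Delete the oldest snapshots beyond `keep`. Hard links make this safe: a
    file still referenced by a newer snapshot survives deletion of the old one."""
    snaps = _snapshots(backup_root)
    for old in (snaps[:-keep] if keep > 0 else snaps):
        shutil.rmtree(old)
    return len(_snapshots(backup_root))


def run_demo():
    """Constructed scenario: five files on a 'share', one rewritten between two
    nightly snapshots, then recovery of the pre-damage copy and a prune."""
    base = Path(tempfile.mkdtemp())
    share, backups = base / "share", base / "backups"
    (share / "docs").mkdir(parents=True)
    for i in range(5):
        p = share / "docs" / f"file{i}.txt"
        p.write_text(f"original contents {i}\n")
        os.utime(p, (1_700_000_000, 1_700_000_000))
    _, copied1, linked1 = take_snapshot(share, backups, "20240101-020000")
    victim = share / "docs" / "file2.txt"
    victim.write_text("encrypted garbage\n")  # stands in for a damaged file
    os.utime(victim, (1_700_100_000, 1_700_100_000))
    _, copied2, linked2 = take_snapshot(share, backups, "20240102-020000")
    good = version_before(backups, Path("docs/file2.txt"), "20240102-000000")
    recovered = good.read_text() if good else None  # read before pruning
    remaining = prune(backups, keep=1)
    survivor = (backups / "20240102-020000" / "docs" / "file0.txt").read_text()
    return {"first": (copied1, linked1), "second": (copied2, linked2),
            "recovered": recovered, "remaining": remaining, "survivor": survivor}


if __name__ == "__main__":
    print(run_demo())
```

Because the snapshots live on the backup host and nothing on the share side can reach them, a PC that encrypts the share cannot touch prior versions: the next snapshot simply records the damaged files as fresh copies while the older snapshots keep the originals, and version_before() picks the right one once you know roughly when it started. Run it from cron nightly and set keep to however many days you want in which to notice a problem.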