Ransomware-Safe Backup Question

I have all my data (mainly photos) on my desktop PC. It's copied on file change to my NAS so that I always have a second copy if one gets corrupted/broken. If there's a fire, I'll be grabbing the NAS on the way out the window. If I'm away, the NAS gets disconnected and taken off site.

However, my NAS is mapped as a drive to allow realtime backup to take place, so (according to what I've read) ransomware that crawls through your drives will get the backups too. I use Dropbox and OneDrive for convenience across multiple PCs for other docs, but they are also folders on my PC which sync to the cloud on file change.

In terms of protecting against this specific threat, the only solution I can see is either cloud storage that keeps multiple versions (more cost) or buy an external HD that gets backed up manually then physically disconnected (cost + effort + remembering). Are those pretty much my only options? Ideally I'd like an automated backup that I can do weekly that just pops up with a password before going to modify the backup files - basically preventing automated unwanted encryption.
 
Interested in this as well.

As a precaution, I backed up all my hard drives to external ones at the weekend (which I hadn't done for a while) and disconnected them. I have most data backed up anyway in cloud storage, but not images and video as they take up so much room.

I also (obviously) did a double check on all the PCs in our house to make sure they were all up to date. As it happened, the Missus has a laptop she barely uses. It hadn't been switched on for quite a while and the specific security patch to fix the weekend's malware wasn't installed (it is now).

I read that this malware infects a network once into one system. If malware got into one system that was unprotected, could it spread into protected machines on the same network?
 
How do you copy them? Some of the home NAS systems offer snapshot-based backups. This would help you in the sense that you could restore to a point in time before the system was exploited. You would only look to lose any data since the last snapshot and current day (so regular snapshots help reduce the impact). If you are using a Mac (don't think so as you state PC, but hey), Time Machine does give you something similar.
 
I read that this malware infects a network once into one system. If malware got into one system that was unprotected, could it spread into protected machines on the same network?

This particular malware has been combined with a worm, so it also spreads around a network looking for systems that it can also exploit (not patched etc.). This is why this particular one has been so heavy hitting.
 
My solution to this is two 'NAS' boxes.
The second NAS is switched off for 23.5 hours of the day. It's woken up for the backup window by the first NAS using a Wake-on-LAN packet and then shutdown again afterwards.
The second NAS does not have any SMB/Windows shares on it, so other machines on the network cannot access it directly. Backups are transferred from the primary NAS using SSH.

I run ZFS as a filesystem, which I have snapshotted daily. 60 days of snapshots are retained. The daily snapshots are shipped from the primary NAS to the second NAS as a way of propagating the backups. So that gives me 60 days' worth of 'point-in-time recovery'. Thus if I were hit by a crypto, I should in theory just be able to restore the latest snapshot.

In an ideal world I'd have a third box on a remote site which would be connected via VPN.
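An added worked example of the two-box design in the post above (this is not the poster's own scripts): a Python planner that builds the Wake-on-LAN magic packet, works out which snapshot pair `zfs send -i` has to ship by finding the newest snapshot both boxes already share, and assembles the send/receive pipeline plus the shutdown command. The dataset name `tank/data`, the host name `backup-nas`, the MAC address and the `daily-` snapshot naming are assumptions made for the example. With `dry_run=True` (the default) it only returns the commands it would run.

```python
"""Plan one replication run from a primary ZFS NAS to a backup box that is
normally powered off. Added example; not the poster's scripts. The dataset,
host name, MAC address and snapshot naming below are hypothetical."""
import socket
import subprocess
from typing import List, Optional, Tuple

DATASET = "tank/data"             # assumed dataset name, same on both boxes
BACKUP_HOST = "backup-nas"        # assumed SSH host name of the second NAS
BACKUP_MAC = "02:00:00:aa:bb:cc"  # assumed (locally administered) MAC


def wol_magic_packet(mac: str) -> bytes:
    """Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + raw * 16


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Broadcast the magic packet over UDP (only used when not in dry-run)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(wol_magic_packet(mac), (broadcast, port))


def plan_incremental(source_snaps: List[str],
                     dest_snaps: List[str]) -> Optional[Tuple[Optional[str], str]]:
    """Work out what 'zfs send' has to ship.

    Both lists hold snapshot names (the part after '@'), oldest first.
    Returns (base, latest): base is the newest snapshot present on both
    sides (None means no common ancestor, so a full send is needed) and
    latest is the newest snapshot on the source. Returns None when the
    destination already has the latest snapshot.
    """
    if not source_snaps:
        raise ValueError("source dataset has no snapshots")
    latest = source_snaps[-1]
    on_dest = set(dest_snaps)
    common = [s for s in source_snaps if s in on_dest]
    base = common[-1] if common else None
    if base == latest:
        return None
    return base, latest


def replication_commands(base: Optional[str], latest: str,
                         dataset: str = DATASET, host: str = BACKUP_HOST) -> List[str]:
    """Shell pipeline for the run. -R carries child datasets and properties;
    -F on the receiver rolls it back to the base snapshot if anything was
    changed there. SSH is the only service the backup box exposes."""
    if base is None:
        send = f"zfs send -R {dataset}@{latest}"
    else:
        send = f"zfs send -R -i {dataset}@{base} {dataset}@{latest}"
    return [
        f"{send} | ssh {host} zfs receive -F {dataset}",
        f"ssh {host} sudo poweroff",   # back to sleep until the next window
    ]


def list_snapshots(dataset: str, host: Optional[str] = None) -> List[str]:
    """Snapshot names for a (flat) dataset, oldest first, locally or over SSH."""
    cmd = ["zfs", "list", "-H", "-t", "snapshot", "-o", "name",
           "-s", "creation", "-r", dataset]
    if host:
        cmd = ["ssh", host] + cmd
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [line.split("@", 1)[1] for line in out.splitlines() if "@" in line]


def run(dry_run: bool = True, source_snaps=None, dest_snaps=None) -> List[str]:
    """Wake the backup box, plan, replicate, power it off. In dry-run mode the
    snapshot lists are passed in and nothing is executed."""
    if not dry_run:
        send_wol(BACKUP_MAC)
        source_snaps = list_snapshots(DATASET)
        dest_snaps = list_snapshots(DATASET, BACKUP_HOST)  # assumes the box is up by now
    plan = plan_incremental(source_snaps or [], dest_snaps or [])
    if plan is None:
        return []
    cmds = replication_commands(*plan)
    if not dry_run:
        for c in cmds:
            subprocess.run(c, shell=True, check=True)
    return cmds


if __name__ == "__main__":
    for c in run(source_snaps=["daily-1", "daily-2", "daily-3"],
                 dest_snaps=["daily-1", "daily-2"]):
        print(c)
```

In a real cron job you would poll for SSH to come up after the magic packet rather than assume it, and the receiving side should only ever accept a push like this from the primary's key; the point of the design is that no desktop on the LAN holds a credential for the backup box at all.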
 
Some of the home NAS systems offer snapshot-based backups
Are these snapshots stored as files (and therefore susceptible) or hidden away as something else? I'm fairly certain my NAS does snapshots but I never bothered reading up what they were - mainly because I never thought I'd use them. Time to get the manual out.

My solution to this is two 'NAS' boxes.
This sounds like it's about three steps above my technical competence to actually do, although I understand the principle. Plus the cost of another NAS... Thinking about it though, music and movies are replaceable (eventually). It's just the photos and some old documents, which would severely reduce the size.

My wife has convinced me to sign up for Amazon Prime which includes free unlimited photo backup (and 5 GB docs which would be plenty). I may investigate this as a weekly thing with a calendar reminder for me to manually back up once a week. Not bothered looking at it yet because we're still in the free trial.
Thanks for the comments guys. Appreciated.
 
Are these snapshots stored as files (and therefore susceptible) or hidden away as something else? I'm fairly certain my NAS does snapshots but I never bothered reading up what they were - mainly because I never thought I'd use them. Time to get the manual out.

Essentially, think of them as points in time: this is what your system, files etc. looked like at that moment in time.

You take a backup at 9am. You then take a snapshot at 10am. Your system gets exploited at 10:15. You restore from the snapshot taken at 10am.

Companies implement snapshot technology (there are different ways, but don't worry too much about that now; they look to achieve the same thing) which essentially makes a backup of the changed files since the last backup/snapshot. So you could have lots of snapshots (as per afasoas's comment). This means that you can restore to any of those points in time.
 
You take a backup at 9am. You then take a snapshot at 10am. Your system gets exploited at 10:15. You restore from the snapshot taken at 10am.

I really don't know but I am interested, is it not possible that the Malware does a low-level read/write encryption of the NAS drive and so all snapshots are encrypted? I guess if the NAS is not mounted as a drive but only accessed via NAS backup software it could be OK.
 
Essentially, think of them as points in time: this is what your system, files etc. looked like at that moment in time.
So, I've just snapshotted my "everything apart from movies" folder which was 511 GB. It took about 5 seconds to create a 900 MB file. A quick Google tells me there are many different types of snapshots but that some can't recover from total data loss (which I'm imagining a crypto would effectively cause). The Netgear site doesn't tell me what type mine (an RN104) takes but reassures me that I can click 'n' restore if necessary. I'm not convinced.

I really don't know but I am interested, is it not possible that the Malware does a low-level read/write encryption of the NAS drive and so all snapshots are encrypted?
This was my concern. The snapshot isn't visible in Explorer - if that means anything. A system like @afasoas mentioned would definitely prevent access though.
 
So, I've just snapshotted my "everything apart from movies" folder which was 511 GB. It took about 5 seconds to create a 900 MB file. A quick Google tells me there are many different types of snapshots but that some can't recover from total data loss (which I'm imagining a crypto would effectively cause). The Netgear site doesn't tell me what type mine (an RN104) takes but reassures me that I can click 'n' restore if necessary. I'm not convinced.

it can get very confusing, I know.

Have a look at this for a high level - https://kb.netgear.com/000036750/ReadyNAS-Protection-against-Ransomware
and this for more detailed information - https://kb.netgear.com/23353/How-do...orage-system-use-snapshots-to-protect-my-data

(for NetGear snapshots - other companies might do things slightly different)


EDIT -

just to give a bit more information after re-reading the first link :)

"Snapshots of your files help prevent against ransomware because snapshots are read-only, and ransomware cannot make changes to that data. If your live data has been affected, you can revert a snapshot of a share that has been affected back to the time where the files were unaffected"

So what will happen is one of two things. Either the snapshot makes a copy of all your data and makes it read-only so THAT COPY can't be changed, OR it takes a copy of the links to all your data and locks that data. Then, when you (or the ransomware) change anything, that is written as new data, so the original data is again unchanged. Either way, a snapshot essentially creates a 'locked' (in a good way) copy of your data that can't be changed. But you can restore from it.
 
Most snapshotting systems are copy-on-write.
So that means if you mutate a file on the file system, a new version of that file is created.

I haven't looked at the Netgear NASes in particular, so I've no idea how their snapshotting works, but I would imagine as it's independent of the OS you are using on your desktop computer/laptop, then a crypto-virus would not be able to encrypt anything in the snapshot.

Now, with the snapshot being copy-on-write, there is a question over how snapshots are retained. They could be retained indefinitely, they could be retained for a period of time, or they could be retained while there's enough disk space available. In the latter scenario, if snapshots are automatically deleted as the disk fills up (as they are under Windows with the Volume Shadow Copy service), a crypto-virus could effectively encrypt all your files and leave you with no snapshots to restore from.

My 'NASes' are fully fledged Ubuntu-based servers running ZFS. For those that are interested, FreeNAS is a good choice because it uses ZFS and thus supports the ZFS style snapshots. Of course you need to provide your own hardware for running it on.

I'd use a strong username/password combination for securing the NAS box as sophisticated malware could try and compromise it with a bruteforce attack and wipe out all of your snapshots. Don't store these credentials on your desktops, except in a secured password database.
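To make the copy-on-write explanation and the retention warning above concrete, here is an added toy model; it is not Netgear's or ZFS's code and not from any poster in the thread. File contents live in immutable blocks, a snapshot is just a saved map of paths to block ids, and every write allocates a new block. The block capacity and the "purge the oldest snapshot when full" switch are hypothetical knobs standing in for a NAS's snapshot reserve and its purge policy; `ransomware_drill()` rewrites every file the way a crypto-locker would and reports whether the clean snapshot survives and whether the rollback recovers the originals.

```python
"""Toy copy-on-write store with snapshots. Added illustration, not Netgear's
or ZFS's code. capacity_blocks and purge_snapshots_when_full are hypothetical
knobs that stand in for a NAS's snapshot reserve and its purge policy."""
import itertools
from typing import Dict, List, Optional, Tuple


class OutOfSpace(Exception):
    """Raised when a write cannot be satisfied without discarding history."""


class CowStore:
    def __init__(self, capacity_blocks: int, purge_snapshots_when_full: bool):
        self.capacity = capacity_blocks
        self.purge = purge_snapshots_when_full
        self._ids = itertools.count(1)
        self.blocks: Dict[int, bytes] = {}      # id -> data; a block is never overwritten
        self.live: Dict[str, int] = {}          # path -> block id of the current version
        self.snapshots: List[Tuple[str, Dict[str, int]]] = []  # (name, path -> id), oldest first

    def used(self) -> int:
        return len(self.blocks)

    def _referenced(self) -> set:
        refs = set(self.live.values())
        for _, view in self.snapshots:
            refs.update(view.values())
        return refs

    def _gc(self) -> None:
        """Free blocks that neither the live tree nor any snapshot points at."""
        refs = self._referenced()
        for bid in [b for b in self.blocks if b not in refs]:
            del self.blocks[bid]

    def write(self, path: str, data: bytes) -> None:
        # One free block is needed for the new version of the file.
        while self.used() + 1 > self.capacity:
            if self.purge and self.snapshots:
                self.snapshots.pop(0)       # VSS-style: the oldest snapshot is sacrificed
                self._gc()
            else:
                raise OutOfSpace(path)      # fixed retention: refuse the write instead
        bid = next(self._ids)
        self.blocks[bid] = data             # redirect-on-write: the old block is untouched
        self.live[path] = bid
        self._gc()                          # old block survives only while a snapshot holds it

    def snapshot(self, name: str) -> None:
        """Copy the path -> block map; no data is copied, so this is near-instant."""
        self.snapshots.append((name, dict(self.live)))

    def read(self, path: str, snapshot: Optional[str] = None) -> bytes:
        view = self.live if snapshot is None else dict(self.snapshots)[snapshot]
        return self.blocks[view[path]]

    def rollback(self, name: str) -> None:
        self.live = dict(dict(self.snapshots)[name])
        self._gc()


def ransomware_drill(purge_when_full: bool) -> Tuple[bool, bool]:
    """Three photos, one clean snapshot, then every file is rewritten the way a
    crypto-locker would. Returns (clean snapshot survived, files recovered).
    Capacity of 4 blocks leaves room for only one rewritten file on top of the
    three originals, which is the 'snapshot reserve too small' situation."""
    photos = {f"photo{i}.jpg": b"jpeg-bytes-%d" % i for i in range(3)}
    store = CowStore(capacity_blocks=4, purge_snapshots_when_full=purge_when_full)
    for path, data in photos.items():
        store.write(path, data)
    store.snapshot("clean")
    for path, data in photos.items():
        try:
            store.write(path, b"ENCRYPTED:" + data)
        except OutOfSpace:
            break                           # the locker hits ENOSPC; history is intact
    survived = any(name == "clean" for name, _ in store.snapshots)
    if survived:
        store.rollback("clean")
    recovered = survived and all(store.read(p) == d for p, d in photos.items())
    return survived, recovered


if __name__ == "__main__":
    print("purge oldest when full:", ransomware_drill(True))
    print("fixed retention       :", ransomware_drill(False))
```

The practical check this suggests: find out what your NAS does when the snapshot reserve runs out, and size that reserve so a complete rewrite of the live data (which is what an encryption run is) still fits without evicting the last clean snapshot.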
 
I use Backblaze. $5/month and everything backs up automatically.

https://www.backblaze.com/

You can also go back and download older backups should you end up in a situation where you have backed up encrypted files.


I think cloud backups are a great idea if
a) you have the bandwidth
b) they can be completely automated and run from your NAS/server rather than a desktop client
c) you are using them in addition to on-site data
d) your backup data is stored redundantly and securely

I've looked into cloud backup solutions a number of times and I've found finding one with a Linux client I can run on my server without a GUI (or without installing a myriad of insane packages) that also fit my other criteria to be problematic.
 
Most snapshotting systems are copy-on-write.
So that means if you mutate a file on the file system, a new version of that file is created.

Agreed, although it looks like Netgear use redirect-on-write:

"Snapshots contain references to data on a shared folder"
 
Thanks for your help guys. Every day is a schoolday. I'm trying to avoid cloud for some of the reasons mentioned above, but also cost. If I'm paying, I want it to meet all my needs.

My "anti-virus" protection for the last few years has been don't go to gambling sites and don't go to pron sites and don't click on emails from people you don't know. Simple stuff. Problem with these viruses is how they worm their way in through stuff that *other* people get up to. I'm just glad I don't run a business.
 
...and this for more detailed information...

Curse you. Some more associated reading and now I've found an article about bit rot. To quote "Want to feel despair? Do a Google search for how to protect against bit rot."

Who says ignorance isn't bliss?

On the plus side, I've set up daily snapshotting (which SMARTly turns old snapshots into weekly and monthly as time passes). I've got around 3 TB of spare space on the NAS, which will be fine until my wife and I decide to find all episodes of MST3K ever and stick them on there. When that happens it just rolls off the oldest copies.

Final edit: The Netgear also allows you to allow/prevent access to the Snapshot (I'm guessing so you can access it from a PC) which I've left unticked - so it's invisible to my PC OS.
 
I have two external hard drives that I alternate when backing up files (backing up one, once per week). One of these is kept off site in case of loss due to theft or fire. I disconnect my computer from the internet before connecting the external hard drive and during any backing up of files and unplug the HD again before reconnecting to the internet.

I also ensure that my antivirus software is up to date and carry out a full scan before each backup session. It may not totally prevent a wipe-out due to a malware/virus infection (particularly as these things get more advanced), but I doubt anything can protect 100% against fate and/or sheer bad luck?

However, it would still be a complete pain in the neck to have to wipe my PC hard drives and do a complete re-install, so prevention is my first line of defence. I'm very careful when deciding whether or not to open emails (regardless of whether or not I know the sender), and I don't go clicking on any links contained within them or opening any attachments unless I'm certain who they are from and I'm expecting an attachment of that particular file type. Hopefully, then my antivirus software will catch anything I do miss!
 
so prevention is my first line of defence

Mine too. Unfortunately with 20something daughters, wives, friends and various other folk visiting and needing to get on the network, if they've got something nasty, I suspect it'll be more common in future for these things to propagate across. I did consider "guest" wifi in my house but thought it was a bit rude. Esp for SWMBO.
 
I would have thought that cloud storage was more susceptible to hacking than storage on your own system. At home, you can be certain as to how well you are managing your operating system. With cloud storage, you are relying on the other chap to keep his system secure. The extent of the recent attack has shown us that the professionals are not very good at keeping their systems secure!
 
Frankly, as far as I'm concerned, ANY backup system which is permanently connected to a computer or a network is eventually going to be in trouble where malware is concerned.

No important data should ever be kept on a PC - I have known people lose all their photographs and other important data when their PC has crashed or failed.

The more important something is to you the more backups you should have and on different media.
 
Firstly reduce your attack vectors, so uninstall Java, Flash and any email clients and stick to webmail for email and ensure your preferred Web browser is auto updating OK.

If you haven't already, create a separate administrator account and downgrade your everyday account to an unprivileged user.

Personally I prefer to use SFTP rather than permanently mapped fileshares, but you need to be comfortable with scripting and setting up SSH keys to achieve automation like that.

You could just put 'net use' statements in your backup scripts to only map and disconnect the share when required.

I would caution against any kind of Windows based snapshot solution as the first thing many of the ransomware programs do is delete any shadow copies.
 

Much of what you describe is surely either businesses with good IT support to construct and monitor... or the more tech-savvy individual who is prepared and happy to work under a constrained "system".

Sadly(?) there has become a high reliance on the likes of Java and Flash to 'deliver the user experience...' and I surmise that will not change anytime soon!

Has there been any analysis of the vector by which the average home/small business user was infected by ransomware? IMO, in common with many issues, 'pilot error' is a common cause, e.g. clicking on links in emails where caution should advise otherwise.
 
One approach I quite like, particularly if you are self-employed or run a business, is using separate devices for any business-related activities and personal/miscellaneous activities.
I also advocate using non-business devices for spiking/trialling any new software.

An extra step is keeping business devices in a separate network - which can be achieved fairly cheaply given that a number of routers these days support the concept of a guest network.

Firstly reduce your attack vectors, so uninstall Java, Flash and any email clients and stick to webmail for email and ensure your preferred Web browser is auto updating OK.

Generally I disable Flash, Java and JavaScript in the browser except on trusted sites. Webmail could be subject to a MITM attack or even subject the user to specially crafted HTML, so restricting a user to webmail for security purposes just leads to a false sense of security.

If you haven't already, create a separate administrator account and downgrade your everyday account to an unprivileged user.

This is good advice and the absolute least you should do.

Personally I prefer to use SFTP rather than permanently mapped fileshares, but you need to be comfortable with scripting and setting up SSH keys to achieve automation like that.

The approach is inconvenient to say the least. If using SSH keys, ensure they are encrypted with a passphrase which isn't recorded in the local keychain. Again, sophisticated malware will be able to obtain them eventually anyway with a key logger. As previously suggested, separate devices and network for business stuff.

You could just put 'net use' statements in your backup scripts to only map and disconnect the share when required.

I wouldn't condone using 'net use' and temporarily mapping shares - chances are that any half sophisticated crypto will find the script or even just scan the network for any devices that have smb ports open and go from there, not to mention if temporarily mapping shares, unsophisticated malware could still just get lucky.

I would caution against any kind of Windows based snapshot solution as the first thing many of the ransomware programs do is delete any shadow copies.
Should add that this is certainly the case on clients, but not definitely the case on Windows Server. If the client is compromised, the crypto has to worm its way onto the server, which in the case of WannaCrypt was entirely possible. It's still worth using VSS snapshots, but it's entirely possible the Volume Shadow Copy Service deletes historic snapshots as the current snapshot grows to fill the space allocated for snapshot storage. So it's important to ensure there's plenty of disk space and increase the amount of space available to snapshots.
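Since deleting shadow copies is the tell both of these posters point to, here is an added detection example (not from any poster, and not tied to a particular product): it scans process-creation records for the shadow-copy and recovery-disabling commands that ransomware typically runs before encrypting, and raises the severity when the parent process is an Office application or a browser rather than an administrator's console. The `ts host= user= parent= cmd=` record format and the six lines in `SAMPLE_LOG` are constructed for this example; real input would be Windows Security event 4688 or a Sysmon process-creation event.

```python
"""Flag shadow-copy deletion and recovery-disabling commands in process
creation logs. Added detection example; the record format and SAMPLE_LOG
are constructed, not real telemetry."""
import re
from typing import Dict, List

# Commands used to inhibit recovery before encryption (VSS, WMI, wbadmin, bcdedit).
RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin-shrink-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=")),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b")),
    ("powershell-win32_shadowcopy-delete",
     re.compile(r"win32_shadowcopy\b.*\.delete\(\)")),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]

# A recovery-inhibiting command spawned by a document viewer or browser is far
# more suspicious than the same command typed by an admin in a console.
USER_APP_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
                    "msedge.exe"}

# Constructed record layout: timestamp, host, user, parent image, command line.
RECORD = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)"
                    r"\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")


def normalise(cmd: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so the patterns stay simple."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").replace("'", "")).strip().lower()


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (record, matching rule), in log order."""
    alerts = []
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue                        # not a process-creation record
        cmd = normalise(m.group("cmd"))
        parent = m.group("parent").lower()
        for rule, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({
                    "ts": m.group("ts"), "host": m.group("host"),
                    "user": m.group("user"), "parent": parent, "rule": rule,
                    "severity": "high" if parent in USER_APP_PARENTS else "medium",
                    "cmd": cmd,
                })
    return alerts


# Constructed sample: a benign listing, four recovery-inhibiting commands
# spawned from Word, and an unrelated notepad launch on another machine.
SAMPLE_LOG = """\
2017-05-15T09:10:01Z host=PC1 user=ian parent=explorer.exe cmd=vssadmin list shadows
2017-05-15T09:12:03Z host=PC1 user=ian parent=winword.exe cmd="C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet
2017-05-15T09:12:04Z host=PC1 user=ian parent=winword.exe cmd=wmic.exe shadowcopy delete
2017-05-15T09:12:05Z host=PC1 user=ian parent=winword.exe cmd=bcdedit /set {default} recoveryenabled No
2017-05-15T09:12:06Z host=PC1 user=ian parent=winword.exe cmd=powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2017-05-15T09:30:00Z host=LAPTOP2 user=sarah parent=explorer.exe cmd=notepad.exe C:\\Users\\sarah\\todo.txt
"""


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a['ts']} {a['host']} [{a['severity']}] {a['rule']}: {a['cmd']}")
```

On a home network this is the kind of rule a NAS with a syslog receiver, or a free SIEM, could run against forwarded Windows events; on a single PC, the cheaper equivalent is simply not giving the everyday account the right to run `vssadmin` at all, which the "downgrade your everyday account" advice above already achieves.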
 
Personal users:
Set everything to auto update.
Use an online cloud backup solution like hubic that does regular backups and keeps previous versions of files.
Nuff said.
 
In terms of protecting against this specific threat, the only solution I can see is either cloud storage that keeps multiple versions (more cost) or buy an external HD that gets backed up manually then physically disconnected (cost + effort + remembering). Are those pretty much my only options? Ideally I'd like an automated backup that I can do weekly that just pops up with a password before going to modify the backup files - basically preventing automated unwanted encryption.

There are more options...

Update your anti-virus and keep it up-to-date.
Update your Operating System and keep it up-to-date.
Turn on the firewall.
Do not open suspicious emails, especially those with attached files.
Do not download "anything" from the Internet, unless you are sure of it.
Do not just scan your main computer only, but also scan your external drive too, including the backed up drive.
And few stuff like that.

All of those should be done in the first place because they are your first line of defence. Back-Up is your last line of defence. What's the point of backing up if you let the viruses and worms infect your computer in the first place? The reason most people find their backed-up data infected is mostly because they never bothered with the first line of defence, like saying it costs money to pay for a good anti-virus, or being too lazy to update those.

It is pointless to lock the stable door after the horse has bolted.

So what you suggested is not pretty much your only options, you do have a few more options.
 
Back-Up is your last line of defence.

And that's kinda what I was after help with. I'm comfortable with all the preventative methods I use. My bigger concern was covering myself against when those methods fail, and trouble copies itself across to my backup - esp from teenage laptops that are riddled. It's a Risk: Very Low, Impact: High scenario rather than someone who takes no preventative measures then wants help to guard against everything (Risk:High, Impact:High).

This thread fortunately has lots of good advice for anyone - no matter their circumstances. Off site backups & separate machines are something I would absolutely consider if my business depended on it (we still have tapes-in-a-safe at work), and as photos are the only unrecoverable data - I may still consider a monthly backup of photos to the cloud. As mentioned above though, cloud cost/security/connectivity as well as the bandwidth requirements make it less attractive.

Thanks to all that have taken the time to reply.
 
I would be interested to know how many people offering suggestions here have tried (and had success) with restoring their backup files to a rebuilt system.
I ask this because the one time you find out that your backup isn't adequate is when you need to restore it.
I had a problem last year with a disk image taken from SSD which I tried to restore to a spinning HDD (windows) and it failed miserably.
The same software works perfectly on conventional HDD to HDD, so without trying it I would never have known nor suspected that it wouldn't work.
 
I have used TimeMachine on a Mac to restore before and it worked. Used some home-written scripts as well. But you are right, backups can fail and you don't know until it is too late.

In terms of backups not working, this is something that snapshots can be really useful for. Once you have taken a snapshot, most implementations will let you mount the snapshot as a new/separate read-only file system. This way, you can see that things are ok.

From a backup-specific way, the only true way to tell is to try a test restore with a backup every once in a while. This might just be a few files or an entire restore - but then you need to have the space for that.

WRT your SSD-to-HDD restore failure, I would need more information to understand why it failed.
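An added example of the "test restore" advice in the exchange above (not any poster's scripts): build a SHA-256 manifest of the source tree when the backup is taken, then check a restored tree against it and report which files are missing, changed or unexpected. The directory layout and file contents in `demo()` are constructed and created in a temporary directory. One caveat worth acting on: keep the manifest, or at least its digest from `manifest_digest()`, somewhere the backup medium cannot be rewritten, otherwise ransomware that encrypts the backup could just regenerate a matching manifest.

```python
"""Backup manifest and restore verification. Added example; not from the
thread. Paths and contents in demo() are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so multi-GB video files do not need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def manifest_digest(manifest: Dict[str, str]) -> str:
    """One hash over the whole manifest; write this down off the backup medium."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time."""
    actual = build_manifest(restored)
    result: Dict[str, List[str]] = {"ok": [], "changed": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in actual:
            result["missing"].append(rel)
        elif actual[rel] != digest:
            result["changed"].append(rel)     # 'changed' on every file usually means encrypted
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(actual) - set(manifest))
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed source tree, a manifest, then a deliberately imperfect restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "photos").mkdir(parents=True)
        (src / "docs").mkdir()
        (src / "photos" / "img001.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 1000)
        (src / "photos" / "img002.jpg").write_bytes(b"\xff\xd8\xff" + b"B" * 1000)
        (src / "docs" / "notes.txt").write_text("scan of the 1998 negatives\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "photos" / "img002.jpg").write_bytes(b"ENCRYPTED" * 50)  # hit after backup
        (restored / "docs" / "notes.txt").unlink()                            # restore missed it
        (restored / "README.txt").write_text("ransom note\n")                 # not in the backup
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:8s} {files}")
```

Run `build_manifest()` against the source at backup time and `verify_restore()` against a scratch directory after a trial restore; a manifest with every file in "changed" is also a cheap way to notice that a backup target has been encrypted before you rotate the good copy out.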
 
I would be interested to know how many people offering suggestions here have tried (and had success) with restoring their backup files to a rebuilt system

In 5 years I've restored four times from my NAS backup to PC - 1 Win10 upgrade, 1 OS disk swap, and twice when Win10 went glitchy and I just re-installed. I've also restored from PC-NAS when I lost two disks within 24 hours of each other. I tend not to bother with disk images because I'd rather have fresh installs when I do it (In my head - it's a spring clean too). Just got a text file with all the programs I need to re-install, and the locations of all my UserData to copy over (as well as configs, Lightroom bits & pieces etc) Longest job is moving my photos back. I'd hate to think how long restoring from the cloud would take on my connection. City dwellers would probably do better on that front.
 
As far as I am concerned, almost any backup can fail due to ransomware. Even my off-site hard disk is not a guaranteed protection: if I get infected just before I rotate, then rotate the backups before the ransomware alerts me of its presence, both of those backups could be hit.

Multiple backups of various kinds is my answer. I use Time Machine, a cloud backup provider, a NAS with a few attached USB drives, and an off-site rotation. I am also looking at exporting a selection to optical media as JPEG. That will cover two potential issues: it will be a ransomware/virus-proof backup, and it will mean when I pop my clogs they will be the easily digested versions of my photographs. Can't see my wife/sons wanting to wade through all the crap stuff I don't want to delete to find the interesting photos.

Currently investigating the best media, but it appears M-DISC offers a very long lifespan (1000 years in the sales blurb, and DoD tested apparently, but haven't investigated that fact).
 
Java? Really?

When I disable Java on a browser, that definitely reduces functionality of many sites.
E.g. it is what most photographers rely on when they disable right click on their web sites. It also delivered many galleries.
 
As an aside, I've signed up for Amazon Prime and am using their "Upload without Sync" feature and unlimited photo backup to basically shovel everything to the cloud. As it's not on sync there's no way to get to it without going to the website and deleting it. No drives mapped to it, no "always on" connection to it. I think I'll probably do a quarterly update to it, adding the most recent photos. This will become my emergency backup if my connected stuff all gets crypto'd.

I can stand to lose even up to a year nowadays, but those family photos of the kids/babies and old neg scans are irreplaceable.
 
I have 2 PCs - an i3 for surfing which is so locked down even 3 letter agencies couldn't crack it - and an i7 used for editing - which is NEVER connected to the Internet!

In this way I am reasonably certain no virus can ever get to me.
 
How do you 'service' the i7 system with Windows Updates?
 
How do you 'service' the i7 system with Windows Updates?
If the system is working fine, there is no need for updates. Most updates seem to be security updates which would just not be relevant.
 
If the system is working fine, there is no need for updates. Most updates seem to be security updates which would just not be relevant.

This is not necessarily true. They quite often are security updates because they have found a security flaw/hole and are fixing it. By NOT installing the updates, you are leaving yourself potentially open. This was a major part of the recent ransomware attack, where the systems didn't have the latest patches.
 
How do you 'service' the i7 system with Windows Updates?

Simples - I don't and never have!

My i7 is NEVER connected to the Internet and only ever has my own photos or DVDs on it while being edited, once finished they are backed up to an external drive which is only connected as long as it takes to update.

Nothing of any value is ever left on either PC so even if it were possible for a virus to get on there is nothing that matters.

And as with my surfing PC all my work is done inside VMs using XP Pro.
 