Protecting Against Ransomware
This topic has 106 replies, 13 voices, and was last updated 8 years, 9 months ago by Bob Williams.
April 12, 2017 at 8:29 am #6141
What’s the best protection against ransomware, other than an offsite or disconnected backup?
My girlfriend's parents just got hit with ransomware and they're using it as the reason to get a new machine (an aging Vista desktop). However, what other steps can they take to prevent it happening again?
They’ve lost some photos but I’m getting Dropbox to roll it all back for them hopefully but other than that, what can they do in the future to protect themselves more?
At the minute, they’re not sure how it happened – one of them could have opened an email. But they’ve also got a son with Downs syndrome. I’ve been able to tell them when Dropbox started getting changed files which might help narrow it down but they’re looking to prevent it happening again.
I don’t think there’s a huge amount they can do, rather than have good backups?
"Everything looks interesting until you do it. Then you find it’s just another job" - Terry Pratchett
April 12, 2017 at 9:18 am #6144
Good backups with versioning. Synology gives me all the tools I need to mitigate as much as I can.
Real time: Synology Cloud Station does versioning up to 32 deep and is not time limited.
Daily Backup: Hyper Backup allows you to keep 256 versions (9 months) and has compression and deduplication to keep the size down. A real world example from a client: Source size 133GB, 30 days rotation, total used 106GB. You can also lock a particular backup so that it's retained.
Archive to AWS: Glacier backup allows you to archive to Amazon. This costs me less than $2 a month for 8 scheduled weekly jobs for myself and some clients. Everything is encrypted before it leaves the site. I have seen and used PC clients but they are really clunky.
April 12, 2017 at 9:19 am #6145
It would be very useful to know how and where the problem was started.
As you said it would be useful to put in place some controls; that they have a son with issues might be relevant or a major player in the red herrings club.
The obvious potential sources gang are e-mails and dodgy web sites that appear to offer things that appeal to specific interests. Music sites used to be a major vector, not usually the valid ones but the ‘moody ones’ that offered exciting back stage views or other exciting inducements to click. However, that was a while back, money making schemes might be another source. I do not know if any of the parental restriction methods would allow some protection, black lists or restricting access to un-vetted e-mail via different, password protected user accounts?
My daughter has her own PC, with her own e-mail account but with supervision and a limited account.
However, sometimes adults can be just as bad: one relation actually downloaded and installed a doubtful keylogger, and my elder daughter then helped her clear up the mess she had made of her PC all on her own.
In short there is no substitute for taking care over what you open and where you visit. Yesterday my wife was sent a very dodgy e-mail from an unknown source attaching a ‘scan’ (of what?) as an allegedly PDF format item. First question, why? It was permanently deleted, not opened.
April 12, 2017 at 9:28 am #6146
Dave, all sage advice, but I thought that some of these nasties will try to encrypt other networked drives, how do you engineer to stop that happening? That appears to be a key need, which can be achieved via a series of removable drives at the cost of considerable user interaction.
April 12, 2017 at 10:39 am #6147
That's where Cloud Station and versioning come in.
The Cloud Station folder on the PC holds the latest version of a file. The Cloud Station folder on the Synology is linked to a database which holds (up to) the last 32 versions of that file. You can restore whichever version you want. However, it requires at least one full copy of any given file as the base version for file history, so the selected shared folders will need doubled disk space. Only the differential data will be kept among different historical file versions.
There are no mapped drives in play here so the ransomware cannot get at the server, it can only encrypt the latest version on the PC. When this is synced to the NAS the original unencrypted file becomes version #2 on the server and is thus preserved.
You can have multiple Cloud Station folders on a PC linked to different folders on the NAS, you don’t have to just have one bucket of synced data. You can also have multiple users of a PC share a Cloud Station folder if it’s somewhere they can all access, like public\documents (one of my clients has this).
Note that the PC Cloud Station folder is a new discrete folder, you don’t enable it on an existing one like a share for instance. It is however enabled on an existing shared folder on the NAS.
April 12, 2017 at 11:08 am #6149
I have installed a program called CryptoPrevent (free version) which is designed to protect against ransomware. See https://www.foolishit.com/cryptoprevent-malware-prevention. (Don't be put off by the web address). I have not noticed any adverse effects like slowing the PC down although it's impossible to say whether it works or not until it doesn't!
April 12, 2017 at 11:10 am #6152
As they don't seem to be uber PC savvy (still using Vista) I'd say a KISS approach is needed.
You set them up something that is simple for you to troubleshoot, and something that they don't have to mess with, i.e. it just works with their usual workflow.
I use some simple cloud shares, and usb drive stick that lives mostly disconnected.
There are much better solutions, but none more simple. I've not got Dave's network guru skills, and I don't like messing with Windows, I like to be on and off it. I find the more complex a solution (to anything) I attempt on Windows, the more time I spend fixing Windows than doing work.
So simple is fine by me.
I may set up an amazon cloud account. As a dump for photos, a type of last resort vault.
April 12, 2017 at 11:40 am #6157
Cloud shares would just get encrypted at the same time. If you can write access a file so can the ransomware. That's where versioning is important i.e. the automatic saving of a previous version of a file. Dropbox does do versioning but is time limited to 30 days.
I've never heard of Crypto Locker before and I've done a lot of research into the whole ransomware thing. I can see how it works (it's quite crude, and if it worked why doesn't Kaspersky etc. use the same technique?) and it's just a matter of time until a way is found around it, which it has in common with all other defences. That's why I concentrate on how to mitigate against its effects rather than hoping I can keep it out.
April 12, 2017 at 11:44 am #6158
Good backups with versioning. Synology gives me all the tools I need to mitigate as much as I can. Real time: Synology Cloud Station does versioning up to 32 deep and is not time limited. Daily Backup: Hyper Backup allows you to keep 256 versions (9 months) and has compression and deduplication to keep the size down. A real world example from a client: Source size 133GB, 30 days rotation, total used 106GB. You can also lock a particular backup so that it's retained. Archive to AWS: Glacier backup allows you to archive to Amazon. This costs me less than $2 a month for 8 scheduled weekly jobs for myself and some clients. Everything is encrypted before it leaves the site. I have seen and used PC clients but they are really clunky.
That was my initial thought last night when asked about it. Except, rather than get them to purchase a Diskstation, next time I’m over in Ireland, I can set it up to back it up to my Synology over here, so they’ll also have offsite backup. That also provides the benefit that if it happens again, I can log on to the NAS here and restore all the files manually for when they sort the computer out (it’s also not limited by 30 days version history like Dropbox is). I think that in the past though they’ve had limited broadband as I was looking at possibly setting up Crashplan for them to backup to my computer. Last time I was over, I setup Crashplan on the PC to backup to an external drive in case of PC failure, but that was encrypted as well (apparently – I’ve not checked myself, but someone local to them apparently said it was).
Looking at the files that got encrypted in Dropbox, they were hit by the Sage 2.2 ransomware – $2000 to unlock them all! Makes spending some money on backups worth it! I think they’re lucky that most of the farming stuff is done online and so are the accounts.
Dave – I think in this case, it wouldn’t even create a version as it changes the extension to .sage and therefore would just cause a mass deletion of the standard files. However, I would still be able to restore them easily enough!
"Everything looks interesting until you do it. Then you find it’s just another job" - Terry Pratchett
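Dave's point that an in-place overwrite leaves the previous version on the server, and the reply above that Sage instead renames files to .sage (so the sync server sees a deletion plus a brand-new file, not a new version), can be played through on a toy versioned store. This is an added example, not code from the thread, Synology or Dropbox; the store, the 32-version depth, the burst threshold used to find "when the changed files started" and the sample files are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
MAX_VERSIONS = 32  # assumed depth, matching the Cloud Station figure quoted in the thread

@dataclass
class VersionedStore:  # path -> [(timestamp, content), ...], oldest first
    history: dict = field(default_factory=dict)
    deleted: dict = field(default_factory=dict)   # path -> time the client removed it

    def write(self, path, content, ts):
        self.history.setdefault(path, []).append((ts, content))
        del self.history[path][:-MAX_VERSIONS]    # keep only the newest MAX_VERSIONS
        self.deleted.pop(path, None)

    def delete(self, path, ts):
        self.deleted[path] = ts   # old versions stay on the server; only the deletion is recorded

    def first_burst(self, window=timedelta(minutes=5), threshold=5):
        # earliest change such that at least `threshold` changes land inside one window
        events = sorted([ts for vs in self.history.values() for ts, _ in vs] + list(self.deleted.values()))
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1] - events[i] <= window:
                return events[i]

    def snapshot_before(self, cutoff):  # latest version of every file as it stood just before cutoff
        result = {}
        for path, versions in self.history.items():
            if path in self.deleted and self.deleted[path] < cutoff:
                continue                          # removed by the user before the cutoff
            prior = [c for ts, c in versions if ts < cutoff]
            if prior:
                result[path] = prior[-1]
        return result

def simulate():  # constructed scenario: a normal day, then two ransomware behaviours at 23:30
    s = VersionedStore()
    t0 = datetime(2017, 4, 11, 9, 0)
    files = {"photos/a.jpg": b"JPEG-a", "photos/b.jpg": b"JPEG-b",
             "docs/accounts.xlsx": b"XLSX", "docs/letter.docx": b"DOCX"}
    for i, (p, c) in enumerate(files.items()):
        s.write(p, c, t0 + timedelta(hours=i))   # created over the morning
    s.write("docs/letter.docx", b"DOCX v2", t0 + timedelta(hours=6))   # an ordinary edit
    attack = datetime(2017, 4, 11, 23, 30)
    for i, p in enumerate(["photos/a.jpg", "photos/b.jpg"]):   # Sage style: original gone, .sage appears
        s.delete(p, attack + timedelta(seconds=10 * i))
        s.write(p + ".sage", b"ENCRYPTED", attack + timedelta(seconds=10 * i))
    for i, p in enumerate(["docs/accounts.xlsx", "docs/letter.docx"]):
        s.write(p, b"ENCRYPTED", attack + timedelta(seconds=30 + i))   # overwritten in place
    start = s.first_burst()
    return start, s.snapshot_before(start)
```

Both behaviours recover the same way: find the first burst of changes, then take every file's last version before that instant, which ignores the .sage newcomers and the encrypted overwrites alike.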
April 12, 2017 at 12:13 pm #6160
The charity I look after have 2 branches and use Cloud Station to share files between them. The site where the NAS is located is only ADSL so the upload is <1MB. This doesn't have any noticeable effect in everyday use, your average document is very small, but the initial upload of 1.5 GB (8,700 files in 1,371 folders) can take all day. So I "seed" the new Cloud Station folder with files backed up from another PC's folder (or the server). All it then has to do is verify the files which it can do without downloading them.
From a business point of view a Synology DS115j w/ 1x 2TB WD Red Hard Drive and an external 2TB drive for backups is only £200 ex vat. (although I would always recommend a 2 bay for a RAID array which would add £100). You’d spend that on a desk and chair.
April 12, 2017 at 4:34 pm #6168
Hadn't thought about the seeding – that could work out fairly well. I'll look into somehow getting the files onto a USB disk and sent over perhaps to start with. But if they're comfortable with the data residing on my NAS, it may well be a fairly good solution, as I backup my NAS offsite, currently via huBic and Hyper Backup, and I'm experimenting with the Amazon Drive Backup option as well with the free trial – I'm still a bit wary about Glacier, though I see the costs are a bit more straightforward now and would only cost me $1 a month for about 250GB.
My DS116 is excellent (and a better step up from the DS115j that I used to have and passed to my Dad). With my Chromecast though, I’ve been trying to play items that aren’t encoded for it, so at some point I may consider the DS216play, just so it doesn’t cause issues (but I’ll see). However, getting them to pay out for an extra piece of hardware when they’ve just got to pay out for a new computer might be a hard sell.
"Everything looks interesting until you do it. Then you find it’s just another job" - Terry Pratchett
April 12, 2017 at 7:10 pm #6178
Dave's advice is good but a bit costly for most folk, and Cloud backups may be a bit too complicated — obviously depends on the person. However if it is SOHO stuff then they should invest in something like Dave's solution.
It does not take much to make a clean install, and personal files rarely total >32Gb so I would just advise them to do regular backup copies of all their Docs folder onto a few 32Gb USB sticks (Grandfather, father etc copies) . Put them somewhere safe, and make it a weekly habit. If they have a lot of Music copy that off onto another stick and just update it once/month.
April 12, 2017 at 8:53 pm #6185
The other answer is to keep everything in the cloud using Google Docs with no local folder. It's well up to running a small business. Keep the accounting package online too.
I’m sure it could in theory be done using Office Online but I’ve not tried it.
April 12, 2017 at 10:31 pm #6191
I believe all the farm stuff is online – I've not been told too much about the workings, just can it be fixed (and recommendations for a new machine :wacko: ). But I was told that the farm package can be updated on the phone using an app (tracking the cows – injections and pregnancies I guess? It's a dairy farm.) If all the accounts and farm stuff is online, then there probably isn't a huge need for a NAS and backing up to mine might be sufficient.
The USB sticks is probably a good one. GF’s mum does burn photos to DVD every now and then but she reckons the last time was December, so not that regularly! They probably could get away with just Google Drive.
"Everything looks interesting until you do it. Then you find it’s just another job" - Terry Pratchett
April 12, 2017 at 11:38 pm #6194
I agree with your strategy for the in-laws. I'm just exploring other solutions for anyone who may be watching.
As far as laptops go I’m finding that i3 with SSD or hybrid are the best bang per buck. You know they’re perhaps a bit too over specced CPU wise and that it’s the SS(H)D makes all the difference, but the (so called) Pentiums are only £20ish cheaper.
The Lenovo B50-50 still floats my boat at £320 for a 128GB SSD or 500GB SSHD.
April 15, 2017 at 12:55 pm #6261
I think it is a good idea to at least try to keep ransomware off your PC, so as was mentioned earlier give everyone a limited user account (including yourself) and only use the admin account when installing software and the like. Malware finds it harder to install itself when it just doesn't have the permissions to do so.
April 15, 2017 at 1:29 pm #6262
A lot of malware that claims to have encrypted your discs has actually done nothing of the sort. This type of thing is often little more than a login script so it's a good idea to keep a copy of Malwarebytes on your system that you can run (in safe mode if need be) to clear these things up.
April 15, 2017 at 1:35 pm #6263
No one is saying you don't try to keep it off, but if you rely on that you'll come a cropper if it does.
To be able to recover from such an attack you must assume that one day it will succeed, but that doesn't mean you don't make it more difficult to.
A limited account helps but there are plenty of elevated rights exploits.
April 15, 2017 at 1:54 pm #6265
As always a backup is a good idea but the question was how to prevent ransomware. On that note there is evidence to suggest that some ransomware that actually does encrypt your discs in the background uses Windows' own Bitlocker service to do it. I wonder if that would work on home versions of Windows that don't have Bitlocker activated?
April 15, 2017 at 3:29 pm #6269
The answer is that it's not 100% preventable. Just having a backup won't do you any good if the ransomware can get at it i.e. it's to an external USB drive that's plugged in or on a network share.
You can have “device encryption” on W10 Home if you sign in with an MS account and the keys are stored in your profile on MS servers.
I have heard of scripts that can strip out and replace the keys on a drive already encrypted with Bitlocker but haven’t heard of any that have been weaponised. There’s probably no need to as the tool kits already available do the job.