Windows 10: Sadly, protection from ransomware is not totally possible

I was trying to see what might be a good way to protect oneself from ransomware. The reason that I started thinking about this is that my external backup disks are continuously connected to my PC. This would mean that a ransomware attack could infect those external disks as well as my internal disk.

Unfortunately the discussion threads that I saw do not come up with anything definitive other than to have at least one backup offline. The most useful strategy that I read was in Idea for ransomware protection of network drives where the poster suggests the following steps.

I wish I could develop a program to do all that automatically, on a schedule!

:)

 

What's the best Windows 10 backup strategy for a home user that can recover from a ransomware attack?

The best option is to create weekly offline backups using separate drives, so, in the event of a ransomware attack, you can simply boot from the backup and restore it.

Here are some tips for protecting your system:

How to Protect Your Computer From Ransomware - groovyPost

https://www.groovypost.com/howto/protect-window...

 

How to get rid of a ransomware malicious virus

Hi Jim,

For more information about Ransomware, and on how to handle it, we suggest that you check the following articles:

• Ransomware FAQ.
• Protect your PC from ransomware.

We would appreciate it if you could get back to us and provide us your feedback.

 

Hi, I think that was discussed a long time ago; I recall comments like
- that's why I need a wife (or similar) - could be husband of course.. *chuckle
- discussion of a robot arm...

You could create an obscure program that rogue software would not run to control power to your backup source:
USB Relay Controller | eBay

but you'd want to be able to power it down safely, of course.

 

In general, ransomeware looks for all the drive letters in your system. If you don't map a letter to a network drive it can't find it. You can still back up files to it though, using a UNC path of the form...

https://en.wikipedia.org/wiki/Path_(...ing_Convention

 

Other possibility, if you are using a standard user account or have UAC to set to full.

1. Change your drive to read only and allow only admins to modify/write.
2. Setup your auto-backup software to run as admin and that is it.

Note: You should also disable WSH and restrict powershell, both can be used to elevate user rights.

 

I've been also thinking of a "simple" solution and this is what i'm doing,
set up a hybrid system with both win and linux, windows back up to a linux samba share
then linux back up to a non shared folder, possibly invisible to the windows network.
Now if windows get infected the non sahred folder will still be safe.
Never got a ransomware so I wonder if it will really work, could it?

 

I read somewhere that some ransomware programs can assess SMB-connected drives even if not mapped. I have no idea if that's true, but I found it frightening.

One option that adds a small degree of safety is to take FTP backups to a server that does not have SMB running. And have the backup scripted so that the script fails if it tries to copy an already infected file. (That's probably an unnecessary step. If files were infected that would probably include the backup script.)

 

I think there still exists the problem if the ransomware is executed under an Administrator account, there exists exploits to bypass UAC.

This can potentially stop Standard accounts from compromising backups and the host.

I personally like this idea a lot! This is not too simple and requires a lot of user intervention, but it sounds like it can work.

Correct me if I'm wrong, the Linux Samba Share must also be online to transfer files over the network to the active Linux box.

How would you accomplish this on a single box, if only one operating system can be online while the other is turned off? I think you meant two separate machines or a virtual machine, yes?

Personally, for ransomware attacks.:

I would use MBAM 3's Ransomware protection feature while reconfiguring it's exploitation options for maximum allowed,along loaded with Windows Firewall (custom configuration) and EMET 5.5 maximum compliance.

Customized compiled VBScript calling Windows Script Host.

BitLocker AES-256 encryption.

Task Scheduler my C:\ransomware_protection.exe

Typically, ransomware does not infect .exe nor %systemroot% because they want their ransom's and not a crippled system. So with the exception of a few ransomware attacks whom may or may not be exempt from this prior assumption...

I would write a WSH script with read and execution access, given the system hide and EFS encryption attributes and compile in a special third party software so it's more difficult to find the BitLocker pw. The script will detect for the integrity of several dummy files scattered randomly across the system in typical user directories (Desktop, Videos, Pictures) and it's contents, and then if the integrity or MD5 of these files (with read access only) has its MD5 altered, I would end the script and ransomware would not transfer. If ransomware strikes, the script would be encrypted and no transfers would take place.

Else, the integrity has been maintained, I would allow it to transfer accordingly. For the transfer process to occur:

The second barrier requires BitLocker drive encryption on backup drives. The script would navigate Windows and unlock the drive (yes with the BitLocker password encased in the script, which I would compile into an .exe) to allow the file transfer and lock the drive once it's completed.

This sounds pretty complex and descent once it's setup.

 

There is no intervention using the simplest solution with no personalized script,
of course you need at least two machines:

win save to linux samba with file history (automatic), linux save samba shared folder to a linux folder
that could be a network SFTP or NFS folder or even an ext4 formatted external usb HD (automatic,
i.e. with bacula or rsync/grsync).
I think this make sense if you have a relatively complex environment
with both windows and linux pc; for a single PC the virtualization could be overkill and an external usb
(detachable) should do.

 

What about those without 2 systems at their disposal?

I personally like the idea of adding Linux (without wine, lol) into the mix, and it would bar the ransomware from executing on the Unix based system. But what if the Windows box is affected by the ransomware and does not backup the most latest, critical files? Is it a sustainable loss?

 

Hi there

For those without 2 machines : You can actually have the Linux machine as a VM --it can still backup HDD's from the Host !!!.

run the backup FROM the Linux server (obviously with Internet disconnected) and AFTER checking Windows box that there's no malware on it.

From linux you'll need something like RSYNC or GRSYNC (graphical / GUI version of RSYNC) which is great for backing up DATA. RSYNC is standard on Linux distros, GRSYNC is available on most Linux distros including CENTOS which is what I use.
Use the GUI version (GRSYNC) to test your parameters and when it works manually you can then use the command line version (RSYNC) for your batch backup job(s).

GRSYNC example :





For the (Windows) OS use something from he Linux box like CLONEZILLA which will image the OS (Windows HDD).

It depends on how many systems you need to backup.
If it's only 1 or 2 client machines then a stand alone backup on each client using macrium is fine -- but if you need an automated process you'll essentially have to use Linux. I'm not sure how complex job scheduling can be done in Windows --hopefully people better qualified than me could answer this question -- however it's relatively easy on Linux if the server can access your Windows drives.

Simply use the Crontab to schedule your jobs and ensure the client (Windows) machines are available to the server.

You will need to install SAMBA on the Linux machine though.



Cheers
jimbo

 

This makes sense, more elaboration! I love it. OK, this sounds like a fine process - however, how would we accomplish it without having to manually check the Windows box for malware and file integrity? There is no automatic fail safe that doesn't require user intervention?

I tried to implement that with my WSH script on my Windows box, without Linux. Trying to be as resourceful as I can *Nerd

Yes, virtualization is an option that I always consider, especially with a lot of my work invested in the field.

I'm super invested into security, it's my specialty.

 

This is what I'm thinking of doing.

Backup my files to an external provider that offers unlimited backups, that is versioning. This would hopefully allow me to go back to non ransomeware-compromised files and restore them if necessary. It also serves in storing backups in a remote location (using the 3 2 1 backup strategy). I'm also considering using a combination of Folder Guard with FreeFileSync in order to do backups on an external portable USB drive. If Folder Guard works as advertised, then it would deter an attack on the backup files, plus I would have a portable backup of my data.

 

Plug in external ocassionally. Run robocopy job to backup data using /mir switch. Disconnect external drive and keep offsite. Best practice, have 2 different external drives offsite.