
How do I protect my backup from a Crypting trojan?


7 replies to this topic

#1 alfred56

Posted 27 July 2016 - 11:03 PM

Hi Everyone,
 
How are you?
 
One of my clients in Melbourne Australia got attacked last Sunday morning by some sort of crypting trojan that encrypted most files on his computer, making it unusable.
 
Then there was this text file stating to contact allhelp16@gmail.com, provide the ID to request files to be unencrypted after paying some amount of money.
 
I asked my client if he had a recent backup and he said that he did have it.
 
But when I checked the backup folder on the external hard disk for the Acronis TIB file, it was not there. It had been deleted, I believe, by the trojan.
 
Therefore I ran the RECUVA undelete utility with deep scan, but nothing was found. It seems that the file was not only deleted, but also erased completely.
 
Luckily he had another backup from a few days earlier and I was able to restore the Acronis image and got him operational again with some slight data loss.
 
Now my question is:
 
How can I protect the Acronis backups on the external drive from being deleted by a crypting trojan?
 
Do you think I should use a NAS unit instead which requires user authentication within the Acronis program to access the shared folder?
 
I am open to comments and suggestions.
 
Thank you.
 
Best regards to all
 
Alfred56

Edit: Moved topic from Virus, Trojan, Spyware, and Malware Removal Logs to the more appropriate forum. ~ Animal


 


#2 Amigo-A

Posted 28 July 2016 - 02:19 AM

> How can I protect the Acronis backups on the external drive from being deleted by a crypting trojan?

alfred56, with password

see User Guide
paragraph 4.3.6 Backup protection

Edited by Amigo-A, 28 July 2016 - 02:21 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#3 El-Capitan

Posted 28 July 2016 - 02:57 AM

I think if you just change the extension of your Acronis backup file (for example: backup.tib > backup.dll or backup.sys), most crypto viruses won't touch it.

Correct me if I am wrong


Edited by El-Capitan, 28 July 2016 - 02:58 AM.


#4 alfred56

Posted 28 July 2016 - 04:10 AM

> I think if you just change the extension of your Acronis backup file (for example: backup.tib > backup.dll or backup.sys), most crypto viruses won't touch it.
>
> Correct me if I am wrong

 

Hi 

 

thanks for your reply.

 

But if I change the extension of the TIB file to something else, it is going to break up the True Image backup chain.



#5 alfred56

Posted 28 July 2016 - 04:13 AM

 

> > How can I protect the Acronis backups on the external drive from being deleted by a crypting trojan?
>
> alfred56, with password
>
> see User Guide
> paragraph 4.3.6 Backup protection

 

Hi

 

Thank you for your reply.

 

I know that I can set up a password to encrypt the backup file, but this will not stop the crypto trojan from deleting/erasing the actual TIB file.



#6 Amigo-A

Posted 28 July 2016 - 04:27 AM

alfred56,

Or set aside time to back up to an external drive on and off regularly.

 

No other way. 


Edited by Amigo-A, 28 July 2016 - 04:28 AM.



#7 El-Capitan

Posted 28 July 2016 - 05:04 AM

 

> > I think if you just change the extension of your Acronis backup file (for example: backup.tib > backup.dll or backup.sys), most crypto viruses won't touch it.
> >
> > Correct me if I am wrong
>
> Hi
>
> thanks for your reply.
>
> But if I change the extension of the TIB file to something else, it is going to break up the True Image backup chain.

 

Well... it's just to "protect" your file from crypting...

When you need to use it, rename it back to .tib



#8 quietman7

Posted 28 July 2016 - 05:54 AM

For the best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections, also see my comments (Post #2) in this topic...Ransomware avoidance.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
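
An added example, not written by any poster in this thread and not Acronis code, of the copy step for the connect-then-disconnect routine Amigo-A suggests in post #6: it only ever adds .tib files to the rotation drive, and it reports rather than mirrors any file that has been deleted or altered in the source folder. The function names and folder layout are assumptions, and it copies image files that the backup program has already written.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large images are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_new_backups(source: Path, offline: Path, pattern: str = "*.tib") -> dict:
    """Add-only copy of backup files from `source` to the rotation drive.

    Nothing on `offline` is ever overwritten or deleted, so a wiped or
    encrypted source folder cannot damage the copies already taken.
    (`source`/`offline` are hypothetical folders chosen by the operator.)
    """
    report = {"copied": [], "changed": [], "missing_in_source": []}
    src_files = {p.name: p for p in source.glob(pattern)}
    dst_files = {p.name: p for p in offline.glob(pattern)}

    for name, src in sorted(src_files.items()):
        dst = offline / name
        if name not in dst_files:
            # Copy under a temporary name, verify, then rename into place.
            tmp = dst.with_name(dst.name + ".partial")
            shutil.copy2(src, tmp)
            if sha256_of(tmp) != sha256_of(src):
                tmp.unlink()
                raise IOError(f"copy of {name} failed verification")
            tmp.rename(dst)
            report["copied"].append(name)
        elif sha256_of(src) != sha256_of(dst):
            # Same name, different content: keep the offline copy and flag it.
            report["changed"].append(name)

    # Files backed up earlier that have since vanished from the source.
    report["missing_in_source"] = sorted(set(dst_files) - set(src_files))
    return report
```

A non-empty `changed` or `missing_in_source` list is the cue to stop and inspect the machine before the next backup run, while the rotation drive still holds the earlier images.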
