How best to avoid/mitigate RansomWare


11 replies to this topic

#1 TambourineMan


Posted 07 June 2017 - 02:59 PM

I use a top-rated anti-malware program together with a specialty anti-ransomware program (Bitdefender and Malwarebytes). However, until now my backups have not been done regularly or in an organized fashion. Some are on internal drives (the power for which is controlled by a mechanical switch on a PCI card, so they can be and are powered off unless needed), some are on external USB drives, and some on drives on other computers at offsite locations. I used to back up to the cloud, but stopped.

 

I recently set up a Linux SFTP server. I would like to schedule regular unattended weekly backups during the night, but my concern is that this necessitates that I would have to give the backup program the SFTP logon info, and ransomware could somehow discover my logon credentials and password and encrypt the files on the SFTP server as well. (I am unclear how often PCs running Linux are infected with ransomware.)

 

I am unclear as to how ransomware programs gain access to backups in the cloud or other NAS.

 

I was thinking I could minimize the time I was exposed to a ransomware attack by running the backup program off a USB drive that remained disconnected except on the scheduled backup night, or alternately have the backup program run and save temporary backup files on a VeraCrypt encrypted drive (set up so it does not have a drive letter available to Windows) so it would hopefully remain unencrypted unless the vault was opened, which would only be on the scheduled backup night. Also on that night I would possibly switch from an administrator account to a non-admin one that would require USER control.

 

I would prefer not to have to plug a drive in, open a vault, or switch to a USER account. I'd like it to be entirely automated. But I cannot think of any safe ways to do this. I am not even sure that what I described would be sufficient.

 

Any and all insights will be appreciated.





#2 Moritz30


Posted 07 June 2017 - 03:09 PM

The ransomware would not even infect the SFTP server. It could just encrypt the files using your computer's access to it. I have not seen any ransomware fetching SFTP passwords yet, though. You should make sure not to mount it as a network drive or network location/folder, though, as most ransomware encrypts the contents of these, too.


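A server-side mitigation for the concern in this thread (the backup client's SFTP credential being abused to overwrite the copies on the server), added here as an example and not code from the thread or any of its participants: a root cron job on the Linux SFTP server copies the upload directory into dated, read-only snapshots kept outside the path the SFTP account can reach. The paths, script name and schedule are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): server-side snapshots of an SFTP upload
# directory. The Windows backup client holds only a credential that can write
# into UPLOAD_DIR; a root cron job on the Linux server copies UPLOAD_DIR into a
# dated snapshot under SNAP_ROOT, which the SFTP account cannot reach. If
# ransomware on the client overwrites the uploads, earlier snapshots survive.
# All paths below are hypothetical placeholders.

# take_snapshot UPLOAD_DIR SNAP_ROOT NAME
# Full copy (not hardlinks), so a later in-place overwrite of a file in
# UPLOAD_DIR cannot reach the snapshot's inodes; then strip write permission.
take_snapshot() {
    upload_dir=$1; snap_root=$2; dest="$2/$3"
    [ -d "$upload_dir" ] || { echo "missing upload dir: $upload_dir" >&2; return 1; }
    if [ -e "$dest" ]; then echo "snapshot already exists: $dest" >&2; return 1; fi
    mkdir -p "$snap_root"
    cp -Rp "$upload_dir" "$dest"
    chmod -R a-w "$dest"
}

# snapshot_count SNAP_ROOT: number of snapshots currently kept.
snapshot_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# prune_snapshots SNAP_ROOT KEEP
# Removes the oldest snapshots until KEEP remain. Names must sort
# chronologically (e.g. YYYY-MM-DD) because pruning sorts by name.
prune_snapshots() {
    snap_root=$1; keep=$2
    count=$(snapshot_count "$snap_root")
    [ "$count" -gt "$keep" ] || return 0
    ls -1 "$snap_root" | sort | head -n "$((count - keep))" | while read -r old; do
        chmod -R u+w "$snap_root/$old"   # snapshots were made read-only above
        rm -rf "$snap_root/$old"
    done
}

# Example root crontab line (weekly, a few hours after the client's scheduled
# upload), pointing at a script that calls the two functions:
# 30 4 * * 1 /usr/local/sbin/sftp-snapshot.sh
#   take_snapshot /srv/sftp/backup/upload /srv/snapshots "$(date +%F)"
#   prune_snapshots /srv/snapshots 8
```

The SFTP account should be confined to its upload directory (for example with an OpenSSH chroot), so the snapshot tree is reachable only by root.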

#3 jwoods301


Posted 07 June 2017 - 03:10 PM

If external storage is mapped and connected, it can be encrypted.



#4 jwoods301


Posted 07 June 2017 - 03:16 PM

You might find this article from Carnegie Mellon SEI helpful...

 

https://insights.sei.cmu.edu/sei_blog/2017/05/ransomware-best-practices-for-prevention-and-response.html



#5 quietman7


Posted 07 June 2017 - 03:20 PM

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention and your best defense is back up, back up, and more back up on a regular basis. When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.

For more suggestions to protect yourself from ransomware infections, see my comments (Post #2) in this topic...Ransomware Avoidance...it includes a list of prevention tools.

Important Fact: Just like with anti-virus programs...there is no universal "one size fits all" solution that works for everyone and there is no single best anti-ransomware solution to supplement your existing security protection.

Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys. No amount of security software is going to defend against today's sophisticated malware writers for those who do not follow Best Practices for Safe Computing and stay informed.

#6 TambourineMan (Topic Starter)

Posted 07 June 2017 - 03:33 PM

> The ransomware would not even infect the SFTP server. It could just encrypt the files using your computer's access to it. I have not seen any ransomware fetching SFTP passwords yet, though. You should make sure not to mount it as a network drive or network location/folder, though, as most ransomware encrypts the contents of these, too.

Thank you. It's good to know that ransomware is not yet routinely fetching SFTP passwords. I have been looking for good Win 10 backup programs that use SFTP, and currently they are few and far between. But if and when they become more common, I am sure ransomware will try to fetch them.

 

The SFTP server is not connected as a network drive or location/folder.



#7 Moritz30


Posted 07 June 2017 - 03:35 PM

 

> > The ransomware would not even infect the SFTP server. It could just encrypt the files using your computer's access to it. I have not seen any ransomware fetching SFTP passwords yet, though. You should make sure not to mount it as a network drive or network location/folder, though, as most ransomware encrypts the contents of these, too.
>
> Thank you. It's good to know that ransomware is not yet routinely fetching SFTP passwords. I have been looking for good Win 10 backup programs that use SFTP, and currently they are few and far between. But if and when they become more common, I am sure ransomware will try to fetch them.
>
> The SFTP server is not connected as a network drive or location/folder.

 

Alright. If you need a custom software to be created you can contact me xD But also reply to this thread if you need anything else.



#8 jwoods301


Posted 07 June 2017 - 03:44 PM

-


Edited by jwoods301, 07 June 2017 - 04:09 PM.


#9 TambourineMan (Topic Starter)

Posted 07 June 2017 - 03:47 PM

> If external storage is mapped and connected, it can be encrypted.

I was only briefly attaching external storage to get the files to be backed up and then attaching it to another PC to transfer them. With my new SFTP server I will be using an SFTP client (WinSCP) or a backup/syncing program to connect wirelessly or over the internet (using DynDNS).



#10 TambourineMan (Topic Starter)

Posted 07 June 2017 - 03:58 PM

> The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention and your best defense is back up, back up, and more back up on a regular basis. When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.
>
> For more suggestions to protect yourself from ransomware infections, see my comments (Post #2) in this topic...Ransomware Avoidance...it includes a list of prevention tools.
>
> Important Fact: Just like with anti-virus programs...there is no universal "one size fits all" solution that works for everyone and there is no single best anti-ransomware solution to supplement your existing security protection.
>
> Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys. No amount of security software is going to defend against today's sophisticated malware writers for those who do not follow Best Practices for Safe Computing and stay informed.

 

Wow! That is a lot of info. It will take some time to digest it. I have been using the Malwarebytes update to the anti-ransomware program "Nathan" developed and posted here:

 

https://www.bleepingcomputer.com/forums/t/572146/cryptomonitor-stop-all-known-crypto-ransomware-before-it-encrypts-your-data/#entry3671393

 

but I now see from a quick review of your material there are now other good ones.  Thanks.



#11 quietman7


Posted 07 June 2017 - 04:23 PM

Not a problem.

BTW...CryptoMonitor by EasySync Solutions is no longer supported. Nathan Scott (DecrypterFixer) discontinued development of his tools and now works for Malwarebytes (see here). The EasySync Solutions web site was taken down and all downloads from that site are no longer available.

Malwarebytes acquired EasySync Solutions and hired Nathan Scott to help incorporate his CryptoMonitor software into Malwarebytes Anti-Ransomware Beta which is now part of Malwarebytes 3.0.

#12 TambourineMan (Topic Starter)

Posted 07 June 2017 - 05:32 PM

> Not a problem.
>
> BTW...CryptoMonitor by EasySync Solutions is no longer supported. Nathan Scott (DecrypterFixer) discontinued development of his tools and now works for Malwarebytes (see here). The EasySync Solutions web site was taken down and all downloads from that site are no longer available.
>
> Malwarebytes acquired EasySync Solutions and hired Nathan Scott to help incorporate his CryptoMonitor software into Malwarebytes Anti-Ransomware Beta which is now part of Malwarebytes 3.0.

Yeah, I am running the beta version from Malwarebytes now and debating with myself whether to also buy the Malwarebytes 3.0 Premium and run that alongside Bitdefender. I am going to check out the other anti-ransomware programs you listed.

 

> > > The ransomware would not even infect the SFTP server. It could just encrypt the files using your computer's access to it. I have not seen any ransomware fetching SFTP passwords yet, though. You should make sure not to mount it as a network drive or network location/folder, though, as most ransomware encrypts the contents of these, too.
> >
> > Thank you. It's good to know that ransomware is not yet routinely fetching SFTP passwords. I have been looking for good Win 10 backup programs that use SFTP, and currently they are few and far between. But if and when they become more common, I am sure ransomware will try to fetch them.
> >
> > The SFTP server is not connected as a network drive or location/folder.
>
> Alright. If you need a custom software to be created you can contact me xD But also reply to this thread if you need anything else.

 

Thanks for the offer. I did briefly consider a small batch file as a pre-command for some of the backup programs that do not support SFTP. I still do not understand why TrueImage and EaseUs do not support SFTP, nor why they do not plan to add it, although I suppose the market for people running their own servers is small. However, Macrium says they are well under way in the development to add it to their backup program (but no release date yet), and theirs is a good, solid backup program.





