[Guide] Choosing The Right Backup Method(s)

[captain_to_fire]

2 hours ago, Ryan_Vickers said:

-snip-

Both Google Drive and Dropbox has a similar feature where one can restore an encrypted file back to its unencrypted state. [1][2][3]

 

As for the external drives thing, I still think it's not supposed to be a "Y" imo considering that ransomware authors often deliver ransomware via spearphishing emails that can bypass most spam filters. In an unfortunate event that a malicious word document or link is clicked, it will trigger a cascade of events leading to file encryption usually through a PowerShell command. What happens when a tech newbie like a 50 y/o man who owns a small business accidentally clicked that malicious Excel spreadsheet thinking it's from his employee, while doing a local backup? Then, those backups are gone.

[vanished]

11 minutes ago, captain_to_fire said:

Both Google Drive and Dropbox has a similar feature where one can restore an encrypted file back to its unencrypted state. [1][2][3]

Interesting, well that's good for those users then.  I'll have to look into if OneDrive can do the same thing yet.

Quote

As for the external drives thing, I still think it's not supposed to be a "Y" imo considering that ransomware authors often deliver ransomware via spearphishing emails that can bypass most spam filters. In an unfortunate event that a malicious word document or link is clicked, it will trigger a cascade of events leading to file encryption usually through a PowerShell command. What happens when a tech newbie like a 50 y/o man who owns a small business accidentally clicked that malicious Excel spreadsheet thinking it's from his employee, while doing a local backup? Then, those backups are gone.

Yes losing the system and a backup at the same time is always a danger, which is why two good principles to have are:

1. Have at least 2 backups, and never connect more than one at a time.  I've mentioned this in the guide and throughout these comments
2. Focus on your backup while doing it.  Just do it, and then finish, then get back to normal work.  If you're doing a bunch of other stuff at the moment, just focus on finishing that and do your backup another time.  Not only does this just make sense from a task management perspective, but you also ensure your backup contains a finished product rather than something that's in an intermediate state you might have trouble picking up from, if necessary.  And, of course, it avoids the issue you described too.  I haven't mentioned this yet as it's not something that came to mind but it's here now at least

 

Ultimately, almost everything would be a "maybe" if you stretch the considerations far enough.  The approach I've taken is to label them under the assumption/context that it's an expected behaviour you can get from the solution under normal circumstances.  ie, you don't have to go out of your way to get up to that level of protection, and in order to not get that level, you would have to go out of your way to do something strange or stupid.

[captain_to_fire]

17 minutes ago, Ryan_Vickers said:

I'll have to look into if OneDrive can do the same thing yet.

It's within the Windows Security app. The downside however is that the ransomware recovery feature is only for people who paid for Office 365. https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f

 

[vanished]

8 minutes ago, captain_to_fire said:

It's within the Windows Security app. The downside however is that the ransomware recovery feature is only for people who paid for Office 365. https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f

I see.  I don't actually have the features you've shown here, despite being on 1903, having OneDrive (paid) installed and running.  However I did have a closer look into OneDrive's version history and it appears that does in fact exist and works quite well, at least on a file by file basis.  However it doesn't appear as though there's a way to roll back whole folders en masse, so that really limits its usefulness in the event of an attack like this.

[captain_to_fire]

On 7/21/2017 at 5:16 AM, Ryan_Vickers said:

With a proper backup strategy, even this nightmare scenario becomes nothing more than a minor inconvenience.  In the event you lack such a backup and need an option to recover, try searching for the type of ransomware you have fallen victim to.  Certain less sophisticated versions use encryption methods which can be broken with little skill, such as finding the key stored in a hidden file on your PC.

Actually even if backups are regularly done, a single day of downtime because of ransomware can cause loss of money even for a small business. It didn't happened to my family's business but it happened to many. Let's say I am a private practice doctor with five computers in my clinic, should my secretary unknowingly open a word document from a spear-phishing email pretending to be patient records, that will activate a script which will query a remote C&C to download a fileless ransomware to encrypt essential files. Even if I have offline backups in place, it can take time to reformat all computers and restore patient data. By that time, I have to turn down every patient in the waiting room. It is important not to only have backups but to reduce that attack surface and block ransomware at the pre-execution phase as soon as possible. I do have a how-to guide how to make Windows Defender as good as 3rd party antivirus in my signature.

 

It could be worse for larger hospitals even with backups in place.

[vanished]

Just now, captain_to_fire said:

Actually even if backups are regularly done, a single day of downtime because of ransomware can cause loss of money even for a small business. It didn't happened to my family's business but it happened to many. Let's say I am a private practice doctor with five computers in my clinic, should my secretary unknowingly open a word document from a spear-phishing email pretending to be patient records, that will activate a script which will query a remote C&C to download a fileless ransomware to encrypt essential files. Even if I have offline backups in place, it can take time to reformat all computers and restore patient data. By that time, I have to turn down every patient in the waiting room. It is important not to only have backups but to reduce that attack surface and block ransomware at the pre-execution phase as soon as possible. I do have a how-to guide how to make Windows Defender as good as 3rd party antivirus in my signature.

 

It could be worse for larger hospitals even with backups in place.

Well, true, I was thinking more about personal home use than a large (or even small) business, but even then, if the difference is between your company or organization suddenly ceasing to exist, or a day or two of downtime, proportionally speaking, I'm still right